Monday, April 5, 2010

More fun with ipsumdump

More fun with ipsumdump. Below, sorting March ingress by COUNT(SIP), COUNT(SPort), Sorted GeoIP location. All very fast.

ipsumdump -s --no-headers  Marchrferrisx.snort.in |
sort -nr | uniq -c | sort -nr | less

    626 75.125.252.73
    384 74.125.19.191
    358 125.45.109.196
    286 66.165.46.165
    242 74.125.127.191
    234 74.125.53.191
    138 67.214.120.156
    138 204.236.155.168
    127 67.228.177.148
    120 74.125.19.19
    107 173.14.243.230
    105 221.195.73.86
    103 221.192.199.35

....

ipsumdump -S --no-headers  Marchrferrisx.snort.in |
sort -nr | uniq -c | sort -nr

   6523 80
   1669 443
   1220 12200
    553 63585
    468 19150
    459 19099
    238 6000
    198 19135
    156 19134
     93 21
     46 110
     34 5242
     30 9875
     21 52079
     21 35356
     20 1935

for i in `ipsumdump -s --no-headers Marchrferrisx.snort.in | sort -nr | uniq | sort -nr`
do
    echo $i `geoip.sh $i | awk -F: '{print $2$3}'`
done

222.86.62.237 CN, N/A, N/A, N/A, 35.000000, 105.000000, 0, 0
222.59.176.26 CN, 04, Wuxi, N/A, 31.577200, 120.293900, 0, 0
222.59.176.105 CN, 04, Wuxi, N/A, 31.577200, 120.293900, 0, 0
222.45.112.59 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.45.112.221 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.41.8.67 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.37.37.33 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.34.103.72 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.243.14.144 CN, 11, Xupu, N/A, 27.909401, 110.585800, 0, 0
222.219.236.209 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.215.230.49 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.215.230.170 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.214.218.188 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.211.69.13 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.208.183.218 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.186.25.143 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.186.24.37 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
...

Friday, April 2, 2010

"One Page Checklist for Securing and Cleaning a Malware Infected Windows PC"


In this process, you are looking for outbound and inbound communication and connection attempts that seem suspicious – data transfers that you can not account for, processes that seem inexplicable, or unsigned files. You may or may not see logon attempts, registry changes, file creation, file access, file permission changes. You may need to correlate Network Monitor logs with network ingress and egress firewall logs. Additional info at:

Wednesday, March 31, 2010

Vista logon.scr error

Vista, as most of us know, will take a machine out of standby (light sleep), to install the "Tuesday updates". After it reboots, I see this:


Logon screen errors are traditionally dangerous because they have been used to bypass the logon screen.

Monday, March 22, 2010

Data Breaches 2010

Below is a list of 171 data breaches identified by public records found by the ID Theft Resource Center for the first two and one half months of 2010. ITRC has a justice department grant to catalog all known data breaches from credible sources. ITRC is a donor sponsored, multi-venue, non-profit working to resolve identity theft.  If you are a public or private sector enterprise of any type - banking, financial services, insurance, University, medical provider, HMO, governmental department, law firm, hotelier, or non-profit - you will find analogs to your business in this list. I encourage you to read through this list if you have any network or data exposure and ask yourself: 

  • What information assets does my group have to lose? 
  • How could we lose them?

ITRC20100316-01 John Hancock Financial Services
ITRC20100315-02 TD Bank PA Yes
ITRC20100311-01 US Bank OH 
ITRC20100310-05 Securities and Exchange Commission
ITRC20100310-04 Assurity Financial Services US
ITRC20100309-10 Virgin Money USA Inc
ITRC20100309-01 Ally Bank US 
ITRC20100308-16 Wells Fargo - Law
ITRC20100308-14 Partnership Federal Credit Union
ITRC20100308-09 Telhio Credit Union OH
ITRC20100308-08 M&T Bank MD 
ITRC20100305-08 BlackRock US 
ITRC20100226-01 CitiGroup US
ITRC20100224-01 SunTrust Banks FL 
ITRC20100218-08 ING Fund US 
ITRC20100201-03 Ameriquest Mortgage MN 
ITRC20100126-07 Gregory Navone, First Interstate
ITRC20100114-02 Lincoln National Financial Securities
ITRC20100113-02 Suffolk County National Bank
ITRC20100104-01 Eastern Bank Corp MA
ITRC20100316-03 Beecher Carlson Holdings US
ITRC20100316-02 Beer & Wine Hobby
ITRC20100315-01 Littleton Pizza Hut franchisee
ITRC20100312-01 MonoPrice.com US 
ITRC20100310-08 Experian US
ITRC20100310-07 GroupM US 
ITRC20100310-06 Citco - Evanston Capital
ITRC20100310-03 Kraft Foods US 
ITRC20100310-01 Thrivent Financial PA None
ITRC20100309-15 AlixPartners LLP US 
ITRC20100309-14 T-Mobile MD
ITRC20100309-13 Hotels.com - vendor US
ITRC20100309-12 LitCon Group VA 
ITRC20100309-11 AT&T - unknown vendor
ITRC20100309-08 California Business Bureau Medical
ITRC20100309-07 Wolters Kluwer - CCH
ITRC20100309-06 Center for American Progress
ITRC20100309-05 Ameriprise Financial - vendor
ITRC20100309-03 Priceline.com US -
ITRC20100309-02 United Guaranty Residential Insurance
ITRC20100308-15 Coffee.org US 
ITRC20100308-13 LampSource US  
ITRC20100308-12 Ameriprise Financial US 
ITRC20100308-11 Bristol-Myers Squibb Company US
ITRC20100308-10 MoneyGram International US 
ITRC20100308-07 National Audubon Society AZ
ITRC20100308-06 Willard InterContinental Hotel DC
ITRC20100308-05 Ameriprise Financial Inc US
ITRC20100308-04 Cell Phone Kiosk -
ITRC20100308-03 Arrow Electronics NY
ITRC20100308-01 Los Angeles Westin Bonaventure
ITRC20100305-12 Uniformed Services Benefit Association
ITRC20100305-11 Nuance Communications US Yes
ITRC20100305-10 FCI USA LLC US
ITRC20100305-09 Genworth Financial, Life Insurance
ITRC20100305-07 Thermo Fisher Scientific Inc
ITRC20100305-05 Moses,Phillips, Young, Brannon and
ITRC20100305-04 Easybakeware.com US
ITRC20100305-02 Hancock Fabrics US 
ITRC20100304-03 Vernon Sales Promotion US
ITRC20100301-07 Feeney Agency PA 
ITRC20100301-06 McGraw-Hill Construction UT 
ITRC20100301-05 Erisa Pension Systems -
ITRC20100301-02 MSO of Puerto Rico
ITRC20100301-01 MSO of Puerto Rico
ITRC20100226-02 Wyndham Hotels US
ITRC20100225-01 Law Firms, Smyrna GA
ITRC20100224-02 Association for the Blind
ITRC20100223-24 Mid America Kidney Stone
ITRC20100223-17 Merkle Direct Marketing -
ITRC20100223-16 Health Services for Children
ITRC20100223-12 Public Employee Health Insurance
ITRC20100223-07 Private Practice, Wilmington NC
ITRC20100223-02 Educators Mutual Insurance Association
ITRC20100219-02 H&R Block IN Yes
ITRC20100218-09 Cullman Dairy Queen AL
ITRC20100218-07 Galeton, Gloves Inc US
ITRC20100218-06 Daedalus Books US
ITRC20100218-05 TGI Friday's - West
ITRC20100218-04 Eclipse Property Solutions FL
ITRC20100218-02 Small Dog Electronics US
ITRC20100212-03 Macy's - St Louis
ITRC20100212-01 Equifax US
ITRC20100209-13 Ozarks Area Community Action
ITRC20100209-11 St. Clair Winery &
ITRC20100209-10 Highmark US  -
ITRC20100209-06 Ceridian US 
ITRC20100209-03 AvMed Health Plans FL
ITRC20100202-03 Innotek US 
ITRC20100202-02 P.F. Chang's Bistro 
ITRC20100119-04 ExposeObama.com  
ITRC20100119-03 Time Customer Service 
ITRC20100119-02 Goodwill - Kent County
ITRC20100111-01 Metropark NY 
ITRC20100104-02 Moriarty & Primack MA
ITRC20100305-01 New Mexico State University
ITRC20100301-04 Bennett College NC 
ITRC20100219-01 Valdosta State University GA
ITRC20100218-01 Southern Illinois University IL
ITRC20100209-14 Kansas City Art Institute
ITRC20100209-04 University of Texas El
ITRC20100202-01 West Virginia University WV
ITRC20100201-04 Columbia University 
ITRC20100201-02 Humboldt State University CA
ITRC20100126-05 University of Missouri MO
ITRC20100114-03 Eugene School District OR
ITRC20100114-01 Western Michigan University MI
ITRC20100316-04 St. Louis Metropolitan Police
ITRC20100305-06 Anne Arundel County's Fire
ITRC20100304-01 SC Department of Health
ITRC20100301-03 Arkansas Guard, Camp Robinson
ITRC20100223-25 New York Department of
ITRC20100223-14 Alaska Department of Health
ITRC20100223-13 Brooke Army Medical Center
ITRC20100222-01 TennCare TN Yes -
ITRC20100218-03 West Memphis Police Department
ITRC20100209-09 Social Security Administration NY
ITRC20100209-08 Wyoming Department of Health
ITRC20100209-07 Ohio Department of Administrative
ITRC20100209-02 D.C. Office of Tax
ITRC20100209-01 CA Department of Health
ITRC20100201-01 Iowa Racing and Gaming
ITRC20100128-01 PricewaterhouseCoopers - Alaska state
ITRC20100127-01 US Department of Commerce
ITRC20100126-08 New York Department of
ITRC20100126-06 Minnesota Department of Labor
ITRC20100126-04 Seattle Municipal Court WA
ITRC20100126-02 Internal Revenue Service -
ITRC20100126-01 Columbus Health Department OH
ITRC20100119-01 City of Oakridge OR
ITRC20100107-01 Housing Authority of New
ITRC20100104-03 Transportation Security Administration (TSA)
ITRC20100311-07 BlueCross BlueShield of RI
ITRC20100311-06 Center for Neurosciences AZ
ITRC20100311-05 Advanced NeuroSpinal Care CA
ITRC20100311-04 Lucille Packard Children's Hospital
ITRC20100311-03 University of New Mexico
ITRC20100311-02 North Carolina Baptist Hospital
ITRC20100310-02 Quest Diagnostics - AmeriPath
ITRC20100309-16 Empi Recovery Services -
ITRC20100309-04 DaVita - Renal Treatment
ITRC20100308-02 University of Texas Southwestern
ITRC20100305-03 Wake Forest University Baptist
ITRC20100302-01 Diabetes Direct FL 
ITRC20100226-03 Shands HealthCare FL 
ITRC20100225-02 University of Washington Medical
ITRC20100223-23 Private Practice Torrance #5
ITRC20100223-22 Private Practice Torrance #4
ITRC20100223-21 Private Practice Torrance #3
ITRC20100223-20 Private Practice Torrance #2
ITRC20100223-19 Private Practice, Torrance #1
ITRC20100223-18 City of Hope National
ITRC20100223-15 Cogent Healthcare of Wisconsin,
ITRC20100223-11 BlueCross BlueShield - DC,
ITRC20100223-10 Children's Medical Center of
ITRC20100223-09 Concentra TX 
ITRC20100223-08 Advocate Health Care IL
ITRC20100223-06 Blue Island Radiology Consultants,
ITRC20100223-05 Private Practice, Stoughton MA
ITRC20100223-04 Cardiology Consultants FL Yes
ITRC20100223-01 Ashley and Gray DDS
ITRC20100222-02 Group Health WA 
ITRC20100212-02 University of Texas Medical
ITRC20100209-12 Greensburg Dental Practices PA
ITRC20100209-05 Abbott Medical Optics CA
ITRC20100128-02 University of California -
ITRC20100127-02 University Medical Clinic -
ITRC20100126-09 Methodist Hospital - Texas
ITRC20100126-03 Unknown Dentist TX 
ITRC20100113-01 Kaiser HMO CA 
ITRC20100105-01 Massachusetts Eye and Ear

Thursday, March 18, 2010

ipsumdump..

It is easy to be fond of professor Eddie Kohler's ipsumdump.  Take your monthly egress pcap file and filter it through something like this:
 
for i in `ipsumdump -s --no-headers $1 | sort -n | uniq`
do
    echo $i, `./geoip.sh $i | awk '{print $1""$7""$8" "$9""$10""$11}'`
done
( where geoip.sh is geoiplookup -f /usr/local/share/GeoIP/GeoLiteCity.dat $1 )

and you are quickly returned something like this:

10.10.10.2, GeoIPAddressnot found
12.129.147.95, GeoIPVA,Ashburn, 20147,39.033501,-77.483803,
12.130.131.98, GeoIPCA,San Bruno,94066,37.622799,
12.130.81.249, GeoIPNY,Brooklyn, N/A,40.652500,-73.955399,
12.149.161.248, GeoIPCA,Mountain View,94043,37.419201,
12.25.91.250, GeoIPCT,Stamford, N/A,41.083099,-73.538803,
12.25.93.2, GeoIPNY,Newburgh, 12550,41.537498,-74.051201,
24.123.206.230, GeoIPIN,Lawrenceburg, 47025,39.162300,-84.891098,
24.226.158.219, GeoIPQC,Richmond, N/A,45.666698,-72.150002,
24.43.25.8, GeoIPCA,Los Angeles,N/A,34.041599,
24.43.43.169, GeoIPCA,Los Angeles,N/A,34.041599,
38.103.25.181, GeoIPVA,Alexandria, N/A,38.790901,-77.094704,
38.106.23.79, GeoIPN/A,N/A, N/A,38.000000,-97.000000,
41.208.20.155, GeoIP06,Alberton, N/A,-26.233299,28.133301,
58.19.117.118, GeoIP12,Wuhan, N/A,30.583300,114.266701,
58.215.75.62, GeoIP22,Beijing, N/A,39.928902,116.388298,
59.181.103.140, GeoIP16,Bombay, N/A,18.975000,72.825798,
59.36.98.195, GeoIP30,Dongguan, N/A,23.048901,113.744598,
59.51.114.39, GeoIP11,Changsha, N/A,28.179199,113.113602,
...
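Added example, not code from the original posts: the count-and-rank pipelines from the April 5 post above and the GeoIP loop from this one, wrapped as POSIX sh functions that read from stdin so they can be checked on constructed data. It assumes ipsumdump and geoiplookup are on PATH, that GEOIP_DB points at a GeoLiteCity database, and that geoiplookup prints the "GeoIP City Edition, Rev 1: CC, region, city, ..." line format visible in the post's own output.

```shell
#!/bin/sh
# Assumed locations; override GEOIP_DB or GEOIP_CMD in the environment.
GEOIP_DB="${GEOIP_DB:-/usr/local/share/GeoIP/GeoLiteCity.dat}"
GEOIP_CMD="${GEOIP_CMD:-geoiplookup -f $GEOIP_DB}"

# count_values: one value per line on stdin (what `ipsumdump -s --no-headers`
# or `-S --no-headers` emits) -> "count value", highest count first.
# ipsumdump prints "-" for packets that lack the field; drop those.
# A single sort before uniq -c is enough; the post's leading `sort -nr` is redundant.
count_values() {
    grep -v '^-$' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# geo_annotate: "count ip" lines on stdin -> "count ip CC,region,city".
# geoiplookup output looks like
#   GeoIP City Edition, Rev 1: CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
#   GeoIP City Edition, Rev 1: IP Address not found
# so keep the text after the first colon and its first three comma fields;
# anything without three fields (not found, private space) becomes "unknown".
geo_annotate() {
    while read -r count ip; do
        loc=$($GEOIP_CMD "$ip" | head -n 1 | sed 's/^[^:]*: *//' \
              | awk -F', ' 'NF < 3 {print "unknown,,"; next} {print $1","$2","$3}')
        printf '%s %s %s\n' "$count" "$ip" "$loc"
    done
}

# country_totals: geo_annotate output on stdin -> "packets country", descending.
country_totals() {
    awk '{split($3, f, ","); tot[f[1]] += $1} END {for (c in tot) print tot[c], c}' \
        | sort -rn
}

# Wrappers that tie the helpers to a pcap, as the posts do.
# Usage: top_sources file.pcap [N]; top_sports file.pcap [N]; sources_by_country file.pcap
top_sources() { ipsumdump -s --no-headers "$1" | count_values | head -n "${2:-20}"; }
top_sports()  { ipsumdump -S --no-headers "$1" | count_values | head -n "${2:-20}"; }
sources_by_country() {
    ipsumdump -s --no-headers "$1" | count_values | geo_annotate | country_totals
}
```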

Tuesday, March 16, 2010

How the FEDS use social networking...

What type of security risk is social networking? A document obtained by the EFF and posted on Wired's Threat Level blog details how FBI and Secret Service are using social networking sites to obtain information. Here's a sample from the document:
 
"Overview of Key Social Networking Sites
GETTING INFO FROM FACEBOOK
 Data is organized by user ID or group ID
 Standard data productions (per LE guide):
Neoprint, Photoprint, User Contact Info, Group Contact Info, IP Logs
 HOWEVER, Facebook has other data available.
 Often cooperative with emergency requests."

So glad to hear that FEDS are getting co-operation from Facebook. Think for a moment what this other data might be: your chats? your friend searches? your browsing? I have to wonder what Facebook "IP Logs" look like....

Friday, February 26, 2010

Some Thoughts on Computer Defense for Small Business

I have written a paper targeted for small business owners: "Some Thoughts on Computer Defense for Small Business"

"The problem of computer security will continue to increase in intensity in the coming years. Geo-political conflict, an increasing wealth divide between North and South in an increasingly networked world, and increasingly sophisticated threats will challenge the most well prepared specialists to secure your network.  The passage of time has only made the following Unix administrator's adage become more true:   “There are two kinds of computer users: those who have lost data and those who will.”  Which part of that data loss cycle is your destiny?"

Wednesday, February 24, 2010

Advanced Persistent Threat IV

SRI's Malware Threat Center has issued version 1.5 of Bot Hunter. Bot Hunter combines a proprietary algorithm with the data collection facilities of a customized Snort to detect botnet communication from Windows hosts and from a Unix bastion at the egress of your network. You can review the data it collects from its honey net. Here's a picture of it running on Vista:




Update: 02/27/10. And so I had a 1.10 score (below). Bot Hunter reported that a Microsoft IP conducted an outbound scan of 18 IPs. Something to think about...

OUTBOUND SCAN (spp)
    207.46.16.248 (2) (20:05:49.902 PST)   
   event=777:7777005 (2) {udp} E5[bh] Detected moderate malware port scanning of 18 IPs (11 /24s) (# pkts S/M/O/I=0/52/4/0): 137u:52, [] MAC_Src: 00:16:EA:4C:F3:AE

Funny, I had Netmon 3.3 running, but it didn't catch that IP at that time. This turned out to be a Microsoft DNS IP:

9:41:51.287 192.168.0.14 80 (0x50) 207.46.16.248 207.46.16.248 msdn.microsoft.akadns.net 00-09-5B-00-F3-DA msdn.microsoft.akadns.net 5599 (0x15DF)


Tuesday, February 16, 2010

Advanced Persistent Threat Part III

It certainly is possible to examine host or network outbound conversations. But we then have to determine which outbound conversations are legitimate. Current AV software attempts to block access to potentially 'known dangerous' or 'pre-determined dangerous' malware sites, but such judgements are apparently failing to prevent APT from sending stolen data to way stations. On OpenBSD, if we are looking at outbound connections, we might sniff like this using Snort:

/usr/local/bin/snort -D -vdeXX -l . -L `date "+%d%b%H%S%Z%Y.out"` -i dc0  'port not(whois or domain or router) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)' 

On Vista, we might have two interfaces (wired and wireless) we need to examine:

start /min cmd /c C:\snort\bin\snort.exe  -vdeXX -l .  -i 1  port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
start /min cmd /c C:\snort\bin\snort.exe  -vdeXX -l .  -i 2  port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)

We can look at the logs. And we are surprised by the number of outbound connections we make:
C:\Snort\bin>snort -v -q -r snort.log.1266372570 | find "->" | gawk -F"->" '{print $2}' | sort /R | uniq -c | sort /R
    327  74.125.103.208:80
    133  74.202.67.83:80
    105  216.35.221.76:80
    100  198.104.200.154:80
     51  72.21.91.19:80
     32  96.17.70.50:80
....

Perhaps one solution to APT would be some real time co-ordination between sites suspected of being data theft transfer stations and real-time (firewall or host) blocking of the data transfer to those hosts/servers. This type of solution has some headwind but may need to be implemented on an individual or corporate basis to prevent "incidental blacklisting". Other solutions might include:

(1) real time packet examination of data for critical or sensitive information
(2) heuristic detection of data flows that seem 'abnormal'
(3) heuristic detection of file access that seems 'abnormal'

The industry awaits such solutions.

Friday, February 12, 2010

Advanced Persistent Threat Part II

These thoughts occur to me this week in reading the numerous blog posts on APT  and the Mandiant Report. Somehow my research made me think of  the bane of Othello the Moor ( "Iago" ). Very loosely translated from Latin, "Iago"  might mean "I am nothing". Often it is  more commonly translated as "supplanter" or "heel grabber".

(1) I don't have a binary, technical threat analysis, disassembled stub, class diagram or detection method for APT.
(2) I don't know any host based security products that would block "illegitimate APT" (outgoing traffic) on ports 80 and 443 from a legitimate user space request. How would developers even implement such a service? If you could trace all events to an un-hijacked input device, you could block any events that are not desktop based. This would probably put updates, software installations, and sandbox scripts in a pickle. Therefore, is this a problem in search of a network based solution?
(3) I propose we solve the debate about how "APT style" threats can be distinguished from other threats by

  • (a) ranking the level of resources needed to complete them or
  • (b) the level of functional immunity granted their perpetrators

(4) I don't know yet how to prototype or replicate an APT in my lab. Therefore, how do I know it exists outside of the conceptualization of others?
(5) Ten years ago last August I received this comment while working with an IDS developer: "This product will stop the script kiddies and most of the uber-hackers.  Then there's the "Men in Black".  I have no idea how we stop them."

- "Iago"

Tuesday, February 9, 2010

Advanced Persistent Threat

The news on  "Advanced Persistent Threat" has been broken in a big way by Google and the recent Mandiant report.  More comments will follow at a later date.  But some occur to me now:

(1) Our current desktop and server Operating Systems are not secure.
(2) Computer networks are insecure for most organizations and at many levels.
(3) Digital data can no longer be protected against a determined foe.
(4) Security researchers and visionaries should receive more funding. Lots.

Order and read the Mandiant Report. Then imagine what a resourced foe could do if they believed the security of their nation-state depended upon seamless corporate intrusions. Now imagine those techniques automated and in the wild. In order for the world to have safe computing systems, our government and industry need to sponsor more research and decriminalize vulnerability research. Otherwise, no data will ever be secret or protected again.

Monday, February 8, 2010

Defending Against the Small Business Threat

A great and overdue article in the Wall Street Journal this morning: "Wanted: Defense Against Online Bank Fraud". The article discusses a now popular cyber-crime, first popularized in 2008, which is initiated by an online theft/fraud of unsecured ATM/payroll data on user/client/small business PCs. Fake payroll members are created and then [recruited] "money mules" cash out fraudulent paychecks from ATM terminals across the globe. If the fraud is timed right, a small business can lose large sums from their payroll accounts within 24 hours or less. The FBI and the IC3 have been warning about this for some time:


Small businesses during a recession make excellent targets. It is a bit like capitalizing on sick children. Large businesses and banks know the value of security infrastructure and development. They have lots to lose and they have been high priority targets in the past. (And they have just received big chunks of "Stimulus funding.") Most small businesses employ limited staff, have a few PCs (perhaps running some accounting software), maybe some server or cloud infrastructure investments, and a web site or web/commerce site.
The few aggressive owners/proprietors that investigate securing their infrastructure may have done so on a "self-help" basis - implementing firewalls, UTM, anti-virus, anti-spyware.  But even these self-motivated individuals are in no way prepared to be the targets of dedicated information warfare from skilled global criminal enterprises originating in eastern Europe, South America, Russia, China, etc. Thus, in less than 24 hours, small business payroll accounts, many of these derived from  'bridge loans' from local banks, are wiped out.  The targeting of small business by cyber-criminals is an "anti-stimulus" effort; functioning to effectively siphon funds from a weakened American economy.

Tuesday, December 15, 2009

Security as Interdepartmental conflict...

I received this message in my hotmail this morning:



Why does Microsoft get dinged for this type of presentation? Why does it happen? On a small scale it was probably because the hotmail Calendar team wasn't talking with the hotmail Security team. But that doesn't answer much. Computer security is still, in almost all industries and architectures, an "add-in". It is overlaid on top of existing products and architectures. The "security guys" are on separate teams, their training is exclusive, their recommendations are "integrated" into existing products. The practice of security never fully integrates into test suites for most product development because it can't be marketed like a popsicle. It is sold as an immunity, a dose of antibiotic, a pill. Compatibility of security architecture with existing product development has ambiguous ownership.

Saturday, December 5, 2009

Cell Tracking

This is the link to an absolutely extraordinary post  on privacy by Christopher Soghoian:
http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html . Mr. Soghoian's post describes the evolution of "Cell Tracking", an issue the EFF has discussed for a number of years at http://www.eff.org/issues/cell-tracking. An exceptional video on current status of the law  for "cell tracking"  and "mobility tracking" can be found here:  http://www.youtube.com/watch?v=YFo2VcfWCBQ&feature=channel/

The information reminds me that the OS inside most cell-phones is a literal "black box". Because I run midpssh, I can usually find my cell's IP address in the netstat tables of my SSH server. I can see there may be some filtered ports on my phone. But I cannot:
(1) access a console or ssh prompt
(2) run a network sniffer or IDS on my cell phone to see if someone is "pinging" my location or hacking me.

Your cell phone is a tracking device that forbids you from root access.

Monday, November 30, 2009

"The specified uptodateness vector is corrupt."

I haven't posted in awhile. Time to get back into the swing of things with a little pre-Christmas Season silliness. Occasionally, the practice of network security makes us all a little goofy. Seemingly random pursuits overtake us. Silly thoughts fill our console. Perhaps this is a result of low light in the northern latitudes this time of year... In any event, should you wish to query all of the messages available in the "net helpmsg" file on Windows Vista, you can run a command like this:

for /l %i in (1,1,16000) do @( echo %i && net helpmsg %i ) 2>NUL

This prints every number in the range, followed by its net help message where one exists (the error for numbers that have none is sent to NUL). Keep in mind that there are most probably fewer than 5000 of these messages; however, they are numbered somewhat inconsistently across the sequence 1 - 16,000. With cygwin or GNUWin32 utilities loaded you could add:

for /l %i in (1,1,16000) do @( echo %i && net helpmsg %i ) 2>NUL | egrep -B 2 -i [a-z] | tr -d /-/- | tr -d \r

This would produce a long list of only those numbers with messages and, after some substantial period of time and processor use, would yield some very interesting reading. Here are a few of my favorites:

581
A Windows Server has an incorrect configuration.

593
NTVDM encountered a hard error.

597
The parameter(s) passed to the server in the client/server shared memory window were invalid. Too much data may have been put in the shared memory window.

598
The stream is not a tiny stream.

611
There is an IP address conflict with another system on the network

612
There is an IP address conflict with another system on the network

615
The policy of your user account does not allow you to change passwords too frequently.
This is done to prevent users from changing back to a familiar, but potentially discovered, password.
If you feel your password has been compromised then please contact your administrator immediately to have a new one assigned.

617
You have attempted to change your password to one that you have used in the past.
The policy of your user account does not allow this. Please select a password that you have not previously used.

629
A group marked use for deny only cannot be enabled.

670
WOW Assertion Error.

677
{Too Much Information}
The specified access control list (ACL) contained more information than was expected.

678
This warning level status indicates that the transaction state already exists for the registry subtree, but that a transaction commit was previously aborted.
The commit has NOT been completed, but has not been rolled back either (so it may still be committed if desired).

680
{GUID Substitution}
During the translation of a global identifier (GUID) to a Windows security ID (SID), no administratively-defined GUID prefix was found.
A substitute prefix was used, which will not compromise system security. However, this may provide a more restrictive access than intended.

704
{Redundant Read}
To satisfy a read request, the NT fault-tolerant file system successfully read the requested data from a redundant copy.
This was done because the file system encountered a failure on a member of the fault-tolerant volume, but was unable to reassign the failing area of the device.

705
{Redundant Write}
To satisfy a write request, the NT fault-tolerant file system successfully wrote a redundant copy of the information.
This was done because the file system encountered a failure on a member of the fault-tolerant volume, but was not able to reassign the failing area of the device.

730
The system has awoken

746
{Connect Failure on Primary Transport}
An attempt was made to connect to the remote server %hs on the primary transport, but the connection failed.
The computer WAS able to connect on a secondary transport.

1265
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

1274
The group policy framework should call the extension in the synchronous foreground policy refresh.

1282
The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

1292
An operation attempted to exceed an implementation-defined limit.

1349
The type of the token is inappropriate for its attempted use.

1350
Unable to perform a security operation on an object that has no associated security.

1353
The domain was in the wrong state to perform the security operation.

1370
An internal security database corruption has been encountered.

1384
During a logon attempt, the user's security context accumulated too many security IDs.

2228
There are too many names in the user accounts database.

2385
The Run server you requested is paused.

2431
The alert table is full.

3013
The printer driver is known to be unreliable.

3014
The printer driver is known to harm the system.

3029
Local security could not be started because the user accounts database
(NET.ACC) was missing or corrupted, and no usable backup
database was present.

THE SYSTEM IS NOT SECURE.

3060
The service did not respond to control and was stopped with
the DosKillProc function.

3194
Hanging up a stuck session to ***.

3413
Your logon time at *** ends at ***.
Please clean up and log off.

3513
More data is available than can be returned by Windows.

3950
Reissue the given operation as a cached IO operation

4006
Replication with a nonconfigured partner is not allowed.

6628
Log space is exhausted.

6730
The transaction does not have a superior enlistment.

8606
Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

8629
The specified uptodateness vector is corrupt.

8630
The request to replicate secrets is denied.

10038
An operation was attempted on something that is not a socket.

10059
Too many references to some kernel object.

10107
A system call that should never fail has failed.

11007
There are no senders.

11008
There are no receivers.

15250
The requested system device cannot be identified due to multiple indistinguishable devices potentially matching the identification criteria.

Monday, September 7, 2009

The Network Monitor API: Part II

The LoadCapAndFilter example from Network Monitor Examples from Codeplex allows you to specify a particular filter from Network Monitor API. Some fragments from the code are below. Note how the string is escaped (e.g. \"GET\") :

[LoadCapAndFilter.cpp]
//Add filter
ret = NmAddFilter(myFrameParserConfig, L"http.request.command == \"GET\"", &myHTTPFilterID);
...
//Add field
ret = NmAddField(myFrameParserConfig, L"http.request.uri", &myHTTPFieldID);
....
// Obtain the value of http.request.uri from frame. We
// know that strings are passed as word pointer to unicode string in the variant.
..
ret = NmGetFieldValueString(myParsedFrame, myHTTPFieldID, 256, (LPWSTR)value);

Sample output:

LoadCapAndFilerHTTP.exe Miscellaneous_001.cap
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\Users\Admin\AppData\Local\Microsoft\Network Monitor 3\sparser.npb.
Frame 14: HTTP: /crls/globalca1.crl
Frame 100: HTTP: /crls/globalca1.crl
Frame 227: HTTP: /crls/globalca1.crl
Frame 547: HTTP: /crls/globalca1.crl
....

I can modify the LoadCapAndFilter Network Monitor example to parse as needed. For example, Microsoft has a global load balancer that it contacts both before and after secondary authorization for Wireless Network Connections. It functions by contacting http://nssi.glbdns.microsoft.com/ncsi.txt and checking to see if a successful http request is returned. If it can't do so, the returned payload shows no http status code:

HTTP HTTP:Response, HTTP/1.0, Status Code = , URL: /ncsi.txt

If it gets a hit, this request shows:

HTTP:Response, HTTP/1.1, Status Code = 200, URL: /ncsi.txt

By changing the filter code to the version shown further below, I can cycle through all my wireless captures to see how many times my Vista laptop tries to fetch http://nssi.glbdns.microsoft.com/ncsi.txt, with:

for /f %i in ('dir /b *.cap') do LoadCapAndFilterGet_NCSI.exe %i 

[output]:
LoadCapAndFilterGet_NCSI.exe Test.cap
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\Users\Admin\AppData\Local\Microsoft\Network Monitor 3\sparser.npb.
Frame 8012: HTTP: /ncsi.txt
Frame 8452: HTTP: /ncsi.txt
Frame 8815: HTTP: /ncsi.txt
Frame 9178: HTTP: /ncsi.txt
Frame 9560: HTTP: /ncsi.txt
...

[LoadCapAndFilterGETNCSI.cpp]:

//Add filter
ret = NmAddFilter(myFrameParserConfig, L"HTTP.Request.URI == \"/ncsi.txt\"", &myHTTPFilterID);
...
//Add field
ret = NmAddField(myFrameParserConfig, L"http.request.uri", &myHTTPFieldID);
....


Another example:

This code ...


//Add filter
ret = NmAddFilter(myFrameParserConfig, L"TCP.Port == 443", &myHTTPFilterID);
if(ret != ERROR_SUCCESS)
{
    wprintf(L"Failed to add filter, error: %u\n", ret);   // format string now consumes the error code argument
}

//Add field
ret = NmAddField(myFrameParserConfig, L"SSL.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.Extns.ClientHelloExtension.ServerNameList.ServerName", &myHTTPFieldID);
if(ret != ERROR_SUCCESS)
{
    wprintf(L"Failed to add field, error: %u\n", ret);
}

produces this output:

C:\Users\Admin\Documents\Network Monitor 3\Captures>LoadCapAndFilterTCP001.exe Test.cap
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\Users\Admin\AppData\Local\Microsoft\Network Monitor 3\sparser.npb.
Frame 7160: TCP443: www.google.com
Frame 16097: TCP443: signin.evri.com
Frame 16341: TCP443: signin.evri.com
Frame 16577: TCP443: www.connect.facebook.com
Frame 16591: TCP443: www.connect.facebook.com
Frame 16599: TCP443: www.connect.facebook.com
Frame 16631: TCP443: www.connect.facebook.com

..
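
The NPL field path used above walks a TLS record down to the ClientHello's server_name extension. The following Python parser does the same walk over raw bytes; it is an added example written for this post, not code from the blog or from the Network Monitor project. It constructs its own sample ClientHello inline (a constructed record, not a frame from any capture), places an unrelated extension ahead of server_name so the parser has to skip past it, and returns None for anything that is not a complete ClientHello. The names build_client_hello, extract_sni and report are this example's own.

```python
import struct
from typing import Optional


def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension.
    Constructed sample input for the parser below, not data from a capture."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list    # extension type 0 = server_name
    groups = struct.pack("!HH", 2, 0x0017)                       # supported_groups list: secp256r1
    groups_ext = struct.pack("!HH", 10, len(groups)) + groups    # placed first so the parser must skip it
    exts = groups_ext + sni_ext
    body = (
        b"\x03\x03"                                 # client_version TLS 1.2
        + bytes(32)                                 # random (zeroed in this sample)
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
        + b"\x01\x00"                               # one compression method (null)
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(data: bytes) -> Optional[str]:
    """Walk a server_name extension body (ServerNameList) and return the host_name entry."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:
            return name.decode("ascii", errors="replace")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello record, or None if the
    bytes are not a ClientHello, are truncated, or carry no server_name extension."""
    try:
        if len(record) < 5 or record[0] != 0x16:           # ContentType handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                   # HandshakeType client_hello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                                    # truncated handshake
        pos = 2 + 32                                       # client_version + random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:                              # iterate ClientHelloExtension entries
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if len(edata) != elen:
                return None
            if etype == 0:
                return _parse_sni(edata)
        return None
    except (IndexError, struct.error):
        return None


def report(frames):
    """Mimic the blog's 'Frame N: TCP443: host' lines for the frames that carry an SNI."""
    lines = []
    for frame_no, payload in frames:
        host = extract_sni(payload)
        if host:
            lines.append(f"Frame {frame_no}: TCP443: {host}")
    return lines


if __name__ == "__main__":
    sample_frames = [                                  # constructed frames, not a real capture
        (7160, build_client_hello("www.google.com")),
        (7161, b"\x17\x03\x03\x00\x05hello"),          # application data record, ignored
        (16097, build_client_hello("signin.evri.com")),
    ]
    print("\n".join(report(sample_frames)))
```

The length checks at each level matter more than they look: a capture often holds a ClientHello whose record was cut short by the snap length, and a parser that trusts the length fields without comparing them to the bytes actually present will read garbage rather than report "no name".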

To make LoadCapAndFilter work, the NmGetFieldValue call must match the field's return type (the String variant for a string-valued field such as http.request.uri). I had quite a few problems making other queries work, seemingly because of this.


// Obtain the value of http.request.uri from frame. We
// know that strings are passed as word pointer to unicode string in the variant.
WCHAR value[256];
ret = NmGetFieldValueString(myParsedFrame, myHTTPFieldID, 256, (LPWSTR)value);
if(ret == ERROR_SUCCESS)
{
    wprintf(L"%s\n", value);   // print the extracted field value (body completed here; the post's fragment stops at the if)
}

Tuesday, September 1, 2009

The NetworkMonitor API: Part I

I've spent the last three weeks building the Network Monitor Examples from Codeplex: http://nmexperts.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=27988. Sniffers had been pretty much a black box to me before this project. I was prompted to do this because Network Monitor 3.3 on 64-bit systems doesn't produce captures that can be analyzed by logparser.exe. This is good and bad. Logparser only dumped out 20 fields from netmon *.cap files. Despite the struggle, it was worth installing the latest versions (VS2008, VS2009 Express), configuring VS C++ to work with the WDDK and the Netmon API, and compiling the examples on both 32- and 64-bit systems. Microsoft has released the Netmon SDK and API to the web at codeplex.com. Network Monitor itself is a free download, and the lib and header files come along for the ride. Open Parsers are part of the project, allowing the coder to create his own parsers, filters and experts.

The samples show how to open, close, save, filter and parse capture files and parsers. Some example runs are below. This project is best done by someone unafraid of Visual Studio and the WDDK.

IterateFields.exe Test.cap 500
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\Users\Admin\AppData\Local\Microsoft\Network Monitor 3\sparser.npb.
Iterate the fields of frame #500
Frame.WiFi (WiFi) - Offset: 0, Size: 1536
 WiFi.WiFi.MetaData (WiFiMetadata) - Offset: 0, Size: 32
  WiFi.WiFi.MetaData.Version (UINT8) - Offset: 0, Size: 1
  WiFi.WiFi.MetaData.Length (UINT16) - Offset: 1, Size: 2
  WiFi.WiFi.MetaData.OpMode (UINT32) - Offset: 3, Size: 4
  WiFi.WiFi.MetaData.OpMode.StationMode (UINT32) - Offset: 3, Size: 0
  WiFi.WiFi.MetaData.OpMode.APMode (UINT32) - Offset: 3, Size: 0
  WiFi.WiFi.MetaData.OpMode.ExtensibleStationMode (UINT32) - Offset: 3, Size: 0
  WiFi.WiFi.MetaData.OpMode.Unused (UINT32) - Offset: 3, Size: 3
  WiFi.WiFi.MetaData.OpMode.MonitorMode (UINT32) - Offset: 6, Size: 0
  WiFi.WiFi.MetaData.Flags (UINT32) - Offset: 7, Size: 4
  WiFi.WiFi.MetaData.PhyType (UINT32) - Offset: 11, Size: 4
  WiFi.WiFi.MetaData.Channel (UINT32) - Offset: 15, Size: 4
  WiFi.WiFi.MetaData.lRSSI (INT32) - Offset: 19, Size: 4
  WiFi.WiFi.MetaData.Rate (UINT8) - Offset: 23, Size: 1
  WiFi.WiFi.MetaData.TimeStamp (FILETIME) - Offset: 24, Size: 8 ....

IterateFieldsWithDisplayFormat.exe  Test.cap 500
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\Users\Admin\AppData\Local\Microsoft\Network Monitor 3\sparser.npb.
Iterate the fields of frame #500
Field count = 92
WiFi: [Unencrypted Data] .T...., (I)

Error 1168 tryin to retreive display name for frame 499 element 1. Version: 2 (0x2)
  Length: 32 (0x20)
  OpMode: Extensible Station Mode
  StationMode: (...............................0) Not Station Mode
  APMode: (..............................0.) Not AP Mode
  ExtensibleStationMode: (.............................1..) Extensible Station Mode
  Unused: (.0000000000000000000000000000...)
  MonitorMode: (0...............................) Monitor Mode
  Flags: 4294967295 (0xFFFFFFFF)
  RemData: Outbound
  TimeStamp: 08/18/2009, 05:41:19 PM

FrameControl: .T.... (0x0801)
Version: (..............00) 0
Type: (............10..) Data
SubType: (........0000....) Data
DS: (......01........) STA to DS via AP
MoreFrag: (.....0..........) No
Retransmission: (....0...........) No
PowerMgt: (...0............) Active Mode
MoreData: (..0.............) No
Encrypted: (.0..............) No
Order: (0...............) Unordered....

GetFrameComments 100secwithComments.cap
Frame 1 Comment Info:
  TitleByteLength: 34, Title: Test Comment 001
  DescriptionByteLength: 137, Description: {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 MS Shell D
\viewkind4\uc1\pard\f0\fs17 testing...\par
}

Frame 2 has no comment info
Frame 3 has no comment info
Frame 4 has no comment info
Frame 5 has no comment info....


Tuesday, August 11, 2009

Securing Digital Content: Part I

I will post no code for this blog entry so that I can answer a question from a friend of mine: How does a normal person take reasonable steps to safeguard sensitive digital content in this day of repeated sophisticated intrusions, penetrations, institutionalized hacking and institutionalized snooping? This is a long subject that would require more than one blog entry. Here are some (random or not) thoughts:

Part I Strategies
I would summarize the strategy for maintaining content security like this:
(1) Assume data loss or data theft. Develop a strategy not just to defend against data loss/theft but to recover from it.
(2) Understand the "big" picture. Take some time to understand just how insecure digital data now is for all of us, including journalists, businesses, corporations and nation-states. Read James Bamford's "The Shadow Government" or Misha Glenny's "McMafia".
(3) Have a reasonable picture of your enemies and how determined they would be to find your content or stop you from owning it.
(4) Remember the famous (and ancient) network administrator's maxim: "There are only two kinds of computer users: those who have lost data and those who will." Always back up your work. Always work with a net.
(5) Lower your "personal attack surface". Two separate strategies come to mind:
 (a) Confuse possible threats through secrecy, security, iconoclastic behavior, obfuscation and misdirection (e.g. keep a 'cover', 'alibi' or 'grey' lifestyle, own many small computers, own multiple phones but don't always carry them, take public transport to busy malls to work, cultivate unpredictable behavior patterns, etc.).
 (b) Become involved and well-known in your community and tribe: develop friends, watchers and confidants. Keep a respected public content profile on a blog. Attend your block watch and neighborhood meetings, have your neighbors over for dinner, etc.
These two strategies may be more compatible than they appear...
(6) If something feels wrong to you, it probably is. If you don't feel like filling out some Facebook survey that asks for the "top twenty things people don't know about you", your life may well be more secure. Hackers often build password lists from details of people's personal lives. Ask your medical professional exactly why he needs your Social Security number on that form. Despite recent HIPAA laws, medical information is notoriously insecure. The list goes on: overly personal strangers, tele-funders from little-known organizations asking for your credit card numbers. Limit the leakage of critical personal information. Often, no one else needs to know. Resist the urge to share overly personal details with strangers.
(7) Don't underestimate the threats. But don't spend too much time worrying about them either. It is well known that successful personal security always involves intuition and spontaneity, and both are dimmed by too much worry.
  
Part II Safe Computing Practices
As for generally accepted computing security practices, if I had to protect sensitive content I would:
(1) read any number of sites that give excellent recommendations on "safe computing practices", from the NSA to the FBI to CERT to SANS to SLATE, and USE THEM.
(2) understand my firewall, anti-virus, security templates and encryption suites well and USE THEM.
(3) understand my Operating System/Application suite really well. Monitor Operating System/Application security flaws and update as prescribed.
(4) review my firewall, syslog, event viewer, anti-virus and web logs every week and attempt to profile both my audience and possible threats by collating all log information.
(5) use product vendors I believe in for my OS, applications, firewall, AV and encryption suites. Consider using "open-source" platforms and applications whose code is well reviewed.
(6) if possible or practical, store a non-digital copy of protected content in multiple safe locations to protect against disaster.
(7) not keep secure information or sensitive content in e-mail. Most e-mail is exchanged in 'clear text' across the wire. Most e-mail stores are not kept in 'data vaults', although some e-mail software will offer you this option.
(8) try to remember that data loss is multi-faceted and often physical in nature. More data may be lost from stolen laptops in America than through network intrusions: Buy a vault and USE IT. Buy multiple deadbolts and USE THEM. Be careful with your laptops and portable drives when you are in a crowd or public place. (See Part IV, suggestion (2) below.)

True story: I once heard a friend of mine describe how the local PD called on him to help break the encryption on a drive running an uncommon real-time UNIX OS that belonged to a narcotics trafficker.
The dealer had gone to some lengths to use a rare OS with encryption that few people would have technical experience with. But once the local PD had physical control of the box... game over.

Part III More Computer Security Practices
Some more computer security suggestions for content protection:
(1) Receive e-mail in plain text always. Consider sending digitally signed e-mail. 
(2) Encrypt your laptop and hard drives with third party encryption.
(3) Understand file and logon security for your Operating System and deploy and use them.
(4) Deploy host and network firewalls and a honeypot. Consider firewalling different segments of your network. Lately, I like the concept of these new UTM (Unified Threat Modeling) firewalls from NetGear and other vendors...
(5) Learn to sniff and review traffic everywhere you go. There's something satisfying about actually reviewing network traffic as you work on the network. Something like surveying the crowd on the street you are walking on...
(6) Consider carrying a small portable hardware firewall for your laptop.
(7) Get in the practice of quickly reformatting and reinstalling an up-to-date version of your OS if you feel the least bit queasy about its behavior. [This tip implies an excellent data back-up habit and some patience with OS installation.]
(8) Wireless is still a risk, especially if unencrypted. If you use it, use a VPN or encryption for sensitive communication and the highest strength encryption you can afford. Beware of "rogue" public hot spots that steal information.
(9) Use OpenSSH for your network communication as much as possible, especially across networks you don't control or own.
(10) Get in the habit of using 21 character plus passwords and changing them often. Yes, you can.
(11) Regardless of whether you run Windows or UNIX, don't take unnecessary sharing, open-port or remote-administration risks. 'Lock down' the most expensive version of Windows you can afford (e.g. Vista Ultimate).
[Note: Securing Windows or UNIX requires some effort and thought and training. The use of a consultant may be advisable.]

Part IV Offbeat Ideas?
On the "inventive" or "offbeat" side, if I had to protect sensitive content I might:
(1) Store everything on an old, cheap OpenBSD box that never touches the internet. Run only OpenBSD approved packages.
(2) Buy a Nokia 810, and install and configure iptables. Use it to Skype with your friends over some random wireless connection instead of using a cell phone. Carry it in your jacket pocket and use it instead of a laptop.
(3) Use an iconoclastic Linux distro designed for security; 'BackTrack' comes to mind...
(4) Surf and collect e-mail on a thumb drive from a bootable Linux distro. Then boot back into an OpenBSD, Linux, Debian,Ubuntu laptop that has no networking at all for your "protected content".
(5) Or you could do the converse: Surf on your hard drive box, boot into a Linux DVD distro, mount a "secure" thumb drive or SD drive for storing sensitive content.
(6) Keep two sets of content: one that can be "found" by your enemies (after some work) and one that is "hidden". For example, thumb drives are easy to purchase, back up and/or carry on your person. You could leave decoys lying around with "disinformative content" for when the spooks do a "sneak and peek" at your apartment.
(7) Set up a surveillance system around your home.
(8) Teach yourself to hack and spy. Nothing will make you more paranoid and careful than knowing the "arts of the enemy". Actually, nothing will intimidate your enemies more than aggressive "back-tracking" of their hacking and spying attempts. 
(9) Live in the most populous neighborhood you can stand. San Francisco's China Town comes to mind. It's hard to follow one person consistently in a crowd.
(10) Publish some of your most problematic secret content on a blog, similar to what the Electronic Freedom Foundation does every month. Nothing makes sensitive content less so than publicity. Sometimes, nothing makes holding a secret less dangerous than sharing it.

AND THE NUMBER ONE WAY TO PROTECT SENSITIVE CONTENT IS...
[Live without any. Wasn't life simpler without computers? :-)] 

Monday, August 3, 2009

Parsing Vista Firewalls: Part V


When combined with cmd.exe, you can populate a Log Parser query file with cmd.exe variables. The datagrid output of Log Parser gives you a "pretty" display. The chart output requires a licensed copy of the MS Chart output DLL. A little knowledge of SQL takes you quite a long way with Log Parser. The two batch files below take the field name(s) to group by and the log file name as arguments, write the SELECT/GROUP BY/ORDER BY query to OrderByFieldGroupByCount.sql, and run it.

:: must delete "#Fields" from pfirewall.log first for correct field parsing.
@echo off
set field=%1
set filename=%2
echo SELECT %field%, COUNT(*) > OrderByFieldGroupByCount.sql
echo FROM 'C:\Windows\System32\LogFiles\Firewall\%filename%' >> OrderByFieldGroupByCount.sql
echo GROUP BY %field% >> OrderByFieldGroupByCount.sql
echo ORDER BY COUNT(*) DESC >> OrderByFieldGroupByCount.sql
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -i:TSV file:OrderByFieldGroupByCount.sql -q:on -iSeparator:spaces -fixedSep:OFF -nSkipLines:3 -o:datagrid

:: must delete "#Fields" from pfirewall.log first for correct field parsing.
@echo off
set field1=%1
set field2=%2
set filename=%3
echo SELECT %field1% , %field2% , COUNT(*) > OrderByFieldGroupByCount.sql
echo FROM 'C:\Windows\System32\LogFiles\Firewall\%filename%' >> OrderByFieldGroupByCount.sql
echo GROUP BY %field1% , %field2% >> OrderByFieldGroupByCount.sql
echo ORDER BY COUNT(*) DESC >> OrderByFieldGroupByCount.sql
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -i:TSV file:OrderByFieldGroupByCount.sql -q:on -iSeparator:spaces -fixedSep:OFF -nSkipLines:3 -o:datagrid

Saturday, August 1, 2009

Parsing Vista Firewall: Part IV

Microsoft's logparser.exe uses SQL query syntax to parse many different log formats. Vista's firewall log most closely resembles a TSV log file format. However, it takes some work with logparser.exe to find the correct parameters, as shown below. The third or 'header' row needs the word "#Fields" removed from the file for accurate field recognition.

LogParser "SELECT * FROM 'pfirewall.log' WHERE ( action = 'ALLOW' AND protocol = 'UDP' AND path = 'RECEIVE' AND src-ip <> '127.0.0.1' ) " -i:TSV -iSeparator:spaces -fixedSep:OFF -nSkipLines:3

Filename RowNumber date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
--------------------------------------------------- --------- ---------- -------- ------ -------- --------------- --------------- -------- -------- ---- -------- ------ ------ ------ -------- -------- ---- -------
C:\Program Files (x86)\Log Parser 2.2\pfirewall.log 7105 2009-07-11 19:56:59 ALLOW UDP 192.168.0.4 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
C:\Program Files (x86)\Log Parser 2.2\pfirewall.log 7107 2009-07-11 19:56:59 ALLOW UDP 169.254.172.113 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
C:\Program Files (x86)\Log Parser 2.2\pfirewall.log 8046 2009-07-11 21:56:36 ALLOW UDP 192.168.0.4 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
C:\Program Files (x86)\Log Parser 2.2\pfirewall.log 8047 2009-07-11 21:56:36 ALLOW UDP 169.254.172.113 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
C:\Program Files (x86)\Log Parser 2.2\pfirewall.log 8316 2009-07-11 22:03:29 ALLOW UDP 169.254.172.113 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
C:\Program Files (x86)\Log Parser 2.2\pfirewall.log 8353 2009-07-11 22:06:18 ALLOW UDP 192.168.0.4 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
C:\Program Files (x86)\Log Parser 2.2\pfirewall.log 8355 2009-07-11 22:06:18 ALLOW UDP 169.254.172.113 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
....
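
Both this post and Part V above come down to two operations on pfirewall.log: a WHERE filter on a few columns and a GROUP BY/COUNT(*) ordered by count. As an added example (not from the blog and not Log Parser's own code), the Python below performs the same two queries directly, and it reads the column names from the "#Fields:" header line instead of requiring that prefix to be deleted from the file first. The log text is a constructed sample laid out like the rows shown above; its addresses, times and counts are made up. Function names parse_pfirewall, group_count and allowed_udp_inbound are this example's own.

```python
from collections import Counter

# Constructed sample of a Vista pfirewall.log: W3C-style '#' header lines,
# then space-separated rows in the column order the blog's output shows.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-07-11 19:56:59 ALLOW UDP 192.168.0.4 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
2009-07-11 19:56:59 ALLOW UDP 169.254.172.113 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
2009-07-11 19:57:03 DROP TCP 10.0.0.9 192.168.0.4 4444 445 48 S 123 0 8192 - - - RECEIVE
2009-07-11 19:57:10 ALLOW TCP 192.168.0.4 74.125.19.99 49152 80 0 - - - - - - - SEND
2009-07-11 19:57:12 ALLOW UDP 127.0.0.1 127.0.0.1 53 53 0 - - - - - - - RECEIVE
2009-07-11 21:56:36 ALLOW UDP 192.168.0.4 239.255.255.250 51493 1900 0 - - - - - - - RECEIVE
"""


def parse_pfirewall(text):
    """Yield one dict per log row. The '#Fields:' header supplies the column
    names, so the file does not need to be hand-edited before parsing."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):               # #Version, #Software, #Time Format
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                           # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def group_count(rows, *fields):
    """Equivalent of SELECT f1, f2, COUNT(*) ... GROUP BY f1, f2 ORDER BY COUNT(*) DESC.
    Returns [((value1, value2, ...), count), ...], highest count first; ties sort by value."""
    counts = Counter(tuple(row[f] for f in fields) for row in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def allowed_udp_inbound(rows):
    """The Part IV WHERE clause: action = 'ALLOW' AND protocol = 'UDP'
    AND path = 'RECEIVE' AND src-ip <> '127.0.0.1'."""
    return [
        row for row in rows
        if row["action"] == "ALLOW"
        and row["protocol"] == "UDP"
        and row["path"] == "RECEIVE"
        and row["src-ip"] != "127.0.0.1"
    ]


if __name__ == "__main__":
    rows = list(parse_pfirewall(SAMPLE_LOG))
    print("rows parsed:", len(rows))
    for key, n in group_count(rows, "action"):
        print(f"{n:6d}  {' '.join(key)}")
    print("allowed inbound UDP, grouped by src-ip/dst-ip:")
    for key, n in group_count(allowed_udp_inbound(rows), "src-ip", "dst-ip"):
        print(f"{n:6d}  {' '.join(key)}")
```

Reading the column names from the header rather than hard-coding them means the same parser keeps working if a later Windows version adds or reorders columns, which is exactly the situation that breaks a fixed -nSkipLines setting.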