October 2008 Archives

Paper: Did you want the world to know...?


Abstract

Corporate websites, Google, forums, newsgroups ... all valuable sources of all kinds of information. Unfortunately, those who seek information from these sources are not always our customers, partners, or (potential) employees, but can also be people with less honest intentions. In order to research which sensitive information can be found freely available on the Internet, the author will put on a black hat and scour various online locations, using simple tools to get this information without breaking the law and without crossing the line between ethical and unethical. The research includes locations where it is often already expected that an adversary will turn for intelligence gathering, such as attempts to perform zone transfers. But information that may not seem sensitive at first, such as corporate websites and even Google searches, will also be put under the magnifying glass. The conclusion of this research is that a lot of sensitive information is out there, and was put there by people either knowingly or unknowingly. It is about time that user education is taken more seriously, and turning the Internet inside out in search of sensitive information should become a very important part of audits and penetration testing.

Download here.

Book: Computer forensics for dummies

Earlier this week "Computer Forensics For Dummies" was released, and a look at the back cover disappointed me a bit as it stated "You don't need a computer science degree to master e-discovery", making it seem like a trivial process. However, from the first reader reactions it appears that it explains the concepts very well while still keeping the technical jargon to a minimum, making it easy to understand for anyone with limited technical knowledge.

Although it may not be recommended reading for the more tech-savvy who want to improve their knowledge in the field, it might be an interesting read nevertheless, as it could help explain computer forensics to others in a non-technical way.

Paper: How safe is Azeroth, or, are MMORPGs a security risk?

Abstract

Massive Multiplayer Online Role Playing Games (MMORPGs) are, at a basic level, networked applications. Blizzard's World of Warcraft is currently the largest example of such an application, with over nine million subscribers at last count. Whilst the idea of researching a game for network security may sound trivial, nine million potential backdoors into home and business computers is not. The ports used by the game, as well as its authentication methods and client update programs, were examined using packet analysis software. No obvious vulnerabilities were discovered as a result of this analysis. In addition, an examination of the literature on other types of attack that are present was also performed. These include such common attacks as spam, malware and Trojans. The conclusion is that while no specific network vulnerability appears to exist in the game's launcher or updater, there are still a number of other attack vectors that need to be considered and protected against.

Paper co-authored with Andrew Woodward and published in the Proceedings of the 5th Australian Information Security Management Conference, held on the 4th of December, 2007 at Edith Cowan University, Perth, Western Australia.

Reference and download: ISBN 0-7298-0647-2

Paper: Mood 300 IPTV decoder forensics

Abstract

Since June 2005, viewers in Belgium can get access to digital TV or IPTV via ADSL through Belgacom, the largest telecommunications provider in the country. The decoders used to enjoy these services are the Mood 300 series from Tilgin (formerly i3 Micro Technology). As of the Mood 337, the decoders contain a hard disk to enable the viewer to record and pause TV programs. Although it is publicly known that the Mood's hard disk is used to save recorded and paused TV programs, it was still unknown whether it contains any data that could be of interest during a forensic investigation. Interesting data ranges from which TV programs were watched, through the discovery of unauthorized data storage, to criminal profiling and alibi verification. This paper researches the possibilities, especially with regard to which TV programs were watched and alternate data storage, as criminal profiling and alibi verification are not tasks the forensic investigator can do alone.

Just like game consoles that use a hard disk, the Mood 337 can easily be disassembled and its disk attached to a PC for forensic analysis. The reason analysis of this system is necessary is simply that it contains a hard disk: anyone with a screwdriver can remove, replace or modify it, not only for experimental purposes but also for illegitimate uses. Analysis shows that most of the 80 GB of disk space is not even in use, and data can easily be written to it without interfering with the system's primary function of providing IPTV services. It was also found that the Mood runs on a Linux base system with a 2.4 kernel, using XML files for the configuration of IPTV functions and services. Analysis reveals that even the (billable) 'pause' function is nothing more than a 'yes' or 'no' flag in an XML file. Other files that would be expected on a Linux system, such as /etc/fstab or /etc/passwd, were not found, although these might have proved useful in this analysis. Further examination of the hard disk indicates the use of certificates for protection against piracy. However, it proved to be a trivial task to simply copy recorded data to a PC and play it with a media player.

The most important discovery of this research is that correctness of time and date appears to be of lesser value to the creators and/or distributors of the Mood 337. Throughout the system, various time stamps and time zones were used, and, more importantly, time and date were changed several times. Even though two NTP servers are configured for time synchronisation, neither of them seems to be correct. In order for data recovered from this hard disk to be acceptable before a court of law, fixing the time and date should be one of the highest-priority changes that are needed.
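The finding that the device mixes time stamps and time zones, and that its clock was changed several times, is exactly what an examiner has to sort out before any time-based statement about the disk can be defended. As an added illustration that is not code from the paper, the Python below normalises constructed log lines in three timestamp styles to UTC, flags entries whose zone had to be assumed, and locates the points where the clock was stepped backwards; the log format and the assumed CET zone are hypothetical.

```python
from datetime import datetime, timezone, timedelta
import re

# Constructed sample log in file order (not data from the paper): it mixes an
# ISO 8601 timestamp with offset, a Unix epoch value and a naive local time,
# and the clock is stepped backwards part-way through.
SAMPLE_LOG = [
    "2007-11-20T19:30:00+01:00 recorder start",
    "1195583460 recorder segment written",
    "20/11/2007 19:33:00 pause flag set",
    "2007-11-20T17:05:00+01:00 ntp adjust",
    "2007-11-20T17:06:30+01:00 recorder stop",
]

# Assumed zone for timestamps that carry none (hypothetical: Belgian local time).
ASSUMED_TZ = timezone(timedelta(hours=1))

def parse_timestamp(raw, assumed_tz=ASSUMED_TZ):
    """Normalise one timestamp to UTC. Returns (datetime, zone_was_assumed)."""
    if re.fullmatch(r"\d{9,10}", raw):          # Unix epoch, by definition UTC
        return datetime.fromtimestamp(int(raw), tz=timezone.utc), False
    try:
        dt = datetime.fromisoformat(raw)        # ISO 8601, with or without offset
    except ValueError:
        dt = datetime.strptime(raw, "%d/%m/%Y %H:%M:%S")
    assumed = dt.tzinfo is None
    if assumed:
        dt = dt.replace(tzinfo=assumed_tz)
    return dt.astimezone(timezone.utc), assumed

def parse_log(lines, assumed_tz=ASSUMED_TZ):
    """Split each 'timestamp message' line; the naive format contains a space."""
    events = []
    for line in lines:
        m = re.match(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}|\S+)\s+(.*)", line)
        utc, assumed = parse_timestamp(m.group(1), assumed_tz)
        events.append({"utc": utc, "msg": m.group(2), "zone_assumed": assumed})
    return events

def find_clock_jumps(events):
    """Indexes where a later line carries an earlier time than its predecessor:
    each marks a clock change, so times across it cannot be compared uncorrected."""
    jumps = []
    for i in range(1, len(events)):
        delta = events[i]["utc"] - events[i - 1]["utc"]
        if delta < timedelta(0):
            jumps.append((i, int(-delta.total_seconds())))
    return jumps
```

Entries flagged `zone_assumed` rest on an assumption that has to be stated in the report, and every interval that spans a reported jump needs the jump's size applied before it is used.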

Paper published in the Proceedings of the 5th Australian Digital Forensics Conference, held on the 3rd of December, 2007 at Edith Cowan University, Perth, Western Australia.

Reference and download: ISBN 0-7298-0646-4

Hack.Lu 2008


About me

  • I'm An Hilven