November 2008 Archives

Europe goes anti-cybercrime

Last week it was decided on international (European Union) level that Europol will be the central point where cybercrime incidents can be reported. Some countries already had their local centers for this purpose, such as for example eCops (a great initiative of the Belgian Federal Computer Crime Unit), but now Europol will be helping in cybercrime cases that cross country borders.

The full report of the Council's conclusions can be found here.

Srizbi reborn

Srizbi is one of the largest botnets in the world, and is the very same one that was responsible for all the spam sent via McColo recently. As we've all read all over the Internet, the botnet revived and now operates from Estonia. Nothing new there. What is interesting though, is that FireEye Malware Intelligence Lab made a very nice writeup of the inner workings of the botnet in general, along with a quite detailed analysis of the mechanism that caused Srizbi to be available again to its bot herder.

Earlier this month, FireEye also explained how to find out if your PC is part of the Srizbi botnet, and what to do about it if it is.

Secunia Personal Software Inspector released


Yesterday Secunia released the final version of their Personal Software Inspector (PSI) application. PSI is an application that can monitor your installed programs, and inform you if new security patches are available for those programs. It even goes further than that, as it will also show the Secunia Security Advisory related to the vulnerabilities that can be patched, and even a link to the location where the patch can be downloaded.

I haven't tested it myself yet, but looking at the FAQ and screenshots it appears to be very efficient and easy to use. Definitely worth a try.

Julie Amero forensic analysis report

Alex Eckelberry, CEO of Sunbelt Software, released a technical review he and various other forensic experts wrote with regards to the Julie Amero case. I've read the report, and it blew my mind how many potential mistakes were made both during the original forensic investigation and in the incorrect statements that were made during testimony, but above all the ignorance and incompetence of the so-called 'experts' in this case. I must admit, I don't have much field experience with digital forensics myself, but I couldn't believe some of the things I read. For example, 'forensic' images were made with Ghost, and a statement was made that adware or spyware is unable to generate pornographic popups. Oh, and my favorite: a 'red' link indicates that someone intentionally viewed a site. I think I need to go back to school...

Firefox 3 and Google Chrome forensics

Via the Grand Stream Dreams blog, I discovered 2 freeware (!) tools for Firefox 3 and Google Chrome forensics. Both tools analyse the browsers' SQLite databases, and extract all history data and bookmarks. The first, Firefox 3 Extractor, is a command line application, and the second, FoxAnalysis, has an easy to use point-and-click interface. Both can extract the data and present it either in CSV format or in a nice HTML report.

The Firefox 3 Extractor website also provides quite a lot of useful background information for those interested in the inner workings of the browsers, or who need to explain the correct working of the tool during testimony. For example, the website explains where to find the SQLite databases, how dates and times are decoded, and contains a schema diagram of the table relationships within the database.
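As an added example (not part of the original post, and not code from either tool), this Python snippet shows what such a history extractor does under the hood: it queries a constructed database with a reduced version of Firefox 3's moz_places / moz_historyvisits layout, joins visits to URLs, and decodes the two timestamp formats an examiner meets here, Firefox's PRTime and Chrome's WebKit time. The sample rows are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Firefox 3 (places.sqlite) stores visit_date as PRTime: microseconds
# since the Unix epoch, 1970-01-01 00:00:00 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Google Chrome (History) stores times as microseconds since
# 1601-01-01 00:00:00 UTC (the Windows FILETIME epoch); treating it as a
# Unix timestamp would put every visit 369 years in the future.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Firefox visit_type values for the two most common transitions.
VISIT_TYPES = {1: "link", 2: "typed"}


def firefox_time(prtime_us: int) -> datetime:
    return UNIX_EPOCH + timedelta(microseconds=prtime_us)


def chrome_time(webkit_us: int) -> datetime:
    return CHROME_EPOCH + timedelta(microseconds=webkit_us)


def build_sample_places_db() -> sqlite3.Connection:
    """Constructed sample mimicking a subset of Firefox 3's places.sqlite."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        (1, "http://example.com/", "Example Domain"),
        (2, "http://example.org/login", "Login"),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", [
        (1, 1, 1227535200000000, 1),  # 2008-11-24 14:00:00 UTC, followed link
        (2, 2, 1227538800000000, 2),  # 2008-11-24 15:00:00 UTC, typed URL
    ])
    return con


def extract_history(con: sqlite3.Connection) -> list:
    """Return (url, title, iso_utc_time, visit_type) tuples in visit order."""
    rows = con.execute("""
        SELECT p.url, p.title, v.visit_date, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(url, title, firefox_time(ts).isoformat(),
             VISIT_TYPES.get(vt, f"other({vt})")) for url, title, ts, vt in rows]
```

Writing the returned tuples out with the csv module gives the same CSV view the two tools produce.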

25C3 Preliminary schedule released

The Chaos Computer Club is organising the 25th edition of their Chaos Communication Congress, and announced a preliminary schedule today. Although there are quite some "been there, done that" topics such as Tor, smartcard security, etcetera, quite a few interesting talks are listed as well. The schedule appears far from complete, but at the moment my personal favorites are:

Building an international movement: hackerspaces.org
Terrorist All-Stars
Locating Mobile Phones using SS7
Short Attention Span Security
Banking Malware 101
Tricks: makes you smile
Soviet Unterzoegersdorf
Running your own GSM network
Hacking into Botnets
Cisco IOS attack and defense

Electronic alibi: a metro ticket

Two brothers, Jason and Corey Jones, the prime suspects in a murder case, were released on bail thanks to a metro ticket. Based on its serial number, a New York MetroCard's history can be digitally traced, providing the times and locations at which it was used. The Jones brothers' lawyers had this recovery initiated by the New York City Transit, and were able to prove that on the night of the murder the brothers could not have been anywhere near the scene.

Source: New York Times

Microsoft Morro, anti-virus or honeynet?

The Forefront team, the team responsible for Microsoft's security products for businesses, is happy with the coming of Morro, the new and free anti-virus for Microsoft Windows that will be released next year. The reason is that they think it will have a positive impact on Microsoft's business products as it "will allow Microsoft to capture even more threat intelligence from customers as more people use the free anti-malware solution" and that they can use this information in their "security research and the development of signatures and protection capabilities in Forefront".

Wait... did I read that correctly? Doesn't that sound like a free honeynet for Microsoft's own purposes?

Belgian streets go cyberspace

Fellow blogger Benny posted today about Google Streetview snapping pictures of our Belgian cities. This reminded me of the news I saw on TV yesterday, where it was announced that a car would be driving around all streets in Belgium to take pictures, in order to get a view of everything and to map dangerous crossroads and the like. While Google is facing a problem with privacy complaints, I hear no one complaining about yesterday's news item...

I'm trying to think if the organisation making the pictures was the government, or the institute for safety on the roads, but can't remember exactly.

Update: Benny informed me that the Flemish government is responsible for this project. I read the information a bit more carefully, and apparently the intention is to map all traffic signs. However, the article does mention that not only traffic signs will be photographed but also streets. So the impact on privacy is a lot smaller than the Google Streetview project, but still...

Memory forensics

Rob Lee, known from Mandiant and SANS, has written an excellent article on memory forensic acquisition and analysis. For all you old-skool forensic investigators out there, he has an important message: stop pulling the plug!

A lot of valuable information will be lost if memory is not analysed, such as hidden processes, active network connections, currently logged on users, etcetera. Not to forget, a memory image can be searched for strings that might be useful later in the investigation as they might be passwords, for example.

Let me google that for you

Found this awesome website today (via Joel Esler's blog) that, as the makers describe it, is made "for all those people that find it more convenient to bother you with their question rather than google it for themselves".

The "Let me google that for you" website lets you enter a Google search term, and generates a link to send to the person asking you questions. It will show them an animation of someone entering that search term in Google, and end with the hilarious question "was that so hard?" before pointing the user to the actual Google search results.

Try it!

Hacking at Random 2009

It's finally official: HAR2009 will be held August 13-16 in Vierhouten. The call for papers is expected early December, around the same time the ticket shop will be opened.

For those that don't know what it is all about, the wiki describes it very well: Four days of techno-anarchism, ideological debates, hands-on tinkering and lots of fun.

Mark your calendars!

Trojan defense

Yet again someone in possession of CP is pulling out the Trojan defense trick. Ex-lawyer Kevin Plachta 'thinks' he accidentally downloaded a virus, which in turn must have downloaded the CP onto his computer.

The first thing that springs to mind when reading stories like this one, is that people who do not properly secure their personal computers should also accept the consequences. I would look at this in a way similar to a law we have in Belgium, where a car owner can be fined for not locking his car because this makes it too easy for the bad guys to do their thing.

Of course, if anti-malware software is present (and up-to-date!) the Trojan defense could still be a valid one, but if this is not the case at least people can be held accountable.

Source: Security.nl

Free copy of ZoneAlarm Pro

ZoneAlarm is celebrating its 15th anniversary, and therefore offers anyone who wants it a free 1-year license to ZoneAlarm Pro. The offer starts today at 15:00 and lasts for only 24 hours!

The difference with the already free ZoneAlarm firewall is that the Pro version also includes 0-day attack prevention, anti-spyware, identity protection and wireless protection.

Interested? Register here.

Hack.Lu 2008 CTF

A bunch of us Telindus people participated in the capture the flag contest at Hack.Lu. After a long night, we managed to hold first place for a while on Friday morning, but by the end of the day we were fourth. Not bad, given the participation of some known pentesting teams such as RedTeam!

The coolest jobs in Information Security

The SANS Institute conducted a survey to find out which are the most interesting jobs in infosec. The complete results will be published later this year, but gcn.com managed to get a sneak peek. The participants in the survey were split into two categories: government employees and non-government (commercial) people.

First, the opinion of government security employees:

1. Information security crime investigator/forensics expert
2. System, network and/or Web penetration tester
3. Forensics analyst
4 (tie). Incident response, incident handler
4 (tie). Security architect
6. Vulnerability researcher
7 (tie). Network security engineer
7 (tie). Security analyst
7 (tie). Sworn law enforcement officer specializing in information security crime
10 (tie). CISO/ISO or director of security
10 (tie). Application penetration tester

The opinions of non-government employees were slightly different, yet still quite similar to those of government people.

1 (tie). System, network and/or Web penetration tester
1 (tie). Information security crime investigator/forensics expert
3. Forensics analyst
4. Vulnerability researcher
5. Application penetration tester
6. Security architect
7. CISO/ISO or director of security
8 (tie). Incident response, incident handler
8 (tie). Sworn law enforcement officer specializing in information security crime
10. Security evangelist

Even though the difference between government and non-government (with regards to infosec jobs) is small, the slight differences still make me wonder if I'm on the right side of the line...
