December 2008 Archives

The rise of the printers

Yesterday, Andrew Hay blogged about one of his printers generating really strange traffic: it was scanning the firewall and was trying to get to metasploit.com!

This reminded me of a similar case I had with one of our customers. A small write-up...
The customer could no longer send any emails. They discovered that their mailserver was blacklisted for sending SPAM, and called in our help.

We checked the mailserver, and there were indeed lots of emails going out. We searched further, and found 3 hosts that were sending excessive traffic to the mailserver: 3 HP multifunctional printers in 2 different physical locations in different subnets. We blocked access from the printers to their mailserver on the firewall in between, they were removed from the blacklist, and their email problem was resolved.

But now we were still stuck with the massive amount of traffic the printers were sending towards the firewall, trying to reach the mailserver. We configured the printers so they could not send emails anymore, but this was not a permanent solution as they still wanted to be able to scan documents and have them delivered to their inboxes. We got in touch with HP Support, and they claimed that it is impossible for the printers to initiate traffic on their own, and that there should be another host somewhere on the network that instructs the printers to send said traffic.

Again, we went sniffing the network trying to find a host that was steering the printers, but alas nothing was found but 'normal' print jobs. Hearing this, HP still didn't seem to believe what was happening, and suggested that we re-flash the printers and wipe the hard disks, which we did. But again, once connected back to the network with the email service enabled, the strange traffic reappeared.

We decided to take one of the printers off the network and connect it directly to a laptop. Sniffing on the laptop, we noticed that the printer immediately began ARPing for an address that was completely unrelated to this customer and turned out to be located overseas. Searching further, the address belonged to a known spammer.

With this information, HP finally believed something was seriously wrong with the printers, and began investigating... and as far as I know today, after 3 months, they still are (yeah right), 'cause I never heard back from them since. And how 3 printers in 2 locations and different subnets all started this behavior at the exact same time... beats me!
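The tell-tale sign in this case was a device ARPing directly for an address that is not on its own subnet. As an added example (not from the original post), here is a small Python check that decodes raw Ethernet/IPv4 ARP packets and flags requests whose target lies outside the local network; the subnet, MAC and IP addresses are constructed for the example, since the post does not give the customer's addressing.

```python
import ipaddress
import struct

# Local subnet of the device under observation (constructed for this example).
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")

ARP_FORMAT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4 (28 bytes)
ARP_REQUEST = 1

def parse_arp(packet: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP packet into its fields."""
    if len(packet) < struct.calcsize(ARP_FORMAT):
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": oper,
        "sender_mac": sha.hex(":"),
        "sender_ip": ipaddress.ip_address(spa),
        "target_ip": ipaddress.ip_address(tpa),
    }

def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed ARP request, used here as sample input."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, ARP_REQUEST,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       ipaddress.ip_address(sender_ip).packed,
                       b"\x00" * 6,
                       ipaddress.ip_address(target_ip).packed)

def off_subnet_arp_requests(packets, local_net=LOCAL_NET):
    """Return (sender_mac, sender_ip, target_ip) for every ARP request whose
    target is not on the local subnet. A normally configured host resolves
    remote addresses via its gateway, so ARPing for a remote IP directly is
    worth a closer look, as it was with the printer in the post."""
    findings = []
    for pkt in packets:
        arp = parse_arp(pkt)
        if arp["op"] == ARP_REQUEST and arp["target_ip"] not in local_net:
            findings.append((arp["sender_mac"], str(arp["sender_ip"]), str(arp["target_ip"])))
    return findings

# Constructed capture: one request for the local gateway, one for a remote address.
SAMPLE = [
    build_arp_request("00:11:22:33:44:55", "192.168.10.20", "192.168.10.1"),
    build_arp_request("00:11:22:33:44:55", "192.168.10.20", "203.0.113.45"),
]

if __name__ == "__main__":
    for hit in off_subnet_arp_requests(SAMPLE):
        print("off-subnet ARP request:", hit)
```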

ICMP ports

Someone asked me yesterday why Juniper NSM shows ports for ICMP traffic (mostly destination 'port' 512), while ICMP is a portless protocol. Good question!

Did some Googling today, and it looks like this isn't really NSM related but generally a method of matching ICMP sessions. The 'source port' is actually the ICMP sequence number, while the 'destination port' is the ICMP identifier.

Googling a bit further, I found you can even identify which operating system sent the ICMP traffic. If the ICMP identifier is 256, 512 or 768, the querying machine has a Microsoft operating system:

Microsoft Windows NT - 256
Microsoft Windows 98/98SE - 512
Microsoft Windows 2000 - 512
Microsoft Windows ME - 768
Microsoft Windows 2000 Family with SP1 - 768
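As an added illustration (not from the original post) of how those two header fields end up as NSM's pseudo-ports, here is a small Python parser that decodes an ICMP echo header, checks the RFC 1071 checksum, and applies the identifier hints listed above. The sample packet is constructed inside the block; the remark that 256/512/768 are simply 1, 2 and 3 in little-endian byte order is my own note, not the post's.

```python
import struct

# Identifier values the post lists as Windows fingerprints. They are 1, 2 and 3
# in little-endian byte order, which is why they appear as 256/512/768 on the
# wire. Any tool can choose its own identifier, so treat this as a hint only.
WINDOWS_ID_HINTS = {
    256: "Microsoft Windows NT",
    512: "Microsoft Windows 98/98SE or Windows 2000",
    768: "Microsoft Windows ME or Windows 2000 with SP1",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Constructed ICMP echo request (type 8), used here as sample input."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, sequence)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, checksum, identifier, sequence) + payload

def parse_icmp_echo(packet: bytes) -> dict:
    """Decode an echo request/reply header and show how a session table
    such as NSM's presents the two 16-bit fields as pseudo-ports."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; packet too short")
    icmp_type, code, checksum, identifier, sequence = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8):
        raise ValueError("not an echo message (type %d)" % icmp_type)
    return {
        "type": icmp_type,
        "code": code,
        # a valid message checksums to zero when the checksum field is included
        "checksum_ok": icmp_checksum(packet) == 0,
        "identifier": identifier,
        "sequence": sequence,
        # NSM 'source port' = sequence number, 'destination port' = identifier
        "nsm_src_port": sequence,
        "nsm_dst_port": identifier,
        "os_hint": WINDOWS_ID_HINTS.get(identifier, "not one of the listed Windows values"),
    }

if __name__ == "__main__":
    sample = build_echo_request(512, 7, b"abcdefghijklmnop")
    print(parse_icmp_echo(sample))
```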

New forensic analysis tool

The Russian National Hi-Tech Crime Unit recently created a nifty little program called 'Forensic Assistant' or '0xFA' that was designed to easily locate and analyse artifacts scattered around the system, such as various types of IM conversations, index.dat, .lnk, .pf and registry files, etcetera.

A guide to understanding flow charts

Source: XKCD

F-Secure Exploit Shield

Today a beta was released of a new F-Secure application, created by their Vulnerability Response team: Exploit Shield. According to the accompanying blog entry, Exploit Shield will protect both reactively and proactively against malicious activity and 0-day exploits. I'd compare it with a freeware anti-virus that doesn't use signatures but behavioral analysis.

Note that the application reports this activity back to F-Secure, allowing them to investigate quicker and respond more effectively to keep the bad boys out. The way it's set up somewhat reminds me of my earlier article about Microsoft Morro, where I played with the idea that this seems like a large free honeynet for the vendor. It's not necessarily a bad thing, just something you need to be aware of.

Many good ideas like this one seem to be popping up lately. For home (Windows) users, I'd go for a combination of F-Secure Exploit Shield, Microsoft Morro, Secunia Personal Software Inspector, Avast Anti-Virus and probably add some sort of firewall in the mix. That's a lot of software to manage, but I guess there's always a price to pay for security, even if it's free.

Network forensics with NetworkMiner

Via the Irongeek website I found NetworkMiner today. In a way, it does not seem as advanced as Xplico and ClearSight Analyzer, but it may be sufficient for what you use it for, and thus a very good idea to have in your toolkit anyway. Whereas Xplico is a freeware *nix application and ClearSight Analyzer is a commercial Windows program, NetworkMiner is a freeware Windows application. In my opinion it is usually a good idea to have a mix of commercial and freeware software, and both *nix and Windows platforms to use them on.

Update: Coincidentally while I was writing this article, an anonymous reader pointed me to a post on the When Puffy Meets RedDevil blog about the very same subject. Thanks for the heads up!

Update 2: Russ McRee from HolisticInfoSec.org was kind enough to drop me an email with some more information on NetworkMiner, including a link to an article he wrote about the application. It is a really nice rundown of NetworkMiner, and set me to think that I should play around some more with it. I'm beginning to get the impression that I seriously underestimated its possibilities, which I failed to see behind the minimalistic looking GUI.

EnCase memory acquisition not forensically sound

It may not be a good idea at the moment to use EnCase Enterprise or WinEn for physical memory acquisitions. Several users discovered that "critical sections of physical memory are being overwritten when a physical memory sample is acquired on certain hardware configurations."

Volatile Systems reported that Guidance Software is aware of the issue, and is investigating. However, at this time there is no fix available yet and it is recommended that other memory acquisition tools are used instead. Such as Volatility, of course :)

Behind every avatar is a real person

One of the papers I wrote back in school discusses the security issues and considerations that should be kept in mind when playing online games, as I was (and still am) fascinated by the millions of people playing a game together without actually knowing each other. I looked at the subject from a security point of view; namely how secure the software is and what the possibilities of attack and abuse are. Now, Susan Brenner announced the publication of her article 'Fantasy Crime' in the Vanderbilt Journal of Entertainment and Technology Law's Fall 2008 issue (Vol. 11 No. 1). The article will "analyse activities in virtual worlds that would constitute crime if they were committed in the real world." Having read the draft (available here), I think it very nicely complements the paper I wrote, as Ms. Brenner's article looks at things from a judicial point of view.

Ignorance is bliss

I came across this article a few days ago. It tells the story of a school teacher who contacted Ken Starks from HeliOS Solutions (brilliant project, by the way) to accuse him of spreading misconceptions with regards to Linux.

After almost falling off my chair laughing about the ignorance this teacher showed in some of her statements ("No software is free and spreading that misconception is harmful" or "if you contacted Microsoft, they would be more than happy to supply you with copies of an older version of Windows"), I began to realise a bit more how big the challenge is to make the rest of the world aware that there is life beyond Microsoft.

Anyway, because of this article I was curious about Ken Starks and the HeliOS project. Not realising how evil Linux really is (:p) I Googled Ken's name and the first hit that came up was an interview with him on Linux.com. Browsing to the interview, I found myself greeted by our proxy with the following message:

"The URL you requested ("http://www.linux.com/") is categorised as "Illegal or Questionable", and therefore denied during business hours. Please note that this site will be available outside business hours."

Should I laugh or start crying?

New release of the OWASP Testing Guide

OWASP has released version 3 of their testing guide, creating a "best practices" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes how to find certain issues.

More info about the testing project can be found here, and the guide can be downloaded here.

Nigerian Defense

Whenever a new story appears on Susan Brenner's CYB3RCRIM3 blog I'm anxious to take a 5-minute break from work and read it. Today was no different, as she wrote the first story I've ever read about what could be called the Nigerian Defense. It presents the case of Mr. J. Kelly, charged by the state of Alaska for presenting counterfeit checks to a bank. His defense was that he was 'not very smart' and was the victim of a scam.

InfoSec lesson by Dilbert


Locking your PC is not the only solution to prevent unauthorised access to your PC in the workplace.

Source: Dilbert

Ed Skoudis is continuing his good tradition of writing Christmas-themed hacker challenges. This year, you are called to the rescue of Kris Kringle so he can escape from the dungeon and save Sombertown from the Burgermeisters in the exciting story "Santa Claus is Hacking to Town".

Throwing out the government with the hard disk?

Belgian Minister of Administrative Simplification and ICT Van Quickenborne is renewing the ambitious plan to provide people in lower income scales with a PC and Internet connectivity. Although this is a great idea, the way he wants to do this frightens me a bit, as he wants to use old government PCs and distribute these for the project. This is actually still a great idea, but did anyone think of the possible consequences? After all, a simple format of the hard disk is not exactly enough to ensure that potentially confidential data cannot be recovered by yours truly.

A very nice read on this topic is a paper by Craig Valli, Throwing out the Enterprise with the Hard Disk, and its follow-up paper (co-authored with Andrew Woodward) Oops They Did it Again: Results of the 2007 Australian Remnant Hard Disk Study.

Source: ZDNet

Network forensics beyond Wireshark

A couple of weeks ago, I attended a demo session by ClearSight Networks about their ClearSight Analyzer. It did seem like quite an interesting product for performing network forensics, as it provides a different view on network traffic as opposed to plain old Wireshark.

A few days later, I came across a freeware (under GPL) alternative: Xplico. Looking at the screenshots it seems to include many of the functionalities that ClearSight Analyzer offers, such as reconstruction of emails, VoIP calls and web pages.

Xplico is included in the DEFT Linux Computer Forensics Live CD, or can be downloaded here.
