January 2009 Archives

The BOFH is back

Even though I aspire to be a digital forensics examiner, I couldn't help but chuckle when I read the first episode this year of The Register's BOFH. This episode tells the story where Simon threatens the Boss that he and his colleague will forge emails and use several anti-forensics techniques if the Boss doesn't agree to drop his allegations against the infamous duo.

BruCON Security Conference

A colleague pointed me to a new security conference named Brucon that will be held on 18-19 September in Brussels (Belgium) this year. There's not an awful lot of information available yet, but it seems like the organisers are ambitious and have rather big plans for a first edition. Although I am hesitant, I'm curious whether it will be a success and will try to attend at least on the 19th.

Brucon aims to become the best and most fun hacking and security event in Belgium and Western Europe, offering a high-quality line-up of speakers, opportunities for networking with peers, hacking challenges and workshops. Brucon is an open-minded gathering of people discussing computer security, privacy, information technology and its cultural/technical implications for society. The conference builds bridges between the various actors in the computer security world, including but not limited to hackers, security professionals, security communities, non-profit organisations, CERTs, students and law enforcement agencies.

Topics of interest include, but are not limited to :
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Web Application and Web Services Security
* Lockpicking & physical security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Hardware hacking, embedded systems and other electronic devices
* Mobile devices exploitation, Symbian, P2K and bluetooth technologies
* Electronic Voting
* Free Software and Security
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Security in Information Retrieval
* Network security
* Security aspects in SCADA, industrial environments and "obscure" networks
* Forensics and Anti-Forensics
* Mobile communications security and vulnerabilities
* Information warfare and industrial espionage

Learn how to hire and employ a geek

Ax0n wrote an open letter from geeks to IT recruiters last week, and I couldn't agree more with the statements he makes. He split it into two parts: how to get geeks to come and work for you, and how to keep them once they've signed the contract.

To get a geek on board, Ax0n has these recommendations:
- Have all screening and profile "paperwork" in one comprehensive online wizard or form
- Only ask for information you need to make a hiring decision
- Don't grill us on our resume and work history
- Instead of asking about skills that qualify them for the position, ask about their interest in the kind of work they think they'll be doing

Once hired, try to keep your geek happy:
- Try to measure productivity in output, not in hours
- Assign tasks to the geeks who are most interested in them, not the ones with the most experience
- Segregate the corporate, compensatory hierarchy from the leadership hierarchy

For more detailed guidelines, read the post over at HiR.

Mac OS X Forensics

The Liquidmatrix Security Digest blog led me to a new website today named Mac OS X Forensics. It contains lots of information on various OS X technologies and the HFS+ filesystem, and tons of tips and tricks for setting up your own Mac forensics workstation and performing analysis.

Malware hash registry

About a month ago, Team Cymru came up with an excellent idea: they started a look-up service that matches MD5 or SHA-1 hashes against known malware. They implemented it so that the lookups are done over Whois or DNS, which is what makes it so brilliant in my opinion.

Check out their website for more information!
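
Added example of how such a DNS-based hash lookup fits into a file-checking routine. This is my own code, not Team Cymru's and not from the post: the post names the service but not its query format, so the zone name (malware.hash.cymru.com), the TXT-record query and the "last seen, detection percentage" answer layout below come from the service's public documentation as I know it. Nothing in the block touches the network; the resolver is a constructed lookup table standing in for real DNS answers, and the sample blob is constructed too.

```python
"""Check a file's hash against Team Cymru's Malware Hash Registry (MHR) over DNS.

Added example, not from the original post.  The post names the service but not its
query format; the zone and answer layout here are from the service's public
documentation as I know it, not from the post: a TXT query for
<md5-or-sha1>.malware.hash.cymru.com returns "<last-seen unix time> <detection %>"
for a known sample and NXDOMAIN (no answer) otherwise.  Nothing here touches the
network: the resolver is a constructed table standing in for real DNS answers.
"""
import hashlib
from datetime import datetime, timezone
from typing import Callable, Dict, Optional, Tuple

MHR_ZONE = "malware.hash.cymru.com"
Resolver = Callable[[str], Optional[str]]  # DNS name -> TXT string, or None for NXDOMAIN


def file_hashes(data: bytes) -> Tuple[str, str]:
    """MD5 and SHA-1 hex digests, the two hash types the registry accepts."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def mhr_query_name(hexdigest: str) -> str:
    """DNS name to query with a TXT lookup; rejects anything that is not an MD5/SHA-1 hex digest."""
    h = hexdigest.strip().lower()
    if len(h) not in (32, 40) or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a 32-char (MD5) or 40-char (SHA-1) hex digest")
    return f"{h}.{MHR_ZONE}"


def parse_mhr_txt(txt: Optional[str]) -> Optional[dict]:
    """Turn a TXT answer into {last_seen, detection_pct}; None means the hash is not in the registry."""
    if txt is None:
        return None
    fields = txt.strip().strip('"').split()
    if len(fields) != 2 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    last_seen = datetime.fromtimestamp(int(fields[0]), tz=timezone.utc)
    return {"last_seen": last_seen.isoformat(), "detection_pct": int(fields[1])}


def lookup(data: bytes, resolve: Resolver) -> Optional[dict]:
    """Hash the file, query the MD5 name first and fall back to SHA-1 (either may be listed)."""
    for digest in file_hashes(data):
        answer = parse_mhr_txt(resolve(mhr_query_name(digest)))
        if answer is not None:
            return answer
    return None


# Constructed sample: a fake "malware" blob and the TXT answer a resolver would return for its MD5.
SAMPLE_MALWARE = b"constructed sample bytes, not real malware"
SAMPLE_MD5, _ = file_hashes(SAMPLE_MALWARE)
SAMPLE_ANSWERS: Dict[str, str] = {mhr_query_name(SAMPLE_MD5): "1231200000 79"}


def offline_resolver(name: str) -> Optional[str]:
    """Stand-in for DNS: returns the constructed TXT answer or None (NXDOMAIN)."""
    return SAMPLE_ANSWERS.get(name)
```

To run it against the real service you would pass a resolver that does a TXT query with any DNS library (the equivalent at the shell, as documented by the service, is `dig +short <md5>.malware.hash.cymru.com TXT`). A missing answer means the hash is unknown to the registry, not that the file is clean, which is why the return value distinguishes None from a hit with a low detection percentage.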

Mac anti-virus

A lot of discussion has been going on for a while already as to whether or not Mac users need anti-virus software on their systems. Even though the general answer may be 'no', I would say: if it adds protection and doesn't decrease usability too drastically, why not use it!

It looks like PC Tools shares that opinion, and they came out with a free anti-virus for Mac users: iAntiVirus. It currently protects against about 90 viruses, and claims to be resource-friendly.

The great wiping controversy

Dr. Craig Wright published a paper called “Overwriting Hard Drive Data: The Great Wiping Controversy” in December 2008. It addresses the long-running controversy around wiping hard disks. Received wisdom was that a wipe must consist of multiple passes to ensure that data is unrecoverable. However, Craig researched the subject and came to the conclusion that 1 pass is sufficient, and broke the myth. Thank you for saving us a lot of time, Craig!

A summary of the paper can be found here, and the full paper was published in the Springer Verlag Lecture Notes in Computer Science (LNCS) series.

Remote computer searches

As of this year, senior police officers in Britain are allowed to do remote computer searches without the need for a search warrant. Although the rules to abide by are quite strict, I'm not sure I can agree with this initiative. On the one hand I'd say yes, sure, if you can prevent a serious crime with it, why not... but on the other hand, what about privacy, and where does one draw the line between what is a reasonable cause for such a search and what is not? I do understand that this will make life easier for police officers, and they might get results quicker, but I still tend to agree with the statement of the court in a case described by Susan Brenner, namely that a search warrant is required, or else it is considered trespassing:

The plaintiffs in those cases sued English law enforcement officers, claiming the officers had committed trespass by breaking into their homes and searching them. To what I suspect was the government’s surprise, the plaintiffs won. The courts held that it is a trespass for a law enforcement officer to do this, just as it would be an actionable trespass if you or I were to do it. The courts also held, though, that an officer was protected from liability if he committed the breaking into and searching under the authority of a court-issued warrant, a search warrant. So the search warrant gave the officer a complete defense to a suit for trespass.

Downadup t-shirts

Greg, my partner, came up with a fun quote to print on a t-shirt today. Thought it was so funny I had to share it:

I am a proud member of the Downadup network.
Waiting for instructions.

Installing Windows XP on SDHC

Software used:
- nLite
- Hitachi Microdrive Filters
- Windows XP Embedded Feature Pack
- WinRAR or WinZIP
- Any Linux Live CD

Hardware used:
- blank CD
- external USB CD/DVD reader
- SanDisk 4GB SDHC card
- eeePC 901

1. Use nLite to slim down your Windows XP installation. I removed all components as listed in this wiki entry, and it installed fine for me.


2. Install Windows XP on the internal 4GB SSD of your eeePC 901 using your new Windows CD


3. Install the eeePC drivers from the recovery CD you received with your eeePC. Also insert the SDHC card to which you are going to install Windows, so that Windows can install the SD drivers


4. Install the Hitachi Microdrive Filters as follows:
4.1 Go to the Windows registry
4.2 Navigate to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_USB2.0&Prod_CardReader_SD0&Rev_0100. In that directory, open the directory that consists of just numbers
4.3 In the right pane, locate the "Hardware ID" key. Open it, and copy the first line of text
4.4 Close the registry
4.5 Extract the Hitachi Microdrive Filters zip file
4.6 Open cfadisk.inf
4.7 Locate the [cfadisk_device] section, which consists of the following 11 lines:
%Microdrive_devdesc% = cfadisk_install,IDE\DiskIBM-DSCM-11000__________________________SC2IC801
%Microdrive_devdesc% = cfadisk_install,IDE\DiskIBM-DSCM-11000__________________________SC2IC815
%Microdrive_devdesc% = cfadisk_install,IDE\DiskIBM-DSCM-11000__________________________SC2IC915
%Microdrive_devdesc% = cfadisk_install,IDE\DiskIBM-DSCM-10512__________________________SC1IC801
%Microdrive_devdesc% = cfadisk_install,IDE\DiskIBM-DSCM-10512__________________________SC1IC815
%Microdrive_devdesc% = cfadisk_install,IDE\DiskIBM-DSCM-10512__________________________SC1IC915
%Microdrive_devdesc% = cfadisk_install,IDE\DiskIBM-DMDM-10340__________________________MD2IC501
%Microdrive_devdesc% = cfadisk_install,IDE\DiskIBM-DMDM-10340__________________________MD2IC601
; debug on VMWare/special drive
; %Microdrive_devdesc% = cfadisk_install,IDE\DiskVMware_Virtual_IDE_Hard_Drive___________00000001
; %Microdrive_devdesc% = cfadisk_install,IDE\DiskIC25N040ATCS040________________________CA4OA71A

4.8 Delete all of the above-mentioned lines after the first occurrence of cfadisk_install, so your [cfadisk_device] section looks like this:
%Microdrive_devdesc% = cfadisk_install,

4.9 After the comma, paste the line of text you copied from your registry
4.10 Save the file
4.11 Go to your Device Manager, and locate your card reader
4.12 Right-click the card reader and select Update Driver
4.13 Point the driver installer to the cfadisk.inf file you just edited
4.14 Reboot your eeePC


5. Modify your USB drivers by editing the following files in C:\WINDOWS\inf:
5.1 In usb.inf, edit your [StandardHub.AddService] and [CommonClassParent.AddService] sections to look as follows:
[StandardHub.AddService]
DisplayName = %StandardHub.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbhub.sys
LoadOrderGroup = Boot Bus Extender

[CommonClassParent.AddService]
DisplayName = %GenericParent.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbccgp.sys
LoadOrderGroup = Boot Bus Extender

5.2 In usbport.inf, edit your [EHCI.AddService], [OHCI.AddService], [UHCI.AddService] and [ROOTHUB.AddService] sections to look as follows:
[EHCI.AddService]
DisplayName = %EHCIMP.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbehci.sys
LoadOrderGroup = Boot Bus Extender

[OHCI.AddService]
DisplayName = %OHCIMP.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbohci.sys
LoadOrderGroup = Boot Bus Extender

[UHCI.AddService]
DisplayName = %UHCIMP.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbuhci.sys
LoadOrderGroup = Boot Bus Extender

[ROOTHUB.AddService]
DisplayName = %ROOTHUB.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbhub.sys
LoadOrderGroup = Boot Bus Extender

5.3 In usbstor.inf, edit your [USBSTOR.AddService] section to look as follows:
[USBSTOR.AddService]
DisplayName = %USBSTOR.SvcDesc%
ServiceType = 1
StartType = 0
Tag = 3
ErrorControl = 1
ServiceBinary = %12%\USBSTOR.SYS
LoadOrderGroup = Boot Bus Extender
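
Steps 4.6-4.10 and 5.1-5.3 are hand edits of INF files, and a slip (a leftover model line, a section name misspelt, a StartType that is still 3 in one of the five sections) only shows up as a non-booting card after the clone. The following is an added example, my own Python and not code from the post or from the Hitachi filter package, that makes the same two edits programmatically so they can be checked before the files go back into C:\WINDOWS\inf: it rewrites [cfadisk_device] to a single line bound to the hardware ID copied in step 4.3, and forces StartType = 0 and LoadOrderGroup = Boot Bus Extender into each named [X.AddService] section, adding a directive where the section lacks it. It writes the comment next to StartType as SERVICE_BOOT_START, since 0 is the boot-start value (3 is demand start). The INF fragments and the hardware ID in the block are constructed, trimmed from the lines quoted above; the real ID comes from your registry.

```python
"""Edit the INF files from steps 4.7-4.9 and 5.1-5.3 in code rather than by hand.

Added example, not from the original post.  It assumes INF section headers sit on
their own line in [brackets] and that ';' starts a comment.  The INF fragments and
the hardware ID below are constructed; the real ID is the first line of the
HardwareID value copied from the registry in step 4.3.
"""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# StartType 0 is SERVICE_BOOT_START (3 would be SERVICE_DEMAND_START), so the
# comment is written to match the value instead of copying the old one.
BOOT_VALUES = {
    "starttype": "StartType = 0 ; SERVICE_BOOT_START",
    "loadordergroup": "LoadOrderGroup = Boot Bus Extender",
}


def edit_section(text: str, section: str, fn) -> str:
    """Return text with the body of [section] replaced by fn(body_lines); raise if absent."""
    out, body, current, hit = [], [], None, False
    for line in text.splitlines() + ["[__end__]"]:  # sentinel flushes the last section
        m = SECTION_RE.match(line)
        if not m:
            body.append(line)
            continue
        if current is not None and current.lower() == section.lower():
            hit = True
            body = fn(body)
        out.extend(body)
        body, current = [], m.group("name")
        if current != "__end__":
            out.append(line)
    if not hit:
        raise ValueError(f"[{section}] not found in INF")
    return "\n".join(out) + "\n"


def set_cfadisk_device(inf_text: str, hardware_id: str) -> str:
    """Steps 4.8/4.9: keep a single model line in [cfadisk_device], bound to hardware_id."""
    hardware_id = hardware_id.strip()
    if not hardware_id:
        raise ValueError("empty hardware ID; copy it from the registry first")
    new_line = f"%Microdrive_devdesc% = cfadisk_install,{hardware_id}"
    # Model lines and the VMware debug comments all go; blank separators are kept after it.
    return edit_section(inf_text, "cfadisk_device",
                        lambda lines: [new_line] + [l for l in lines if not l.strip()])


def _boot_start(lines):
    """Rewrite StartType/LoadOrderGroup in one AddService body, adding them if missing."""
    seen, out = set(), []
    for line in lines:
        key = line.split("=", 1)[0].strip().lower() if "=" in line else ""
        if key in BOOT_VALUES:
            line = BOOT_VALUES[key]
            seen.add(key)
        out.append(line)
    missing = [BOOT_VALUES[k] for k in BOOT_VALUES if k not in seen]
    n = len(out)
    while n and not out[n - 1].strip():  # insert ahead of trailing blank lines
        n -= 1
    return out[:n] + missing + out[n:]


def force_boot_start(inf_text: str, service_sections) -> str:
    """Step 5: make every named [X.AddService] section a boot-start driver in Boot Bus Extender."""
    for section in service_sections:
        inf_text = edit_section(inf_text, section, _boot_start)
    return inf_text


# Constructed samples, trimmed from the lines quoted in the post.
EXAMPLE_HARDWARE_ID = "USBSTOR\\DiskUSB2.0___CardReader_SD0__0100"  # placeholder, not a real ID
CFADISK_SAMPLE = """\
[cfadisk_device]
%Microdrive_devdesc% = cfadisk_install,IDE\\DiskIBM-DSCM-11000__________________________SC2IC801
%Microdrive_devdesc% = cfadisk_install,IDE\\DiskIBM-DSCM-10512__________________________SC1IC801
; debug on VMWare/special drive
; %Microdrive_devdesc% = cfadisk_install,IDE\\DiskVMware_Virtual_IDE_Hard_Drive___________00000001

[cfadisk_install]
CopyFiles = cfadisk.copyfiles
"""
USB_SAMPLE = """\
[StandardHub.AddService]
DisplayName = %StandardHub.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ServiceBinary = %12%\\usbhub.sys

[CommonClassParent.AddService]
DisplayName = %GenericParent.SvcDesc%
StartType = 3 ; SERVICE_DEMAND_START
ServiceBinary = %12%\\usbccgp.sys
"""
```

Run `force_boot_start` once per file with the section names from steps 5.1, 5.2 and 5.3; it raises instead of silently doing nothing when a section name is misspelt, which is the failure the manual edit hides. Keep a copy of the untouched INF files: they are what you restore if the card does not boot.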

6. Make some changes to the registry to make your changes to the drivers persistent
6.1 Open your Windows Registry
6.2 Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
6.3 Go to each of the subdirectories USBSTOR, usbehci, usbhub, usbuhci and usbohci, and change the key named "Start" to 0 for each of them
6.4 Reboot


7. Make sure the edited drivers are loaded
7.1 Go to your Device Manager
7.2 Delete all hardware under Universal Serial Bus controllers
7.3 If you use a USB mouse, switch to use the touchpad now
7.4 At the top, go to the Action menu and click Scan for Hardware Changes


8. Clone your new Windows installation to the SDHC card. The easiest way to do this is to boot your eeePC with a bootable Linux distribution and use dd (for me the command was "dd if=/dev/sda1 of=/dev/sdb1", but you might have to use different names than sda1 and sdb1)
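
The dd command in step 8 copies blindly: it will write the SSD partition onto a card partition that is too small, or over the wrong device if sda1 and sdb1 are mixed up, and it does not check that what landed on the card is what was read. The following is an added example, my own Python and not from the post or the linked forum threads, that does the same byte-for-byte copy but refuses a destination smaller than the source, refuses a destination that is the same device as the source, and reads the copy back to compare SHA-256 digests. The sample images are constructed in a temporary directory; on the eeePC you would run it as root from the live CD with the real device nodes in place of them.

```python
"""Clone a partition or image onto a card and verify the copy, as in step 8 (dd).

Added example, not from the original post or the linked sources.  Works on regular
files and, run as root, on block devices: both report their size by seeking to the
end, which stat() does not do for block devices.  The sample images are constructed
in a temporary directory.
"""
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads, like dd bs=4M


def _size(f) -> int:
    """Byte size of an open file or block device, found by seeking to the end."""
    f.seek(0, os.SEEK_END)
    n = f.tell()
    f.seek(0)
    return n


def clone_and_verify(src_path: str, dst_path: str) -> str:
    """Copy src onto dst byte for byte and return the SHA-256 hex digest of what was copied.

    Refuses to start if dst is src or is smaller than src, and fails if reading dst back
    does not reproduce the digest, so a card that silently drops writes is caught.
    """
    if os.path.realpath(src_path) == os.path.realpath(dst_path):
        raise ValueError("source and destination are the same device")
    with open(src_path, "rb") as src, open(dst_path, "r+b") as dst:
        src_len, dst_len = _size(src), _size(dst)
        if dst_len < src_len:
            raise ValueError(f"destination ({dst_len} B) is smaller than source ({src_len} B)")
        written = hashlib.sha256()
        while True:
            buf = src.read(CHUNK)
            if not buf:
                break
            written.update(buf)
            dst.write(buf)
        dst.flush()
        os.fsync(dst.fileno())
        # Read back exactly src_len bytes; anything beyond that on the card is not ours.
        dst.seek(0)
        readback, remaining = hashlib.sha256(), src_len
        while remaining:
            buf = dst.read(min(CHUNK, remaining))
            if not buf:
                raise ValueError("short read while verifying destination")
            readback.update(buf)
            remaining -= len(buf)
        if readback.digest() != written.digest():
            raise ValueError("verification failed: destination differs from source")
        return written.hexdigest()


def demo_clone() -> bool:
    """Constructed demo: a 3 MiB 'SSD partition' cloned onto a 4 MiB 'SDHC partition'."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "sda1.img"), os.path.join(d, "sdb1.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024))
        with open(dst, "wb") as f:
            f.truncate(4 * 1024 * 1024)
        digest = clone_and_verify(src, dst)
        with open(src, "rb") as f:
            return digest == hashlib.sha256(f.read()).hexdigest()


def demo_too_small() -> bool:
    """Constructed demo: a destination smaller than the source is refused before any write."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "big.img"), os.path.join(d, "small.img")
        with open(src, "wb") as f:
            f.write(b"\x5a" * 2048)
        with open(dst, "wb") as f:
            f.truncate(1024)
        try:
            clone_and_verify(src, dst)
        except ValueError:
            with open(dst, "rb") as f:
                return f.read() == b"\x00" * 1024  # still untouched
        return False
```

The size check catches a card partition smaller than the SSD partition, the identity check catches the two names being the same node, and the read-back compare catches a card that drops writes; none of them catches pointing the destination at the wrong, larger disk, so confirm the device names with `fdisk -l` before running either this or dd.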


9. Reboot your eeePC and boot into the Windows installation on your internal SSD drive


10. Make some last changes to the registry
10.1 Go to the Windows Registry
10.2 Go to HKEY_LOCAL_MACHINE
10.3 Click the File menu and choose Load Hive
10.4 Open Windows\System32\config\system from the Windows installation on your SDHC card (not your local drive!)
10.5 Give it an easy to recognise name
10.6 You will now have a new directory under HKEY_LOCAL_MACHINE with the name you just entered
10.7 Open the new directory, and open MountedDevices
10.8 Locate the DosDevices keys, and rename \DosDevices\C: to \DosDevices\X: and \DosDevices\D: to \DosDevices\C:
10.9 Select the directory you created earlier again
10.10 Click the File menu and choose Unload Hive


11. Replace the USB drivers on the SDHC with the Windows XP Embedded version of the drivers
11.1 Install WinRAR
11.2 Open the Windows XP Embedded Feature Pack .iso file with WinRAR
11.3 Extract the file XPEFP2007.exe
11.4 Open a new instance of WinRAR, and open XPEFP2007.exe with it
11.5 In WinRAR, go to the directory named 'Rep'
11.6 Extract the files usbhubb.sys and usbstorb.sys
11.7 Rename usbhubb.sys to usbhub.sys and usbstorb.sys to usbstor.sys
11.8 Copy both files to WINDOWS\system32\drivers on your SDHC card (not on your local drive!)
11.9 Give both files now on the SDHC card read-only permissions


12. Change the desktop background color so you can easily distinguish between your local Windows installation and your SDHC Windows installation, to make sure the correct one is booted.


13. Reboot, and boot into your SDHC Windows installation by pressing Esc during the eeePC's boot sequence


14. Cross your fingers, and hope that when Windows is booted you are greeted by the old desktop background color


15. Install Anti-virus, Windows Updates, ...

16. Install a decent Linux distribution on your internal SSD :D


This tutorial was created by combining various bits and pieces from the following locations, and tested twice (involuntarily ;)) for correctness:

http://wiki.eeeuser.com/howto:installxp
http://wiki.eeeuser.com/howto:nlitexp
http://forum.eeeuser.com/viewtopic.php?pid=378472#p378472
http://forum.eeeuser.com/viewtopic.php?id=11644
http://forums.ngine.de/viewtopic.php?t=1764
http://forums.ngine.de/viewtopic.php?p=8384#p8384
http://forums.ngine.de/viewtopic.php?f=4&t=2318&start=0

The Academy Home

I came across an email from Peter Giannoulis (The Academy) today, and it appears that he has had yet another brilliant idea: to assist family and friends who lack the skills to secure their own systems at home, they launched The Academy Home. The purpose of the site is to tackle the botnets and rampant malware that exist because of insecure home systems that have been compromised.

Spread the word, and make sure your local helpdesk users (i.e. mom, dad, auntie Alice and uncle Bob, ...) sign up for an account!

For your own reading and viewing pleasure, don't forget The Academy Pro exists as well.

25C3: the quotes

One of the reasons for not blogging lately was the time I spent in Berlin in and around the annual CCC congress. While they are still fresh in memory, let me start with the funniest quotes of the congress. Over the next few days I'll start writing short reviews of all the talks I attended. But for now, the quotes:

Vista users are not vulnerable... but they have other issues
- Luciano Bello, Predictable RNG in the vulnerable Debian OpenSSL package

It says 'network cable is unplugged'... oh there's a knot in the cable!
- Claus Cohnen, Life is a Holodeck

MS Office is used by everyone today... um... in large organisations
- Bruce Dang, Methods for Understanding Targeted Attacks with Office Documents. The poor guy had a rough time being a Microsoft employee presenting in front of an almost all *nix audience, as he sometimes had to carefully choose his wording. Nevertheless, he did an excellent job

So the Exch... Mail gateway
- Bruce Dang, Methods for Understanding Targeted Attacks with Office Documents

Mitigating attacks. Use Office 2007... I'm going to skip this slide
- Bruce Dang, Methods for Understanding Targeted Attacks with Office Documents

The vulnerability in SNMPv3 is of the category that when you are asked to please provide your password, you answer: well, I don't know the password, but how about I give you the first letter? And it lets you in...
- Dan Kaminsky or FX/Phenoelit talked about the SNMP bug, but I don't remember who made the joke

Please defragment now
- When the room was overcrowded, the heralds asked everyone to move to the right side to fill up all the open seats, so that people at the door could have a seat too. Someone made an allusion to a defragmentation routine, and several heralds began using it. Not sure who started it though

Guess who's back

The past few weeks I didn't get to blog at all for various reasons (holidays, sickness, ...), but I'm ready to get started again! So, here we go...

About me

  • I'm An Hilven