
Posts

Outsourcing strikes again!

Seriously, people, when are the decision makers going to get a clue and realize that outsourcing never saves money in the long term and typically leads to something like this? Source: "MSFT/Danger's Servers Were Sabotaged". After reading this story, how can you consider outsourcing your critical infrastructure? Just ask T-Mobile how this feels, if they even recover from the negative PR. Outsourcing never delivers what is promised; it's strictly for executives to enrich themselves in the short term, and it leaves someone else holding the bag when it hits the fan. The only time outsourcing makes sense is when it's for short-term, project-based activities; otherwise you're waiting on a potential time bomb. Also, why is everybody hating on Microsoft? Hitachi was the "expert" vendor in this fiasco performing the upgrade. They should have made damn sure they had a working backup copy prior to this major upgrade. What is it, amateur hour? Is that what platinum support buys you these days? ...

Black Hat USA 2008

So my first Black Hat is in the books. I thoroughly enjoyed it, got to learn quite a bit, and got some networking done as well. My only two complaints would be, first, that it was completely overcrowded on the 4th floor, which made getting to a session very difficult, and second, the classic conference paradox: a lot of the great topics with new material were presented by people with poor public presentation skills, whereas a lot of the great speakers presented either old stuff or no real useful content. That aside, it was a hoot. I started the week attending a Malware Analysis class by Mandiant, which was excellent. They basically crammed a 4-day course into 2 days, so it moved very quickly and had lots of content and labs. The teachers were extremely knowledgeable and were able to convey the material well. My only suggestion would be that they should have spent more time on OllyDbg, but with the labs I can do that on my own time. They did spend extensive time using IDA Pro, whic...

Book Review: Real Digital Forensics

In continuing my tradition of reviewing books that are 2 or 3 years old, I have recently finished reading Real Digital Forensics by Keith Jones, Richard Bejtlich, and Curtis Rose. Yeah, I hate paying full price for a new book, but mostly it's because I buy so many books that by the time I get around to actually reading them, it's been a few years. Now on to the review. With this group of experienced authors, it's hard to imagine the book not being a success. While not spectacular, this book is very solid and fairly easy to read. I would have to say that for someone looking to attend the SANS hacking and forensic courses, this book could easily fill the gap and save you thousands of dollars. One thing I really liked was that they did not waste time on any fluff chapters about the history of whatever; they just jumped right into the material. They also made it a point to show the differences between incident response on *nix vs. Windows. All the chapters that focused on analysis and...

Real Digital Forensics

Real Digital Forensics by Keith Jones, Richard Bejtlich, and Curtis Rose
1 - Windows Live Response
Never save data locally on the hard drive, as there is a chance you may be overwriting evidence.
Always use the -b option with md5sum to perform the hash in binary mode.
The -k option with cryptcat allows you to set the encryption password.
Volatile Data
* system date and time
* current network connections
* open TCP and UDP ports
* which executables are opening TCP and UDP ports
* cached NetBIOS name table
* users currently logged on
* internal routing table
* running processes
* running services
* scheduled jobs
* open files
* process memory dumps
To truly verify a system binary, you must compare hashes with a trusted source.
A common attack involves changing a server's routing table to redirect traffic and bypass firewalls.
FireDaemon turns any process into a service.
userdump.exe will capture the memory space used by any running process. userdump output cannot be ...

Another nail in the coffin for MD5

While collisions in MD5 hashes are nothing new, this most recent study by Wegner, Stevens, and Lenstra (article link) adds even more concern about the trustworthiness of an MD5 hash. If you can't trust a signed executable, what can you trust? I think nothing. Their technique, however, requires much premeditation. It's not as if you can create a collision on an existing executable. To be effective in a malicious way, it would require that you create two executables up front with the same hash. This is done by appending 832 bytes of useless data to the existing executables. As you can imagine, this would make it very easy for a criminal to create two versions of software, one with a backdoor, that have the exact same MD5 hash. Of course, it would be easy for them to get the good one signed and then create a download site with the malicious one. While this is somewhat sophisticated, I could definitely see this being utilized by the hack-for-money crews. It doesn't take much to get your s...

Windows Forensics and Incident Recovery

Windows Forensics and Incident Recovery Notes
Windows Event Log
- Clearing the Security Event Log generates event ID 517.
- Stealing info via USB drive may cause event ID 134: "Removable Storage Service". If logs have been cleared, check the HKEY_LOCAL_MACHINE\System\MountedDevices registry key. A right-click on these entries may show "RemoveableMedia".
- Logon events: http://support.microsoft.com/default.aspx?kbid=174073
- Logon types: http://support.microsoft.com/default.aspx?scid=kb;en-us;140714
- More security events: http://support.microsoft.com/kb/174074/
CMD Line History
- doskey /history or the RunMRU registry key
File Associations
- C:\>assoc will list out every association; C:\>assoc .exe ---> .exe=exefile
- ftype exefile ---> exefile="%1" %* ; shows what variables are used at runtime; matches the value in HKEY_CLASSES_ROOT\exefile\shell\open\command
- If this value has been modified by malware, use --> C:\>ftype exefile="%1" %* to change ba...

Book Review: PYWN

I had the pleasure of reading Protect Your Windows Network: From Perimeter to Data by Jesper Johansson and Steve Riley. Even though it lacks Vista coverage, having been written in 2005, it is still very relevant and useful to security professionals today. It's a book that I wish I had read sooner, as it's a very good primer to security in a Windows environment. It's the perfect companion to the Windows Security Resource Kit. The book's two authors are both seasoned security veterans, and their IT geek humor is enjoyed throughout the book. I found myself thinking, "Yeah, I've been there before" several times and laughing at the absurdity of the situations we are frequently presented with. Two notes of caution about this book before delving in. These guys were both Microsoft employees at the time of the writing, so yes, you will see some mild MS bias throughout, but they do a good job of reminding you of that in the text as well. I mean really, who recommends ISA Server over a FW...