<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;D0EDSHw6eCp7ImA9WxBSFk0.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166</id><updated>2009-12-23T17:01:19.210-05:00</updated><title>Devil's Advocate Security</title><subtitle type="html">&lt;center&gt;Devil's Advocate Security is a blog dedicated to even handed discussion of security topics, security news, and  observations from the front lines of the daily business of IT security.&lt;/center&gt;</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://devilsadvocatesecurity.blogspot.com/" /><link rel="hub" href="http://pubsubhubbub.appspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>313</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/DevilsAdvocateSecurity" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry 
gd:etag="W/&quot;DEMEQH47fip7ImA9WxBTGEQ.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7909844089793233939</id><published>2009-12-15T12:00:00.000-05:00</published><updated>2009-12-15T12:00:01.006-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-15T12:00:01.006-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="anti-forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="DECAF" /><category scheme="http://www.blogger.com/atom/ns#" term="COFFEE" /><title>Anti-Forensics Tools - DECAF to your COFFEE</title><content type="html">&lt;a href="http://www.forensicswiki.org/wiki/Anti-forensic_techniques"&gt;Anti-forensics&lt;/a&gt; tools meant to counter mainstream forensics packages aren't new, but &lt;a href="http://www.wired.com/threatlevel/2009/12/decaf-cofee/"&gt;DECAF&lt;/a&gt;, a response to Microsoft's COFFEE, a pre-packaged forensic toolkit, looks like an interesting entry into the field. Those worried by COFFEE's &lt;a href="http://www.wired.com/threatlevel/2008/04/microsoft-gives/"&gt;described capability&lt;/a&gt; to "decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer" appear to have at least one possible way to counter it.&lt;br /&gt;&lt;br /&gt;Fans of &lt;a href="http://www.imdb.com/title/tt0120609/"&gt;The Big Hit&lt;/a&gt; are likely wondering when the anti-anti-forensic device will be released...&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-7909844089793233939?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7909844089793233939/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7909844089793233939" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7909844089793233939?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7909844089793233939?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/ZyXrCuz6d8w/anti-forensics-tools-decaf-to-your.html" title="Anti-Forensics Tools - DECAF to your COFFEE" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/12/anti-forensics-tools-decaf-to-your.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0IGQX4-cSp7ImA9WxBTGE4.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7455567360784792619</id><published>2009-12-14T20:06:00.002-05:00</published><updated>2009-12-14T20:12:00.059-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-14T20:12:00.059-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="background checks" /><category scheme="http://www.blogger.com/atom/ns#" term="DHS" /><title>The Importance of Background Checks</title><content type="html">The Department 
of Homeland Security recently learned the importance of background checks the hard way, as a fugitive wanted on a national arrest warrant for insurance fraud was found to be working for a &lt;a href="http://www.boingboing.net/2009/12/14/fugitive-hides-from.html"&gt;DHS office&lt;/a&gt;. This serves as a great reminder that background checks are a really inexpensive way to vet staff working in potentially sensitive positions (or with access to sensitive data).&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-7455567360784792619?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7455567360784792619/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7455567360784792619" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7455567360784792619?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7455567360784792619?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/dSjzQnstoOc/importance-of-background-checks.html" title="The Importance of Background Checks" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/12/importance-of-background-checks.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CU8EQXg7eSp7ImA9WxNaGEQ.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7721530425636409887</id><published>2009-12-03T21:30:00.001-05:00</published><updated>2009-12-03T21:30:00.601-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-03T21:30:00.601-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="free security tools" /><category scheme="http://www.blogger.com/atom/ns#" term="security software" /><category scheme="http://www.blogger.com/atom/ns#" term="free antivirus" 
/><title>Free Security Software - A Checklist for Setting Up Your New PC</title><content type="html">The explosion of new, inexpensive PCs has resulted in a lot of systems that didn't come with pre-packaged software, or that simply came with a trial antivirus package. Is it possible to build a capable security suite for your new system without spending money?&lt;br /&gt;&lt;br /&gt;Yes!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Antivirus and Anti-Spyware&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Get a copy of AVG's &lt;a href="http://free.avg.com/"&gt;free product&lt;/a&gt;. It is relatively lightweight, runs well even on netbooks, and it receives &lt;a href="http://www.pcmag.com/article2/0,2817,1864594,00.asp"&gt;good&lt;/a&gt; reviews.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.microsoft.com/windows/products/winfamily/defender/default.mspx"&gt;Windows Defender&lt;/a&gt; is increasingly capable, and is a good second choice to install.&lt;br /&gt;&lt;br /&gt;I also continue to recommend &lt;a href="http://www.safer-networking.org/en/download/"&gt;SpyBot&lt;/a&gt; as a good general-purpose anti-spyware tool.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Virus Recovery and Malware Removal&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.malwarebytes.org/"&gt;MalwareBytes&lt;/a&gt; remains my default recommendation for those who need to recover from a virus infection.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Password Storage&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I continue to use &lt;a 
href="http://www.google.com/url?sa=t&amp;amp;source=web&amp;amp;ct=res&amp;amp;cd=1&amp;amp;ved=0CAoQFjAA&amp;amp;url=http%3A%2F%2Fpasswordsafe.sourceforge.net%2F&amp;amp;rct=j&amp;amp;q=password+safe&amp;amp;ei=E3IYS8i_AsyHnQe517nWAw&amp;amp;usg=AFQjCNGlVmVM-UZB7l7jD3B5x7y8TsZCEg"&gt;Password Safe&lt;/a&gt; for most of my password storage needs, but &lt;a href="https://lastpass.com/"&gt;LastPass&lt;/a&gt;'s online storage system is an excellent option as well. You can find my previous LastPass article &lt;a href="http://devilsadvocatesecurity.blogspot.com/2009/04/lastpass-answering-security-questions.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Browsers&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Start with &lt;a href="http://getfirefox.com/"&gt;Firefox&lt;/a&gt;, and if you're comfortable with it, add plugins such as &lt;a href="http://noscript.net/"&gt;NoScript&lt;/a&gt;. Firefox's autoupdate capability as well as the wide variety of &lt;a href="http://www.us-cert.gov/reading_room/securing_browser/#Mozilla_Firefox"&gt;security controls&lt;/a&gt; available make it a great choice as your default browser.&lt;br /&gt;&lt;br /&gt;With these free tools, you'll be well on your way to secure computing - for free!&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-7721530425636409887?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7721530425636409887/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7721530425636409887" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7721530425636409887?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7721530425636409887?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/DhMeQQOby6E/free-security-software-checklist-for.html" title="Free Security Software - A Checklist for Setting Up Your New PC" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/12/free-security-software-checklist-for.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0QHRn84fCp7ImA9WxNaFEg.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-3850794106773694276</id><published>2009-11-28T19:15:00.005-05:00</published><updated>2009-11-28T19:42:17.134-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-28T19:42:17.134-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="IPhone security" /><category scheme="http://www.blogger.com/atom/ns#" term="ikee" /><category scheme="http://www.blogger.com/atom/ns#" 
term="iPhone worm" /><title>The Speedy Evolution of iPhone Worms</title><content type="html">The popularity of iPhone worms targeted at jailbroken iPhones with the default SSH password that I &lt;a href="http://devilsadvocatesecurity.blogspot.com/2009/11/first-iphone-worm-in-wild-for.html"&gt;described&lt;/a&gt; recently continues to grow. The exploits have also become more threatening, moving from the Rickrolling ikee worm (whose creator was &lt;a href="http://dailycontributor.com/apple-iphone-worm-developer-hired-as-iphone-applications-developer/8956/"&gt;recently hired&lt;/a&gt; by an Australian iPhone software development firm, &lt;a href="mogeneration.com/"&gt;Mogeneration&lt;/a&gt;) to more damaging worms, including one that grabs your private data from the phone.&lt;br /&gt;&lt;br /&gt;In chronological order, the worms so far have:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Held iPhones hostage for 5 euros (November 2nd, &lt;a href="http://arstechnica.com/apple/news/2009/11/dutch-hacker-holds-jailbroken-iphones-hostage-for-5.ars"&gt;ihacked&lt;/a&gt;)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Rickrolled affected users (November 8th, &lt;a href="http://www.macobserver.com/tmo/article/ikee_worm_rickrolls_jailbroken_iphones/"&gt;ikee&lt;/a&gt;)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Stolen personal data such as contacts, email, SMS messages, photos, music, and other user data (November 10th, &lt;a href="http://blog.intego.com/2009/11/11/intego-security-memo-hacker-tool-copies-personal-info-from-iphones/"&gt;iPhone/Privacy.A&lt;/a&gt;)&lt;/li&gt;&lt;/ul&gt;Of note, Sophos provides a very nice &lt;a href="http://www.sophos.com/blogs/gc/g/2009/11/08/iphone-worm-discovered-wallpaper-rick-astley-photo/"&gt;writeup and commentary&lt;/a&gt; on ikee.&lt;br /&gt;&lt;br /&gt;Of course, as &lt;a href="http://theappleblog.com/2009/11/12/ikee-iphone-worm-progeny-not-so-harmless/"&gt;theappleblog&lt;/a&gt; notes, this threat could be much worse in future generations, as the techniques are quickly 
refined and as more iPhone-aware coders take advantage of the platform. Right now, a lot of the techniques used by Windows worms haven't shown up - the self-replication capabilities are rudimentary, if present at all, and the concealment methods are based largely on file location alone.&lt;br /&gt;&lt;br /&gt;The good news continues to be that the worms only go after phones with the default jailbroken SSH password, and that changing that password on a jailbroken phone will prevent the exploit. The bad news is that malware writers are likely now building toolkits that will easily integrate with the next iPhone exploit - and all that is really needed is an OS-level vulnerability that can be remotely exploited to make iPhones a treasure trove of data for successful attackers.&lt;br /&gt;&lt;br /&gt;The iPhone will continue to be an attractive target, both because of the desire of the user base to expand the phone's capabilities via jailbreak, and because of the user data and network access that a hacked iPhone can provide. I expect to see more concerted attacks on the iPhone's OS and applications over time, meaning that security and IT staff can expect to have new threats appearing on their networks - pocketable devices scanning for other devices and infecting each other may very well be our next big user-initiated threat vector.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-3850794106773694276?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/3850794106773694276/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=3850794106773694276" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3850794106773694276?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3850794106773694276?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/wPFw0lfXMdw/speedy-evolution-of-iphone-worms.html" title="The Speedy Evolution of iPhone Worms" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/11/speedy-evolution-of-iphone-worms.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUAARH4zcCp7ImA9WxNbFEo.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-2365230450817446265</id><published>2009-11-17T10:14:00.003-05:00</published><updated>2009-11-17T11:02:25.088-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-17T11:02:25.088-05:00</app:edited><title>NIST 800-53 v3 controls in database form - No Extra Charge!</title><content type="html">Have you ever been asked to implement standards for your organization - only to find out that they are buried within a gazillion page document 
with tables and appendices that you must pull actionable items out of? Top that off with your organization's risk scores, cross-referenced controls for the defined risk level...you get the picture. I think we all have, and we can agree that it isn't much fun. This morning, a colleague pointed me to a new release from our friends at NIST. Enter NIST SP 800-53 v3 in database format. From the readme:&lt;br /&gt;&lt;br /&gt;&lt;blockquote style="font-style: italic;"&gt;The NIST SP 800-53 reference database application is a FileMaker runtime database solution. It represents the security controls that are organized into families for ease of use in the control selection and specification process. The security control structure consists of three key components: a control section, a supplemental guidance section, and a control enhancements section. The priority and minimum assurance requirements (i.e., low, moderate, and high) for security controls are applicable to each control. The user can browse the security controls based on various criteria, search for a specific control, and export the control to various file types, e.g., tab-separated text file, comma-separated text file, XML, etc.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;The download is about 42MB and is available &lt;a href="http://csrc.nist.gov/groups/SMA/fisma/support_tools.html"&gt;here&lt;/a&gt;. After a quick decompression, you are ready to roll. However, this beta is limited to Windows support. If you're not familiar with the &lt;a href="http://csrc.nist.gov/publications/PubsSPs.html"&gt;NIST SP 800 family of publications&lt;/a&gt;, you should be. They provide a great body of knowledge and vetted security controls, and they are available at no extra cost. 
&lt;br /&gt;&lt;br /&gt;The application itself requires no installation, and therefore will run without administrative control over the machine you are using it on (hint - you can share it with folks like legal counsel or developers so they can enjoy ease of access). To further protect the integrity of the data, the instance runs as read-only. Once up and running, you are presented with a fairly busy interface that takes a bit of browsing to understand. However, after a few minutes you can quickly find the controls you need, according to your risk impact scores, with all the supporting information at your fingertips. This truly is a helpful tool to have in your cache.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-2365230450817446265?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/2365230450817446265/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=2365230450817446265" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/2365230450817446265?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/2365230450817446265?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/aga0hCww1yY/nist-800-53-v3-controls-in-database.html" title="NIST 800-53 v3 controls in database form - No Extra Charge!" 
/><author><name>MTI</name><uri>http://www.blogger.com/profile/16411573334562325587</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="12082728093499524839" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/11/nist-800-53-v3-controls-in-database.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU8EQXs4eip7ImA9WxNUF0U.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-3058840933817618622</id><published>2009-11-09T12:30:00.000-05:00</published><updated>2009-11-09T12:30:00.532-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-09T12:30:00.532-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="IPhone security" /><category scheme="http://www.blogger.com/atom/ns#" term="IPhone" /><category scheme="http://www.blogger.com/atom/ns#" term="iPhone worm" /><title>First iPhone Worm in the wild - for Jailbroken iPhones only</title><content type="html">PMP Today &lt;a href="http://www.pmptoday.com/2009/11/08/jailbroken-iphone-worm-found-dangers-of-jailbreak-rick-astley-photo/"&gt;reports&lt;/a&gt; that the first iPhone targeted worm is hitting jailbroken iPhones due to a standard SSH password. 
The worm is a mobile device &lt;a href="http://www.google.com/url?sa=t&amp;amp;source=web&amp;amp;ct=res&amp;amp;cd=2&amp;amp;ved=0CA8QFjAB&amp;amp;url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FRickrolling&amp;amp;rct=j&amp;amp;q=rick+roll&amp;amp;ei=lBz4StqaIYzV8Ablj9TzCQ&amp;amp;usg=AFQjCNGN_tC0JjE4zrfjQLyzpk6jmalOPQ"&gt;Rick Roll&lt;/a&gt;, resulting in a Rick Astley photo being set as the phone's background.&lt;br /&gt;&lt;br /&gt;The easy fix is, of course, to not use a default SSH password - "&lt;a href="http://www.the-iblog.com/2008/11/24/tip-change-your-iphones-ssh-password/"&gt;alpine&lt;/a&gt;" wasn't exactly a good password to start with.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-3058840933817618622?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/3058840933817618622/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=3058840933817618622" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3058840933817618622?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3058840933817618622?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/b3lMae1dySU/first-iphone-worm-in-wild-for.html" title="First iPhone Worm in the wild - for Jailbroken iPhones only" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/11/first-iphone-worm-in-wild-for.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUUNQ38zeyp7ImA9WxNUFEo.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-5994079194783384890</id><published>2009-11-05T21:03:00.004-05:00</published><updated>2009-11-05T21:08:12.183-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-05T21:08:12.183-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="security humor" /><category scheme="http://www.blogger.com/atom/ns#" term="risk assessment" /><title>Risky Behavior: Making Risk Assessment Fun</title><content 
type="html">&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://safetycenter.navy.mil/PHOTO/archive/archive_351-400/photo354.asp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 360px; height: 582px;" src="http://safetycenter.navy.mil/PHOTO/images/images-351-400/photo354-2.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The Naval Safety Center's &lt;a href="http://safetycenter.navy.mil/PHOTO/index.asp"&gt;Picture of the Week&lt;/a&gt; often provides a great visual aid when discussing risks - I find that audiences get a kick out of them, and they can help break the ice when starting a risk assessment. This one? I'm pretty sure that's an integrity risk (for his bones), and an availability risk (to his services). Impact? High! Probability? Well...that depends.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-5994079194783384890?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/5994079194783384890/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=5994079194783384890" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5994079194783384890?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5994079194783384890?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/PjPIqE2dFsU/risky-behavior-making-risk-assessment.html" title="Risky Behavior: Making Risk Assessment Fun" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/11/risky-behavior-making-risk-assessment.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEYHQHw5fSp7ImA9WxNUEU8.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-3976579689198556611</id><published>2009-11-01T20:34:00.006-05:00</published><updated>2009-11-01T20:42:11.225-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-01T20:42:11.225-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="risk word map" /><category scheme="http://www.blogger.com/atom/ns#" term="risk assessment" /><title>Visualizing a Risk Vocabulary</title><content type="html">&lt;a 
href="http://www.wordle.net/"&gt;Wordle.net&lt;/a&gt;'s word visualization tool can be a great way to map out words and concepts. The Wikipedia text for Risk Assessment became part of a presentation I am building for a guest lecture I was asked to give in an MBA class. Here's what it looks like:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_wgqJ4KQQva8/Su43el1c9dI/AAAAAAAAALI/Q61YXbNcQfs/s1600-h/risk_wordmap.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 252px;" src="http://3.bp.blogspot.com/_wgqJ4KQQva8/Su43el1c9dI/AAAAAAAAALI/Q61YXbNcQfs/s400/risk_wordmap.jpg" alt="" id="BLOGGER_PHOTO_ID_5399314001955714514" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The map for &lt;a href="http://en.wikipedia.org/wiki/Computer_virus"&gt;computer virus&lt;/a&gt; is also interesting:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_wgqJ4KQQva8/Su44rcfMx_I/AAAAAAAAALQ/JlbG9oTl_Ic/s1600-h/virus_wordmap.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 263px;" src="http://2.bp.blogspot.com/_wgqJ4KQQva8/Su44rcfMx_I/AAAAAAAAALQ/JlbG9oTl_Ic/s400/virus_wordmap.jpg" alt="" id="BLOGGER_PHOTO_ID_5399315322296387570" border="0" /&gt;&lt;/a&gt;I suspect that these will be useful visual aids in my presentations - a new way to present security concepts is often helpful, particularly when dealing with a non-IT staff audience.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-3976579689198556611?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/3976579689198556611/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=3976579689198556611" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3976579689198556611?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3976579689198556611?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/QButxK1NRgc/visualizing-risk-vocabulary.html" title="Visualizing a Risk Vocabulary" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_wgqJ4KQQva8/Su43el1c9dI/AAAAAAAAALI/Q61YXbNcQfs/s72-c/risk_wordmap.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/11/visualizing-risk-vocabulary.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkMEQno5cSp7ImA9WxNVGUw.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-656511323186605475</id><published>2009-10-30T12:00:00.000-04:00</published><updated>2009-10-30T12:00:03.429-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-30T12:00:03.429-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" 
term="information security jobs" /><category scheme="http://www.blogger.com/atom/ns#" term="security job skills" /><title>Future Proofing an Information Security Job</title><content type="html">One of the more interesting information security job questions that I've seen recently is "How do you future proof a security job?".&lt;br /&gt;&lt;br /&gt;That's an interesting question - security, like much of IT, has changed significantly over the past few years, and the skillsets required have changed or matured. A decade ago, there were far fewer dedicated information security positions, web security was just starting to become a visible issue, and intrusion detection was in its infancy. We've come from a world where local networks meant that copied floppies and boot sector viruses were our main threat to a world where even our phones are possible threat vectors.&lt;br /&gt;&lt;br /&gt;How, then, can an information technology security professional stay relevant?&lt;br /&gt;&lt;br /&gt;If you want to remain a technologist, rather than enter management, there are two popular paths: specialize or become a generalist.&lt;br /&gt;&lt;br /&gt;If you choose to specialize, your route will take you down the path of becoming ever more highly trained in one discipline, or possibly a few closely related areas. Penetration testers may become more skilled programmers, and could delve deeply into web technologies or system kernel exploits. Network security experts might become a CCIE, or tackle high end certifications from specific vendors.&lt;br /&gt;&lt;br /&gt;The problem is that when that technology dies, you may have to re-train. That's nothing new in the world of information technology. Banyan Vines and Netware administrators have moved on to handle Active Directory, and experts in Token Ring have trained to deal with gigabit switched Ethernet and Internet protocols. 
What it does mean is that you have to keep an eye open to avoid being outdated with the technologies that you are expert in. Specialization is a great way to get a job - if that job is in demand, and the supply is small. Cobol programmers knew this in 1999 - but that was a relatively rare opportunity for a dying technology to make a brief comeback.&lt;br /&gt;&lt;br /&gt;The other route, of course, is that of the generalist. This tends to put you into a role that glues together security with other IT areas, and can be quite rewarding - but you may find that you're unable to operate at the same depth that your specialized peers can attain. Generalists may have a harder time justifying specialized training, and will not necessarily find that their resumes qualify them directly for the highly specialized jobs that require a single scarce skill.&lt;br /&gt;&lt;br /&gt;Which route should a security analyst take? That's a tough call. At the end of the day, your work environment and your own preferences will likely shape your futureproofing efforts. In either case, technology will change, new threats will appear, and the job will continue to provide the challenges that we all face.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-656511323186605475?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/656511323186605475/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=656511323186605475" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/656511323186605475?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/656511323186605475?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/XTTj6idTxf8/future-proofing-information-security.html" title="Future Proofing an Information Security Job" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/future-proofing-information-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEEEQXkzfCp7ImA9WxNVGEs.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-1297908299320443762</id><published>2009-10-29T20:30:00.004-04:00</published><updated>2009-10-29T20:30:00.784-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-29T20:30:00.784-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="remove page from google" /><category scheme="http://www.blogger.com/atom/ns#" term="search engine removal" /><category scheme="http://www.blogger.com/atom/ns#" 
term="webpage removal" /><title>How To: Search Engine Webpage Removal - A Search Engine Entry Removal Roundup</title><content type="html">If you run a website of any type, there is a good chance that you'll want to remove content from Google, Bing, and other search engines at some point, either because the information is outdated or because sensitive data was exposed. Below are links to the documentation each of the major search engines provides for its removal process.&lt;br /&gt;&lt;br /&gt;Most search engines will tell you that your first action should be to create an appropriate &lt;a href="http://www.robotstxt.org/"&gt;robots.txt&lt;/a&gt;, and many want you to return a 404 (or 410) for the removed page. If you don't, they may keep your content cached for even longer than they otherwise would. One caveat: a robots.txt Disallow only stops the crawler from fetching the page, so once it is in place the engine can no longer see a 404 or a noindex tag on that page. Either pair the Disallow with the engine's removal request tool, or let the crawler in and rely on the 404 or the noindex instead; don't expect a Disallow alone to purge a page that is already indexed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Google&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;First, you can &lt;a href="https://www.google.com/webmasters/tools/removals?hl=en"&gt;build and submit a removal request&lt;/a&gt; for information, images, outdated or inappropriate content.&lt;br /&gt;&lt;br /&gt;Then, you can remove your own content and have Google drop it from the index more quickly using their webpage &lt;a href="http://www.google.com/support/webmasters/bin/answer.py?answer=92865"&gt;removal request tool&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Finally, make sure you follow Google's &lt;a href="http://www.google.com/support/webmasters/bin/answer.py?hl=en&amp;amp;answer=156412"&gt;noindex meta tag and robots.txt instructions&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span 
style="font-weight: bold;"&gt;Yahoo!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;With Yahoo's move to the Bing search engine, their removal process has changed. You can use their &lt;a href="http://services.google.com:8882/urlconsole/"&gt;SiteExplorer tool&lt;/a&gt; to remove your site from their results.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://services.google.com:8882/urlconsole/controller?cmd=reload&amp;amp;lastcmd=login"&gt;&lt;/a&gt;&lt;span style="font-weight: bold;"&gt;Ask (formerly Ask Jeeves)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Ask only provides robot.txt support, and has no formal published removal process.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Bing&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Microsoft's new search engine has recently published &lt;a href="http://www.bing.com/community/blogs/webmaster/archive/2009/06/08/how-to-remove-urls-from-our-index-expanded-edition.aspx"&gt;removal instructions&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.bing.com/community/blogs/webmaster/archive/2009/06/08/how-to-remove-urls-from-our-index-expanded-edition.aspx"&gt;&lt;/a&gt;&lt;span style="font-weight: bold;"&gt;AltaVista&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Per AltaVista's support information, &lt;blockquote&gt;"If an AltaVista user comes across web pages that contain private personal, professional or financial information that is not available to the public and/or may have been illegally obtained, he or she can write to legal-support-uk@av.com to request that the offending URL be removed from AltaVista's index. Please note that removing said URL from AltaVista's index does not remove the URL from the public internet or the indexes of other search engines."&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;Archive.org / the Wayback Machine&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Archive.org provides a long term snapshot of much of the Internet, dated by when the page was crawled. 
If your site has been up for any length of time and has static content the Wayback Machine can crawl, there's a good chance an old copy of the page you are removing is archived there as well, so you'll want to contact &lt;a href="http://www.archive.org/"&gt;Archive.org&lt;/a&gt; for &lt;a href="http://www.archive.org/about/exclude.php"&gt;exclusion&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-1297908299320443762?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/1297908299320443762/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=1297908299320443762" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/1297908299320443762?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/1297908299320443762?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/6hYdMd7YO6g/how-to-search-engine-webpage-removal.html" title="How To: Search Engine Webpage Removal - A Search Engine Entry Removal Roundup" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/how-to-search-engine-webpage-removal.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE8HSXk8cSp7ImA9WxNVFE0.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7772236943367082124</id><published>2009-10-23T12:30:00.001-04:00</published><updated>2009-10-24T13:53:58.779-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-24T13:53:58.779-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="cybersecurity month" /><category scheme="http://www.blogger.com/atom/ns#" term="President Obama" /><title>President Obama on 
Cybersecurity Month</title><content type="html">President Obama's short &lt;a href="http://www.whitehouse.gov/video/National-Cybersecurity-Awareness-Month/"&gt;video on cybersecurity month&lt;/a&gt; is available. This is the first time I've heard the President outline our frequent security advice - verify identities before giving out information, update your software, beware of suspicious emails. You can watch for yourself below:&lt;br /&gt;&lt;center&gt;&lt;br /&gt;&lt;object height="344" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/UIIY9AQSqbY&amp;amp;rel=0&amp;amp;color1=0xb1b1b1&amp;amp;color2=0xcfcfcf&amp;amp;hl=en&amp;amp;feature=player_embedded&amp;amp;fs=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowScriptAccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/UIIY9AQSqbY&amp;amp;rel=0&amp;amp;color1=0xb1b1b1&amp;amp;color2=0xcfcfcf&amp;amp;hl=en&amp;amp;feature=player_embedded&amp;amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" height="344" width="425"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/center&gt;&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-7772236943367082124?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7772236943367082124/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7772236943367082124" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7772236943367082124?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7772236943367082124?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/tRSE-bYl0F4/president-obama-on-cybersecurity-month.html" title="President Obama on Cybersecurity Month" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/president-obama-on-cybersecurity-month.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ck4AQHY8fyp7ImA9WxNVEks.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-8602243832119979726</id><published>2009-10-22T20:56:00.004-04:00</published><updated>2009-10-22T21:22:21.877-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-22T21:22:21.877-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="evil maid" /><category scheme="http://www.blogger.com/atom/ns#" term="truecrypt" /><category scheme="http://www.blogger.com/atom/ns#" term="drive encryption" 
/><title>Worried About The Evil Maid?</title><content type="html">Joanna Rutkowska's "&lt;a href="http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html"&gt;Evil Maid&lt;/a&gt;" TrueCrypt attack has been getting a lot of buzz in security circles today. In essence, the attack involves compromising the trust that TrueCrypt (and the user) places in the boot process. An evil maid (or other ne'er-do-well) exploits their physical access to a machine, and that machine's willingness to boot from external media such as a USB device, to plant a keylogger or other trojan in the boot sector or firmware. The next time the owner types the pre-boot passphrase - which rarely, if ever, changes - it is recorded, and whoever gets back to the machine can recover it and with it the whole filesystem.&lt;br /&gt;&lt;br /&gt;Am I particularly concerned about this as an attack against my organization's resources? Of course not!&lt;br /&gt;&lt;br /&gt;We do use encryption on our mobile systems - not TrueCrypt, but the caution applies to the concept of trusting an unverified boot path, not only to the TrueCrypt case Rutkowska demonstrated. With that said, a simple risk assessment serves us in good stead. Is our data so valuable, or are maids so twisted, that we have to worry about them attempting to access our laptops, which (hopefully) we lock in hotel room safes or otherwise protect appropriately? No - none of the people that I work with are in Her Majesty's Secret Service, or otherwise likely to be high value targets.&lt;br /&gt;&lt;br /&gt;The good news is that Rutkowska's implementation of this attack serves as a good reminder that our trust in enterprise drive encryption is much like any other technological solution in our daily security war - simply a stage in the escalation of tools.&lt;br /&gt;&lt;br /&gt;Years ago, we recommended passwords on laptops. Then, legislation and more technically aware users pushed us to drive encryption. 
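What the next rung on that ladder looks like in plain software, as an added example (not the post's own code, and not TrueCrypt's): measure the boot components an evil maid has to touch, keep the hashes as a baseline, and diff them at the next check. The sector images below are constructed bytes standing in for an MBR and a pre-boot loader, the patched bytes are arbitrary rather than a real keylogger, and read_sectors() only shows where the real input would come from on a device.

```python
"""Baseline check of boot-chain components, a plain-software stand-in for the
'drive hashing' idea in this post.  Added example: not code from the original
post or from TrueCrypt.  The sector images below are constructed bytes, not a
real disk; read_sectors() shows where real input would come from.
"""
import hashlib

SECTOR = 512


def measure(components):
    """Map each component name to the SHA-256 of its bytes (a 'measurement')."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in components.items()}


def compare(baseline, current):
    """Diff two measurement dicts; returns sorted (name, verdict) pairs."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            verdict = "missing"
        elif name not in baseline:
            verdict = "unexpected"      # something present now that was never measured
        elif baseline[name] != current[name]:
            verdict = "modified"
        else:
            verdict = "ok"
        findings.append((name, verdict))
    return findings


def read_sectors(path, start, count):
    """Read raw sectors from a block device or disk image (needs root/administrator).

    Not called in the offline demo.  On a real system the MBR is sector 0 and a
    pre-boot loader usually sits in the sectors that follow, e.g.
        read_sectors("/dev/sda", 0, 1)   or   read_sectors(r"\\.\PhysicalDrive0", 1, 62)
    """
    with open(path, "rb") as fh:
        fh.seek(start * SECTOR)
        return fh.read(count * SECTOR)


def audit(baseline_images, current_images):
    """Measure both sets and report only what is not 'ok'."""
    return [f for f in compare(measure(baseline_images), measure(current_images)) if f[1] != "ok"]


# ---- constructed sample images (hypothetical bytes, not real loader code) ----
def fake_mbr(code):
    mbr = bytearray(SECTOR)
    mbr[: len(code)] = code
    mbr[510:512] = b"\x55\xaa"          # the 0xAA55 boot signature
    return bytes(mbr)


CLEAN_LOADER = b"BOOT LOADER v1".ljust(2 * SECTOR, b"\x00")
CLEAN = {"mbr": fake_mbr(b"\xfa\x33\xc0\x8e\xd0"), "loader": CLEAN_LOADER}

# An evil-maid style change: a few bytes of the loader patched (say, a hook that
# records the passphrase), MBR left untouched.  The bytes are arbitrary.
TAMPERED_LOADER = bytearray(CLEAN_LOADER)
TAMPERED_LOADER[0x40:0x44] = b"\xe8\x10\x00\x90"
TAMPERED = {"mbr": CLEAN["mbr"], "loader": bytes(TAMPERED_LOADER)}

if __name__ == "__main__":
    print(audit(CLEAN, CLEAN))      # []
    print(audit(CLEAN, TAMPERED))   # [('loader', 'modified')]
```

Run from the installed OS, a check like this can be lied to: a bootkit that owns the disk driver can hand back the clean sectors it replaced, and the baseline file lives on the same disk it is supposed to vouch for. It is only meaningful when run from media you control separately (a USB stick you keep with you), and what a TPM adds is a hardware-held record of those same measurements, so that a changed loader simply fails to unseal the key instead of depending on a later software diff.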
Next, as attacks like this become more widely approachable, we'll worry about TPM-based measured boot, hashing the boot sectors and loader against a known baseline, two-factor pre-boot authentication, or other technologies that can attest to the state of a system between uses. For now, I'm far more worried about malware installed on systems either via a vulnerability or a user's mistake. Why? Because drive encryption protects data at rest only; once the drive is unlocked for the user's daily work it does nothing against code running on the system.&lt;br /&gt;&lt;br /&gt;For your daily security efforts, you can likely worry about much more immediate security concerns - and in the meantime, if your maid cackles evilly and speaks in l33t, you may want to guard your USB ports.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-8602243832119979726?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/8602243832119979726/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=8602243832119979726" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/8602243832119979726?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/8602243832119979726?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/Yyoq6FnzXU0/worried-about-evil-maid.html" title="Worried About The Evil Maid?" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/worried-about-evil-maid.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkUEQXk7eip7ImA9WxNVEEo.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7791962589885012437</id><published>2009-10-20T17:30:00.000-04:00</published><updated>2009-10-20T17:30:00.702-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-20T17:30:00.702-04:00</app:edited><title>VirusScan 8.7 and Security Center reporting</title><content type="html">If you've been driven to distraction recently by users who noticed that the Windows Security Center wasn't reporting their McAfee VirusScan 8.7 status correctly, you're in luck. 
Messages like "McAfee VirusScan Enterprise is on but reporting its status to Windows Security Center in a format that is no longer supported" on Windows 7 and Vista, while only a reporting issue, were resulting in a lot of questions.&lt;br /&gt;&lt;br /&gt;McAfee has released &lt;a href="https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22137/en_US/Release%20Notes%20for%20McAfee%20VirusScan%20Enterprise%208_7i%20Patch%202.pdf"&gt;Patch 2&lt;/a&gt; (link goes to the release notes) for VirusScan 8.7i, which fixes the issue. Along the way, they also improved the performance of on-access scans, which many users were complaining about as well.&lt;br /&gt;&lt;br /&gt;What went wrong? Well, the Microsoft API for this reporting was updated, and this required updates from vendors. McAfee's patch lagged behind, resulting in worried customers. The good news is that their AV was working the whole time. The bad news is that we've spent years making our customers more aware, and now even a spurious warning about a security control can cause a lot of helpdesk calls.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-7791962589885012437?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7791962589885012437/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7791962589885012437" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7791962589885012437?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7791962589885012437?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/z8zkkWvk8dE/virusscan-87-and-security-center.html" title="VirusScan 8.7 and Security Center reporting" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/virusscan-87-and-security-center.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0cEQX88eyp7ImA9WxNWGEw.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-5184072664494480063</id><published>2009-10-17T17:30:00.000-04:00</published><updated>2009-10-17T17:30:00.173-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-17T17:30:00.173-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="DHS" /><category scheme="http://www.blogger.com/atom/ns#" term="security experts" /><category scheme="http://www.blogger.com/atom/ns#" term="Cringely" /><title>1000 Security 
Experts? Not exactly what the doctor ordered.</title><content type="html">Bob Cringely &lt;a href="http://www.cringely.com/2009/10/the-cybersecurity-myth/"&gt;recently discussed&lt;/a&gt; the Department of Homeland Security's plan to hire 1,000 "cybersecurity experts" to defend U.S. computer networks. His take? That there aren't 1,000 cybersecurity experts to be found in the U.S. His unnamed cybersecurity expert friends tend to agree in various forms, ranging from a discussion of the semantics of the goal to a more in-depth discussion of the forms of expertise that can be found, and a note that there are 1,000 security experts - on the wrong side of the fence.&lt;br /&gt;&lt;br /&gt;Cringely also contends that no matter what the actual intent, this hiring is largely window dressing and that the end result won't be a sea change in how government information security is done. He points to low CCIE pass rates as a good metric for how many security experts can be found, which may not be the best metric for security expertise across the board - to me, it indicates that holders of one brand of high level network security expertise do exist, but that the demand for CCIEs isn't sufficient to push further candidates through the certification at a high rate. In addition, personal experience indicates to me that many qualified security experts don't carry all of the certifications that they could qualify for, for any of a broad variety of reasons - that doesn't mean that we have hundreds of certification-less CCIEs around, but it does mean that we may have experts we're not counting if we only count certificates.&lt;br /&gt;&lt;br /&gt;The problem here is that security expertise covers a broad variety of fields, from risk assessment to network security to physical security design and back again. Seeking a thousand cybersecurity experts is, in many ways, more akin to seeking a thousand expert college professors in engineering. 
You may not find them all in nuclear engineering at the level that you desire, but you may very well find that many experts across all of the disciplines that you need - and then you'll realize that you really wanted some of them to be TAs, Ph.D. candidates, and others who may not yet be experts - but will be.&lt;br /&gt;&lt;br /&gt;Polymath experts with broad experience and deep expertise across the spectrum of information security are definitely necessary to tie those skillsets together, especially when you need to glue complex systems together, but you don't need - or necessarily want - hundreds of those big guns. Cringely notes that such experts aren't found in packs, and that is one point that I'll agree with. In any field the major experts hold a special place, and some take full advantage of it.&lt;br /&gt;&lt;br /&gt;One of Cringely's experts dismisses the DHS plan - "you will end up with 1,000 Security Managers in the government with Sec+, and CISSP certifications". This picture of outsourced expertise and a lack of true change doesn't reflect the fact that skilled security managers are just as necessary as the heavy hitter deep dive experts. If the Department of Homeland Security really wants to change the face of government information security, the program and these new hires must be run adeptly, and that can be a real challenge.&lt;br /&gt;&lt;br /&gt;DHS doesn't need to simply hire 1,000 identical security superheroes. They need to embed employees with appropriate skillsets in those areas that face risk - after they assess the risk - and then they need to work out a coherent program to improve and manage both their security program and their security staffers. With the right guidance, 1,000 security employees of many types could change how government information security is done.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-5184072664494480063?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/5184072664494480063/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=5184072664494480063" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5184072664494480063?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5184072664494480063?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/848smIuQcWQ/1000-security-experts-not-exactly-what.html" title="1000 Security Experts? Not exactly what the doctor ordered." 
/><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/1000-security-experts-not-exactly-what.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk4CR3Y_cCp7ImA9WxNWFkg.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7585547439890272381</id><published>2009-10-15T21:00:00.001-04:00</published><updated>2009-10-15T21:02:46.848-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-15T21:02:46.848-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="security models" /><category scheme="http://www.blogger.com/atom/ns#" term="security analysts" /><title>The Three Phases of the Security Analyst</title><content type="html">&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm3.static.flickr.com/2438/3643283079_f172b26309.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 338px; height: 500px;" src="http://farm3.static.flickr.com/2438/3643283079_f172b26309.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;Creative Commons attribution licensed image courtesy Flickr user &lt;a href="http://www.flickr.com/photos/49024304@N00/"&gt;anyjazz65&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;I spend a lot of time working with people outside of my own immediate group of security analysts, and I often find it useful to provide a model that will help them understand how security analysts work. 
Fortunately, I've found one that I like.&lt;br /&gt;&lt;br /&gt;Security staffers that I have known through the years tend to fall into one of three stages - typically depending on the phase of their career, with some variation depending on the person's personality, their workplace, and of course, their experience.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center; font-weight: bold;"&gt;The Phases:&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;1. The Black and White Security Analyst&lt;/span&gt;: &lt;span style="font-style: italic;"&gt;A Binary Analysis&lt;/span&gt; - typical amongst newer security professionals, a Black and White analyst sees the world as a series of security issues. A system is either secure or insecure. It complies with best practices, or it fails. Black and white analysts can drive outsiders nuts (and, at times, their non-black and white compatriots), but they also serve as a very useful check to the other phases - and they make very good auditors.&lt;br /&gt;&lt;br /&gt;Some black and white analysts find their role because of limited direct experience. Simple book knowledge rarely has a compromise solution, and forcing best practices can make an otherwise reasonable staffer look like a truly obstinate opponent. Every analyst needs to fall back on these behaviors at times, particularly for thorny problems that have a high risk solution. Of course, in some environments this is the desired mode of operation, and should be fostered.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;2. Shades of Gray&lt;/span&gt;: &lt;span style="font-style: italic;"&gt;The Risk Modeller&lt;/span&gt; - as security professionals spend more time in the field - and, often, as they become more jaded - they start to view the world as a series of risks. 
Training teaches you to do a risk assessment, to rate those risks, and to build controls based on that model.&lt;br /&gt;&lt;br /&gt;Their assessments start to balance these risks, and they become more flexible in their views. The danger? Making too many tradeoffs, whether for functionality or simply for the ease of implementation. This can be a benefit, of course, as the shades of gray often allow the analyst to be more flexible when analyzing risks and controls.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;3. The Realist&lt;/span&gt;&lt;span&gt;:&lt;/span&gt; &lt;span style="font-style: italic;"&gt;Life Along the Continuum&lt;/span&gt; - some, but not all, security staffers make it to a third phase. This third phase tends to emphasize the continuum of possible security options, and those who have reached this level will typically rate security based on the improvement along that continuum. Analysts often set a minimum acceptable level - and strive to ensure that a balance is maintained between improvements beyond that and the organizational costs of moving along the line. Realists are fully aware that security cannot always win, and instead choose their battles. This can mean that at times, they are more willing to accept compromise than they necessarily should be, and burnout can lead to a less effective analyst, but realists are often the best interfaces with outside organizations if you need to build bridges.&lt;br /&gt;&lt;br /&gt;In the end, all three stages are useful, and each has its place. What matters is reaching an organizationally acceptable balance of risk, usability, and security, and that ebb and flow is what makes the job both a challenge and an adventure.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-7585547439890272381?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7585547439890272381/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7585547439890272381" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7585547439890272381?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7585547439890272381?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/8xPqeIA6hjM/three-phases-of-security-analyst.html" title="The Three Phases of the Security Analyst" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/three-phases-of-security-analyst.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUQMQ384fyp7ImA9WxNWE0w.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-531240235147371317</id><published>2009-10-11T23:13:00.004-04:00</published><updated>2009-10-11T23:16:22.137-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-11T23:16:22.137-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="password security" /><category scheme="http://www.blogger.com/atom/ns#" term="password standards" /><title>Passwords...in Newsweek?</title><content type="html">You know that 
passwords and their problems have gone mainstream when Newsweek &lt;a href="http://www.newsweek.com/id/217014/page/1"&gt;carries an article about them&lt;/a&gt;. Nick Summers describes current password technology issues, as well as some of the potential future solutions. It even describes brute forcing and the issues with simple passwords - meaning that your users might come ask a few good questions.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-531240235147371317?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/531240235147371317/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=531240235147371317" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/531240235147371317?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/531240235147371317?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/1s_VR5PHxIg/passwordsin-newsweek.html" title="Passwords...in Newsweek?" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/passwordsin-newsweek.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU8NQHszfip7ImA9WxNXGUg.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-2743159583881687633</id><published>2009-10-07T19:18:00.003-04:00</published><updated>2009-10-07T19:24:51.586-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-07T19:24:51.586-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="password security" /><category scheme="http://www.blogger.com/atom/ns#" term="password standards" /><title>That's amazing. 
I've got the same combination on my luggage...</title><content type="html">Wired's Danger Room blog &lt;a href="http://www.wired.com/threatlevel/2009/10/10000-passwords/"&gt;quotes&lt;/a&gt; analysis of a recent Hotmail, MSN, and Microsoft Live account leak which showed that 123456 was the most common password.&lt;br /&gt;&lt;br /&gt;In my experience, universities tend to find that their most common passwords are catch phrases common to the school. Corporations that run password audits may find similar patterns in their own users' password selections.&lt;br /&gt;&lt;br /&gt;Does your organization have a common password?&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-2743159583881687633?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/2743159583881687633/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=2743159583881687633" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/2743159583881687633?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/2743159583881687633?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/SjZxscspstQ/thats-amazing-ive-got-same-combination.html" title="That's amazing. I've got the same combination on my luggage..." 
/><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/thats-amazing-ive-got-same-combination.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04GSHg-fCp7ImA9WxNXFEk.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-5113278029373062366</id><published>2009-10-01T21:00:00.000-04:00</published><updated>2009-10-01T21:12:09.654-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-01T21:12:09.654-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="hostage ware" /><category scheme="http://www.blogger.com/atom/ns#" term="antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="hostageware" /><title>Hostageware Hits the Mainstream</title><content type="html">&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm3.static.flickr.com/2458/3800997267_a6d7244942.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 500px; height: 375px;" src="http://farm3.static.flickr.com/2458/3800997267_a6d7244942.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;Creative Commons Attribution licensed image courtesy &lt;a href="http://www.flickr.com/photos/alanrmiles/"&gt;Alan Miles NYC&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;The New York Times was &lt;a href="http://www.nytimes.com/2009/09/15/technology/internet/15adco.html?_r=1"&gt;recently hit&lt;/a&gt; with a hostageware ad that switched from a seemingly legitimate Vonage ad to virus warnings. 
The Times believed they were trusting a vendor that they had previously worked with, and allowed un-vetted servers to serve ads to their site. The Times isn't the only major site to have this occur, and my security threats crystal ball says that since we've all locked our computers down to prevent worms, the bad guys are going to target the places that they know we go - and trust.&lt;br /&gt;&lt;br /&gt;As the New York Times article notes, "These so-called affiliates can mimic the advertisements of legitimate companies, learn their techniques for submitting ads to networks and sites, meddle with ad servers and then go so far as to provide customer support for people who install the software, keeping the scam running as long as possible."&lt;br /&gt;&lt;br /&gt;In my own recent experience, this type of ad is increasingly prevalent as a threat to users, and the malware itself is taking advantage of a number of browser bugs and plugin bugs to slide past users' defenses. With threats that take advantage of PDF vulnerabilities, Java vulnerabilities, and more, users who navigate to trusted sites may still be compromised. This also means that the standard habits that we have taught users for years are no longer a panacea - simply not going to untrusted sites and not opening unexpected emails, or avoiding clicking untrusted links isn't the shield it was.&lt;br /&gt;&lt;br /&gt;Home users who find themselves staring at a popup screen that offers to save them from the malware that their PC is infected with can find some solace in the fact that capable anti-malware products like &lt;a href="http://www.malwarebytes.org/"&gt;MalwareBytes&lt;/a&gt; are available for free. Sadly, mainstream AV seems to have real problems with many of these hostageware packages, so a second layer of defense is key.&lt;br /&gt;&lt;br /&gt;So, what can you do from a corporate perspective? That's a bit tougher. 
Here's what I'm looking at:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;First, full patching of systems, including browser plugins, is really essential. I continue to see systems that have full OS patches that are behind on browser plugins. Comprehensive, system-wide software management is becoming even more of a corporate necessity.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Second, enterprise AV can still be helpful, even if only for detection. Remember to have your support staffers check out machines that show continued issues, as some components of the malware often get removed while the remaining parts can restore them. I've had organizations using central AV notice large numbers of their machines disappearing, which resulted in an investigation that showed a widespread compromise. Not exactly how they expected to leverage their AV management console, but well worth the price of admission.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Third, investigate enterprise licenses for useful tools. MalwareBytes and other vendors do offer attractive pricing for enterprise licensing. I've found that a quick Google results survey can often indicate what secondary package is most recommended, and that can really help.&lt;/li&gt;&lt;li&gt;Fourth, monitoring outbound traffic for hits on known malware and scam sites gives you a chance to find infected hosts before they become problems.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Finally, user training and awareness are still key. Finding out when these hostageware programs are showing up, and what the user was doing when they got infected, can help prevent widespread infections.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;How is your enterprise handling hostageware?&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-5113278029373062366?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/5113278029373062366/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=5113278029373062366" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5113278029373062366?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5113278029373062366?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/u3cSdGkk4Ws/hostageware-hits-mainstream.html" title="Hostageware Hits the Mainstream" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/hostageware-hits-mainstream.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEUAQ34-fyp7ImA9WxNQGE8.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-4449811382929429710</id><published>2009-09-24T17:00:00.002-04:00</published><updated>2009-09-24T17:04:02.057-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-24T17:04:02.057-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Web of Trust" /><category scheme="http://www.blogger.com/atom/ns#" term="thawte" /><category scheme="http://www.blogger.com/atom/ns#" term="S/MIME certificates" /><title>Thawte Discontinues Free 
Email Certificates and the Web of Trust</title><content type="html">&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3071/3021224568_e6af37a264.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 500px; height: 375px;" src="http://farm4.static.flickr.com/3071/3021224568_e6af37a264.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size:78%;"&gt;Creative Commons Attribution License image courtesy Flickr user &lt;a href="http://www.flickr.com/photos/fristle/"&gt;Fristle&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;Thawte's &lt;a href="http://www.thawte.com/secure-email/web-of-trust-wot/"&gt;Web of Trust&lt;/a&gt; and free email certificates have been a great way to get S/MIME certificates signed for personal use by a large CA. I've been a notary for a few years, and I've found that being able to offer an easy to obtain certificate with a reasonably strong validation process was a great way to introduce S/MIME certificates and secure email to many people.&lt;br /&gt;&lt;br /&gt;Today Thawte announced that both their free personal email certificates and the Web of Trust will cease to exist after November 16th, 2009. Details of the impact are covered in their &lt;a href="https://search.thawte.com/support/ssl-digital-certificates/index?page=content&amp;amp;id=SO12658"&gt;FAQ&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This will remove one of the largest in-person vetted identity certification groups that I know of - a reasonably unique institution. Those who paid money for notarization to receive points in the Web of Trust will find that that investment no longer pays returns. 
Thawte's consolation prize is a single year of VeriSign's commercial personal email certificate service, and a free one-year certificate of the member's choice.&lt;br /&gt;&lt;br /&gt;I'm not aware of any viable community replacement for this service for S/MIME certificate users, and I'm somewhat disappointed that Thawte hasn't pushed the idea of making this some form of community-supported or community-managed service.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-4449811382929429710?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/4449811382929429710/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=4449811382929429710" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4449811382929429710?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4449811382929429710?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/4M70_PNgEvs/thawte-discontinues-free-email.html" title="Thawte Discontinues Free Email Certificates and the Web of Trust" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/thawte-discontinues-free-email.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEQCQX4_fSp7ImA9WxNQFk8.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-5343839557591146253</id><published>2009-09-22T07:35:00.005-04:00</published><updated>2009-09-22T09:32:40.045-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-22T09:32:40.045-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="forensic imaging" /><category scheme="http://www.blogger.com/atom/ns#" term="forensic tools" /><category scheme="http://www.blogger.com/atom/ns#" 
term="computer forensics" /><title>Aquisition drive too small? Loop and offset to the rescue!</title><content type="html">On any given day, I might need to take an image of a physical drive to analyze offline.  In the past, our imaging target drives of 1TB were plenty to handle a raw dump of the drive as well as partition dumps or carves later on.  However, with the spate of large capacity drives being installed, even in laptops, I'm lucky to just get the raw dump of the drive with some working space for an evidence locker.  But what if I need to parse through the partitions individually or want to mount them remotely?  Loop device mounting and offset (both options supported by the mount command) to the rescue.  After imaging the entire drive and of course verifying the hash, I have everything I need.  Now for the fun. &lt;br /&gt;&lt;br /&gt;Typically, you can mount a raw image with the loop device option:&lt;br /&gt;&lt;br /&gt;#mount -o loop,ro -t auto /some/image.raw /your/mountpoint&lt;br /&gt;&lt;br /&gt;I use this often when I only have an image of a partition.  However, this option will not work when trying to mount an image of an entire physical device with one or more logical drives defined within it.  So now what? &lt;br /&gt;&lt;br /&gt;Given that an image is really just a block level copy of data, we are only dealing with data.  Using the loop device with further options - offset specifically - offers you the ability to tell it where you want it to consider the starting point within the string of data.  In essence, the offset option tells mount and the loop device to skip the first n bytes from the actual beginning of the string of data.  But where do my partitions start and end?&lt;br /&gt;&lt;br /&gt;To get an idea of what is contained inside the image, as far as file system information, logical drives, etc., you will need to use a utility like fdisk.  fdisk is a partition table manipulator for Linux.  
While it can be used to manipulate the partitions, we'll just use it to find out what's inside the image.  The following command will give you all the details we need about an image:&lt;br /&gt;&lt;br /&gt;# fdisk -ul image.001&lt;br /&gt;&lt;br /&gt;You must set cylinders.&lt;br /&gt;You can do this from the extra functions menu.&lt;br /&gt;&lt;br /&gt;Disk image.001: 0 MB, 0 bytes&lt;br /&gt;255 heads, 63 sectors/track, 0 cylinders, total 0 sectors&lt;br /&gt;Units = sectors of 1 * 512 = 512 bytes&lt;br /&gt;Disk identifier: 0xd42ad42a&lt;br /&gt;&lt;br /&gt;     Device Boot      Start         End      Blocks   Id  System&lt;br /&gt;image.001p1   *          63    42154559    21077248+   7  HPFS/NTFS&lt;br /&gt;Partition 1 has different physical/logical endings:&lt;br /&gt;     phys=(1023, 254, 63) logical=(2623, 254, 63)&lt;br /&gt;image.001p2        42154560   156296384    57070912+   5  Extended&lt;br /&gt;Partition 2 has different physical/logical beginnings (non-Linux?):&lt;br /&gt;     phys=(1023, 0, 1) logical=(2624, 0, 1)&lt;br /&gt;Partition 2 has different physical/logical endings:&lt;br /&gt;     phys=(1023, 254, 63) logical=(9728, 254, 63)&lt;br /&gt;image.001p5        42154623   156296384    57070881    7  HPFS/NTFS&lt;br /&gt;&lt;br /&gt;In the example above, I pointed "fdisk -ul" at an image of a Windows drive that had two partitions.  I used option "u" to list the sizes in sectors instead of cylinders and "l" to list the partitions within the device and then exit.  So, from here, how do we calculate where the starting point is for each partition and then tell mount where we want the beginning to be?  First we start by determining the sector size.  This will be in bytes, and the number we use as a multiplier to determine how many bytes into the image we want to offset.  
We can see in the output that the sector size is 512 bytes:&lt;br /&gt;&lt;br /&gt;Units = sectors of 1 * 512 = &lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;512 bytes&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Next we need to know at what sector each partition starts.  In the example above, we see several partitions listed; image.001p1, image.001p2, image.001p5.  Each partition entry in the output has a start point denoted in sectors:&lt;br /&gt;&lt;br /&gt;Device Boot      Start         End      Blocks   Id  System&lt;br /&gt;image.001p1   *          &lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;63&lt;/span&gt;    42154559    21077248+   7  HPFS/NTFS&lt;br /&gt;image.001p2        &lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;42154560&lt;/span&gt;&lt;span style="color: rgb(51, 204, 0);"&gt; &lt;/span&gt;  156296384    57070912+   5  Extended&lt;br /&gt;image.001p5        &lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;42154623&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;   &lt;/span&gt;156296384    57070881    7  HPFS/NTFS&lt;br /&gt;&lt;br /&gt;But wait - in this example I have a drive image that only contained two partitions - why are there three listed?  This is because the drive I  imaged was partitioned with one primary boot partition and an extended partition which contains another partition.  There are many religious debates on how to partition drives, but suffice it to say, this is by far more common than not.  Today, we are only concerned about mounting the two NTFS partitions listed.  In the fdisk output we can see that partition 1 starts at sector 63 and partition 5 starts at sector 42154623.  
We'll multiply these starting sectors by our sector size to determine what our offset (in bytes) is for each mount operation:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;sector size&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; * &lt;/span&gt;&lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;starting sector&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; = &lt;/span&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;offset&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;512&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; * &lt;/span&gt;&lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;63&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; = &lt;/span&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;32256&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;512&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; * &lt;/span&gt;&lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;42154623&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; = &lt;/span&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;21583166976&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now that we have the offset, in bytes, we can formulate our mount commands:&lt;br /&gt;&lt;br /&gt;#mount -o ro,loop,offset=&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;32256 &lt;/span&gt;-t ntfs-3g image.001 /some/mountpoint&lt;br /&gt;and&lt;br /&gt;#mount -o ro,loop,offset=&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;21583166976 &lt;/span&gt;-t ntfs-3g image.001 /another/mountpoint&lt;br /&gt;&lt;br /&gt;And there we have it - both partitions within a raw drive image mounted and ready to explore without having to take more images of just the logical drives - or carve them 
out of what we have.  Of course, file systems will vary along with disk geometry and associated mounting options.  However, these basic steps can be used to identify and mount every partition contained within a raw disk image.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
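As an added example that is not part of the original post, the following POSIX shell script automates the steps above: it reads the sector size and the start sector of each NTFS (Id 7) partition from the "fdisk -ul image.001" listing shown in the post (embedded here as a constructed sample so the script runs without the image), multiplies them into byte offsets, and prints the read-only loop mount commands for review. The mount point convention /mnt/NAME is an assumption; nothing is actually mounted.

```shell
#!/bin/sh
# Added example, not from the original post: turn "fdisk -ul image.001" output
# into read-only loop mount commands with the right byte offsets.
# The fdisk output below is the post's own listing, embedded as a constructed
# sample so the script runs offline without the image file.

FDISK_SAMPLE='Disk image.001: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0xd42ad42a

     Device Boot      Start         End      Blocks   Id  System
image.001p1   *          63    42154559    21077248+   7  HPFS/NTFS
Partition 1 has different physical/logical endings:
     phys=(1023, 254, 63) logical=(2623, 254, 63)
image.001p2        42154560   156296384    57070912+   5  Extended
image.001p5        42154623   156296384    57070881    7  HPFS/NTFS'

# sector_size FDISK_OUTPUT: the unit size in bytes, taken from the
# "Units = sectors of 1 * 512 = 512 bytes" line (second-to-last field).
sector_size() {
    printf '%s\n' "$1" | awk '/^Units = /{ print $(NF-1); exit }'
}

# partition_offset SECTOR_SIZE START_SECTOR: byte offset for mount -o offset=
# Shell arithmetic is 64-bit in bash and dash, so 21583166976 fits.
partition_offset() {
    echo $(( $1 * $2 ))
}

# ntfs_partitions FDISK_OUTPUT IMAGE: print "name start_sector" for every
# partition whose Id column is 7 (HPFS/NTFS). fdisk prints an optional "*"
# boot flag as the second column, which shifts the Start and Id columns
# one place to the right, so both layouts are handled.
ntfs_partitions() {
    printf '%s\n' "$1" | awk -v img="$2" '
        index($0, img) == 1 {
            if ($2 == "*") { start = $3; id = $6 } else { start = $2; id = $5 }
            if (id == "7") print $1, start
        }'
}

# mount_commands FDISK_OUTPUT IMAGE: one read-only loop mount per NTFS
# partition. The mount point /mnt/NAME is an assumed convention; the
# commands are only printed so they can be reviewed before being run as root.
mount_commands() {
    size=$(sector_size "$1")
    ntfs_partitions "$1" "$2" | while read -r name start; do
        printf 'mount -o ro,loop,offset=%s -t ntfs-3g %s /mnt/%s\n' \
            "$(partition_offset "$size" "$start")" "$2" "$name"
    done
}

mount_commands "$FDISK_SAMPLE" image.001
```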
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-5343839557591146253?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/5343839557591146253/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=5343839557591146253" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5343839557591146253?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5343839557591146253?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/Meb_9wvMIVY/aquisition-drive-too-small-loop-and.html" title="Aquisition drive too small? Loop and offset to the rescue!" 
/><author><name>MTI</name><uri>http://www.blogger.com/profile/16411573334562325587</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="12082728093499524839" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/aquisition-drive-too-small-loop-and.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0MEQXs8cCp7ImA9WxNQEkQ.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-6444532750747736615</id><published>2009-09-18T12:30:00.000-04:00</published><updated>2009-09-18T12:30:00.578-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-18T12:30:00.578-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="LogMeIn" /><category scheme="http://www.blogger.com/atom/ns#" term="remote control software" /><category scheme="http://www.blogger.com/atom/ns#" term="laptop recovery" /><title>Stolen Laptop Recovery with LogMeIN - Round 2</title><content type="html">PC World has &lt;a href="http://www.pcworld.com/article/172093/An_Amazing_Laptop_Recovery_Story.html"&gt;David Krop's story&lt;/a&gt; of laptop recovery using LogMeIn. I've discussed a couple of similar stories involving a &lt;a href="http://devilsadvocatesecurity.blogspot.com/2009/06/case-for-remote-control-theft-recovery.html"&gt;laptop&lt;/a&gt; and an &lt;a href="http://devilsadvocatesecurity.blogspot.com/2009/06/phone-recovery-true-story.html"&gt;iPhone&lt;/a&gt; previously, as well as the case for remote control software, and this is another example of a laptop that was not properly secured being used by a new user while remote login software was on.&lt;br /&gt;&lt;br /&gt;The buyer of the stolen laptop is quoted as saying "I didn't care whether it was stolen, I buy stolen stuff all the time. I don't care... If I can save $600, I'll do it." 
While he may not have learned a lesson, the owner of the stolen laptops did, noting that he won't leave the laptops unattended, that he takes only one with him, and that he uses passwords and remote tracking software now.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-6444532750747736615?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/6444532750747736615/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=6444532750747736615" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/6444532750747736615?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/6444532750747736615?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/6MI2bNBVSUY/stolen-laptop-recovery-with-logmein.html" title="Stolen Laptop Recovery with LogMeIN - Round 2" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/stolen-laptop-recovery-with-logmein.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkIEQX8zeyp7ImA9WxNQEkQ.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-4407278716220158496</id><published>2009-09-18T12:15:00.001-04:00</published><updated>2009-09-18T12:15:00.183-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-18T12:15:00.183-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="dumb criminals" /><category scheme="http://www.blogger.com/atom/ns#" term="Facebook Security" /><title>What You Do on Facebook Can Cause You Harm is True For 
Criminals Too</title><content type="html">Jonathan G. Parker of Fort Loudon, Pennsylvania was arraigned on a burglary charge after he &lt;a href="http://www.journal-news.net/page/content.detail/id/525232.html"&gt;forgot to log out of Facebook&lt;/a&gt; on the computer at a house that he had robbed.&lt;br /&gt;&lt;br /&gt;We're all busy telling our users that what they do on Facebook can cause them problems in the future, but this is a slightly more direct example...&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-4407278716220158496?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/4407278716220158496/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=4407278716220158496" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4407278716220158496?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4407278716220158496?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/Pg0kUEJEDsE/what-you-do-on-facebook-can-cause-you.html" title="What You Do on Facebook Can Cause You Harm is True For Criminals Too" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/what-you-do-on-facebook-can-cause-you.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0AERX87eSp7ImA9WxNQEk4.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-6438654432616095489</id><published>2009-09-17T20:28:00.005-04:00</published><updated>2009-09-17T21:01:44.101-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-17T21:01:44.101-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web application vulnerability scanning" /><category scheme="http://www.blogger.com/atom/ns#" term="webinspect" /><category 
scheme="http://www.blogger.com/atom/ns#" term="web application security" /><title>Making Web Application Security Controls Repeatable</title><content type="html">Raul Siles recently posted a &lt;a href="http://isc.sans.org/diary.html?storyid=7135"&gt;useful reminder&lt;/a&gt; as his ISC diary post - "Review the security controls of your Web Applications... all them!". He used the &lt;a href="http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html"&gt;problems&lt;/a&gt; described by Ryan Barnett that were found in Yahoo's web API as an excellent example of this rule. Both posts point to a common problem in applications that I see - the loss of established controls in new code and new functionality.&lt;br /&gt;&lt;br /&gt;One way I've been working to help fix this in an organization that hasn't developed a comprehensive software development lifecycle or broad QA process is to build a multi-step process to handle security flaws found in an application. Typical steps are:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Determine whether the problem is unique to the application, or if it is a flaw that is likely found in other applications, either current or future.&lt;/li&gt;&lt;li&gt;If it is more than a one-time problem, design a common library or technique to handle the problem.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Assess the severity of the problem, and apply the fix to other applications if the risk is determined to be high enough to justify the effort. If not, add the fix to the queue for the next update to those applications.&lt;/li&gt;&lt;li&gt;Re-test the application to verify that the fix works.&lt;/li&gt;&lt;li&gt;Document the library and ensure that the rest of the team is aware of it.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;One of the best things about this sort of process is that developers start to think about problems in a much broader context. 
Recently, I've seen two of the developers I work with frequently stop during a meeting and ask out loud "I wonder if that applies in application X too...". That thought process usually ends up in modifications to their standard application libraries, which means that problems I saw once tend not to come back across their entire group.&lt;br /&gt;&lt;br /&gt;How are these vulnerabilities discovered? A web application vulnerability scanner - &lt;a href="https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&amp;amp;cp=1-11-201-200%5E9570_4000_100__"&gt;WebInspect&lt;/a&gt; in this case - provides most of the vulnerability testing. Manual testing, while often deeper and more likely to find corner cases for vulnerabilities, doesn't scale as well into an environment with limited resources and a large number of applications. Automated testing systems are also a great help in covering some gaps in skillset. As Jeremiah Grossman &lt;a href="http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html"&gt;points out&lt;/a&gt;, they may simply cover low-hanging fruit, but that can be very valuable.&lt;br /&gt;&lt;br /&gt;Do you have a unique or creative internal process to make sure that your organization keeps web application vulnerabilities from recurring?&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-6438654432616095489?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/6438654432616095489/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=6438654432616095489" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/6438654432616095489?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/6438654432616095489?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/5ijUCudyrWU/making-web-application-security.html" title="Making Web Application Security Controls Repeatable" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/making-web-application-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk4EQXo5eyp7ImA9WxNRGUk.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-3060775372971744796</id><published>2009-09-14T12:15:00.001-04:00</published><updated>2009-09-14T12:15:00.423-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-14T12:15:00.423-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="atm skimming" /><category scheme="http://www.blogger.com/atom/ns#" term="ATM skimmers" /><title>Brazilian ATM Skimmer Installation Video</title><content 
type="html">LiveLeak has great footage of an ATM skimmer being installed in Brazil, as well as the police arrest that followed. Note - LiveLeak itself may not be safe for some work environments due to adult ads.&lt;br /&gt;&lt;br /&gt;&lt;object height="370" width="450"&gt;&lt;param name="movie" value="http://www.liveleak.com/e/074_1252777692"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed src="http://www.liveleak.com/e/074_1252777692" type="application/x-shockwave-flash" wmode="transparent" height="370" width="450"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;The first few seconds are a quick lesson in how easily these skimmers can be attached.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-3060775372971744796?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/3060775372971744796/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=3060775372971744796" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3060775372971744796?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3060775372971744796?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/aM8DjFeidEI/brazilian-atm-skimmer-installation.html" title="Brazilian ATM Skimmer Installation Video" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/brazilian-atm-skimmer-installation.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkMER349eip7ImA9WxNRFko.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7043549624066326982</id><published>2009-09-11T08:00:00.001-04:00</published><updated>2009-09-11T08:00:06.062-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-11T08:00:06.062-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="security humor" /><category scheme="http://www.blogger.com/atom/ns#" term="Ponzi schemes" /><title>Security Humor: Indiana State Government Ponzi Scheme 
Education</title><content type="html">Google text ads can sometimes be a bit humorous, as seen in this example:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_wgqJ4KQQva8/SluEp-_phlI/AAAAAAAAAKw/bGonQUp6_xQ/s1600-h/in_ponzi.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 245px; height: 70px;" src="http://2.bp.blogspot.com/_wgqJ4KQQva8/SluEp-_phlI/AAAAAAAAAKw/bGonQUp6_xQ/s320/in_ponzi.jpg" alt="" id="BLOGGER_PHOTO_ID_5358022038506800722" border="0" /&gt;&lt;/a&gt;I knew there was a reason that our budget wasn't as bad as those in other states. Of course, I wonder if the Secretary of State also teaches advanced Ponzi schemes...&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-7043549624066326982?l=devilsadvocatesecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7043549624066326982/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7043549624066326982" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7043549624066326982?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7043549624066326982?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/VFB9v9WDWqI/security-humor-indiana-state-government.html" title="Security Humor: Indiana State Government Ponzi Scheme Education" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_wgqJ4KQQva8/SluEp-_phlI/AAAAAAAAAKw/bGonQUp6_xQ/s72-c/in_ponzi.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/security-humor-indiana-state-government.html</feedburner:origLink></entry></feed>
