A Django site.
April 23, 2010

Inside Security News
insecnews
is about »
» InfoSec Europe 2010

Uni. of Glamorgan's ISRG group will be at #InfoSec10 Europe located at Stand R93 or at the Uni. Pavilion: http://goo.gl/blZk

» My Twitter on Security

Hey everyone, I have finally found a reason to have twitter. It aint the best medium but it is the fastest way to say something, which can be followed by an article on a blog etc. For now I will maintain my own twitter, so if you want to track anything I track or write (tweet) that is security related checkout: https://twitter.com/kxynos

January 4, 2010

Inside Security News
insecnews
is about »
» Decaf COFEE put me to sleep

Decaf[1] is the hackers reply to Microsoft's COFEE tool set. Once again creating a tool to combat a set of tools as old as Sysinternals is nothing new or surprising. If it did not happen we would have been surprised.

Unfortunately (and thank god) systems are open and when they are closed (-source) people can still reverse-engineer and break them. This is the nature of the system, be that a PC, Apple, hardware, software or a mobile phone.

In other news an Xbox 360 thief was caught when the original user's account automatically signed in [2]. Proving that with some effort it is possible to track and catch thieves that keep and connect Internet-capable systems. Hear that UK!

Links used:
[1] - http://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf/
[2] - http://www.theregister.co.uk/2009/12/30/x_box_theft_suspect_racked_down/

December 4, 2009

Inside Security News
insecnews
is about »
» MS COFEE for live comp. forensics

It is all about the COFEE [1] that will keep you awake. In this case, ahead of the game. Microsoft's COFEE (Computer Online Forensics Evidence Extractor) [1] is out and about, making the rounds on the Internet underground (and overground, “freedom of speech” sites). This is what happens when you try to keep something secret, everyone wants it.

I understand the motives to keep it hush hush, but from what I hear the tool set is compromised of basic programs you can find on a Windows OS and at Microsoft online (old Sysinternals tool set, now part of Microsoft).

Will Anti-forensics kick in and destroy your acquisition? Well to be honest if the tools are the ones you find on a Windows OS, then any rootkit installed on the machine will feed any tool talking to the OS false data anyway. Nothing new there! Once again proving that usual computer forensics still will be required to extrapolate the information.

What about the volatile information lost after a shutdown, that has been captured by this tool set. That is why it is called volatile (it lives for a short period) and good luck in piecing things together after imaging the drive. It will provide valuable information that you would not have otherwise but how will it be proven in court is another matter altogether. It would not be a hard subject if everything was handed to you in a silver-platter-report every time.

[1] - http://wikileaks.org/wiki/Microsoft_COFEE_%28Computer_Online_Forensics_Evidence_Extractor%29_tool_and_documentation%2C_Sep_2009

October 22, 2009

Inside Security News
insecnews
is about »
» e-Crime Wales Summit 2009

The e-Crime Wales 2009 Summithttp://www.ecrimewales.com/ held at Llandudno, Wales is over and a number of great speakers attended. Our own Prof. Andrew Blyth presented our findings on the installation of 15 IDS sensors in Welsh SME's around Wales. Hopefully the attendees (business owners etc) would have come into contact with a number of security professionals and brought upto date on how to protect their businesses or at least where to go from here.

The few that I did see at least, from the live feed, all pointed out the need to be aware of the security implications of using online resources and complacency should not an option, even though most people choose it. There is always one question that that needs to be answered before deciding to got (or watch the live feed) one of these events, 'What information will I walk away with?' . I think that it is a great opportunity to be exposed to the horror stories that the speakers have to offer through their experience and you can always pickup and relate to them at some point or hope not to.

Check out the twitter feed here [http://twitter.com/ecrimewales] with some questions and answers and a general overview of the speakers key points.

A picture of Prof. Andrew Blyth, Ed Gibson & Chris Corcoran http://bit.ly/3drSUL

A great service provided by SpamHaus are the advisory lists they provide (i.e., Spamhaus Block List, Exploits Block List and Policy Block List ). Check them out at http://www.spamhaus.org/.

e-Crime Wales also have a blog at http://ecrimewales.posterous.com/

Update (@11:20): We got a mention in the Welsh Daily Post: "E-crime costs Welsh companies hundreds of millions of pounds annually" - Oct 22 2009 - Daily Post - http://www.dailypost.co.uk/business-news/business-news/2009/10/22/e-crime-costs-welsh-companies-hundreds-of-millions-of-pounds-annually-55578-24989506/

October 20, 2009

Inside Security News
insecnews
is about »
» AccessData Corp Youtube Channel

It seems that towards the end of the summer AccessData Training Team has started to post videos of how to do certain things with FTK 3 on youtube ( http://www.youtube.com/profile?user=AccessDataCorp#g/u ).

Of interest :

FTK 3 Computer Forensics: Mac Analysis : http://www.youtube.com/watch?v=P2DCxtMqQyw
Showing you the developments in support of the Mac OS X files and HFS+ format and extended attributes (very useful!!! check http://www.youtube.com/watch?v=P2DCxtMqQyw#t=4m23s). It also demonstrates where to find the Mac user's password shadow file and password has and then use PRTK to attack the hash value. EXIF data for photos, etc are supported now too.

FTK 3 Computer Forensics: Field Mode : http://www.youtube.com/watch?v=mSHsn22YxeY&feature;=channel
Demonstrating on the fly analysis without doing the initial lengthly analysis, at least when not needed.

Links used:

AccessData youtube channel - http://www.youtube.com/profile?user=AccessDataCorp#g/u

FTK 3 Computer Forensics: Mac Analysis - http://www.youtube.com/watch?v=P2DCxtMqQyw

FTK 3 Computer Forensics: Field Mode - http://www.youtube.com/watch?v=mSHsn22YxeY&feature;=channel

FTK 3 Computer Forensics: Mac Analysis: Attributes B-tree @ 4m23s - http://www.youtube.com/watch?v=P2DCxtMqQyw#t=4m23s

September 9, 2009

Inside Security News
insecnews
is about »
» Blue Screen your shinny Windows Vista/7 box

An exploit is making the rounds that affects Windows Vista and 7 which have SMB (i.e., SAMBA or file sharing) enabled. The researcher, after a small change in the SMB Header has managed to crash the SRV2.SYS DLL which fails to handle malformed SMB headers[1].

"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"

Solution:
As of now: Funny enough disable file sharing if and when not needed, or implement a rule to block SMB ports.

Links Used:
[1] - Full Disclosure: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. - http://seclists.org/fulldisclosure/2009/Sep/0039.html

August 12, 2009

Inside Security News
insecnews
is about »
» MD5 hashing algorithm is dead, get over it!

I had a funny argument with a friend the other day about the MD5 hashing algorithm. The argument was that it had been heard that MD5 is not vulnerable to collisions. Anyone having doubts can see the great examples provided by x-ways.net (creators of WinHex) and the relevant paper.
In case the site goes dead here is an example they have:
Input vector 1:

d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 b4 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 a8 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 2b 6f f7 2a 70

Input vector 2:

d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 34 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 28 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 ab 6f f7 2a 70
Identical MD5 value, verified with WinHex: 79054025255fb1a26e4bc422aef54eb4

If you were to put theses two hex values into a file (with a Hex Editor) and then through a MD5 hashing function and a SHA-1 hashing function you can see that MD5 produces the same result were as SHA-1 produces a different one. What is interesting is the amount of changes made. Very few. Is it doctored? I think not! Game over! ...sorry if I am re-iterating an old issue, but like the media many time people need to hear about certain issues. Especially digital forensic analysts who rely upon these values for integrity and in their comparison functions.

MD5 hashing algorithm is dead, get over it! Long live the next one!! ...or as long as you can that is!
Links Used:
[1] MD5 Collision - http://www.x-ways.net/md5collision.html

May 7, 2009

Inside Security News
insecnews
is about »
» Disk Study 2008-2009

We do the disk study every year and really look forward to what might pop up. It is a bit like the feeling you get when unwrapping gifts at a birthday or Christmas. This year[1-7] we had some very interesting drives come our way. As Prof. Andrew Blyth said “While it's not getting worse, its not getting any better either” which is really worrying.

Let me take this opportunity to mention also that we use AccessData as our analysis tool and that the drives provided were all randomly and blindly delivered to us.

We had two drives containing data from the Scottish NHS hospital with confidential patient data and a disk from the German embassy in Paris (France) containing interesting security logs.

The case that has made the headlines is that of a drive found in America by the partnering University (Longwood University) contained test launch procedures etc. I also think that the drive involving a US-based consultant, formerly with a US-based weapons manufacture, that revealed account numbers and details of proposals and $50bn in currency exchange was as equally interesting.

Update:
Details from the following companies are included in [5], they are Laura Ashley, Lanarkshire NHS, Ford Motor Company, Swindon Council and Nokia.
Updated content and links at 16:32

Full coverage can be found at:

[1] http://news.bbc.co.uk/1/hi/wales/8036324.stm

[2] http://www.theregister.co.uk/2009/05/07/data_destruction_survey/

[3] http://www.telegraph.co.uk/news/worldnews/northamerica/usa/5289638/Sensitive-US-missile-defence-data-found-on-computer-disk-bought-on-eBay.html

[4] http://www.dailymail.co.uk/news/article-1178239/Computer-hard-drive-sold-eBay-details-secret-U-S-missile-defence-system.html

[5] http://www.channel4.com/news/articles/science_technology/sensitive+data+on+ebay+computers/3129857

[6] http://www.guardian.co.uk/technology/2009/may/07/data-loss-hard-drives

[7] http://www.guardian.co.uk/technology/2009/may/06/data-loss-lockheed-missile-defence

May 5, 2009

Inside Security News
insecnews
is about »
» Infosec 2009

Infosec 2009 has come and gone. We met and networked with a lot of people and explained to many our research and projects. I can say it was a lot of fun overall. Certainly standing and talking to people all day can be very tiring. Especially over a period of three days. Don't forget the unpacking and packing! Finally we have some pictures to show.


We have Huw Read and Gareth Davies at stand K47 getting ready to welcome the visitors and any inquisitive minds.



Prof. Andrew Blyth at the stand making sure that all lollies and apples are in order for handing out with a complimentary pen.



Iain Sutherland and Huw Read were at hand for any further questions.



The Information Security Research Group in a group photo with Phil Zimmerman at Infosec 2009.



Exactly opposite from our stand was GData who had a "Back to the Future" like DeLorean on show.