Thursday, July 04, 2002

Please sir, can we have the summit security papers back?
“THERE are some people here to see you, sir,” the Canadian official said.
Outside the press building at the G8 summit yesterday stood a secret service special agent, a Mountie, and an off-duty Canadian policeman in T-shirt and shorts. All looked rather sheepish.
Could I give them back a secret 134-page document detailing security at the G8 summit, they asked? I had found the document, marked “confidential”, on a boulder in a busy picnic area close to the summit headquarters the previous day. Had it fallen into other hands the safety of Tony Blair, George Bush and other world leaders could have been jeopardised.
It lay open at a page detailing the security protocols for the arrival of each of the world leaders at Calgary airport on Tuesday night.
It showed the seating plans inside Tony Blair’s helicopter, including the locations of security guards and Alastair Campbell, his communications chief. It also contained secret phone numbers of each leader’s Canadian liaison officers, who were responsible for organising the arrival and departure of each President and Prime Minister.
It contained diagrams of the meeting rooms where the leaders held their working groups, lunches and dinners. The room plans showed where each leader sat and where windows were positioned, to help security guards to protect the G8 leaders against the threat of sniper fire and other attacks from outside.
Dozens more pages gave a minute-by-minute account of each leader
I Told You So
Let's concentrate on the Microsoft story. Last August, I wrote of a rumor that Microsoft wanted to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft -- that it would tout as being more secure. Actually, the new protocol would likely be TCP/IP with some of the reserved fields used as pointers to proprietary extensions, quite similar to Vines IP, if you remember that product from Banyan Systems. I called it TCP/MS in the column. How do you push for the acceptance of such a protocol? First, make the old one unworkable by placing millions of exploitable TCP/IP stacks out on the Net, ready-to-use by any teenage sociopath. When the Net slows or crashes, the blame would not be assigned to Microsoft. Then ship the new protocol with every new copy of Windows, and install it with every Windows Update over the Internet. Zero to 100 million copies could happen in less than a year.

This week, Microsoft announced Palladium through an exclusive story in Newsweek written by Steven Levy, who ought to have known better. Palladium is the code name for a Microsoft project to make all Internet communication safer by essentially pasting a digital certificate on every application, message, byte, and machine on the Net, then encrypting the data EVEN INSIDE YOUR COMPUTER PROCESSOR. Palladium compatible hardware (presumably chipsets and motherboards) will come from both AMD and Intel, and the software will, of course, come from Microsoft. That software is w
A look at six popular personal firewall products for Windows machines
All you want to do is use your computer to do your job, play games, learn, buy, and surf the Web. You don’t want to worry about malicious intruders, port scans, Trojan horses, worms, and all the other mischievous stuff that hunts your computer. You shouldn’t have to worry, but you must; thousands of malicious programs exist solely to break into your PC. That’s where personal firewalls come in. Personal firewalls are software programs you install on the PCs they protect. More expensive hardware-based and corporate firewalls protect entire networks, cost more than personal firewalls, and usually aren’t as user-friendly. Personal firewalls are designed to keep the bad guys and programs out of your PC. The best-of-breed will keep malicious intruders outside your PC, turn away their unwanted probes, and prevent bad programs that have already staked a claim on your PC from doing further damage.
Guard Your Data with Kerberos
All security operations in SQL Server depend on the twin processes of authentication and authorization. If the server doesn't have total confidence in the user's identity and, thus, can't be sure of the permissions a user has, all attempts to control access to data fail. Microsoft has long preferred Windows NT authenticated logins over SQL Server authenticated logins because Windows has more effective mechanisms for verifying users' identities than just comparing an account and password combination. Kerberos authentication, the default authentication protocol in Windows 2000, improves on NT's authentication protocol in several ways and offers identification of both the client and the server. Let's look briefly at how Kerberos works, then examine how you can use its features to guard the data on your SQL Server 2000 servers. Note that you have to be running SQL Server 2000 on Win2K to use Kerberos; I cover the requirements in detail later.
Microsoft's Secret Plan to Secure the PC
You've heard of Trustworthy Computing, and the massive corporate remodeling going on at Microsoft where every developer, product manager, and executive assistant has been asked to rethink everything they do in the context of security. Well, that's just the tip of the iceberg. Secretly, the company has been working on a plan to rearchitect the PC from the ground up, to address the security, privacy, and intellectual property theft issues that dog the industry today. Inexplicably, the company pulled an Apple and chose to detail its plans solely to Newsweek, so we only have that one report to work from. But if Newsweek's take on the plan is correct, and consumers and businesses buy into the new devices that would result, the PC landscape will soon change forever.

The plan is code-named Palladium, a reference to a statue of the Greek goddess Athena that once guarded ancient Troy from attack. Palladium involves a number of hardware and software solutions that will, in part, be implemented as part of a future Windows version--possibly Longhorn, due in 2004--that requires specific hardware to work. "This isn't just about solving problems, but expanding new realms of possibilities in the way people live and work with computers," says product manager Mario Juarez.
cqure.net/The SMBProxy Tool
Got SAM? Don't want to spend more time cracking it?

SMBProxy is a "Passing The Hash" tool that works as a proxy. It makes it possible to authenticate to a Windows NT4/2000 server by only knowing the md4 hash. It also makes it possible to mount shares, access the registry and anything else you could do with that particular user's privileges. The theory behind this is pretty old, and I don't take any credit for it. The tools for doing this, though, have been quite limited. That's why I decided to release this proxy, to really demonstrate the magic of "Passing The Hash".

It successfully intercepts communication with Windows NT 4.0 and Windows 2000. It looks for the username trying to connect and does a lookup in the pwdump file for the user's hash. Currently it only intercepts the NTLM hash. It's still in early development stages but seems to work well enough to release.

Wednesday, July 03, 2002

Technology Secrets of Cocaine Inc.
Colombian cartels have spent billions of dollars to build one of the world's most sophisticated IT infrastructures. It's helping them smuggle more dope than ever before.

On a rainy night eight years ago in the Colombian city of Cali, crack counter-narcotics troops swarmed over the first floor of a low-rise condominium complex in an upscale neighborhood. They found no drugs or guns. But what they did find sent shudders through law enforcement and intelligence circles around the world.

The building was owned by a front man for Cali cocaine cartel leader José Santacruz Londono. Inside was a computer center, manned in shifts around the clock by four to six technicians. The central feature of the facility was a $1.5 million IBM AS/400 mainframe, the kind once used by banks, networked with half a dozen terminals and monitors.

According to former and current DEA, military, and State Department officials, the cartel had assembled a database that contained both the office and residential telephone numbers of U.S. diplomats and agents based in Colombia, along with the entire call log for the phone company in Cali, which was leaked by employees of the utility. The mainframe was loaded with custom-written data-mining software. It cross-referenced the Cali phone exchange's traffic with the phone numbers of American personnel and Colombian intelligence and law enforcement officials. The computer was essentially conducting a perpetual internal mole-hunt of the cartel's organizational chart. "They could correlate phone numbers, personalities, locations -- any way you want to cut it," says the former director of a law enforcement agency. "Santacruz could see if any of his lieutenants were spilling the beans."
Simple encipherment techniques
This is the first article in what is planned to be a three article series on the subject of cryptography.
Overview of the dangers of buggy code and resulting security issues.
Since the beginning of programming there have been errors, failures, and outright blunders that have occurred due to a lack of proper coding.

Faulty and unreliable code is a danger in general. Just about every organization and corporation that deals with programming of software, or hardware, has experienced it to a degree, some to a far greater degree than others.

The fact is that faulty code is dangerous not only to security, but to people. NASA as well as the European Space Agency have had problems with launching rockets (some to the point of harming crew members) due to faulty and improperly finished code, as well as a lack of proper implementation (another issue, but not the topic of this article).

Microsoft has been dealing with unreliable code for years (and not just its own, mind you), as have most commercial companies. It is a serious but, unfortunately, fairly lightly addressed issue.

Now, this article will focus on the dangers of faulty, unreliable, and even partially unfinished code to security, as well as malicious code, such as that used in buffer overflow attacks, that could take advantage of it.

Tuesday, July 02, 2002

New IE spy progie exploits DCOM
A group of Japanese security enthusiasts has developed a little tool called IE'en which exposes traffic between an IE user and any server he's contacting, including logins and passwords over HTTPS.
What's interesting here is the ability to capture packets between the client and server by exploiting DCOM (Distributed Component Object Model), a Microsoft program interface allowing the mediation and exchange of program and data objects over a network, similar to CORBA.

Monday, July 01, 2002

www.forensic-computing.co.uk
This web site is owned by a forensic computing professional, who wanted a UK resource to be available to colleagues. This is not a commercial site, nor is it associated with any particular agency or organisation; government or otherwise. The site will not endorse any particular commercial services or products, and has nothing to sell.

We hope to provide the forensic computing community with links to resources and promote good practice in all that we do.
Technology Pathways LLC
Technology Pathways, LLC is a leading developer of computer forensics software and solutions. We are committed to providing our customers with the best quality products and services available.
ProDiscover™ DFT is our flagship product allowing computer forensics investigators to streamline evidence acquisition, analysis and reporting.
The Open Web Application Security Project
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge-based documentation that help people secure web applications and web services.
Proxy Tunneling Engine Class for C++
Tunneling through proxy servers (also known as 'proxy chaining') is an old technique, but an effective way to make yourself hard to trace. Even if you tunnel only 5 proxies deep, it would be a hell of a job to find out the attacker's real IP.
I'm not going to explain how this technique works because there are enough docs about this on the Net.
One of the reasons is that most proxy servers are misconfigured, so they don't even log your request.
The class code below allows you to expand your private tools or other code projects to support proxy tunneling by simply setting some parameters, like the path to your proxy file.
Seven Common SSL Pitfalls
SSL is an excellent protocol. Like many tools, it is effective if you know how to use it well, but it is also easy to misuse. If you are deploying SSL, there are many pitfalls to be aware of, but with a little work, most can be avoided. In this article, we discuss the seven most common pitfalls when deploying SSL-enabled applications with OpenSSL.
FallenCrew E-mail Tracking
The main purpose of this service is to allow tracking of the emails you send from our online mailing service. Tracking in this sense means knowing if and when the recipient read your email and how many times it was opened.