Friday, June 13, 2003

The Enemy Within: Firewalls and Backdoors
As a modern IT professional you've done all the right things to keep the "bad guys" out: you protected your network with firewalls and/or proxies, deployed anti-virus software across all platforms, and secured your mobile workstations with personal firewalls. You may even be in the process of designing and deploying an enterprise-wide network and host intrusion detection framework to help keep an even closer eye on what's going on. Even with all this, are you really safe? Can your multiple lines of defense truly protect your network from modern methods of intrusion?
This article presents an overview of modern backdoor techniques, discusses how they can be used to bypass the security infrastructure that exists in most network deployments and issues a wake-up call for those relying on current technologies to safeguard their systems/networks.

Monday, June 09, 2003

RedFang
Redfang is a small proof-of-concept application that finds non-discoverable Bluetooth devices by brute-forcing the last six hex digits (the low three bytes) of the device's 48-bit Bluetooth address and calling read_remote_name() on each candidate: a device in non-discoverable mode ignores inquiry scans but still answers a name request addressed directly to it.

Thursday, June 05, 2003

How To Use SpamAssassin on Win32
SpamAssassin is a wonderful open source product that performs heuristic spam analysis and RBL lookups, among other tests, to allow you to block most spam mail.
In its default form, it is designed and written for Unix platforms. This document provides information on how to get SpamAssassin working on Win32.
NTIDA
NTIDA (NT Intrusion Detection Audit) is a scripted framework, dependent on third-party freeware utilities, intended to help administrators easily audit their critical NT/2K systems.

Wednesday, June 04, 2003

Windows NT/2000/XP Hardening
This paper is a brief security note to advise users of Windows NT, 2000 and XP workstations on how to apply patches and configure their systems to better protect them from compromise. This is emphatically not a comprehensive guide to Windows security but it is a first step in that direction.

Tuesday, June 03, 2003

Open Source Computer Forensics Manual
An open-source manual for computer forensics covering methodology, process and delving into technical standard operating procedures.
Easy Encryption
Fred Langa looks at the universe of products that help you protect sensitive files and data from prying eyes and hackers.
Argus
Welcome to the Argus Open Project, home of Argus, the network Audit Record Generation and Utilization System. The Argus Open Project is focused on developing network activity audit strategies that can do real work for the network architect, administrator and network user.

Monday, June 02, 2003

Cisco Discovery Protocol
cdpr is used to decode a Cisco Discovery Protocol (CDP) packet; by default it reports the device ID, the IP address of the device, and the port that the machine is connected to. Optionally it will decode the entire CDP packet.
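As an added example (not cdpr's code), here is a small CDP builder and decoder in Python. It works on the CDP payload that follows the LLC/SNAP header (version, TTL, checksum, then TLVs) and pulls out the same fields cdpr reports by default plus platform and capabilities. The switch name, port, address and platform string are constructed sample values; the odd-length checksum quirk of real CDP is deliberately rejected rather than guessed at.

```python
import socket
import struct

# Well-known CDP TLV type codes.
CDP_DEVICE_ID = 0x0001
CDP_ADDRESSES = 0x0002
CDP_PORT_ID = 0x0003
CDP_CAPABILITIES = 0x0004
CDP_PLATFORM = 0x0006


def cdp_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the CDP payload (even length only).
    Real CDP has a quirk for odd-length payloads; this example neither builds
    nor accepts those, so that case is refused instead of guessed."""
    if len(data) % 2:
        raise ValueError("odd-length payload: checksum quirk not handled here")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV = 2-byte type, 2-byte length (which includes this 4-byte header), value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(device_id: str, port_id: str, ip: str, platform: str,
              caps: int, ttl: int = 180) -> bytes:
    """Construct a CDPv2 payload as a switch would send it (sample data only)."""
    # Address TLV: count, then per address: proto type 1 (NLPID), proto length 1,
    # protocol 0xCC (IP), address length 4, then the IPv4 address itself.
    addr = struct.pack("!I", 1) + struct.pack("!BBBH", 1, 1, 0xCC, 4) + socket.inet_aton(ip)
    body = (tlv(CDP_DEVICE_ID, device_id.encode())
            + tlv(CDP_ADDRESSES, addr)
            + tlv(CDP_PORT_ID, port_id.encode())
            + tlv(CDP_CAPABILITIES, struct.pack("!I", caps))
            + tlv(CDP_PLATFORM, platform.encode()))
    header = struct.pack("!BBH", 2, ttl, 0)          # version 2, TTL, checksum placeholder
    return struct.pack("!BBH", 2, ttl, cdp_checksum(header + body)) + body


def parse_addresses(value: bytes) -> list:
    (count,) = struct.unpack("!I", value[:4])
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = struct.unpack("!BB", value[off:off + 2]); off += 2
        proto = value[off:off + plen]; off += plen
        (alen,) = struct.unpack("!H", value[off:off + 2]); off += 2
        raw = value[off:off + alen]; off += alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(socket.inet_ntoa(raw))
        else:
            addrs.append(raw.hex())                 # non-IPv4: report the raw bytes
    return addrs


def parse_cdp(pkt: bytes) -> dict:
    """Decode the fields cdpr reports (device ID, address, port ID) plus a few more."""
    version, ttl, _csum = struct.unpack("!BBH", pkt[:4])
    if version not in (1, 2):
        raise ValueError("not a CDP payload")
    if len(pkt) % 2 == 0 and cdp_checksum(pkt) != 0:
        raise ValueError("bad CDP checksum")
    info = {"version": version, "ttl": ttl, "addresses": []}
    off = 4
    while off + 4 <= len(pkt):
        tlv_type, length = struct.unpack("!HH", pkt[off:off + 4])
        # Never trust a length from the wire: it must cover its own header and fit the packet.
        if length < 4 or off + length > len(pkt):
            raise ValueError("malformed TLV at offset %d" % off)
        value = pkt[off + 4:off + length]
        if tlv_type == CDP_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_CAPABILITIES and len(value) == 4:
            info["capabilities"] = struct.unpack("!I", value)[0]
        elif tlv_type == CDP_ADDRESSES:
            info["addresses"] = parse_addresses(value)
        off += length
    return info


if __name__ == "__main__":
    sample = build_cdp("sw-core-01", "FastEthernet0/24", "10.0.0.1", "cisco WS-C3550-48", 0x28)
    print(parse_cdp(sample))
```

The decoder is also a reminder of why CDP matters to an attacker: everything it prints (device name, management address, platform, the exact port you are plugged into) is handed to anyone on the segment, so CDP belongs off on ports that face untrusted hosts.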

Friday, May 30, 2003

ODESSA
What is odessa? It's an acronym for "Open Digital Evidence Search and Seizure Architecture"
The intent of this project is to provide a completely open and extensible suite of tools for performing digital evidence analysis as well as a means of generating a usable report detailing the analysis and any findings. The odessa tool suite currently represents more than 7 man years of labor, and consists of 3 highly modular cross-platform tools for the acquisition, analysis, and documentation of digital evidence.

Tuesday, May 27, 2003

Conducting a Security Audit: An Introductory Overview
The word "audit" can send shivers down the spine of the most battle-hardened executive. It means that an outside organization is going to conduct a formal written examination of one or more crucial components of the organization. Financial audits are the most common examinations a business manager encounters. This is a familiar area for most executives: they know that financial auditors are going to examine the financial records and how those records are used. They may even be familiar with physical security audits. However, they are unlikely to be acquainted with information security audits; that is, an audit of how the confidentiality, availability and integrity of an organization's information is assured. They should be. An information security audit is one of the best ways to determine the security of an organization's information without incurring the cost and other associated damages of a security incident.
ISECOM - Institute for Security and Open Methodologies
Security Testing
  OSSTMM - Open Source Security Testing Methodology Manual
  OSSTMM Shortcuts
  Internal Security Testing
  BSTA Workbook - Business Security Testing and Analysis Workbook
Application Security
  SPSMM - Secure Programming Standards Methodology Manual
Theses
Security Tools
  Operational Tools
  Development
  Open Protocol Resource
Security Training
  JACK - Jack of all Trades Security Testing Training Supplement
  OPST - OSSTMM Professional Security Tester Certification
  OPSA - OSSTMM Professional Security Analyst Certification
  OPSS - OSSTMM Professional Security Series
  Hacker High School
Incident Handling
  SIPES - Security Incident Policy Enforcement System
Business Integrity Testing
Software Quality Testing
  STICK - Software Testing Checklist

Thursday, May 22, 2003

Passive Network Traffic Analysis
Network IDS devices use passive network monitoring extensively to detect possible threats. Through passive monitoring, a security admin can gain a thorough understanding of the network's topology: what services are available, what operating systems are in use, and what vulnerabilities may be exposed on the network. Much of this data can be gathered in an automated, non-intrusive manner through the use of standard tools, which will be discussed later in this article. While the concepts presented here are not difficult to understand, the reader should have at least an intermediate understanding of IP and a base-level familiarity with the operation of network sniffers.
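An added example of the passive technique the article describes (not code from the article or from p0f): pull the fingerprintable fields out of a raw IPv4+TCP SYN (initial TTL guess and hop count, DF bit, window size, MSS and option order) and match them against a tiny signature table. The signature table and the sample SYN are constructed for illustration and loosely modelled on well-known defaults of the period; a real tool carries hundreds of signatures.

```python
import struct

# TCP option kinds we name; anything else is reported by number.
TCP_OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackok", 8: "ts"}

# Constructed, illustrative signatures keyed by (initial TTL, window, option order).
SIGNATURES = {
    (64, 5840, ("mss", "sackok", "ts", "nop", "wscale")): "Linux 2.4 (illustrative sig)",
    (128, 16384, ("mss", "nop", "nop", "sackok")): "Windows 2000 (illustrative sig)",
    (128, 65535, ("mss", "nop", "nop", "sackok")): "Windows XP (illustrative sig)",
}


def initial_ttl(observed: int) -> int:
    """Guess the TTL the sender started with (common defaults: 32, 64, 128, 255)."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def parse_tcp_options(raw: bytes) -> tuple:
    names, mss, i = [], None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                   # end of option list
            names.append("eol")
            break
        if kind == 1:                                   # NOP carries no length byte
            names.append("nop")
            i += 1
            continue
        # Bounds-check the wire-supplied length before trusting it.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        if kind == 2 and length == 4:
            (mss,) = struct.unpack("!H", raw[i + 2:i + 4])
        names.append(TCP_OPT_NAMES.get(kind, str(kind)))
        i += length
    return tuple(names), mss


def fingerprint_syn(packet: bytes) -> dict:
    """Extract passive-fingerprint fields from a raw IPv4+TCP SYN (no payload needed)."""
    ihl = (packet[0] & 0x0F) * 4
    if (packet[0] >> 4) != 4 or ihl < 20:
        raise ValueError("not IPv4")
    flags_frag, ttl, proto = struct.unpack("!HBB", packet[6:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:                        # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    (window,) = struct.unpack("!H", tcp[14:16])
    opts, mss = parse_tcp_options(tcp[20:data_off])
    init = initial_ttl(ttl)
    fp = {"ttl": ttl, "initial_ttl": init, "hops": init - ttl,
          "df": bool(flags_frag & 0x4000), "window": window, "mss": mss, "options": opts}
    fp["guess"] = SIGNATURES.get((init, window, opts), "unknown")
    return fp


def build_sample_syn() -> bytes:
    """Constructed sample: a Linux-2.4-style SYN that has crossed 12 routers."""
    options = (b"\x02\x04\x05\xb4"                       # MSS 1460
               b"\x04\x02"                               # SACK permitted
               b"\x08\x0a" + b"\x00\x01\x02\x03" + b"\x00" * 4   # timestamps
               + b"\x01"                                 # NOP
               + b"\x03\x03\x00")                        # window scale 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0x11223344, 0,
                      (5 + len(options) // 4) << 4, 0x02, 5840, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     52, 6, 0, bytes([10, 1, 2, 3]), bytes([10, 9, 9, 9]))
    return ip + tcp


if __name__ == "__main__":
    print(fingerprint_syn(build_sample_syn()))
```

The hop count is the part worth noticing from a detection standpoint: a SYN claiming to come from the local subnet but arriving with a TTL that implies a dozen hops is either spoofed or tunnelled, and that check costs nothing because the packet was already captured.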

Tuesday, May 20, 2003

Securing Apache: Step-by-Step
This article shows in a step-by-step fashion, how to install and configure the Apache 1.3.x Web server in order to mitigate or avoid successful break-in when new vulnerabilities in this software are found.

Friday, May 16, 2003

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary & Brute-Force attacks, decoding scrambled passwords, revealing password boxes and analyzing routing protocols.

IRS scans for IP restrictions set for a particular service on a Host. It combines "ARP Poisoning" and 'Half-Scan' techniques and tries totally spoofed TCP connections to the selected port of the Target. IRS is not a port Scanner but a 'valid source IP address' Scanner for a given service.

sTerm is a Telnet client with a unique feature. It can establish an entire bi-directional Telnet session to a target host without ever sending your real IP and MAC addresses in any packet. By using "ARP Poisoning", "MAC Spoofing" and "IP Spoofing" techniques, sTerm can effectively bypass ACLs, firewall rules and IP restrictions on servers and network devices; the connection is made impersonating a trusted host.

cPfPc (Cisco PIX Firewall Password Calculator) produces the encrypted form of Cisco PIX enable mode passwords without the need to access the device.

ArpWorks is a utility for sending customized 'ARP announce' packets over the network. All ARP parameters, including the Ethernet source MAC address (the physical address of your network card), can be changed as you like. Other features are: IP to MAC resolver, subnet MAC discovery, host isolation, packet redirection, general IP conflict.
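The ARP tricks that IRS, sTerm and ArpWorks rely on all leave the same marks on the wire, so here is an added example (not code from any of those tools) that builds ARP frames with independently chosen Ethernet source and ARP sender fields, then runs a small watcher over them that flags the three things poisoning produces: an IP whose MAC changes, a frame whose Ethernet source does not match its ARP sender, and gratuitous ARP. The MACs, addresses and traffic sequence are constructed.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None, eth_dst=BROADCAST):
    """Ethernet II + ARP. The frame's source MAC and the ARP sender MAC are set
    independently, which is exactly the freedom a packet crafter exposes."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet, IPv4, hlen 6, plen 4
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP variant")
    return {"eth_src": mac_str(frame[6:12]), "op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatch:
    """Learn IP->MAC bindings and flag what ARP poisoning looks like on the wire."""

    def __init__(self):
        self.table, self.alerts = {}, []

    def observe(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a["eth_src"] != a["sender_mac"]:
            self.alerts.append("frame src %s != ARP sender %s" % (a["eth_src"], a["sender_mac"]))
        if a["sender_ip"] == a["target_ip"]:
            self.alerts.append("gratuitous ARP for %s from %s" % (a["sender_ip"], a["sender_mac"]))
        known = self.table.get(a["sender_ip"])
        if known is not None and known != a["sender_mac"]:
            self.alerts.append("%s changed %s -> %s" % (a["sender_ip"], known, a["sender_mac"]))
        self.table[a["sender_ip"]] = a["sender_mac"]


def run_sample() -> list:
    """Constructed traffic: the gateway 10.0.0.1 answers a victim normally, then an attacker
    claims the gateway's IP, then repeats the claim with a forged Ethernet source."""
    victim, gateway, attacker = "00:50:56:aa:bb:cc", "00:0c:29:11:22:33", "de:ad:be:ef:00:01"
    w = ArpWatch()
    w.observe(build_arp(ARP_REPLY, gateway, "10.0.0.1", victim, "10.0.0.50", eth_dst=victim))
    w.observe(build_arp(ARP_REPLY, attacker, "10.0.0.1", victim, "10.0.0.50", eth_dst=victim))
    w.observe(build_arp(ARP_REPLY, attacker, "10.0.0.1", victim, "10.0.0.50",
                        eth_src=gateway, eth_dst=victim))
    return w.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Two caveats a practitioner will hit immediately: gratuitous ARP is also what a freshly booted host or a failover pair sends, so that alert is informational on its own; and a binding change is only diagnostic if the watcher has a trustworthy first sighting, which is why tools of this kind are usually seeded from a static list of gateways and servers rather than learned cold.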

Saturday, May 10, 2003

Top 75 Network Security Tools
In May of 2003, I conducted a survey of Nmap users from the nmap-hackers mailing list to determine their favorite security tools. Each respondent could list up to 8. This was a followup to the highly successful June 2000 Top 50 list. An astounding 1854 people responded in '03, and their recommendations were so impressive that I have expanded the list to 75 tools! Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also plan to point newbies to this page whenever they write me saying "I do not know where to start".

Wednesday, May 07, 2003

Wellenreiter v1.8 - scanning for dummies
Perl Wellenreiter-1.8 has been released right now. Get it at our download section. Wellenreiter is the first and only Linux wireless scanner that does not need configuration by the user. It detects its environment automatically. As long as the needed modules and drivers are present, Wellenreiter finds its settings. As I said in the topic, scanning for dummies.
Practical examples for establishing Web service security in .NET
Instead of abstract theories, here are some examples to provide an easy and quick way to accomplish a rather complex task
Because security is one of the most fundamental aspects in the development and deployment of a Web service, there are a myriad of articles, documentation, and samples of how to make it secure. Yet the majority of this information is conveyed as abstract theory, as opposed to practical, real-world implementation.
Here, I'll share some practical examples on Web service security in .NET, not just abstract theories. These examples provide an easy and fast way to accomplish a rather complex task.
Let's explore programmatic Web service security using Visual Studio .NET to implement a custom, stateful SOAP Header to authenticate a consumer before allowing a method to execute. I will also show you how to remove public access to your Web service, how to prevent anonymous users from obtaining your WSDL file, and how to implement your Web service in an unauthorised manner. I will then explain how you can wrap your entire Web service implementation in a highly secure, encrypted format.

Tuesday, May 06, 2003

MUSC Computer Use Policy
The University recognizes its legal and social obligations to respect the privacy of the authorized users of its computing and network resources. However, users must recognize that the confidentiality of their electronic communications cannot be guaranteed by the University. Moreover, the University reserves the right to audit or monitor any uses of its computing and network resources when necessary to ensure compliance with University policy, and with federal, state and local law.
The University network provides its authorized users with access to many classes of privileged information. Users must maintain the confidentiality and integrity of the information they access, and must not use privileged information for any purpose not explicitly authorized.
The University's computing and network resources exist to support the University's missions of teaching, research, patient care and public service. Incidental personal use of these resources by authorized users is permitted only to the extent that such use is lawful and ethical, does not conflict with the University's missions, does not interfere with other authorized users, and does not cause additional expense to the University.
Scapy
Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery, packet sniffer, etc. It can for the moment replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f
Projects of Syn Ack Labs
stegtunnel hides data in the IPID and initial sequence numbers of TCP connections.
lsrtunnel will spoof connections to a host that reverses source routed packets as an arbitrary IP address.
lsrscan is a tool to determine what remote hosts do with loose source routed IP datagrams.
crypt-ml attempts to extend OpenPGP encryption to mailing lists.
is a Linux-based stealthy LKM detector, useful for honeypots and the like.
Crypto crackers
Links to several crypto crackers.

Tuesday, April 29, 2003

The NoCat Community Wireless Network Project
Connect to the network using DHCP, bring up a web browser and type in any URL: you get an authentication screen. Authenticate first, then you can use the network.

Saturday, April 26, 2003

OpenBSD IPsec clients
This page is for people who want to use IPsec clients with OpenBSD as an IPsec gateway.

Thursday, April 24, 2003

A technique for counting NATted hosts
A PDF file.
Detecting NAT Devices using sFlow
Unauthorized NAT (Network Address Translation) devices can be a significant security problem. Typically the NAT device will appear to the network administrator as an end host and it will authenticate itself onto the network. However, the NAT device provides unrestricted access to any number of hosts connecting to it directly, or more troublingly via wireless (Wi-Fi 802.11). Wi-Fi is a particular problem since it allows access to the network from a considerable distance, allowing unauthorized access without even entering the building.
Reliably detecting NAT devices is difficult since they are virtually indistinguishable from legitimate hosts. This paper describes how the detailed, pervasive, traffic monitoring capabilities of sFlow (RFC 3176) can be used to identify NAT devices on a network.
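The counting technique named two entries up and the detection problem described here meet in the IP ID field. An added example (my code, not the paper's or InMon's): cluster the IP ID values seen from one public address into monotonically increasing chains; each chain is one host whose stack uses a global sequential counter, so the number of chains estimates the hosts behind a NAT. The observations are constructed; the function also reports how many packets continued an existing chain, which is the check that tells you whether the estimate means anything.

```python
# Constructed observations: IP ID values seen from one public address, in arrival order.
# Three hosts with sequential 16-bit ID counters interleaved; one wraps from 65535 to 0.
SAMPLE_IPIDS = [256, 5000, 65520, 257, 5001, 65521, 259, 5003, 65523, 260, 5006, 65534,
                263, 5007, 65535, 264, 5010, 0, 2]
# A host that randomises its IP ID field looks like this instead.
RANDOM_IPIDS = [31337, 2, 50000, 12345, 777, 40000]


def count_natted_hosts(ipids, max_gap: int = 50) -> dict:
    """IP ID chaining: assign each packet to the chain whose last ID it most closely
    continues (within max_gap), else start a new chain. Chains ~= hosts."""
    chains = []            # last IP ID seen on each chain
    continued = 0
    for ipid in ipids:
        best, best_delta = None, None
        for idx, last in enumerate(chains):
            delta = (ipid - last) & 0xFFFF            # the counter wraps at 16 bits
            if 0 < delta <= max_gap and (best_delta is None or delta < best_delta):
                best, best_delta = idx, delta
        if best is None:
            chains.append(ipid)
        else:
            chains[best] = ipid
            continued += 1
    # 'continued' near zero means the IDs are not sequential and 'hosts' is meaningless.
    return {"packets": len(ipids), "hosts": len(chains), "continued": continued}


if __name__ == "__main__":
    print(count_natted_hosts(SAMPLE_IPIDS))
    print(count_natted_hosts(RANDOM_IPIDS))
```

Three limits to keep in mind: the method only sees hosts whose stack increments one global IP ID counter (randomised or per-destination IDs defeat it, and the second call above shows the tell-tale result of one chain per packet); a single busy host whose packets are reordered can split into two chains; and with sampled input such as sFlow you see only one packet in N, so max_gap has to scale with the sampling rate.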

Thursday, April 17, 2003

Cisco Support for Lawful Intercept In IP Networks
Service providers are being asked to meet lawful intercept requirements of IP networks for voice as well as data in a variety of countries worldwide. Service Provider requirements vary from country to country but some requirements remain common even though details such as delivery formats may differ. The objective of this document is to describe how a Service Provider can support lawful intercept with a general solution that has a minimum set of common interfaces. This document does not deal with legal requirements or obligations.

Tuesday, April 15, 2003

PKI... Why Go Through the Hassle?
As e-mail increasingly replaces letters and faxes (including to governmental bodies) and as commercial transactions on the web become more and more important to organisations, the need for secure communications grows with them, especially as spoofing attacks, interception of transmissions and other hacking methods become more widespread and more "intelligent" every day. So, if the web is to achieve its true (commercial) potential, the right technological infrastructure must be in place. Public Key Infrastructure (PKI), built on public-key cryptography, provides that basis; digital signatures are one application of it.
Digital Forensics Lesson Learned Repository
The use of computers to store evidence by criminals has become more prevalent as our society has become increasingly computerized. It is now routine to find calendars, e-mails among co-conspirators, financial account information, detailed plans of crimes, telephone numbers and other artifacts that can be used as evidence in a criminal case stored on a hard drive, PDA or cell phone. However, every new computerized device or new software upgrade poses additional challenges to computer forensics experts who are already thinly stretched as case loads mount. There is little opportunity for innovation and research, and no slack to allow the luxury of reinventing the wheel for similar cases.

A "Lesson Learned" is defined as: "A good work practice or innovative approach that is captured and shared to promote repeat application, or an adverse work practice or experience that is captured and shared to avoid recurrence[1]." In order to facilitate sharing information on computer forensics, we are developing a web-based Lessons-Learned Repository (LLR) to facilitate both the contribution and retrieval of Lessons.

The LLR will initially be populated through contributions from a set of selected computer forensics specialists from the Law Enforcement community, the results of an analysis of the transcripts of past court cases involving electronic evidence and standardized procedures for collecting the data from a device in a legally admissible manner [2]. Once the Repository is on-line, it is anticipated additional Lessons will continue to be contributed from the global computer forensics community, as well as being augmented by manufacturers willing to post contact information for product-specific inquiries.
Warren Harrison
Warren's research interests are focused on the areas of software engineering, computer forensics and mobile wireless applications. He is currently Editor-in-Chief of IEEE Software Magazine, whose mission is "building the community of leading software practitioners." He is also past-Editor-in-Chief of Empirical Software Engineering and the Software Quality Journal.

Monday, April 14, 2003

Steganography Revealed
Over the past couple of years, steganography has been the source of a lot of discussion, particularly as it was suspected that terrorists connected with the September 11 attacks might have used it for covert communications. While no such connection has been proven, the concern points out the effectiveness of steganography as a means of obscuring data. Indeed, along with encryption, steganography is one of the fundamental ways by which data can be kept confidential. This article will offer a brief introductory discussion of steganography: what it is, how it can be used, and the true implications it can have on information security.
Webinvestigator
The Internet consists of over two billion pages of information yet many investigators make only superficial use of this amazing resource. This site is dedicated to those who have to dig deeper and use information more carefully than the general public.

Wednesday, April 02, 2003

CyberData
CyberData, LLC (formerly 20/20 Investigations, Inc.) has established itself as a leader in providing computer forensic analysis and computer crime investigation services. Our mission is to provide the highest quality of services with unequaled integrity. We serve our clients with complete honesty, outstanding customer service, and personal attention. We provide exceptional value to our clients by combining our investigative skills with our knowledge in computer forensics and computer crime investigations.

Services we provide are:
Computer Forensic Analysis
Analysis of previously analyzed reports
Analysis of computer media (hard drives, disks, CD's, flash cards, Palm Pilots, etc.)

Computer Crime Investigations
E-Mail Tracing and Internet Profiling
Intellectual Property Theft
Cyber-Stalking and Suspected Child Pornography
Online Fraud
Abuse of Computer Use Policies

Consulting
Minimizing data theft
Providing solutions to businesses
Analysis of Computer Use Policies

Password Cracking
Lost password?
Employee sabotage?

Hard Drive Wiping
Wipe the drive before you donate that old computer
New employee or re-allocating the computer to another person?
Unconditional guarantee – drives are wiped to Department of Defense standards

Data Recovery
Recover lost or missing files
Recover accidentally deleted files
Compusleuth
CompuSleuth, Inc. is comprised of a team of highly skilled forensic computer specialists. Located in Westerville, Ohio, our goal is to provide expert services to the corporate, legal and accounting communities on both a local and national level.
WarTyping.com
The first (and currently only) site on the net dedicated specifically to the art of "War Typing". WarTyping is the act of locating and intercepting the radio signals that wireless keyboards transmit over the public airwaves, by driving or walking around with the appropriate equipment.

Tuesday, April 01, 2003

ForensicsWeb
Welcome to Forensics Web! A site dedicated to technology related investigations and forensics. This site caters to law enforcement and corpsec interests with a special focus on computer related forensics and investigations. New sections, forums, and content will come online over time.

Thursday, March 20, 2003

tscrack
TScrack is a dictionary based (rather than bruteforce) password cracker for Microsoft Windows Terminal Services (RDP).
File Signature Database
This database is designed to assist examiners primarily for the process of searching unallocated space. With the ever-growing number of forensic tools being produced I have attempted to create a portable database, allowing examiners to export the data within, for the use on the majority of the leading forensic computing tools.
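To show what such a database is used for, here is an added example (not the database's own tooling) of header/footer carving over a blob of raw bytes standing in for unallocated space. The signature table holds the familiar magic numbers for four formats and is a constructed miniature of a real one; the sample image is constructed too, and includes a truncated JPEG so the edge case is visible.

```python
# Constructed signature table: (type, header, footer or None, maximum carve size).
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 16 * 1024 * 1024),
    ("zip", b"PK\x03\x04", None, None),      # ZIP ends in a central directory, not a fixed footer
]


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Header/footer carving over raw bytes (e.g. unallocated clusters); no filesystem needed."""
    hits = []
    for name, header, footer, max_size in signatures:
        start = 0
        while True:
            pos = image.find(header, start)
            if pos < 0:
                break
            end = None
            if footer is not None:
                limit = len(image) if max_size is None else min(len(image), pos + max_size)
                fpos = image.find(footer, pos + len(header), limit)
                if fpos >= 0:
                    end = fpos + len(footer)
            # end stays None for a truncated file (header, no footer) or a footer-less format.
            hits.append({"type": name, "offset": pos, "end": end,
                         "length": None if end is None else end - pos})
            start = pos + 1
    return sorted(hits, key=lambda h: h["offset"])


def sample_unallocated() -> bytes:
    """Constructed slack: zero filler, an intact JPEG stub, an intact PNG stub,
    a ZIP local file header, and a JPEG whose footer was never written."""
    filler = b"\x00" * 32
    jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    zip_local = b"PK\x03\x04" + b"\x33" * 16
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"\x44" * 10
    return filler + jpeg + filler + png + filler + zip_local + filler + truncated_jpeg


if __name__ == "__main__":
    for hit in carve(sample_unallocated()):
        print(hit)
```

The usual failure mode is the mirror image of the truncated case: a header without its footer followed by an intact file of the same type carves as one oversized object that swallows the second file, which is why every footer search is bounded by max_size and why an examiner validates carved objects by actually parsing them rather than trusting the offsets.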

Wednesday, March 19, 2003

Wireless Security & Hacking
This is the last article in the Wireless series. Just to remind you, the first article introduced the reader to the Wireless world and discussed Wireless devices and protocols. The second article went deeper into Wireless networks, provided general info on WLAN and discussed IEEE standards for them. This article deals with WLAN security, explains the most common attack techniques and introduces some useful tools.

Monday, March 17, 2003

Four basic steps can get hackers into most computers
Every breach of computer security is different, depending on the skills of the attacker and the defenses in your system. But most hackers follow the same four basic steps to perpetrate an attack — profiling, scanning, enumerating and exploiting.

Here's how each step works.
Remote timing attacks are practical
Timing attacks are usually used to attack weak computing devices such as smartcards. We show that timing attacks apply to general software systems. Specifically, we devise a timing attack against OpenSSL. Our experiments show that we can extract private keys from an OpenSSL-based web server running on a machine in the local network. Our results demonstrate that timing attacks against network servers are practical and therefore all security systems should defend against them.
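The paper's target is RSA key extraction, which is far too involved to reproduce here; what follows is an added example (my code, not the paper's) of the same principle in its simplest form. A server compares a client-supplied token one byte at a time and stops at the first mismatch, so the amount of work it does reveals how many leading bytes were right; an attacker recovers the token byte by byte from that. Time is simulated by a deterministic operation counter rather than a clock, which is the noise-free version of what the paper measures over the network, and the constant-time variant shows the fix.

```python
import hmac


class LeakyServer:
    """Checks a client-supplied token byte by byte and returns at the first mismatch.
    'cycles' counts bytes examined: a deterministic stand-in for the wall-clock time a
    remote attacker would measure (with noise) in the paper's setting."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def check(self, guess: bytes) -> tuple:
        cycles = 0
        if len(guess) != len(self._secret):
            return False, cycles
        for g, s in zip(guess, self._secret):
            cycles += 1
            if g != s:
                return False, cycles              # early exit leaks the matched prefix length
        return True, cycles


class ConstantTimeServer(LeakyServer):
    def check(self, guess: bytes) -> tuple:
        # hmac.compare_digest touches every byte whatever the inputs; the cost is a constant.
        return hmac.compare_digest(guess, self._secret), len(self._secret)


def recover_token(server, length: int) -> bytes:
    """Attack: at each position, the candidate byte that costs the most is the right one."""
    known = b""
    for pos in range(length):
        best_byte, best_cycles = 0, -1
        for candidate in range(256):
            guess = known + bytes([candidate]) + b"\x00" * (length - pos - 1)
            ok, cycles = server.check(guess)
            if ok:
                return guess
            if cycles > best_cycles:
                best_byte, best_cycles = candidate, cycles
        known += bytes([best_byte])
    return known


SECRET = b"s3cr3t-t0k3n"        # constructed sample secret


if __name__ == "__main__":
    print(recover_token(LeakyServer(SECRET), len(SECRET)))
    print(recover_token(ConstantTimeServer(SECRET), len(SECRET)))
```

Against the leaky server the attacker needs at most 256 queries per byte; against the constant-time server every candidate costs the same, the search degenerates to guessing, and the "recovered" token is garbage. Real measurements are noisier than a counter, which is why the paper repeats queries and averages, but the decision procedure is the same.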

Tuesday, March 11, 2003

Cryptographic Filesystems: Design and Implementation
As security becomes a greater focus in networks, every aspect of online information needs a level of protection from the network-level use of firewalls and IDS to the host-level use of IDS. However, an additional level of security has recently come to the forefront of security - cryptographic filesystems. While the technology for cryptographic filesystems has been available for quite a while, the deployment of cryptographic filesystems in production environments has not taken hold. This article will discuss some of the background and technology of cryptographic filesystems and will then cover some example implementations of these filesystems including Microsoft's Encrypting File System for Windows 2000, the Linux CryptoAPI, and the Secure File System.

Friday, March 07, 2003

Crypto For Newbies
Alright, I know you have read some crypto tutorial on the web before and you probably got confused at the first sight of "cipher". In this tutorial I will not describe in depth how the crypto works, but I will go over the very basics and introduce you to the different types of common encryption and encoding schemes used on the net. I will go over how to encrypt and decrypt each of them, so this tutorial should be a walk in the park. I've added a section on JTR; it is not very detailed, but neither is the rest of this tutorial. It should be enough to get you going with JTR and crack a few password files. There are a few basic encoding methods used. I say encoding because they are just other ways of presenting data; unlike encryption, they do not try to keep the message secret. Anyone can decode them without knowing a key; all they need to know is which program to use to decode it, or how to arrange the letters. Three very basic forms of encoding are uuencode (.uue), base64 (.b64) and rot13 (which doesn't have a file extension as far as I know). All of these encoding methods are really simple to understand and decode. I'll also go over XOR and DES, which are true forms of encryption.
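The encoding-versus-encryption distinction the tutorial draws is easiest to see in code, so here is an added example (mine, not the tutorial's) covering the three encodings it names and the XOR cipher. DES is omitted because Python's standard library has no DES implementation. The final function is the point: with a short repeating XOR key, a few bytes of guessable plaintext (a mail header, a file's magic number) hand the attacker the whole key. The plaintext and key are constructed.

```python
import base64
import binascii
import codecs


def rot13(text: str) -> str:
    return codecs.encode(text, "rot_13")              # its own inverse: apply twice to decode


def base64_encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def base64_decode(text: str) -> bytes:
    return base64.b64decode(text)


def uuencode(data: bytes) -> bytes:
    """Line-at-a-time uuencode (45 input bytes per line), as in a .uue file body."""
    return b"".join(binascii.b2a_uu(data[i:i + 45]) for i in range(0, len(data), 45))


def uudecode(lines: bytes) -> bytes:
    return b"".join(binascii.a2b_uu(line)
                    for line in lines.splitlines(keepends=True) if line.strip())


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Why repeating-key XOR is not real encryption: ciphertext XOR plaintext is the key,
    so key_len bytes of known plaintext at the start recover the entire key."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(ciphertext[i] ^ known_plaintext[i] for i in range(key_len))


if __name__ == "__main__":
    message = b"From: alice@example.org\nSubject: nothing to see\n"   # constructed sample
    secret = xor_cipher(message, b"k3y")
    print(recover_xor_key(secret, b"From:", 3))
```

Notice that none of the first three functions take a key at all; that is the whole difference. XOR does take one, but the key falls straight out of any known plaintext, and guessing the key length is a matter of trying small values until the recovered key decrypts the rest of the message to something readable.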

Thursday, March 06, 2003

TAKEDOWN: Transcripts
In the course of tracking the attacker, a great deal of network traffic was captured by a specially modified version of tcpdump (here's information on the legality of the acquisition of this evidence), and then a program written by Tsutomu was used to produce playable logs. Another program will play them back (forwards or backwards) for you, in real-time (or faster, if you choose).
Attack Lab Design & Security Mini How-To
This document provides guidance for building and securing an attack lab. An attack lab is a networking environment designed for evaluating exploits, viruses, and similar security related software, and sometimes provides a facility for pen-test training, practice, and exercises. There are security measures that should be put in place to minimize the risk associated with the aforementioned activities. This document describes the necessary hardware, software, and network setup for an efficient and effective attack lab, as well as procedures and mechanisms to minimize the risks associated with running an attack lab.
raptor's room
I'm a computer security researcher and consultant, a UNIX software developer and a system administrator. My particular interests are networking (specifically old-style X.25 packet switched networks and IEEE 802.11 wlan), telephony (fixed and mobile phones), communication protocols, and cryptography.
Security Is in the Smart Cards
News that a hacker recently accessed as many as 8 million Visa and MasterCard accounts would have been shocking if we weren't becoming so disturbingly numb to such break-ins. We really can't go on this way if retail e-commerce is to become a permanent, trusted part of our lives.

How did we get here? Credit card companies and online retailers bent over backward to make consumers feel secure about their transactions. Seeing to it that credit card numbers can't be lifted via communications over the wire or over the air was an important step.

But what of the credit card data once it's in the hands of the online retailer or the transaction processing company? In the instance above, Data Processing International, which services mostly television and catalog sales by phone, was the target. At a minimum, that data should be stored in encrypted form, preferably encrypted with the credit card vendor's public key so that the data is inaccessible to anyone but the vendor. But even better, it should not be stored at all.


The credit card data needed to complete a transaction should be submitted once and not retained. American Express' Private Payments program is a leader here, as the vendor gets a temporary transaction number, not the actual credit card number. But retailers have, by and large, chosen to store credit card numbers in online databases to encourage easier purchasing. Here's where smart cards can help. Using a smart card and scanner in combination with online wallet software can alleviate the chore of entering card data manually.

Monday, March 03, 2003

Hydan: Information Hiding in Program Binaries
Hydan steganographically conceals a message into an application. It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions. It then encodes information in machine code by using the appropriate instructions from each set.
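An added toy version of Hydan's idea (my code, not Hydan's): on x86, `83 C0 ib` is `add eax, imm8` and `83 E8 ib` is `sub eax, imm8`, and `add eax, x` has the same effect on EAX as `sub eax, -x`, so the choice between the two forms carries one bit per instruction. The cover "program" is a constructed list of already-split instruction byte strings (a disassembler's job in the real tool). Two things the toy handles that a careless version would get wrong: an immediate of 0x80 (-128) cannot be negated within a signed byte and is skipped consistently on both sides, and the carry flag differs between the two forms, so a real tool only rewrites slots where CF is dead; this example assumes the cover slots were chosen that way.

```python
ADD_EAX, SUB_EAX = 0xC0, 0xE8          # ModRM bytes for 83 /0 (add) and 83 /5 (sub) on EAX


def is_slot(ins: bytes) -> bool:
    # imm8 == 0x80 (-128) has no negation in a signed byte: unusable, skipped on both sides.
    return len(ins) == 3 and ins[0] == 0x83 and ins[1] in (ADD_EAX, SUB_EAX) and ins[2] != 0x80


def message_bits(message: bytes):
    for byte in message:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def hydan_embed(program: list, message: bytes) -> list:
    """Rewrite each usable add/sub-immediate slot to the form encoding the next bit."""
    bits, out = message_bits(message), []
    for ins in program:
        if is_slot(ins):
            bit = next(bits, None)
            if bit is not None:
                want = SUB_EAX if bit else ADD_EAX
                if ins[1] != want:                    # flip the form and negate the immediate
                    ins = bytes([0x83, want, (-ins[2]) & 0xFF])
        out.append(ins)
    if next(bits, None) is not None:
        raise ValueError("cover program has too few usable slots")
    return out


def hydan_extract(program: list, n_bytes: int) -> bytes:
    bits = [1 if ins[1] == SUB_EAX else 0 for ins in program if is_slot(ins)][:n_bytes * 8]
    if len(bits) < n_bytes * 8:
        raise ValueError("not enough slots for %d bytes" % n_bytes)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def slot_effect(ins: bytes) -> int:
    """Net change to EAX, so a test can confirm the rewrite preserved semantics."""
    imm = ins[2] - 256 if ins[2] >= 128 else ins[2]
    return imm if ins[1] == ADD_EAX else -imm


def sample_program() -> list:
    """Constructed cover: push ebp / mov ebp,esp, one unusable imm8=0x80 slot, twenty
    add/sub-immediate slots separated by NOPs, and a ret."""
    prog = [b"\x55", b"\x89\xe5", b"\x83\xc0\x80"]
    for k in range(1, 21):
        prog += [b"\x83\xc0" + bytes([k]) if k % 2 else b"\x83\xe8" + bytes([k]), b"\x90"]
    return prog + [b"\xc3"]


if __name__ == "__main__":
    stego = hydan_embed(sample_program(), b"Hi")
    print(hydan_extract(stego, 2))
```

Capacity is the practical limit: one bit per substitutable instruction means a message of a few hundred bytes needs thousands of suitable instructions, which is why Hydan works on whole binaries and defines several equivalence sets rather than just this one.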
SSH Tunneling part 1 - Local Forwarding
Want to encrypt an otherwise cleartext transmission? SSH Tunneling may be the tool for you.
Computer Crime Investigator's Toolkit
What I've tried to do is devise a summary of basic, practical knowledge, "tricks," if you like, that should interest all computer crime investigators. While they may not be the final word in preparing for an examination, these techniques will provide some insight into the ways and means of computer criminals. I hope to get you into the spirit of the hunt. Learning to think how a criminal looks at twisting, altering, hiding, and diverting information will definitely make the game more interesting. This is a pathfinder, a starting point to discovering other resources.

Thursday, February 27, 2003

Catweasel
Catweasel is a universal floppy disk controller that uses unmodified PC diskdrives. The Catweasel can handle nearly any disk format, you just have to find a drive for them. Normally, these drives are just 3.5 inch and 5.25 inch drives. PC floppy drives used to be known as being able to work with PC formatted disks only, but now you can access any of the disk formats listed further below.

Wednesday, February 26, 2003

CD Data Recovery
We are experts in recovery and repair of inaccessible, unreadable or deleted data, files, pictures, documents, or AutoCad® drawings etc., from optical storage media such as: CD-ROM, CD-R, CD-RW, DVD-RAM, DVD-R/W, DVD+R/W, 3-inch Mini CD-R., (Used in Mavica® MVC-CD1000 digital cameras), Home Audio Recording CDs, Compact Flash ™(CF), Smart Media ™ (SSFDC), Sony® memory sticks and PCMCIA ATA Cards.

Tuesday, February 25, 2003

The SPAM-L FAQ - Tracking Spam
This section deals with the technical aspects of spam, such as telling where it came from. Having a UNIX shell account will be extremely helpful, as a lot of the utilities are native to UNIX; you can perform most of these functions on other operating systems using third-party (usually shareware) tools, but UNIX comes with many of the tools mentioned already installed.
Reading Email Headers
This document is intended to provide a comprehensive introduction to the behavior of email headers. It is primarily intended to help victims of unsolicited email ("email spam") attempting to determine the real source of the (generally forged) email that plagues them; it should also help in attempts to understand any other forged email. It may also be beneficial to readers interested in a general-purpose introduction to mail transfer on the Internet.
Disk Splicing
Forensic Disk Splicing for Law Enforcement is designed to teach disk splicing techniques to law enforcement personnel who are already trained in computer forensics. The course teaches how to reconstruct 3.5 inch and 5.25 inch diskettes that have been cut, segmented, bent, torn, melted and/or (in the case of 3.5 inch diskettes) removed from the disk hub and recover data from the diskette.
Frontline Test Equipment
Frontline Test Equipment, Inc. is the leading provider of PC-based data communication protocol analyzers in the world. Our products are used by engineers and technicians who develop, test, install, maintain, and repair equipment and instrumentation that is interconnected by a variety of communication technologies.
Currently available products include asynchronous serial data analyzers, synchronous serial data analyzers, Bit Error Rate Testers (BERT), Ethernet protocol analyzers, Industrial Automation and SCADA communication protocol analyzers, Bluetooth™ protocol analyzers and Intelligent Traffic System (NTCIP) protocol analyzers.

Sunday, February 23, 2003

Stupid Security
We've all been there. Standing for ages in a security line at an inconsequential office building only to be given a security pass that a high school student could have faked. Or being forced to take off our shoes at an airport that can't even screen its luggage.
If you thought the accounting profession was bad news, just wait till you hear how stupid the security industry has become. Even before 9/11 a whole army of bumbling amateurs has taken it upon themselves to figure out pointless, annoying, intrusive, illusory and just plain stupid measures to "protect" our security.
It's become a global menace. From the nightclub in Berlin that demands the home address of its patrons, to the phone company in Britain that won't let anyone pay more than fifty pounds a month from a bank account, the world has become infested with bumptious administrators competing to hinder or harass you. And often for no good reason whatever.
The sensitive and sensible folk at Privacy International have endured enough of this treatment. So until March 15th 2003 we are running an international competition to discover the world's most pointless, intrusive, stupid and self-serving security measures.
How to protect yourself from snooping software
Beware: tiny software apps called adware or spyware may be tracking your behavior online right now. Don't like that idea? Robert tells you the best--and cheapest--way to get rid of these pests.
Fighting the enemy within
Fortunately, there is an answer to the risk of social engineering and the threats posed by employee use of company machines. Security policy automation, an emerging security software concept, removes many security risks by implementing a security policy across enterprise systems and consistently auditing and monitoring systems for compliance.
Security of Email
A PDF document.
Decimalisation Table Attacks for PIN Cracking
Two Cambridge University researchers have discovered a new attack on the hardware security modules employed by banks that makes it possible to retrieve customers' cash machine PINs in an average of 15 tries. The attack takes advantage of a weakness in the cryptographic model used by many HSMs to encrypt, store and retrieve PINs. The system, used by many ATMs, reads the customer's account number that is encoded on the magnetic strip of the ATM card. The software then encrypts the account number using a secret DES key. The ciphertext of the account number is then converted to hexadecimal and the first four digits of it are retained. Those digits are then put through a decimalization table, which converts them to a format that's usable on the ATM keypad. By manipulating the contents of this table, it's possible for an attacker to learn progressively more about the PIN with each guess. Using various schemes described in the paper, a knowledgeable attacker could discover as many as 7,000 PINs in a half hour, the authors say.

Wednesday, February 12, 2003

Darik's Boot and Nuke
Darik's Boot and Nuke ("DBAN") is a self-contained boot floppy that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

Sunday, February 09, 2003

Physical Security Standards for Sensitive Compartmented Information Facilities
Physical security standards are hereby established governing the construction and protection of facilities for storing, processing, and discussing Sensitive Compartmented Information (SCI) which requires extraordinary security safeguards.

Thursday, February 06, 2003

The Great IDS Debate
Intrusion detection systems (IDS) have rapidly become a crucial component of any network defense strategy. Over the past few years, their popularity has soared as vendors have refined their results and increased performance capabilities. At the heart of intrusion detection systems lies the analysis engine. It reviews each packet, determines if it is malicious, and logs an alert if necessary – the core tasks of an IDS. Two different IDS techniques, each favored by separate and loyal camps, have emerged as the preferred engine behind the software. Despite the copious marketing material and fiery online debates, each method has distinct strengths and weaknesses. In this article, we'll examine and compare the two different techniques: signature analysis and protocol analysis.

Tuesday, February 04, 2003

LogAnalysis.Org
This is the new loganalysis.org! We're dedicated to pulling together a repository of useful information on log analysis for computer security.

Log Analysis is one of the great overlooked aspects of operational computer security. Many organizations spend hundreds of thousands of dollars on intrusion detection systems (IDS) deployments - but still ignore their firewall logs. Why? Because the tools and knowledge are often not there, or the tools that exist are too inconvenient. You should expect that to change. Right now, IDS vendors are up against the wall with the volumes of data they produce; the next wave in security is to try to usefully correlate and process the contents of multiple logs.

Monday, February 03, 2003

Macintosh Security Site
This site is devoted to the security of your Macintosh computer and the programs or servers you run on it. SecureMac started in February of 1999. Over the past years we have served thousands of people, helping them secure their networks and detect hackers.

On this site you will learn how to secure your Macintosh and detect any hackers present on it, while viewing the most reliable source of security-related products, with extensive reviews and ratings evaluated by the top Macintosh security experts. We feel that to create a secure product, the product must be tested, explored, and looked at thoroughly. Every product on SecureMac.com is evaluated to its fullest, from secure programming to concept and design. Every product is given a rating and explained in detail, and each developer or developing group is notified of any security issues or advisories before release to the public to ensure a safe transition for all of their users.
i-Catcher
i-Catcher is an innovative PC-Video integration package with sophisticated motion detection and alerting features. Originally devised as a security/surveillance product, i-Catcher is as successful in capturing wildlife images as it is in identifying intruders in your home or business.

In its simplest form i-Catcher is a single application that detects motion in a camera feed, then captures the images and posts them to a web site (look at these examples), or sends them via email (there is also an option for SMS alerting). The i-Catcher Wildlife and Sentry applications can also be connected to i-Catcher Console to provide network-wide monitoring of up to 255 cameras.
WinGrab
Freeware screen capture program for Windows 9x/Mill/NT4/Win2k

Sunday, February 02, 2003

chkrootkit
chkrootkit is a tool to locally check for signs of a rootkit.

Saturday, February 01, 2003

TightVNC: VNC-Based Free Remote Control Solution
TightVNC is a free remote control package derived from the popular VNC software. With TightVNC, you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would do it sitting in the front of that computer.

Friday, January 31, 2003

Offline NT Password & Registry Editor
This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying the encrypted password in the registry's SAM file.
You do not need to know the old password to set a new one.
It works offline, that is, you have to shut down your computer and boot off a floppy disk or CD. The boot disk includes tools to access NTFS partitions and scripts to glue the whole thing together.
Works with syskey (no need to turn it off, but you can if you have lost the key).
Will detect and offer to unlock locked-out or disabled user accounts!

Wednesday, January 29, 2003

CCIPS SEARCHING AND SEIZING COMPUTERS
Searching and Seizing Computers and Related Electronic Evidence Issues.
The Smart Card Cryptographic Service Provider Cookbook
This article provides background information for Cryptographic Service Provider (CSP) developers. It brings together information already available on MSDN about smart cards, cryptography, and CSPs, then goes on to detail the calls that are made to the CSPs in typical scenarios, important design considerations, and smart card-specific error codes. (24 printed pages)
ProofSecure.com - Web Application Security
We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

Tuesday, January 28, 2003

What to look for when buying a VPN
Virtual private networking is becoming an integral part of today's data networks. Virtual private network (VPN) drivers range from securing corporate communications to reducing costs by replacing leased lines. But for those who have not yet deployed a VPN, the options can be daunting. There are several approaches and dozens of products and services from which to choose, each with its own pros and cons.

Saturday, January 25, 2003

Naval Surface Warfare Center
SHADOW is the result of a project that was originally called the Cooperative Intrusion Detection Evaluation and Response (CIDER) project. It was an effort of NSWC Dahlgren, NFR, NSA, the SANS community and other interested parties to locate, document, and improve security software. The material on this page is approved for public release, distribution is unlimited.
Today, SHADOW is maintained and developed by NSWC.

Friday, January 24, 2003


Outsourcing Managed Security Services
As computer attack patterns shift and threats to networks change and grow almost daily, it is critical that organizations achieve reliable information security. Investment decisions about information security are best considered in the context of managing business risk. Risks can be accepted, mitigated, avoided, or transferred. Outsourcing selected managed security services (MSS) by forming a partnership with a Managed Security Service Provider (MSSP) is often a good solution for transferring information security responsibility and operations. Although the organization still owns information security risk and business risk, contracting with an MSSP allows it to share risk management and mitigation approaches.
Secure your WLAN: Authenticate
Inherently flawed security protocols and a strong grassroots push to adopt wireless local-area networks (LANs) are creating substantial security risks for enterprises. The first priority should be to establish a comprehensive policy to address wireless deployments, with user authentication as a key component.
SMAC
SMAC is a free GUI tool that allows users to change the MAC address of almost any Network Interface Card (NIC) on Windows 2000 and XP systems, whether or not the manufacturer allows this option.

Monday, January 20, 2003

Computer News: The Mother of All Linux Servers
The SGI Altix is a new approach to Linux clustering that puts up to 64 processors in each node -- a far cry from the one or two processors per node in typical cluster systems.
KnownGoods Database Information
Unless you've built your OS from source (more than likely you have not), the executable applications from the original distribution should never change in content and/or size. The checksums in this database can quickly tell you if a file has been modified since it was first installed from the distribution.

Of course, applications installed after the distribution will be different, or possibly not in this database. This repository is meant to provide a quick check of known goods.
How to find hidden cameras
A PDF document.
Avoid Wireless LAN Security Pitfalls
Wireless Local Area Networks (WLANs) are taking off. Enterprises are turning to WLANs in droves because they offer mobility and huge cost advantages. In fact, studies show that wireless workers are more productive, less pressured and save businesses money. Gartner, Inc., for instance, finds WLANs to be cheaper to install than wired LANs, especially for small organizations. And once they're in, wireless LANs are less expensive to operate and maintain.

Saturday, January 18, 2003

Technical Analysis Group (TAG) - The Law Enforcement Tools and Technologies for Investigating Cyber Attacks
What are the technological impediments facing law enforcement when investigating and responding to cyber attacks, for which research and development might provide solutions?

Friday, January 17, 2003

Computer Secure-It, Inc.
Secure-It, Inc. has been providing the highest quality computer security products since 1983. With its new array of computer security products including access control, motion alarms, tracking and recovery software, enclosures, and more, Secure-It knows it can be your one source for all your computer security solutions.

Thursday, January 16, 2003

Transmeta builds crypto into Crusoe
Transmeta yesterday said it has begun sampling versions of its Crusoe TM5800 processor embedded with proprietary security technologies. The chip designer claims its approach offers increased security for wireless computing, protects sensitive data, "deters intellectual property theft" (read Digital Rights Management (DRM) Inside) and delivers tamper-resistant, x86 storage environments. Putting security onto the main processor increases security over existing multi-chip solutions, it argues. Initially, the TM5800 will feature technologies including "secure hidden storage of confidential information" (initially tamper-resistant storage of crypto keys) and crypto acceleration. Transmeta's hardware support for DES, DES-X and Triple-DES is designed to accelerate security applications such as file and disk data encryption and the Internet Protocol Security (IPSec) algorithm commonly used in VPNs. The company reckons its processor architecture will make an extension of this to support the recently approved Advanced Encryption Standard (AES) straightforward. Intel and AMD plan to introduce security functions directly into their microprocessors, but Transmeta argues it's ahead in building these technologies into chips thanks to its combined software and hardware approach to microprocessor design.

Wednesday, January 15, 2003

Instant Insecurity: Security Issues of Instant Messaging
Instant messaging is an increasingly popular method for communicating over the Internet. Instant messaging (IM) is a real-time supplement to and, in some regards, a replacement for e-mailing. Unlike e-mail, instant messaging allows users to see whether a chosen friend or co-worker is connected to the Internet. Typically, the instant messaging service will alert a user if somebody on the user's list of correspondents is on-line. Instant messaging also differs from e-mail in that messages are exchanged directly almost instantly, allowing for a two-way communication in real-time.
VOICE TRUST
VOICE.TRUST enables secure user authentication via the voice as a valuable alternative to unreliable password mechanisms or technologically complex and costly authentication systems. The easy-to-install VOICE.TRUST Server makes it possible for the user to authenticate himself via existing telephone hardware - secure, convenient and inexpensive.

Monday, January 13, 2003

How Warchalking Died
The purpose of this article is to explain how Warchalking has become obsolete. It is being replaced by Wi-Fi Zones that are being fueled by home networks, corporate networks, and even payphones. The internet will be all around you in all places but you won't ever need to care about Warchalking. Let's bury the idea and move along.
SLAM
Slam is a module-based concept tool providing techniques for brute-force logon. The slam concept is to inherit knowledge from previously executed modules and previously assessed targets in order to gain as much access as possible with little information.

Sunday, January 12, 2003

The Open Web Application Security Project
Unvalidated parameters and broken access control are among the most serious security vulnerabilities in today's Web applications, according to a list released today by the Open Web Application Security Project (OWASP).

In an attempt to aid developers' project planning and boost security for Web sites, dozens of leading application security experts have devised a top 10 list of the most significant problems with Web apps today. These flaws are far from new but remain serious threats to enterprises.

For starters, information from Web requests isn't being validated before being used by a Web application, a situation being actively exploited by attackers. Similarly, authentication flaws can allow attackers to access user accounts and view or steal sensitive information.

Friday, January 10, 2003

Group aims to strengthen Web services
A group of information technology companies published a specification Thursday designed to improve the reliability of business applications that use Web services.
WS-Reliability, if accepted as a standard and adopted by Web services providers, will let a company ensure that a message sent between two different applications is delivered reliably. For example, a company could send a purchase order to a supplier via a Web service and be guaranteed that the message was either successfully delivered and performed its function, or that the transmission failed.

Wednesday, January 08, 2003

E-Evidence Info
Welcome to the E-Evidence Information and Resource site. Within these pages, you will find a compilation of links to material related to all aspects of Digital Forensics and Electronic Evidence.
This site is a 'side effect' of my research and learning process conducted in connection with my position as Project Manager at the Computer Forensic Research and Development Center at Utica College, and in my ongoing search to find timely material to present to the students enrolled in the Computer Forensic course that I have been teaching here at Utica College.
I had found few sites providing more than a handful of resources, or links to other sites that may contain such material (see 'Links to Links' for a compilation of other such sites). So, I have decided to share this compilation of resources with the Digital Forensics community.

Tuesday, January 07, 2003

Flaw Found in Ethernet Device Drivers
Security researchers have discovered a serious vulnerability that may be present in many Ethernet device drivers that is causing the devices to broadcast sensitive information over networks.
According to the IEEE's Ethernet standard, packets transmitted on an Ethernet network should be a minimum of 46 bytes. If, as sometimes happens with protocols such as IP, a higher layer protocol requires less than 46 bytes, the Ethernet frames are supposed to be padded with null data. However, researchers at @stake Inc., in Cambridge, Mass., have discovered that many drivers instead pad packets with data from previously transmitted Ethernet frames.
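As an added illustration of the padding check described above (example code, not from the @stake advisory or the article): the Python below parses a raw Ethernet frame, works out where the IPv4 datagram ends, and flags frames whose trailing padding is anything other than null bytes, which is what a capture-side check for this driver flaw looks like. The MAC and IP addresses, the ICMP echo and the "leaked" string are constructed sample values.

```python
import struct

ETH_HDR_LEN = 14          # destination MAC, source MAC, EtherType
MIN_PAYLOAD = 46          # minimum Ethernet payload length per IEEE 802.3
ETHERTYPE_IPV4 = 0x0800


def ipv4_total_length(frame: bytes) -> int:
    """Return the Total Length field of the IPv4 datagram carried in `frame`,
    or -1 if the frame does not carry a parseable IPv4 datagram."""
    if len(frame) < ETH_HDR_LEN + 20:
        return -1
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return -1
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:                      # version nibble must be 4
        return -1
    (total_length,) = struct.unpack("!H", ip[2:4])
    if total_length < 20 or ETH_HDR_LEN + total_length > len(frame):
        return -1                            # truncated or inconsistent header
    return total_length


def padding_bytes(frame: bytes) -> bytes:
    """Bytes that follow the IPv4 datagram inside the Ethernet frame.
    For a datagram shorter than MIN_PAYLOAD these are the sender's padding."""
    total_length = ipv4_total_length(frame)
    if total_length < 0:
        return b""
    return frame[ETH_HDR_LEN + total_length:]


def leaks_padding(frame: bytes) -> bool:
    """True if the padding is not all null, i.e. the sending driver filled the
    frame out with stale buffer contents rather than zero bytes."""
    return any(b != 0 for b in padding_bytes(frame))


def find_leaky_frames(frames):
    """Indexes of frames in a capture whose padding is non-null, for triage."""
    return [i for i, f in enumerate(frames) if leaks_padding(f)]


# --- constructed sample frames (not taken from a real capture) ---------------
def _build_frame(pad: bytes) -> bytes:
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    # 20-byte IPv4 header carrying an 8-byte ICMP echo request: Total Length 28.
    # The header checksum is left as zero; this example does not validate it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return eth + ip + icmp + pad


PAD_LEN = MIN_PAYLOAD - 28                            # 18 bytes of padding needed
GOOD_FRAME = _build_frame(b"\x00" * PAD_LEN)          # correctly null-padded
LEAKY_FRAME = _build_frame(b"GET /secret HTTP/1")     # 18 bytes of stale data

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("leaky", LEAKY_FRAME)):
        print(f"{name}: {len(frame)} bytes, padding={padding_bytes(frame)!r}, "
              f"leak={leaks_padding(frame)}")
```

Run it over frames received from the host under test; frames the capturing machine itself sends are often handed to the capture library before the driver pads them, so they show no padding at all.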

Monday, January 06, 2003

LogAnalysis.Org
Loganalysis.org is a volunteer not-for-profit organization devoted to furthering the state of the art in computer systems log analysis through dissemination of information and sharing of resources.
The work on this site is based on tbird's log analysis page that has been a work-in-progress for a number of years. Marcus Ranum expanded it into a full-blown website. Today the information on loganalysis.org is managed by tbird and Marcus as a community resource.

Sunday, January 05, 2003

rpat - Realtime Proxy Abuse Triangulation
A customer in the web hosting business was experiencing repeated attempts at password guessing for a subscription site on his servers. The source IP addresses were scattered all over the world, and a bit of investigation showed that they were unrelated anonymous web proxies: clearly the perpetrator was trying to avoid detection.
He had methods to detect hacked accounts, so in practice this wasn't impacting his business too much, but it was an annoyance nevertheless. He asked me to investigate.

Friday, January 03, 2003

File Signature Database
This is the first release of the File Signature Database, designed to assist examiners primarily for the process of searching unallocated space. With the ever growing number of forensic tools being produced I have attempted to create a portable database, allowing examiners to export the data within, for use on the majority of the leading forensic computing tools.

Thursday, January 02, 2003

F.A.C.T.
The Forensic Association of Computer Technologists was formed in 1993 as a not-for-profit association for the purpose of training law enforcement in the scientific techniques of examining computers. The association originates from Des Moines, Iowa, and holds annual training conferences that provide introductory and advanced instruction in the areas of computer forensics.

F.A.C.T. is made up primarily of law enforcement personnel from federal, state, and local agencies from around the United States. Membership is available to those involved in corporate security for companies which support law enforcement goals.
PMDump
PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process. This can be useful in a forensic investigation.
Burn-Eye
Teso has a program (“burn-eye”) that encrypts binaries, and it can be used with machine fingerprinting (virtual memory, routing table, partitioning, hostname) so it cannot be run on another machine.
Forensic Links
Digital Forensics Links.
Digital Forensic Links
This is a growing list of [digital/cyber/computational] forensic related resources.
IP mapping
IP address to country mapping.
Anti-keylogger.com
Anti-keylogger™ for Microsoft® Windows® 95/98/ME/NT/2000/XP is the FIRST product of its kind in the world that can provide every computer with strong protection against most types of unauthorized activity monitoring software, both KNOWN and UNKNOWN.

Anti-keylogger™ is a program designed to combat various types of intrusion and monitoring programs currently in use or presently being developed worldwide. Unlike the typical "antivirus" approach, it does not rely on pattern-matching, so it may work on new or unknown types of monitoring programs.
Our applications are the result of extensive mathematical research and modeling carried out by in-house specialists. They are based on operating principles common to all types of activity monitoring programs running under the full range of Microsoft® Windows® operating systems.
Using Linux, VMware and SMART to create a virtual computer to recreate a suspect's computer
An interesting whitepaper on some of SMART's acquisition options.
MS Exchange Server Security
Microsoft Exchange Server runs on the Windows NT Server platform and uses Windows NT security features. In addition, it uses a custom mechanism to control access to its MAPI public folders. Exchange also offers advanced security on top of this by providing encryption and digital signatures for messages. These advanced features require installation of Key Management Server (which can be installed from the Microsoft Exchange Server CD). It provides its features to end users via Exchange client programs such as Outlook. Key Management Server does not expose any documented API, so it will not be discussed here, nor will the advanced security features offered through it.
When describing Exchange Server security, the following topics need to be addressed:
How is logon to the Exchange server secured? What exactly protects users' mailboxes against attacks?
How is the Directory protected? How can one observe and change the security attributes associated with Directory objects?
How is access to public folders controlled?
SQLSecurity.com
MS SQLSecurity Checklist.
Windows XP Baseline Security Checklists
These checklists outline the steps you should take to reach a baseline of security with Windows XP Home Edition and Windows XP Professional computers, either on their own or as part of a Windows NT or Windows 2000 domain.
Windows XP Security Checklist
Although Windows XP Professional is built on the Windows 2000 kernel, there are significant differences between the operating systems - especially when it comes to security. This checklist is partially based on our popular Windows 2000 security checklist and covers both Windows XP Professional and XP Home Edition. Unfortunately, Windows XP Home Edition doesn't have all of the security features of XP Professional, so not all of the options are available for both versions. If you're concerned about your data, we strongly recommend upgrading to XP Professional as soon as possible. When implementing these recommendations, keep in mind that there is a trade-off between increased security levels and usability for any operating system. To help you decide how much security you need, we've divided the checklist into Basic, Intermediate, and Advanced Security options. You should assess your potential security risks, determine the value of your data, and balance your needs accordingly.