forensics

Oct 27 2008   8:52PM GMT

Did you see this? - (Wire)Sharkfest 2008 videos - including Vint Cerf - now available

Posted by: Troy Tate
Networking, forensics, Security, tools, Microsoft Windows, Linux, Monitoring, web, reporting, Google, internet, IT education, WAN, LAN, performance monitoring, troubleshooting, Performance, Network TAPs, howto, network analysis, Metrics, wireshark, packet capture, research, education, toolkit, man-in-the-middle, analysis

Checkout the Sharkfest 2008 videos at LoveMyTool.com. If you use Wireshark or want to learn network troubleshooting, this is one of the best resources you can have in your toolkit. The videos will give you a better understanding of this tool and other tools out there.

There is even a video of Dr. Vinton G. Cerf, vice president and Chief Internet Evangelist for Google. He is responsible for identifying new enabling technologies and applications on the Internet and other platforms for the company. Widely known as a “Father of the Internet,” Vint is the co-designer with Robert Kahn of TCP/IP protocols and basic architecture of the Internet.

Have a great day and thanks for stopping by!

Oct 6 2008   1:12PM GMT

Did you see this? - Process monitor now does TCP/UDP monitoring

Posted by: Troy Tate
administration, Networking, forensics, Security, tools, Microsoft Windows, Monitoring, reporting, internet, LAN, debugging, Data security, malware, performance monitoring, recovery, Microsoft, anti-virus, troubleshooting, Performance, howto, network analysis, Sandbox, packet capture, research, diagnostics, Sysinternals, toolkit, analysis

If you ever need to get under the covers of running Windows processes for investigating why a system is running slow, then the Sysinternals toolkit has an updated tool that will help you. Per the website:

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista.

I had previously talked about the Sysinternals Live website. This update to one of the excellent tools is well worth your time in investigating. Take a look at the updated tool here. The entire Sysinternals toolset can be found here.

If you have not used these tools yet, then you are definitely missing a critical item for being successful in your IT position. Check them out… it may save your reputation some time!

Oct 3 2008   7:59PM GMT

Did you see this? - Open Source Tools University

Posted by: Troy Tate
administration, Networking, Firewalls, forensics, Security, tools, Monitoring, reporting, internet, IT education, WAN, LAN, debugging, Data security, SSL, performance monitoring, blogging, design, anti-virus, troubleshooting, Performance, howto, network analysis, Sandbox, Metrics, wireshark, packet capture, research, blog, podcast, diagnostics, toolkit, analysis

If you are like me, you like those little goodie tools like nmap and wireshark that do something that is actually pretty complex but do it well and have a great following. I just came across this website that I am going to have to take some time to go through and find all of the nuggets it offers. Hope you get some use out of it too and let us know what you discover and how it made your job easier.

LoveMyTool

There are presentations on this site like the Wireshark IO Graph for Response Time Analysis (by Ray Tompkins).This should be a great online learning experience. You will find contributors like Sake Blok, a Wireshark Core Developer and Denny K Miu of StartupforLess.org - A Survival Guide for Bootstrapping Entrepreneurs

Sep 30 2008   1:34PM GMT

Did you see this? - Laura Chappell’s Troubleshooting & Security Summit

Posted by: Troy Tate
Networking, forensics, Security, tools, Monitoring, reporting, DataManagement, WAN, LAN, Data security, malware, SSL, performance monitoring, troubleshooting, honeypot, Performance, Network TAPs, howto, network analysis, Metrics, wireshark, risk, packet capture, research, awareness, education, toolkit

Maybe you already know Laura Chappell (The Viral Bitgirl), if not then this is your chance to meet her and gain loads of knowledge in 2 days.

On November 4-5, 2008 - Las Colinas, TX (near Dallas-Ft Worth airport) Laura will be holding a Troubleshooting and Security Summit.

In two full days you will walk away with more security, optimization and troubleshooting knowledge than you’d get after spending months in the field figuring this out.

Learn the best practices and most efficient tools to use to analyze wired and wireless network performance to optimize and secure network communications from Laura Chappell, Founder of Wireshark University and Protocol Analysis Institute. See the Summit 08 special pricing and group discount information below. Register today at www.chappellsummit.com.

Key points include:
* TCP Enhancements in Vista/Server 2008
* Faster File Transfers with SMBv1 vs. SMBv2
* Traffic Analysis between Virtualized Hosts
* Proven Techniques to Baseline the Network
* Latency Chokepoints
* Automatic Traffic Capture and Analysis
* Network Security and Forensics Procedures
* Key Points to Deploying Decoys
* Suspicious Traffic Signatures
* Handling Traffic Evidence

Bring Your Own Laptop (BYOL) Format
This hands-on lab-based course offers a series of demonstrations and individual hands-on labs to rapidly improve and expand your skill set. You will leave with your laptop loaded with tools, trace files and configured to improve network performance and security immediately after class.

GUEST SPEAKERS
*Gerald Combs, Creator of Wireshark - Must-Know Steps to Analyzing Virtualized Communications and the Future of Wireshark

* Tom Quilty, Cybercrime Investigator for BD Consulting and Investigation - Preparing for and Handling a Data Breach or Theft

Register Today - Seating is Limited
Register online at www.chappellsummit.com. Registration $1,295 - Early Bird $995 (ends midnight PDT Tuesday 9/30/08)

Group Discounts: Bring in two or more people from your company and receive $100 off each additional registration. Contact Brenda Czech at +1 408-378-7841 for more details.

Wireshark University Savings: Attendees receive the Wireshark University WSU03 Troubleshooting Network Communications self-paced course free with the student kits. Registered attendees also receive a 50%-off coupon on Wireshark University Self-Paced Courses.

Register today.
www.chappellsummit.com

If you go, please share some of the tips and tricks you gained with the ITKE population. Help spread the word!

Sep 19 2008   12:53PM GMT

Did you see this? - Encyclopedia of internal network security threats

Posted by: Troy Tate
Networking, forensics, Security, tools, Microsoft Windows, Monitoring, Browsers, web, reporting, WWW, antivirus, homeland security, Data security, malware, Policy, design, Firefox, Microsoft, website, troubleshooting, honeypot, botnet, risk, research, awareness, vulnerability, man-in-the-middle

Promisec has released an online encyclopedia of internal network security threats. This is available online for free. There is a lot of information to look through and decide how the risks affect your organization.

Take for example the entry describing GoogleTalk. The site rates it as one of the top 5 internal threats.

The more we know about these risks the better prepared we can be. Thanks for your time. Let’s be good network citizens together & practice safe networking!

Aug 22 2008   8:02PM GMT

Poor Spelling = Identity Lost

Posted by: Troy Tate
administration, Networking, forensics, Security, Browsers, web, reporting, WWW, intellectual property, CA, certificate authority, malware, SSL, design, website, howto, network analysis, online identity, risk, awareness, blog, vulnerability, MITM, man-in-the-middle

Well, I am not the best speller and I know that is true for most people. I have recently discovered how this human weakness can get you into trouble and cause identity loss as well as potential financial loss.

This issue has recently come to light with some of the Black Hat presentations. The actual presentation can be found here. This example actually refers to SSL VPN attacks but consider what would happen if an attacker was able to create a man-in-the-middle SSL proxy using a typosquatting domain name. For example, what if you typed https://www.mybnak.com/myaccount into your browser. The actual address should be https://www.mybank.com/myaccount. This is just a simple typographical error right? Hmmmmm… maybe not!

Consider if an attacker purchased the domain name mybnak.com. They then were able to get an SSL certificate or create a self-signed one that to an uneducated user looked ok. Have you ever seen a message like the following?

How many of you (come on, admit it now) have clicked on this or know someone who would click on this without thinking a second time? Say you did click on Yes and proceeded. The website you go to looks exactly like the one where you intended to go! This is because the address you mistyped into your browser actually goes to an SSL proxy and you just said you trusted the website. You have now fallen into the man-in-the-middle attack.

This looks like the following picture:

This attacker now takes all the traffic you send it, reads it, saves what it wants, repackages it, sends it to your intended destination and returns information back to you (keeping copies of what information is returned) without you knowing that someone is between you and your intended bank. Phishers do use a similar mechanism although a savvy consumer might actually see that the address in the address bar does not match their intended destination at all. In my example, YOU mistyped the address!

Well if this does not scare you into making sure you can type addresses or keep accurate bookmarks then read some of the following and make up your own mind:

Mozilla SSL Policy Considered Bad for the Web

SSL VPN might not be as secure as you think

Black Hat 2008 Aftermath

But, on the other side of this argument consider this story about how a MITM attack saved Columbian hostages.

The internet is not a place to be ignorant about your surroundings. Users must be vigilent and savvy about its use. Maybe there should be internet driver testing and licences?

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Aug 21 2008   8:08PM GMT

IT Equipment search & seizure at the US borders

Posted by: Troy Tate
administration, Networking, forensics, Security, Monitoring, reporting, internet, CIO, Mobile, DataManagement, IT education, WAN, intellectual property, Data security, government, Policy, design, online identity, risk, research, policy enforcement, awareness, blog, data loss

I have recently been hearing some rumblings about this issue. I work for a firm with international locations and have travelled out of the country myself. So, this is a personal issue.

What I am referring to is the situation described in this article by David Jonas of The Transnational: Airport Laptop Seizures Debated in Washington. I know that I should have nothing to worry about if I do nothing wrong like any law abiding citizen of the world. However, what about the risk to an organization’s intellectual property?

Look at the comment …the laptop seizure policy is not analogous to physical searches of persons and belongings at airports: “Not only does the government get access to an unprecedented wealth of material with a laptop border search, but the government now has the ability to copy, store and analyze that information at its leisure. In traditional border searches, travelers carried their suitcases with them once they cleared customs. With laptop border searches, the government can keep everything in the computer in perpetuity.” So, who is responsible for the data once it is out of the traveller’s hands? What is the care & duty of the government with regards to a company’s intellectual capital?

This issue seems like a bureaucratic (and maybe totalitarian leaning - think “Big Brother”) nightmare! Who would be considered the appropriate person to review the data on a device? What is their liability if the device or data is damaged during their review?

I know I don’t have an easy answer to these nagging questions and it will take much better minds and skills than mine to work through the protection and liability issues for an organization. What mechanisms do you use to protect equipment and data during travel? Maybe this situation is a boon to shipping organizations. More people may be shipping their gear ahead of them when travelling across the border or use equipment at a remote site and transfer data across a network.

This situation is definitely one to watch and be concerned about as world citizens.

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Aug 18 2008   7:11PM GMT

Did you see this? - Boot CD tutorial

Posted by: Troy Tate
administration, forensics, Security, tools, Microsoft Windows, Monitoring, Mobile, DataCenter, DataManagement, antivirus, recovery, Microsoft, troubleshooting, Performance, howto, risk, packet capture, research, diagnostics, bootcd

How often have you needed to recover a Windows system or use some type of boot disk? It’s not easy to create a bootdisk in the current versions of Windows (XP or Vista). There’s still a need for this capability. One source of how-to information can be found on the BootCD.US website. I recommend that you check out this fine resource and test this capability before you are in need and don’t have a lot of time to wade through a lot of how-to documentation.

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Aug 14 2008   2:58AM GMT

Managing risk & vulnerability

Posted by: Troy Tate
administration, forensics, Security, Monitoring, CIO, DataCenter, DataManagement, IT education, antivirus, Data security, malware, Policy, design, honeypot, risk, policy enforcement, awareness, vulnerability

Jotting some quick thoughts here after answering a user post. Thought I would place the same information here for all to see. This list is by no means complete and your thoughts are always welcome.

Some ways to measure risk include:

How valuable is the asset?
How much of a threat exists?
What is the impact if the system/service is exploited?
Is the vulnerability rated high/medium/low?
Can the risk be reduced?
How easily can it be reduced considering costs, technology, staffing & skills?
What is the probability of the vulnerability being exploited?

You are asking yourself:
What are you protecting?
What can happen to it? - How can it happen?
What does it mean to the business?
How can the risk be reduced?
How likely is it to happen given the existing conditions?

Risk assessment goal: identify & prioritize risks.
Risk management goal: manage risks to an acceptable level. This can be done by:

• Mitigate: select controls; implement; monitor
• Transfer: purchase insurance
• Accept: do nothing
• Avoid: discontinue activity

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Jul 8 2008   5:12PM GMT

Browser warnings - Danger Will Robinson! - or did it just cry “Wolf!”?

Posted by: Troy Tate
forensics, Security, Development, web, reporting, Google, WWW, IT education, antivirus, Data security, malware, Policy, Firefox, website, anti-virus, honeypot, botnet, online identity, Metrics, honeynet, policy enforcement, awareness

I sometimes browse the internet using Firefox. I say sometimes because Internet Explorer is the standard browser at my company and Firefox is not supported by IT. Well, since I work in IT, sometimes you have to test things on behalf of users and also to see how certain sites are different depending on the client browser.

Well, I recently upgraded Firefox to v3. It does seem much better than v2 although some of my useful addins are now broken (when will YSlow get fixed for v3?). One of the new features of Firefox v3 is the ability to report to the user if the visited website is a known potential malware site. This is a good feature! It provides the user with some useful information and education about the dangers on the internet. However, how accurate is this feature? What if you are visiting a trusted website that you frequently visit and now get this message?

For your information, this is the message that you will see when you attempt to visit a site deemed as risky.

Reported Attack Site!

This web site at certification.xxxxxxx.org has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

I blanked out the actual website address above. However, those of you with a bit of detective in you are likely going to figure it out.

What is interesting about this particular warning message is that it is referring to a website that has security as a guiding principle. When you see this message in Firefox, you have three options presented:

• Get me out of here!
• Why was this site blocked?
• Ignore this warning - in very tiny print at bottom of message.

I was curious as to why this site would be considered as a danger. I clicked on the Why was this site blocked? option. The report I received was interesting and as I mentioned earlier, could this be an example of someone crying “Wolf!”?

The report was as follows:

What is the current listing status for certification.xxxxxxx.org

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 07/06/2008, and the last time suspicious content was found on this site was on 07/06/2008.

Malicious software includes 1 scripting exploit(s). Successful infection resulted in an average of 3 new processes on the target machine.

Malicious software is hosted on 3 domain(s), including lokriet.com, clrbbd.com, catdbw.mobi.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including catdbw.mobi.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, certification.xxxxxxx.org did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

• Return to the previous page.
• If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center.

This is great educational stuff, but did it really happen to this particular website? I don’t know, but apparently Google does. With the report of just one incident, does it make this site really worth the notification? How many incidents should it take before a site is considered malicious and who determines what malicious is?

Just something else to mull over in your copious time as you go perusing websites in Firefox.

Thanks for your time. Let’s be good network citizens together & practice safe networking!