Irregular Expressions

September 25, 2011  8:08 PM

Sabu’s twitter account

Dan O'Connor

Is back up and flowing: after about a month of silence the anonymouSabu twitter account is alive again.  A lot of the posts are mostly about the protests on Wall Street.  There is talk about ongoing operations but I did not find anything specific.  I have not seen anything mentioning if this is the same as some of the other accounts where there were two people operating one alias.  This could be the second person coming on; Sabu seemed pretty intent to disappear before.

I am sure there will be public analysis of the style of writing as there was with the others.

September 24, 2011  12:26 AM

You'd think they would be running out of people to arrest


A few more people were picked up on Thursday in connection with LulzSec and Anon.  The article raises a good point about the amount of publicity they received and the fact that they might have let a little too much slip.

Unfortunately the individuals that are the best at this kind of thing are the ones you don’t hear about; it’s kind of a cliché, but it’s true.  Doing that kind of damage and publishing it will gather you a lot of attention, and then put you on a short list, especially if you live in a country with legal cooperation agreements.

I often wonder if this will be a shift in the way law enforcement reacts to these types of attacks, or if this is an anomaly because of the amount of attention it received.

September 23, 2011  9:32 PM

Last BEAST Post


Best one I have found yet, I won’t even waste time trying to paraphrase it.

Just give it a read.

September 22, 2011  8:34 PM

Payroll hackers


This case has a few good items from an incident handling side and a few more bad things.

This group used physical break-and-enters along with wireless penetration to get in to companies to mess with the payroll.  Once in the system they stole identities, set up more bank accounts for the employees and then gave raises.

They were even in a position to monitor the response to the incident in at least one of the companies, including phone calls to authorities.

A couple of good incident handling ideas come out of all this.

  • Use out-of-band communication, such as cell phones.  Using a VoIP phone on a network the attacker may control is a bad idea.
  • Auditing systems is a must; changes to a payroll DB are a good example.
  • Logging is great for coming out of an issue; you can use it to try and track the attackers around the network.
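An added example, not from the original post, of the kind of payroll-DB change auditing the second bullet calls for: it reads a constructed change-audit log and flags the pattern described above (a new bank account followed shortly by a large raise, a destination account shared across employees, changes outside business hours). The log format, column names and thresholds are assumptions for the demo.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of a payroll change-audit log (not from the page); one
# row per field change, as an application audit trail or DB trigger would emit.
AUDIT_CSV = """timestamp,actor,employee,field,old_value,new_value
2011-09-19T09:12:00,hr_jane,E1001,salary,52000,53000
2011-09-20T23:41:10,hr_jane,E2045,bank_account,xx1234,xx9876
2011-09-20T23:43:02,hr_jane,E2045,salary,48000,91000
2011-09-21T02:05:30,hr_jane,E3310,bank_account,xx5555,xx9876
2011-09-21T02:06:15,hr_jane,E3310,salary,61000,99000
"""


def parse_audit(text: str) -> list:
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return rows


def flag_payroll_changes(events, window=timedelta(hours=24),
                         max_raise=0.25, business_hours=(7, 19)) -> list:
    """Return (employee, timestamp, reasons) for changes worth an analyst's look."""
    by_emp = defaultdict(list)
    owners_of_account = defaultdict(set)   # new bank account -> employees pointed at it
    for e in events:
        by_emp[e["employee"]].append(e)
        if e["field"] == "bank_account":
            owners_of_account[e["new_value"]].add(e["employee"])
    findings = []
    for emp, evs in by_emp.items():
        for e in evs:
            reasons = []
            if e["field"] == "salary":
                old, new = float(e["old_value"]), float(e["new_value"])
                if new > old * (1 + max_raise):
                    reasons.append("raise above %d%%" % (max_raise * 100))
                if any(o["field"] == "bank_account" and abs(o["ts"] - e["ts"]) <= window
                       for o in evs):
                    reasons.append("bank account changed within window")
            elif e["field"] == "bank_account" and len(owners_of_account[e["new_value"]]) > 1:
                reasons.append("destination account shared by several employees")
            if not business_hours[0] <= e["ts"].hour < business_hours[1]:
                reasons.append("outside business hours")
            if reasons:
                findings.append((emp, e["timestamp"], reasons))
    return sorted(findings, key=lambda f: f[1])   # ISO timestamps sort lexically
```

The ordinary 2% raise during office hours for E1001 produces no finding; the four night-time changes pointing two employees at the same new account do.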

September 22, 2011  8:04 PM

More TLS info


Good info about what can and will be done in the current state of things, and which software is capable of running which version of TLS.

September 20, 2011  8:47 PM

BEAST Part 2


The basic premise of the attack that BEAST performs is a chosen plaintext attack.  A chosen plaintext attack is a type of cryptographic attack in which the attacker is in a position to feed text in to the cipher and then analyze the output.  This allows the attacker to gain a good understanding of the cryptosystem and even deduce the key.

Everything I have found says that this has been in TLS since its initial release, but was considered too difficult.  It also does not exist in the later releases.

The best advice I can give is for everyone to move off of it.
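An added illustration, not from the original post, of the property the chosen plaintext attack relies on and why later TLS releases do not have it: in TLS 1.0 the CBC IV of the next record is the last ciphertext block of the previous record, so anyone watching the wire knows it in advance, whereas TLS 1.1 and later send a fresh random IV with each record. The record layer below is a constructed model (not a TLS implementation), and the block cipher is a keyed-PRF stand-in so the example runs with the standard library only.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for the AES-CBC cipher suites


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in block cipher: a keyed PRF truncated to one block. It is not
    # invertible, but only the encryption direction matters for this demo.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "demo assumes pre-padded input"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


class CbcRecordLayer:
    """Constructed model of a CBC record layer; the IV rule is the only
    difference between the two modes."""

    def __init__(self, key: bytes, explicit_iv: bool):
        self.key = key
        self.explicit_iv = explicit_iv        # True models TLS 1.1+, False models TLS 1.0
        self.last_block = os.urandom(BLOCK)   # TLS 1.0 takes the first IV from the handshake

    def send(self, plaintext: bytes) -> tuple:
        iv = os.urandom(BLOCK) if self.explicit_iv else self.last_block
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.last_block = ct[-BLOCK:]         # visible on the wire either way
        return iv, ct


def iv_predictable(layer: CbcRecordLayer) -> bool:
    """Observer's view: can the IV of the next record be guessed before it is sent?"""
    guess = layer.last_block
    iv, _ = layer.send(b"A" * BLOCK)
    return iv == guess


def chosen_input_reaches_cipher(layer: CbcRecordLayer) -> bool:
    """With a guessable IV, submitting IV xor X as plaintext feeds exactly X to the
    block cipher, so the IV no longer randomises what the attacker can test."""
    target, guess = bytes(range(BLOCK)), layer.last_block
    _, ct = layer.send(xor(guess, target))
    return ct[:BLOCK] == block_encrypt(layer.key, target)
```

Both checks come back True for the TLS 1.0 style chaining and False for the explicit random IV, which is the whole of the fix in the later releases.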

September 20, 2011  2:45 PM



A working tool to exploit TLS v1 will be released this Friday (Sept 23rd).  Major browser vendors have been warned already.  I have done some spot checking and found a few secure sites I use are on v1 still.

I am still looking for more details, but I think this may have had something to do with the vulnerability that was one of my first blog posts way back when.

If I find more I will post it.


Another link

September 19, 2011  9:02 PM

New Certification


I got a new cert last week, which is the explanation for my lack of posting so far this month.

I am now a GIAC GCFA.

The course that goes with the cert is FOR508.  The material covered was excellent, and the hands-on work was very valuable.  There were several forensics challenges throughout the course that were really well done and covered the material well.

I did well on the exam, not as well as I wanted to, but I found some of the material challenging.  The 508.5 book is all law and international law as it relates to digital forensics and evidence.  I was not as prepared for those questions as I was for the technical ones relating to the file systems.

But I am still happy with the end result.

August 30, 2011  8:38 AM

New project, BayFiles


The guys that created The Pirate Bay are in the midst of creating a new site called BayFiles.  It appears the site will operate like Megaupload and Rapidshare, allowing users to upload content from the browser.  It has a cost model that limits free users to 250 MB, and also controls the number of files you can download per hour.

It also does not have a search feature, so you need the link created when the file is uploaded to have access.

It also appears that they are going to “respect copyrights” now.  Many analysts don’t seem to share that opinion.

August 29, 2011  8:28 PM

The Red Cyber Army


There is a lot of speculation that China has been a hotbed for cyber attacks against various targets around the world.

Apparently there is a “smoking gun” floating around that proves this program.

The story is being updated; currently I am on the fence.  It’s been a week and the fallout is less than what I would expect if this was true, rather than a misinterpretation of the screen.  It does seem pretty straightforward, a US IP and a button that says “Attack” (not that I can read that part).
