Tuesday, November 17, 2009

G. Joseph Kahlich; MBA, CISSP
2417 Havard Oak
Plano, Texas 75074
214 797-3701
joseph@whyjoseph.com

Employment and Responsibilities
MedAssets 2008 - 2009
Information Security Analyst
• Perform internal audits and reporting towards compliance, risk analysis, threats
• Security architecture; research, development, and improvement
• Consulting for Customers, RFP's, Projects, Host External Audits: HIPAA, SAS 70, SOX 404
• Awareness and education for employees and vendors
• Incident Management and Investigation

A public nationwide technology company providing Group Purchasing Organizations and web based applications to the financial offices of hospitals and doctors offices. Datacenters are located in Texas, Georgia and Missouri; there are 16 physical locations, and approximately 2000 employees. Regulations include HIPAA, HITECH, and Sarbanes.


Accuro Healthcare Solutions
2003 - 2008
IT Manager and HIPAA Security Officer
• 8 direct reports
• IT projects and budget
• Network and system architecture development and enhancement
• Vendor evaluation

A private nationwide technology company providing web based applications to the financial offices of hospitals and doctors. Primarily a Microsoft, Dell, EMC, SonicWall environment with 1 datacenter, 5 physical locations throughout the United States and approximately 800 employees. Regulation included HIPAA.


Innovative Managed Care Solutions
1999 - 2003
IT Supervisor
• 3 direct reports
• IT projects
• Network and Desktop support

A private technology company providing software and web based applications to the business offices of hospitals. This was a single location that primarily consisted of a Microsoft, Dell, and Linksys environment and 180 employees.



Expert Solution Technical Training Center May – Oct 1999
Technical Instructor
• Instruction of hardware, software, programming, and operation
• Prepare and delivering lectures
• Lead classroom discussions and administer "hands on" sessions and scenarios
• Create, administer and grade examinations

Education and Certifications

Master of Business Administration in Information Assurance
University of Dallas – Graduate School of Management
2007
Irving, Texas

Bachelor of Science in Business / e-Business
University of Phoenix – Dallas Campus 2004
Dallas, Texas

Associates of Arts and Science
Brookhaven Community College 1992
Farmers Branch, Texas
Certifications and Memberships
CISSP, MCSE, MCP+I, A+
ISSA
Information Security Experience and Skills
I am actively attending “Digital Forensics Investigation” training which involves corporate investigation practices, data acquisition, chain of custody, and presentation practices.

Personnel
• Alerts to staff of threats and risks
• Security training employees
Policies and Plans
• Communications Policy
• Disaster Recovery
• HIPAA Privacy and Security
Patching
• Automated AV updates
• Monthly software patching
Investigation and Reporting
• Malicious / Accidental
• Breach / Infection
• Complaints / Notifications

Auditing and Analysis Tools
• MBSA
• Nessus
• NMAP
• Qualys
• WSUS
• SecureWorks
• Snort
• Sourcefire
• Chubb
• NetIQ
• S-Alive
• Video
• Consoles
• Dump Sec
• Log Parser
• Scripts
• SQL Query
Accomplishments

SecureWorld Expo; Steering Committee 2008 and 2009
Participated in advisement on conference topics and direction

IANS Lone Star Security Conference; Speaking Appearance 2007
Intrusion detection/prevention solutions

HFMA; Speaking Appearance 2003
Patient information data security

References upon request, or many may be found at LinkedIn.com.

Looking for a New Opportunity

My position of Information Security Analyst was downsized November 16th. I am in the process of updating my resume; in the mean time please feel free to learn more about me on LinkedIn at:

http://www.linkedin.com/pub/joseph-kahlich-cissp/2/145/a33

I may be contacted at: Joseph@whyjoseph.com or 214 797-3701.

Sunday, July 26, 2009

Bootable BackTrack 3 USB drive that allows Persistent Changes: article 200914



Take Aways: Using at least a 2 GB USB stick, create 2 partitions: one for the BT3 OS, the other to write files to.

Tools I used: 2 GB USB stick, UNetbootin for Windows, a desktop running XP and a laptop running a LIVE CD of BackTrack 3

First, giving credit where it is due: wirelessdefence.org, which is where I pulled my info on how to partition the USB stick and set it for persistent changes.

http://wirelessdefence.org/Contents/Backtrack3_USB_Howto.htm

There are several ways to do this and I am sure mine is not the most elegant, but it worked for me.

I booted my Dell Inspiron 5150 with a live CD of BT3, inserted the USB stick and followed wirelessdefence's instructions for creating the partitions:


1. Boot up your Linux machine (this is only required for initial installation a VMware machine will work fine).

2. In the Linux machine run "tail -f /var/log/messages" and insert the USB drive. In my case the following is displayed "[sdb] Attached SCSI removable disk" so we now know the USB device is sdb.

3. fdisk /dev/sdb

4. Command (m for help): p (to see what is on the drive).

5. If there are any existing partitions on the device, delete them using d; you will then be prompted for the partition number.

6. Command (m for help): n (to create a new partition)

7. Command action e extended, p primary partition (1-4): p (for primary)

8. Partition number (1-4): 1 (for first partition)

9. First cylinder (1-245, default 1): 1 or Enter (to start at the first cylinder)

10. Last cylinder or +size or +sizeM or +sizeK (1-245, default 245): +1024M (to create a 1Gb partition)

11. Command (m for help): t (to set partition type)

12. Hex code (type L to list codes): b

13. Command (m for help): n (to create a new partition)

14. Command action e extended, p primary partition (1-4): p (for primary)

15. Partition number (1-4): 2 (for the second partition)

16. First cylinder (126-245, default 126): Enter (to accept default)

17. Last cylinder or +size or +sizeM or +sizeK (126-245, default 245): Enter (to use the rest of the disk this will create a 1Gb partition if you're using a 1Gb disk)

18. Command (m for help): t (to set partition type)

19. Partition number (1-4): 2

20. Hex code (type L to list codes): 83

21. Command (m for help): p (to make sure there are two partitions of the type and size you are expecting)

22. Command (m for help): w (to write your changes to the disk; without this step nothing is actioned).


Mounting the new partitions in Linux:

1. Create 2 mount points e.g. mkdir /usb and mkdir /usb1

2. mount /dev/sdb1 /usb (mount the FAT partition). You may need to specify the file system, e.g. mount -t vfat /dev/sdb1 /usb

3. mount /dev/sdb2 /usb1 (mount the Linux partition). You may need to specify the file system, e.g. mount -t ext3 /dev/sdb2 /usb1

Note: If you are having trouble mounting any particular drive do a format on the windows partition or an fsck on the Linux partition prior to performing the mount.


I don't know why but I did have trouble mounting my sda2 device and none of the suggestions above worked for me so I ran "mke2fs /dev/sda2" to format the partition and that did the trick.

Now that I had my 2 partitions I shut down my BT3 OS (this just worked best for me with adding and removing the USB stick), pulled my USB stick out and placed it into my XP machine.

Now here is a jewel for making the USB stick bootable: UNetbootin from SourceForge. This app will automatically create a bootable USB drive for you with about 50 different OS types plus many of their versions! Of course BackTrack 3 is one of the options.


If you do not already have the ISO image downloaded it will go and snag it for you. In my case I had downloaded it locally already, so I clicked DiskImage and pointed it to my file.

In a manner of about 5 minutes I was ready to go.

I once again booted my laptop to the BT3, inserted the USB stick and once again looked to Wirelessdefence.com for assistance.


1. mkdir /usb1/changes (manually create a "changes" folder on the Linux partition)

2. vi /usb/boot/syslinux.cfg (or use another text editor to open the file)

3. At the end of the APPEND line, under the mode you are planning to use e.g. KDE, add the following:

changes=/dev/sdb2

So, for the MENU LABEL BT3 Graphics mode (KDE)

"......rw autoexec=xconf;kdm" becomes "......rw autoexec=xconf;kdm changes=/dev/sdb2"

After you have made the changes save the file.

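The syslinux.cfg edit in steps 2 and 3 above, as an added shell script that is not from the original post or from wirelessdefence.org. It assumes the LABEL / MENU LABEL / APPEND layout the post describes and works on a constructed sample config; the mount point /usb and the device /dev/sdb2 are the ones used in the post.

```shell
#!/bin/sh
set -eu

# Write a constructed syslinux.cfg to the given path. It approximates the BT3
# menu layout described in the post and is not copied from a real BT3 image.
write_sample_cfg() {
    cat > "$1" <<'EOF'
DEFAULT vesamenu.c32
PROMPT 0
LABEL xconf
MENU LABEL BT3 Graphics mode (KDE)
KERNEL /boot/vmlinuz
APPEND vga=0x317 initrd=/boot/initrd.gz ramdisk_size=6666 root=/dev/ram0 rw autoexec=xconf;kdm
LABEL text
MENU LABEL BT3 Text mode
KERNEL /boot/vmlinuz
APPEND initrd=/boot/initrd.gz ramdisk_size=6666 root=/dev/ram0 rw
EOF
}

# Print the config with "changes=<dev>" appended to the APPEND line of the menu
# entry whose MENU LABEL contains <want> (e.g. KDE). Other entries are left as
# they are, and an APPEND line that already carries a changes= option is not
# touched, so running this twice does not duplicate the option.
render_with_changes() {
    cfg="$1"; want="$2"; dev="$3"
    awk -v want="$want" -v dev="$dev" '
        /^[ \t]*LABEL[ \t]/ { inblock = 0 }                  # a new menu entry starts
        /^[ \t]*MENU[ \t]+LABEL/ && index($0, want) { inblock = 1 }
        inblock && /^[ \t]*APPEND[ \t]/ {
            if (index($0, "changes=") == 0) $0 = $0 " changes=" dev
            inblock = 0
        }
        { print }
    ' "$cfg"
}

# Edit the file in place, keeping a .bak copy of the original. Returns 1 when
# nothing changed (wrong label name or already persistent) so a caller notices.
persist_changes() {
    cfg="$1"; want="$2"; dev="$3"
    tmp="$cfg.tmp.$$"
    render_with_changes "$cfg" "$want" "$dev" > "$tmp"
    if cmp -s "$cfg" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cp -p "$cfg" "$cfg.bak"
    mv "$tmp" "$cfg"
}

# Number of APPEND lines that now carry changes=<dev>; the check to run after
# editing, before rebooting from the stick.
count_persistent_entries() {
    grep -c "^[[:space:]]*APPEND.* changes=$2" "$1" || true
}

# On the stick from the post: persist_changes /usb/boot/syslinux.cfg KDE /dev/sdb2
```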

I then rebooted the laptop choosing this time to boot to the USB key and "Boom, goes the dynamite"

The writable partition, for me, was under /mnt/sda2



Sunday, June 28, 2009

FOLLOW UP Hacking Practical 1: Cracking WEP: article 200912

Quick Follow Up

My buddy was able to crack WEP 128 just fine on his Linksys today as well as another 3COM 7760. I went and verified and I was able to crack 128 as well on my Linksys. ODD!


Hacking Practical 1: Cracking WEP: article 200911

Takeaway: Cracked 64 bit WEP in 5 minutes, could not get 128 to break

With the help of a friend bringing over a 3COM 7760 Wireless AP last night, we were able to practice and observe, from the victim's standpoint, the cracking of WEP 64 and 128.
Booting to BackTrack 3 we first tested that we could crack the WEP 64 using SpoonWep.





SpoonWep is a graphical interface that does just what it says: it spoon feeds the WEP cracking for you. All you need to know is the channel and the BSSID, which is the MAC address of the victim AP (Access Point). You can snag this info using Kismet, which we did for practice, but obviously we knew the MAC since we were also in possession of the AP.


By the way some definitions of SSID, ESSID, BSSID:

SSID
Short for Service Set Identifier, a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the BSS. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet it does not supply any security to the network.

ESSID
The Extended Service Set ID (ESSID) is the name of the network you want to access. It is used to identify different wireless networks. ESSID is just an extended SSID allowing for more features.

BSSID
The BSSID is a 48-bit identity used to identify a particular BSS (Basic Service Set) within an area. In Infrastructure BSS networks, the BSSID is the MAC (Medium Access Control) address of the AP (Access Point), and in Independent BSS or ad hoc networks, the BSSID is generated randomly.

SpoonWep cracked the key in about 5 minutes so we knew it was doable. We wanted not to be so spoon fed and get our hands dirty so we attempted the crack again using:

Airodump-NG
Aireplay-NG
Aircrack-NG



First we needed to capture data to crack; for 64 bit WEP at least 5000 IVs would be needed. We used airodump to capture these.

Typing airodump-ng --help will give the list of options and filters. We went with the command:

airodump-ng --ivs -w dumpfile --bssid aa:bb:cc:dd:ee:ff --channel 11 ath0


Breaking this down:
airodump-ng is the command
--ivs tells airodump to save only the captured IVs (initialization vectors)
-w dumpfile tells airodump to write to a file I called dumpfile
--bssid aa:bb:cc:dd:ee:ff is the AP to capture data from; the MAC is made up for the purposes of this blog
--channel 11 is the channel to capture data on
ath0 is the name of my NIC

Once airodump was capturing IVs we saw that the data being captured was not increasing very fast, because there was little communication going on between the AP and a node already connected to it. We wanted it to capture faster; this is where Aireplay comes in.

Like Airodump, using the command aireplay-ng --help lists your command options. Notice when doing this there are several attack modes:

--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)



The attack we chose was ARP Replay since that was what SpoonWep used. Our initial command looked like this

aireplay-ng -3 -b aa:bb:cc:dd:ee:ff -x 1024 ath0


Breaking this down:
aireplay-ng is the command
-3 is the number of the attack we chose; this could also be written --arpreplay
-b aa:bb:cc:dd:ee:ff is again the AP we are attacking
-x 1024 is the number of packets per second we are injecting; the default is 500, and we found 1024 is the max
ath0 is my NIC


This still did not appear to greatly speed up the data capture rate. Then, watching Airodump, we saw the MAC of a computer connected to the AP we were attacking. So we rewrote our aireplay command to include a source MAC address. The MAC we used was the one already connected to the AP, thus forcing traffic between the two. Notice the -h we placed in the command.


aireplay-ng -3 -b aa:bb:cc:dd:ee:ff -h 00:22:44:66:88:00 -x 1024 ath0


This ramped up data capture and in time we were at 5000 IVS and beyond. Now it was time to set up the crack.

Aircrack actually performs the cracking to determine the WEP key needed to connect to the network. Again, --help will show the options needed. The command we ran was:

aircrack-ng -a 1 -b aa:bb:cc:dd:ee:ff -n 64 dumpfile.ivs

Breaking this down:
aircrack-ng is the command
-a 1 tells aircrack it is working against WEP
-b aa:bb:cc:dd:ee:ff is the BSSID we are attacking
-n 64 is the key strength, 64 bit
dumpfile.ivs is the file holding all the data airodump has "dumped"; remember the first command I wrote about? Airodump created a dumpfile.txt and a dumpfile.ivs; the IVS file is what you need to crack against

You can begin the cracking process while airodump is still running; aircrack will continue to read the file as it is updated.

All in all it took about 5 minutes to crack the 64 bit WEP.

Using the same process as above, but configuring for 128 we tried to attack 128 bit WEP. The thing is we had no luck. All reading we have performed said around 20000 IVS is needed, we had over 500,000 IVS and still no luck; it was late so we gave up on that and plan to try again in the near future.

Tuesday, June 23, 2009

Script the World 2; Know Your Variables: article 200910

Take Away: Know your windows variables for portability of your scripts

%time%, %date%, and %computername% are my most commonly used Windows variables. A lot of times when I run a script I am spitting text out to log file and this is where the 3 variables come in handy. I place them at the top of my script preceded with an echo command. This helps me to know when the script kicked off and on what machine it is running.

echo %computername% # spits out the name of your computer

echo %date% # spits out the current date on the system

echo %time% # you guessed it; spits out the current time on the system

Open a command window and try it out there. At the command prompt just type one of my echo statements above, without the # sign and everything behind it and you will see what I am talking about.

I especially like the %time% variable. I perform a %time% echo at the beginning and again at the end of the script to determine how long the script ran. I also use %computername% to help make the script portable. For example notice the following command:

REM %1 is the date passed to the script as its first argument (here, by the
REM scheduled task). Only failure-audit events with ID 680 logged at or after
REM 11:00:00 PM on that date are pulled from the Security log and written as
REM CSV to a file named after this computer.
eventquery.vbs /fi "Datetime Ge %1,11:00:00PM" /fi "ID eq 680" /fi "type eq failureaudit" /l security /v /fo csv > %computername%.csv

REM namedate (a third-party renaming tool) stamps the file name with the date (ymd)
call c:\evtqury\namedate /Yxz:"ymd" %computername%.csv

REM mail the CSV to myself; the "from" address and subject carry the computer name
blat.exe file.txt -to "joseph@whyjoseph.com" -serverSMTP 10.10.10.20 -f "%computername%@whyjoseph.com" -attacht %computername%*.csv -subject "%computername% login failure audit" -body "This came from c:\evtqury on %computername% where a scheduled task runs to execute this report"

REM clean up so the next run starts fresh
del %computername%*.csv

exit


Now, I am too tired to break down what all this script is doing beyond saying I am reading the security logs for event 680 on a daily basis, mailing a CSV log to myself with the results to see if there are any failed domain logins I need to investigate.

Just notice how I am using the Windows variable %computername%. I am using it to name my output file so it is easily differentiated from all of the files from other systems I receive; I am also using it to build the "from" email address so I can sort the messages from each of the servers in my .pst folder. I am using the variable in the body of the email, and finally I am using it when I delete my output file.

Because I am using the variable I write one script and copy it out to many servers, such as Server1, Server2 and Server3. If I were to use the servers' actual names in the script, well then obviously I would have to create a script for each server.

To learn what Microsoft's variables are, or how to create your own, see their site:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds_shelloverview.mspx?mfr=true

Monday, June 22, 2009

Unetbootin for OS on a USB Stick: article 200909

OS on a Stick; Super Quick with just a Click!
(sorry)

For Father's Day I received an Acer Netbook. What a great toy, and what I was most excited about was to have an Atheros wireless NIC compatible with BackTrack 3 and Kismet. I was actually dreading that I was going to have to work to get BackTrack installed onto a USB to boot the OS on my XP OS Netbook. To my surprise, while researching the web on how to do this and proactively searching for any gotchas, I came across a great tool found on Source Forge: Unetbootin. This is a stand alone app that will not only go and retrieve the ISO image for you but will install it onto the USB as well! Voilà, with selection of a couple of drop downs and radio buttons you are ready to go; click the OK button and sit back. In less than 30 minutes I had downloaded (thanks to my 20 down 5 up ISP) and installed two USB bootable OSes: Ubuntu and BackTrack 3.

Check it out: http://unetbootin.sourceforge.net/



Saturday, June 20, 2009

XCACLS over SubInACL: article 200908



FOR THE BUSY (or IMPATIENT): Point of the Story: SubInACL scans every single folder and file unless you tell it not to.


I am working on modifying permissions on up to 3 million folder and file objects on one root drive in a Microsoft environment. I obviously am scripting this as well as performing the process in stages; right now I am in the testing stage in a non-production environment (see my first posting of the "Script the World" series).

The initial command I chose to use was XCACLS from Microsoft. It is a fairly simple command to view and edit permissions on files and folders. I noticed that it ran a little slow for my tastes and was discussing this with a co-worker who mentioned he used Microsoft's SubInACL. SubInACL can be used for similar purposes but appears to be more robust than XCACLS.

When I tried SubInACL it took much, much longer than XCACLS to complete and in some of my tests even "hung". This was very odd as my co-worker had successfully used SubInACL for his tasks. I began researching using Google and Microsoft's ProcMon and came upon what I would call at best a nuance and at worst a bug.

Let me set the stage: I have a root drive for testing; “H:” and in this root drive I have 10 directories:

AAA
BBB
CCC
DDD
EEE
FFF
GGG
HHH
III
JJJ


Inside each of the directories I have 20,000 folder and file objects. Since I will perform these permission changes in stages when I am working with production folders, I only want to work on a select group of folders at one time; for example


Stage 1
AAA
BBB
CCC


Stage 2
DDD
EEE
FFF
etc....


So using scripting and reading from a list (another reference to my Script the World 1 post) I am able to automate these changes; however, as mentioned above, SubInACL seemed to "hang". I researched this issue on the web and stumbled across a forum posting that had a similar issue; one of the posters stated that SubInACL scans all folders and files in the parent directory of the one on which you are making changes, even though you did not tell it to touch those folders. For example, using the command to change permissions on folder AAA:


C:\>subinacl /subdirectories h:\AAA /grant=DomainName\GrantGroup:F /revoke=DomainName\RemoveGroup


would result in SubInACL changing those permissions but then going to SCAN, (NOT MODIFY; I WANT TO BE CLEAR. It only performs a read) the remainder of the folders and files in H:
Using Sysinternals' (now Microsoft's) Process Monitor confirms this. I turned on ProcMon, filtered for SUBINACL.EXE and sure enough I see it work on the AAA folder and its files, but then it goes on to read every other folder and file in the H: drive before finishing the command!


Now there is an “Exclude” switch in SubInACL but it does not work for what I am doing since I am working at the root of the directory. The command would be


C:\>subinacl /subdirectories h:\AAA /grant=DomainName\GrantGroup:F /revoke=DomainName\RemoveGroup /pathexclude=H:\*.*


Notice that at the end I am trying to exclude (H:\) the very directory I am working in (H:\AAA).


(This is probably how my teenage son feels when I am barking orders at him: "DO THIS! DON'T DO THAT!")


Bottom line, I am going to stick with XCACLS. I did notice after further testing that it tends to run slow at first but, given a greater number of objects, it moves along at a pretty good pace.


I will post more later about XCACLS and some of my findings there, as well as how I scripted this.


Wednesday, June 17, 2009

Script the World 1; Simple Scripting Reading from a List: article 200907

INTRO AND READING FROM A LIST


A programmer I am not! I do study scripting languages, but with my position and the other tools we utilize, scripting can be spread far enough apart that I have to pull the books back off the shelf or dig around Google to refresh my memory. I try to practice shell scripting, PERL, and VB Script when I need to automate a task, and I do keep my scripts around, as I have found over the years I continually refer back to them and borrow from one another to accomplish new tasks. Speaking of "referring back", take my advice and take the time to write notes, either via comments in the script itself or in a text file in the same directory where you keep the script, about the purpose of the script, how it works, why you used it; and WHERE! Over the past 10 years I have become better at this, but I also still get bit by digging up scripts from years back and having to re-figure why I did what I did.

The stuff I am going to present here is actually a bit embarrassing I mean the stuff I write is SIMPLE! There is also quite a bit of bailing wire and bubble gum involved which leads me to say; test your script in a non-production, non-critical environment before ever using it in a place that could harm your company and possibly your employment status.

As stated this is simple stuff but like me there may be others that need a little idea or hint on how to get things going for themselves.

In this post I am going to show what I do to read from a list and execute a command against each item in that list in a Microsoft Windows environment using a batch file as your executable. In this example I am going to do a ping command against a list of URLs. DON'T BLINK!


STEP 1: Select or create a directory to work from. I like to keep the items below in the same folder, it makes calls that much easier.

STEP 2: Open NOTEPAD.EXE and make a list of urls you want to ping; for example

google.com
slashdot.org
bassproshops.com

For this example save the document as LIST.TXT; and place LIST.TXT in the directory from STEP 1.

STEP 3: Open NOTEPAD.EXE and type in the following:

FOR /F %%A IN (LIST.TXT) DO PING %%A
Save this file as PINGURL.BAT in the directory from step one.
You are done! Execute the script in the method you prefer. For this example let's do it from the command prompt.
BTW: Jing is a handy little program. I am not ready to give it a rating but below is a link to the video of me executing the script and showing you where the files are stored.


One last little tip. If you want to spit the script's output to a text file, run the command with ">" and a file name for the output.

c:\pingurl>PINGURL.BAT > OUTPUT.TXT
Remember two big rules:
1. Take the time to write notes
2. Test your script in a non-production, non-critical environment

Tuesday, June 2, 2009

Free Great Educational Security Videos: article 200906

Been busy and too burnt to type anything up after work, but I have found a great site for security videos and it's free.

http://securitytube.net

Really good stuff especially a great series of videos on learning assembly language for hackers.

Sunday, March 1, 2009

A Little Malware Research: article 200905

The past few days I decided to wade into some application security and forensics, especially down at the assembly language level. Since my last post I have been playing with the malicious PDF I downloaded from the Internet into a VM with Windows 2000 Professional SP 4. I have installed Adobe 9.0 and FoxIT readers. I used Sysinternals Filemon, Regmon, OllyDbg, and WinDiff to try and determine what exactly was being done by this PDF, to see if there was any further malicious activity other than crashing the Adobe program. The only suspicious activity I saw was what appeared to be a reading of the root of the C drive, but keep in mind I am not a forensics expert and the only coding I do are simple administration scripts with shell, VB and PERL (I am planning on adding Python to that list soon).

My process started with a clean 2000 Pro VM with Adobe 9.0 and FoxIT installed, from here I took a snapshot to always revert back to.

I downloaded the malicious PDF onto the VM without incident then opened it with Adobe reader which after some struggling finally crashed.

I then reverted back to my snapshot this time disabling the Java in Adobe and I again downloaded the malicious PDF and opened it. A dialog box announced I would need to enable Java to open the attachment and asked if I wanted to enable Java; I selected not to and immediately Adobe Reader crashed.

During each test I had Filemon running. I went to compare the crashes with each other. The Adobe Reader processes were cranking along just fine until a call for Java was made, at which point the one with Java disabled reported an attribute error and the other went ahead and loaded Java, as was expected.

The processes fell in sync again until a call to glob.js was called and executed. I am not sure what glob.js does but when I see glob I think of searches and reg-ex; my Google searches did not produce much.



The processes synced up again until a 3rd and final time when the reader program with Java disabled made a call to admplugin.apl which according to http://www.processlibrary.com/ is the Adobe Dialog Manager, which is probably what asked me to enable Java, and the reader that had Java enabled started making reads to the root of my C:\ drive. That is where I would throw a flag; but interesting that I never saw a WRITE.

I also used WinDiff to compare before and after registry settings from opening the PDF with and without Java. I really saw no critical changes there; also, using Regmon, I compared the two and did not see anything that stood out.

I did attach the Adobe Reader process as well and watched it crash in a debugger, again nothing really stood out to me, but that could be lack of knowledge of the code processes down at such a low level.

Using CamStudio I captured the crashing of the Adobe application as well as FoxIT successfully opening the malicious PDF. Nothing too exciting, the apps just crash. It was interesting to see Foxit open the PDF to see what was inside.



(Three screen captures accompanied the original post: the first with Java enabled, the second with Java disabled, and the third opening the document with FoxIT.)


Overall this was just a fun exercise to get my hands dirty with some very basic application and forensic investigation. The PDF I was using had already been crafted but could easily be re-engineered to be more malicious. Even more concerning is that at the same site where I grabbed this PDF there is another download of a PERL script that was created to easily produce these malicious PDFs. Opening the script in notepad one can easily see how to create such a PDF and modify it to their liking.

Wednesday, February 25, 2009

Adobe Vulnerabilty More Info and Mitigations: article 200904

Yesterday I wrote about the Adobe flaw and, reviewing my post, realized I did not mention that another step to help mitigate this vulnerability is to use the alternative PDF reader offered free by Foxit Software. ZD Net posted an article today that pretty much bashes on Adobe, but if you get past that, down towards the end it notes that Secunia (who has a great free tool I will write about in a future post) announced it was able to perform the exploit without the use of Java. If this is true then some of the mitigations proposed by Adobe may not be effective.

In an isolated environment I too created a malicious PDF with exploit code found on Milw0rm, disabled both JavaScript and opening in Internet Explorer, and it still crashed my Adobe Reader program while Foxit opened it just fine.

There is also a link that points to information that gives you a URL to an actual malicious PDF. I am going to stop "blogging" now and am going to reset my environment and try it next.

Tuesday, February 24, 2009

Adobe and Excel exploits in the Wild: article 200903

Adobe announced last week that there is an exploit affecting their Reader and Acrobat programs and that they would not be releasing a fix until March 11th and then on the heels of that today Microsoft announced that their Excel program has an exploit affecting versions 2007 and earlier.

So what's the good news in all of this? It was announced that the exploits do exist! It has been reported that Microsoft themselves in the past have known of a vulnerability and not rushed to fix it. Now we are up to speed and awareness can be heightened. The other silver lining is that this is an opportunity to raise security awareness with the use of real world examples.

There are some configuration changes you can make in Adobe to help mitigate the risk, such as disabling JavaScript and not allowing PDFs to open in a web browser; beyond that, good security practice can go a long way as well: making sure AV is running and up to date, not opening untrusted documents and attachments, and, if receiving an attachment via email, calling or writing the sender back to confirm they intended to send the document to you.

By the way; in defense of the software companies there is much work, especially for Microsoft, to test software patches, think of all the versions and languages they support.

Monday, February 23, 2009

Personal and Small Business Data Encryption: article 200902

I am not a lawyer and the below statements are only my understanding of the laws. Therefore nothing below is legal advice but merely the suggestions of what I would do to best protect myself.

In the past much attention has been paid to the confidentiality of data as it flows across the Internet (a.k.a. data in transit). Well, have you ever thought about data in transit from a different perspective, say when a guy runs off with your Acer laptop, or Western Digital Passport, or one of the many thumb drives you picked up as swag at the latest convention? Now that is some data in transit that can reach a 10 on the pucker factor; quick!

Alright so I am really talking about data at rest that is only in transit because your goods got swiped when you got up for that second stove top donut at Starbucks. Hey you were only 15 feet away the force field should cast that far; right?

The point is that it is important to protect the confidentiality of data while it is at rest too, and there is a great FREE tool that will do just the job: TrueCrypt. I personally use TrueCrypt to encrypt my USB keys, my pocket drives, and my laptop. I opt to encrypt the entire drives, but the program can be used in a number of ways and it really is quite simple.

For those that are not so technical there is a great beginners tutorial where you simply create an encrypted container and drag your items into it. For a more advanced user you can encrypt your entire hard drive with pre-boot authentication and a rescue disk. My personal laptop with a 60 GB hard drive took about 3 hours to encrypt and honestly I do not notice a performance hit; to give you a baseline, I pretty much surf the web, use the Microsoft Office Suite and watch CBTs.

An important note when setting passwords, anywhere, not just TrueCrypt: make sure to select strong multi-character/multi-case alphanumeric passwords of at least 8 characters; 10 or 12 are nice numbers actually. An example: 0u812V@nH@l3n
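As an added example (not the post's own code, and not TrueCrypt's), here is a small Python checker that implements the policy stated above: at least 8 characters, mixed case, and alphanumeric, with 12 as the preferred length. It goes one step beyond the text by also estimating an upper bound on the password's entropy from the character classes it uses, so you can see why longer passwords matter more than extra symbols. The thresholds and the example inputs are the post's; everything else is an assumption of this example.

```python
import math
import string

# Policy from the post: at least 8 characters (10 or 12 preferred),
# mixed case, alphanumeric. Symbols are allowed and, as in the post's
# own example, make the password stronger.
MIN_LENGTH = 8
PREFERRED_LENGTH = 12

# Assumed alphabet sizes per class (33 printable ASCII symbols).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def estimated_entropy_bits(password: str) -> float:
    """Upper bound on entropy: length * log2(alphabet size).

    This assumes every character was chosen uniformly at random from the
    classes used; a password built from a word or a song title is far more
    guessable than this number suggests, so treat it as a ceiling only.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str) -> dict:
    """Check a password against the post's policy and report why it fails."""
    classes = character_classes(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if "lower" not in classes or "upper" not in classes:
        problems.append("not mixed case")
    if "digit" not in classes:
        problems.append("no digit")
    return {
        "ok": not problems,
        "problems": problems,
        "length": len(password),
        "meets_preferred_length": len(password) >= PREFERRED_LENGTH,
        "entropy_bits": round(estimated_entropy_bits(password), 1),
    }


if __name__ == "__main__":
    for candidate in ("0u812V@nH@l3n", "password", "Ab1!"):
        print(candidate, check_password(candidate))
```

The post's example password passes every rule and scores roughly 85 bits as an upper bound; "password" fails on case and digits, and "Ab1!" fails on length even though it uses all four classes.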

Now this is good personal security info, but you small (and large, I suppose) business owners should take heed of this tool, especially if you're toting around customer information. Personally Identifiable Information (PII) laws are in effect, and my understanding is that here in Texas our Attorney General Greg Abbott is serious about the protection of citizens' information.

If you are a small business owner and you must lug customer data around, make sure that you document that you encrypted the data. It is my understanding that TrueCrypt does not offer a solution for this. One idea I would suggest is to give your storage devices serial numbers, document that information, and include in the documentation those that you do encrypt.

Why all this trouble? Well, going back to the PII laws: if you lose customer data that is considered a breach, and based on where you do business you must notify those whose data you lost. Now some states, with your proof of encryption, will waive this, but other states, and Texas is one of them, will not. Now, I have had multiple lawyers in round tables that I have sat in tell me that you have the chance to argue your case if you can prove you did encrypt and the encryption was strong.

I really like TrueCrypt but there are other alternatives. You can buy devices with encryption already enabled at the hardware level, such as Dell laptops with encrypted hard drives (FDE - Full Disk Encryption) and, for a thumb drive, IronKey. The bottom line is keep your data safe, and if for some reason you carry around customer data, do yourself and them a huge favor: encrypt it.

Sunday, February 22, 2009

Nmap: article 200901

Below is a nice video and some great links that can help you wade into using Nmap.



Nmap (nmap.org), created by Fyodor, is one of my favorite tools for everything from pen-testing to network inventory, and the price is right: free. I find it helpful for discovering nodes on a network, and if you come across something interesting it's helpful for determining what that node possibly could be.

Some handy commands are:

"nmap -O <host>" - this gives me a list of possible open ports and a solid guess as to what OS is running. A nice simple evaluation to make sure nothing more is open than should be.

"nmap -sP -PP <range>" - this is useful when scanning a range that may be behind a firewall and you receive false information. The -sP goes no further than ping; this is handy for me when I want to just pipe the output to a file that I later edit to have a list of host names (if they resolve) and IPs. The -PP sends a timestamp request as opposed to the typical echo request.
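The two uses described above, the host list from a ping sweep and the "nothing more is open than should be" check after an -O scan, are usually done by hand-editing the saved output. As an added example (not the post's own code, and not part of Nmap), here is a Python parser for Nmap's grepable output format (what you get with -oG) that builds the host list automatically and compares open ports against an inventory of what each host is supposed to expose. The scan output, hosts, names, ports and baseline below are constructed for the example and are not from any real scan.

```python
import re
from typing import Dict, List

# Constructed sample of Nmap grepable output (-oG) as captured to a file.
# Each host yields a "Status" line and, for a port/OS scan, a "Ports"/"OS" line.
# Ports field entries are port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GREPABLE = """\
# Nmap 4.76 scan initiated Sun Feb 22 10:00:00 2009 as: nmap -O -oG - 10.0.0.0/29
Host: 10.0.0.1 (gw.example.lan)\tStatus: Up
Host: 10.0.0.1 (gw.example.lan)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tOS: Linux 2.6.X
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 80/open/tcp//http///, 3389/open/tcp//ms-term-serv///\tOS: Microsoft Windows XP SP2
Host: 10.0.0.6 (printer.example.lan)\tStatus: Down
# Nmap done at Sun Feb 22 10:00:41 2009 -- 8 IP addresses (2 hosts up) scanned in 41.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text: str) -> Dict[str, dict]:
    """Parse grepable output into one record per IP address."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' header/footer comments and anything unexpected
        ip, name, rest = m.groups()
        rec = hosts.setdefault(ip, {
            "ip": ip, "hostname": name or None, "status": None,
            "open_ports": [], "os": None,
        })
        # Remaining fields are tab separated, each "Label: value".
        for field in rest.split("\t"):
            label, _, value = field.partition(": ")
            if label == "Status":
                rec["status"] = value
            elif label == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) >= 5 and parts[1] == "open":
                        rec["open_ports"].append((int(parts[0]), parts[2], parts[4]))
            elif label == "OS":
                rec["os"] = value
    return hosts


def host_list(hosts: Dict[str, dict]) -> List[str]:
    """'hostname ip' per host that answered; '-' when the name did not resolve."""
    return [f"{r['hostname'] or '-'} {r['ip']}"
            for r in hosts.values() if r["status"] == "Up"]


def unexpected_ports(hosts: Dict[str, dict],
                     baseline: Dict[str, set]) -> Dict[str, List[int]]:
    """Open ports that the per-host inventory does not allow.

    A host that is up but absent from the inventory is reported with every
    port it exposes (an empty list if it exposes none), since an unknown
    node is a finding in itself.
    """
    findings: Dict[str, List[int]] = {}
    for ip, rec in hosts.items():
        if rec["status"] != "Up" and not rec["open_ports"]:
            continue
        open_ports = sorted(p for p, _, _ in rec["open_ports"])
        allowed = baseline.get(ip)
        if allowed is None:
            findings[ip] = open_ports
            continue
        extra = [p for p in open_ports if p not in allowed]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    print("\n".join(host_list(scan)))
    # Constructed inventory: what each host is supposed to have open.
    inventory = {"10.0.0.1": {22, 443}, "10.0.0.5": {80}}
    print(unexpected_ports(scan, inventory))
```

Run against a real capture, `parse_grepable(open("scan.gnmap").read())` replaces the hand edit, and keeping the inventory dictionary in version control turns the occasional eyeball check into a repeatable comparison.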





Darren Kitchen from HAK5 gives a nice intro in the video below.

Mark Wolfgang gives a nice quick read on some advanced scanning techniques.

http://moonpie.org/writings/discovery.pdf

And straight from the horse's mouth: NMAP Network Scanning, written by Fyodor himself.

http://nmap.org/book/