tag:blogger.com,1999:blog-32850059820041548482012-01-01T18:08:36.882-06:00InfoSec Thoughts Ideas and PracticeJoseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.comBlogger261100tag:blogger.com,1999:blog-3285005982004154848.post-2953157430540384662011-12-28T15:42:00.000-06:002011-12-28T15:42:02.985-06:00

Loop every 1 minute for 7 hours, provide a date stamp, listen for syslog traffic with TCPDUMP, put the output to screen.  This was to have a check running in a Putty screen so I could keep a manual check on syslog not feeding my appliance. #!/bin/bash COUNTER=0 while [ $COUNTER -lt 421 ]; do            date            tcpdump -i eth0 port 514 -c 3            let COUNTER=COUNTER+1           

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-23011313218615600212011-12-11T18:42:00.001-06:002011-12-11T19:11:46.005-06:00

Study notes from Hacking: The Art of Exploitation and C Programming in Easy Steps. This is a table of format parameters in the C programming language   .

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-64327089863521339112011-12-04T18:24:00.001-06:002012-01-01T18:08:36.890-06:00

Notes taken from "Hacking: The Art of Exploitation, 2nd ed."  Author Jon Erickson; Publisher No Starch Press. Take aways: Compiled programs on x86 systems memory is divided into 5 segements each with specific purposes.  The segments are: text, data, bss, heap, and stack. Fortunately my career is also my hobby; information security.  Forgiving all of the tired cliches, it is true; to really

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-62576733767675701562011-06-28T20:57:00.019-05:002011-07-05T11:45:41.094-05:00

A security incident as defined in NIST SP800-61 rev 1 is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. That being the case then triggered web filters, IDS/IPS alerts, AV alerts, failed login attempts etc all combined can easily add up to hundreds if not thousands, possibly millions of "incidents" a day within an

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-52944174134337108872011-05-08T19:14:00.001-05:002011-05-08T19:15:25.193-05:00

I am excited and honored to have tied for third place. Many thanks to Honeynet for offering these challenges! Forensic Challenge 7 – “Forensic Analysis of a Compromised System” - And the winners are...Sat, 05/07/2011 - 15:09 — angelo.dellaeraFolks, Guillame and Hugo have judged all submissions and results have been posted on the challenge web site. The winners are:1. Dev Anand2. Fernando

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-77531279552324669362011-04-12T08:23:00.006-05:002011-04-12T08:42:54.496-05:00

Takeaways: Perl Compatible Regular Expression Cheat SheetThis is straight from the horses mouth: http://www.pcre.org/pcre.txt. The information below is a copy and paste from of the PCRESYNTAX (3) section. As it mentions below this a quick reference for syntax to perform matching. A deep description of the below can be found at the same link in the PCREPATTERN (3).This comes in handy for me

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-38888612707986437622011-01-16T17:44:00.002-06:002011-01-16T18:31:13.657-06:00

Takeaways: 3 websites to query to help determine if a site is or has possibly hosted malicious software: http://www.google.com/safebrowsing/diagnostic?site=whyjoseph.com, http://www.siteadvisor.com/ and http://www.malwaredomainlist.com/mdl.php During the course of my duties I want to verify if a URL visited is indeed possibly malicious. You see I have a "trust but verify" philosophy when it

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-44642929861165007352010-07-04T19:50:00.007-05:002010-08-06T21:51:57.155-05:00

I have had the iPhone 3G for a little over a 1/2 a year now and in that time have accumulated some apps that could come in handy for the InfoSec Engineer / Analyst. In this write up I quickly describe one of my two folders of tools.Screen shot 1:RBL Status: A nice look up tool to see if a domain is on any one of 13 Black List services.Nice Trace: A handy little trace route tool that

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-62709280099830862912010-03-14T22:30:00.006-05:002010-03-14T22:52:03.520-05:00

Take away: Topics: To turn off security measures for a penetration test or not.I have just started the SANS 560 course Network Penetration Testing and Ethical Hacking and the initial reading brought some topics back to mind.I have discussed and seen debates on such sites as Linkedin.com that covers the topic of whether or not to turn off security controls during a penetration test. My stance is

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-71282375445103661012010-01-28T09:49:00.000-06:002010-01-28T09:50:03.071-06:00

Sitting at a friends computer trying to install McAfee right now so I figure I will jot down some notes about this virus removal.When I arrived the virus had changed their desktop wall paper to a nasty lime green and red warning that that there system was infected. Pop ups were also being presented repeatedly that their system was infected a provided a link to install an AV program to have it

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-13459992868983846362009-11-17T09:12:00.005-06:002009-11-17T14:56:57.300-06:00

G. Joseph Kahlich; MBA, CISSP2417 Havard OakPlano, Texas 75074214 797-3701joseph@whyjoseph.comEmployment and ResponsibilitiesMedAssets 2008 - 2009Information Security Analyst• Perform internal audits and reporting towards compliance, risk analysis, threats• Security architecture; research, development, and improvement• Consulting for Customers, RFP’s, Projects, Host External Audits: HIPAA, SAS 70

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-44474681667277690352009-11-17T08:14:00.003-06:002009-11-17T08:22:42.026-06:00

My position of Information Security Analyst was downsized November 16th. I am in the process of updating my resume; in the mean time please feel free to learn more about me on LinkedIn at:http://www.linkedin.com/pub/joseph-kahlich-cissp/2/145/a33I may be contacted at: Joseph@whyjoseph.com or 214 797-3701.

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-34580956277575039702009-07-26T15:16:00.009-05:002009-07-26T16:36:07.637-05:00

Take Aways: Using at least a 2 Gig USB stick create 2 partitions one for the BT3 OS the other to write files too.Tools I used: 2 GB USB stick, Unebootin for Windows, a Desktop running XP and a laptop running a LIVE CD of BackTrack3First giving credit where it is due: wirelessdefence.org Which is where I pulled my info on how to partition the USB stick and set it for persistent changes.http://

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-74369458655041724662009-07-05T15:26:00.011-05:002009-07-05T15:40:24.120-05:00

.

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com1tag:blogger.com,1999:blog-3285005982004154848.post-74623053626573755342009-06-28T18:27:00.004-05:002009-06-28T18:29:00.329-05:00

Quick Follow UpMy buddy was able to crack WEP 128 just fine on his Linksys today as well as another 3COM 7760. I went and verified and I was able to crack 128 as well on my Linksys. ODD!.

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-62374659230856084262009-06-28T12:14:00.006-05:002009-06-28T18:47:03.039-05:00

Takeway: Cracked 64 bit WEP in 5 minutes, could get 128 to breakWith the help of a friend brining over a 3 COM 7760 Wireless AP last night we were able to practice and observe from the victims standpoint the cracking of WEP 64 and 128.Booting to BackTrack 3 we first tested that we could crack the WEP 64 using SpoonWep.SpoonWep is a graphical interface that does just what it says spoon feeds the

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com2tag:blogger.com,1999:blog-3285005982004154848.post-90642591686770314252009-06-23T19:43:00.006-05:002009-06-23T20:31:53.678-05:00

Take Away: Know your windows variables for portability of your scripts%time%, %date%, and %computername% are my most commonly used Windows variables. A lot of times when I run a script I am spitting text out to log file and this is where the 3 variables come in handy. I place them at the top of my script preceded with an echo command. This helps me to know when the script kicked off and on what

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-24209716120888899372009-06-22T22:42:00.004-05:002009-06-22T22:59:01.385-05:00

OS on a Stick; Super Quick with just a Click!(sorry)For father's day I received an Acer Netbook. What a great toy and what I was most excited about was to have an Atheros wireless NIC compatible with BackTrack 3 and Kismet. I was actually dreading that I was going to have to work to get BackTrack installed onto a USB to boot the OS on my XP OS Netbook. To my suprise while researching the web on

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-42505847667882946402009-06-20T19:43:00.005-05:002009-06-20T20:46:56.410-05:00

FOR THE BUSY (or IMPATIANT): Point of the Story: SubINACL scans every single folder and file unless you tell it not to.I am working on modifying permissions on up to 3 million folder and file objects on one root drive. In a Microsoft environment. I obviously am scripting this as well as performing the process in stages; right now I am in the testing stage in a non-production environment (see my

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com1tag:blogger.com,1999:blog-3285005982004154848.post-68304229639615303692009-06-17T20:02:00.017-05:002009-06-20T19:53:16.727-05:00

INTRO AND READING FROM A LISTA programmer I am not! I do study scripting languages but with my positition and other tools we utilze scripting can be spread far enough apart that I have to pull the books back off the shelf or dig around google to refresh my memory. I try and practice shell scripting, PERL, and VB Script when I need to automate a task and I do keep my scripts around as I have found

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-53817444068580488602009-06-02T22:26:00.002-05:002009-06-02T22:30:40.333-05:00

Been busy and too burnt to type anything up after work but I have found a great site for security videos and its free. http://securitytube.netReally good stuff especially a great series of videos on learning assembly language for hackers.

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-80681946203214560802009-03-01T22:18:00.013-06:002009-03-01T23:45:54.717-06:00

The past few days I decided to wade into some application security and forensics; especially down at the assembly language level. Since my last post I have been playing with the malicious PDF I downloaded from the Internet into a VM with Windows 2000 Professional SP 4. I have installed Adobe 9.0 and FoxIT readers. I used Sysinternals Filemon, Regmon, Olly DBG, and Win Diff to try and determine

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-86506910602351752672009-02-25T19:51:00.009-06:002009-03-04T06:48:13.611-06:00

Yesterday I wrote about the Adobe flaw and reviewing my post realized I did not mention that another step to help mitigate this vulnerability is to use an alternative PDF reader that is offered free by Foxit Software . ZD Net posted an article today that pretty much bashes on Adobe but if get past that down towards the end of the Secunia (who has a great free tool I will write about in a future

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-38680224874431984122009-02-24T22:15:00.005-06:002009-03-04T06:45:50.101-06:00

Adobe announced last week that there is an exploit affecting their Reader and Acrobat programs and that they would not be releasing a fix until March 11th and then on the heels of that today Microsoft announced that their Excel program has an exploit affecting versions 2007 and earlier.So whats the good news in all of this? It was announced that the exploits do exist! It has been reported that

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-48735376449507205222009-02-23T22:04:00.001-06:002009-03-04T06:43:03.753-06:00

I am not a lawyer and the below statements are only my understanding of the laws. Therefore nothing below is legal advice but merely the suggestions of what I would do to best protect myself.In the past much attention has been paid to the confidentiality of data as it flows across the Internet (a.k.a data in transit). Well have you ever thought about data in transit from different perspective say

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0tag:blogger.com,1999:blog-3285005982004154848.post-10049002683165448382009-02-22T08:57:00.001-06:002009-03-04T06:29:31.156-06:00

Below is a nice video and some great links that can help you wade into using Nmap.Nmap nmap.org created by Fyodor is one of my favorite tools for everything from pen-testing to network inventory and the price is right; free. I find it helpful for discovering nodes on a network and if you come across something interesting it's helpful for determining what that node possibly could be.An example of

Joseph Kahlichhttp://www.blogger.com/profile/04732459645244314872noreply@blogger.com0