Sunday, January 16, 2011

Malicious Domain Check: article 201101

Takeaways: 3 websites to query to help determine if a site is hosting, or has possibly hosted, malicious software: http://www.google.com/safebrowsing/diagnostic?site=whyjoseph.com, http://www.siteadvisor.com/ and http://www.malwaredomainlist.com/mdl.php

During the course of my duties I want to verify if a URL visited is indeed possibly malicious. You see I have a "trust but verify" philosophy when it comes to vendors and technology. This bit of doubt should not be taken as offensive as it merely stems from the fact that we are all human and we make mistakes. Beyond mistakes there is also the fact that technologies can be subverted; but I have digressed.

The point of this post is that I use 3 or more sources to help verify a report from a security tool that a domain is malicious.

Google Safe Browsing Project
http://www.google.com/safebrowsing/diagnostic?site=

Google's link gives good info for the past 90 days. It will report the last time it visited the site, and if malicious pages are found it will give a count of those pages along with a short list of additional malicious sites if the primary is acting as a host. In case you don't know, when using the link above replace the part after the "=" sign with the actual domain name. For example: http://www.google.com/safebrowsing/diagnostic?site=whyjoseph.com

McAfee Site Advisor
http://www.siteadvisor.com/
On this page you simply enter the name of the domain into a field on the web page. This site provides a green check or a red X based on its findings for the site. I did notice once that it actually showed what malicious software file would be downloaded if the malicious site were visited.

Malware Domain List (MDL)
http://www.malwaredomainlist.com/mdl.php
This site is the foundation of a great community for malware analysis. But since we are just looking to determine if they have posted a site as possibly malicious, you can query their database. The page has a field where you can enter the domain name, or just use partial names to see if there is a match.
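The triage step the three sources above have in common, as an added shell example that is not code from the original post: reduce the URLs a security tool reported to bare hostnames, drop duplicates, and build the Google diagnostic link for each one. The three lookup URLs are the ones named in this post; the sample input lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: normalise reported URLs to
# hostnames and emit the Google Safe Browsing diagnostic link for each unique
# host. The other two sources are searched by hand, so only their pages are named.
set -eu

GOOGLE_DIAGNOSTIC='http://www.google.com/safebrowsing/diagnostic?site='

# Reduce one reported URL (or bare name) to a lowercase hostname:
# trim whitespace, then drop scheme, user:pass@, path/query, :port and a trailing dot.
host_of() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed \
    -e 's#^[[:space:]]*##' -e 's#[[:space:]]*$##' \
    -e 's#^[a-z][a-z0-9+.-]*://##' \
    -e 's#^[^/@]*@##' \
    -e 's#[/?].*$##' \
    -e 's#:[0-9]*$##' \
    -e 's#\.$##'
}

# Read reported URLs on stdin, one per line; print "host <diagnostic link>"
# once per host in first-seen order, skipping blank lines.
verification_links() {
  while IFS= read -r line; do
    h=$(host_of "$line")
    [ -n "$h" ] && printf '%s %s%s\n' "$h" "$GOOGLE_DIAGNOSTIC" "$h"
  done | awk '!seen[$1]++'
}

# Constructed sample: alert lines as a tool's export might list them.
verification_links <<'EOF'
http://WhyJoseph.com/index.html
https://user:pw@example.net:8443/login?x=1
whyjoseph.com
example.net.

EOF
printf 'Then search each host by hand at %s and %s\n' \
  'http://www.siteadvisor.com/' 'http://www.malwaredomainlist.com/mdl.php'
```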

Well I hope this helps anybody that comes across this page and if there are any other sources or thoughts on this please comment!


Sunday, July 4, 2010

iPHONE Apps for Information Security: article 201003



I have had the iPhone 3G for a little over a 1/2 a year now and in that time have accumulated some apps that could come in handy for the InfoSec Engineer / Analyst. In this write up I quickly describe one of my two folders of tools.

Screen shot 1:


RBL Status: A nice look up tool to see if a domain is on any one of 13 Black List services.

Nice Trace: A handy little trace route tool that constantly updates connection times to each hop; results can be emailed.

Scanner: A handy little tool that will automatically scan the network your device is connected and report back any other hosts it finds.

Scany: The closest to NMAP I could find. This is a great little enumeration tool for open ports on systems.

Deep Whois: A great WHOIS lookup tool to enumerate more info on a FQDN.

Base 2 Converter: Decimal to and from Binary conversion and ASCII to and From Binary conversion. This little tool comes in handy when I perform analysis and need help with data normalization.

ASCII2BIN: More conversion options than Base 2; HEX and Octal conversions too.

iRegex: Regex tool that verifies your expression for you and then you can email it off to cut and paste if needed. Handles POSIX and PCRE.

PING: The name speaks for itself but this tool also pings a subnet, performs traceroute, and telnet.

CP HexCalc: Calculator and converter for HEX, DEC, BIN, and OCT.

Subnet Calc: A nice calculator for carving up subnets.

RDP: A bear to use on the iPhone because of the screen size but does work in a pinch.

Folder 2 tools coming soon.

Sunday, March 14, 2010

Penetration Testing Debate: Security Controls On or Off: article 201002

Takeaway: Whether or not to turn off security measures for a penetration test.

I have just started the SANS 560 course Network Penetration Testing and Ethical Hacking and the initial reading brought some topics back to mind.


I have discussed and seen debates on such sites as Linkedin.com that cover the topic of whether or not to turn off security controls during a penetration test. My stance is against turning off such controls. If the security controls block such attacks, doesn't that equate to a successful test of your security? I have heard and seen arguments against this such as: what if there is ever a misconfiguration and the attacker gets past the first levels of defense? To that my answer is: that is the purpose of change control, audit, and future testing. Organizations should not just test once and then feel pacified indefinitely. The amount and recurrence of change in an organization should dictate how often Pen Tests occur. At the least they should occur once a year; even if changes have not been made, newly found vulnerabilities could have developed in the systems used.


Thursday, January 28, 2010

First virus removal of 2010: article 201001

Sitting at a friend's computer trying to install McAfee right now, so I figure I will jot down some notes about this virus removal.

When I arrived the virus had changed their desktop wallpaper to a nasty lime green and red warning that their system was infected. Pop-ups were also being presented repeatedly that their system was infected and provided a link to install an AV program to have it removed.

I went to run McAfee but it was nowhere to be found. Instead Bit Defender showed as available, yet Bit Defender had never been installed.

I tried to run the system restore exec (rstrui.exe) but was told the executable was infected. I put a clean system restore executable on the computer and tried to run it but a message popped up saying it too had become infected.

I then ran rstrui.exe from a read-only thumb drive; again I was told the file was infected. How could that be? I renamed the file to 1rstrui.exe and boom goes the dynamite. I restored the system to 2 weeks back, installed multiple AV programs and rootkit detectors, and all came back clean.

Now I am always suspicious that a machine could be infected, since encryption, polymorphism and zero days do exist, but all appears fine now.

- Posted using BlogPress from my iPhone

Tuesday, November 17, 2009

G. Joseph Kahlich; MBA, CISSP
2417 Havard Oak
Plano, Texas 75074
214 797-3701
joseph@whyjoseph.com

Employment and Responsibilities
MedAssets 2008 - 2009
Information Security Analyst
• Perform internal audits and reporting towards compliance, risk analysis, threats
• Security architecture; research, development, and improvement
• Consulting for Customers, RFP’s, Projects, Host External Audits: HIPAA, SAS 70, SOX 404
• Awareness and education for employees and vendors
• Incident Management and Investigation

A public nationwide technology company providing Group Purchasing Organizations and web based applications to the financial offices of hospitals and doctors offices. Datacenters are located in Texas, Georgia and Missouri; there are 16 physical locations, and approximately 2000 employees. Regulations include HIPAA, HITECH, and Sarbanes.


Accuro Healthcare Solutions
2003 - 2008
IT Manager and HIPAA Security Officer
• 8 direct reports
• IT projects and budget
• Network and system architecture development and enhancement
• Vendor evaluation

A private nationwide technology company providing web based applications to the financial offices of hospitals and doctors. Primarily a Microsoft, Dell, EMC, SonicWall environment with 1 datacenter, 5 physical locations throughout the United States and approximately 800 employees. Regulation included HIPAA.


Innovative Managed Care Solutions
1999 - 2003
IT Supervisor
• 3 direct reports
• IT projects
• Network and Desktop support

A private technology company providing software and web based applications to the business offices of hospitals. This was a single location that primarily consisted of a Microsoft, Dell, and Linksys environment and 180 employees.



Expert Solution Technical Training Center May – Oct 1999
Technical Instructor
• Instruction of hardware, software, programming, and operation
• Prepare and delivering lectures
• Lead classroom discussions and administer “hands on” sessions and scenarios
• Create, administer and grade examinations

Education and Certifications

Master of Business Administration in Information Assurance University of Dallas – Graduate School of Management
2007
Irving, Texas

Bachelor of Science in Business / e-Business
University of Phoenix – Dallas Campus 2004
Dallas, Texas

Associates of Arts and Science
Brookhaven Community College 1992
Farmers Branch, Texas
Certifications and Memberships
CISSP, MCSE, MCP+I, A+
ISSA
Information Security Experience and Skills
I am actively attending “Digital Forensics Investigation” training which involves corporate investigation practices, data acquisition, chain of custody, and presentation practices.

Personnel
• Alerts to staff of threats and risks
• Security training employees
Policies and Plans
• Communications Policy
• Disaster Recovery
• HIPAA Privacy and Security
Patching
• Automated AV updates
• Monthly software patching
Investigation and Reporting
• Malicious / Accidental
• Breach / Infection
• Complaints / Notifications

Auditing and Analysis Tools
• MBSA
• Nessus
• NMAP
• Qualys
• WSUS
• SecureWorks
• Snort
• Sourcefire
• Chubb
• NetIQ
• S-Alive
• Video
• Consoles
• Dump Sec
• Log Parser
• Scripts
• SQL Query
Accomplishments

SecureWorld Expo; Steering Committee 2008 and 2009
Participated in advisement on conference topics and direction

IANS Lone Star Security Conference; Speaking Appearance 2007
Intrusion detection/prevention solutions

HFMA; Speaking Appearance 2003
Patient information data security

References upon request or many may be found at LinkedIn.com

Looking for a New Opportunity

My position of Information Security Analyst was downsized November 16th. I am in the process of updating my resume; in the mean time please feel free to learn more about me on LinkedIn at:

http://www.linkedin.com/pub/joseph-kahlich-cissp/2/145/a33

I may be contacted at: Joseph@whyjoseph.com or 214 797-3701.

Sunday, July 26, 2009

Bootable BackTrack 3 USB drive that allows Persistent Changes: article 200914



Takeaways: Using at least a 2 GB USB stick, create 2 partitions, one for the BT3 OS and the other to write files to.

Tools I used: 2 GB USB stick, UNetbootin for Windows, a desktop running XP and a laptop running a LIVE CD of BackTrack 3

First, giving credit where it is due: wirelessdefence.org, which is where I pulled my info on how to partition the USB stick and set it for persistent changes.

http://wirelessdefence.org/Contents/Backtrack3_USB_Howto.htm

There are several ways to do this and I am sure mine is not the most elegant, but it worked for me.

I booted my Dell Inspiron 5150 with a live CD of BT3, inserted the USB stick and followed wirelessdefence's instructions for creating the partitions:
<>


1. Boot up your Linux machine (this is only required for initial installation a VMware machine will work fine).

2. In the Linux machine run "tail -f /var/log/messages" and insert the USB drive. In my case the following is displayed "[sdb] Attached SCSI removable disk" so we now know the USB device is sdb.

3. fdisk /dev/sdb

4. Command (m for help): p (to see what is on the drive).

5. If there are any existing partitions on the device delete them using d you will then be prompted for the partition number.

6. Command (m for help): n (to create a new partition)

7. Command action e extended, p primary partition (1-4): p (for primary)

8. Partition number (1-4): 1 (for first partition)

9. First cylinder (1-245, default 1): 1 or Enter (to start at the first cylinder)

10. Last cylinder or +size or +sizeM or +sizeK (1-245, default 245): +1024M (to create a 1Gb partition)

11. Command (m for help): t (to set partition type)

12. Hex code (type L to list codes): b

13. Command (m for help): n (to create a new partition)

14. Command action e extended, p primary partition (1-4): p (for primary)

15. Partition number (1-4): 2 (for the second partition)

16. First cylinder (126-245, default 126): Enter (to accept default)

17. Last cylinder or +size or +sizeM or +sizeK (126-245, default 245): Enter (to use the rest of the disk this will create a 1Gb partition if you're using a 1Gb disk)

18. Command (m for help): t (to set partition type)

19. Partition number (1-4): 2

20. Hex code (type L to list codes): 83

21. Command (m for help): p (to make sure there are two partitions of the type and size you are expecting)

22. Command (m for help): w (to write your changes to the disk, without this step nothing is actioned).


Mounting the new partitions in Linux:

1. Create 2 mount points e.g. mkdir /usb and mkdir /usb1

2. mount /dev/sdb1 /usb (mount the FAT partition). You may need to specify the file system e.g. mount -t vfat /dev/sdb1 /usb

3. mount /dev/sdb2 /usb1 (mount the Linux partition). You may need to specify the file system e.g. mount -t ext3 /dev/sdb2 /usb1

Note: If you are having trouble mounting any particular drive do a format on the windows partition or an fsck on the Linux partition prior to performing the mount.

< >

I don't know why but I did have trouble mounting my sda2 device and none of the suggestions above worked for me so I ran "mke2fs /dev/sda2" to format the partition and that did the trick.

Now that I had my 2 partitions I shut down my BT3 OS (this just worked best for me when adding and removing the USB stick), pulled my USB stick out and placed it into my XP machine.

Now here is a jewel for making the USB stick bootable: UNetbootin from SourceForge. This app will automatically create a bootable USB drive for you with about 50 different OS types plus many of their versions! Of course BackTrack 3 is one of the options.


If you do not already have the ISO image downloaded it will go and snag it for you. In my case I had downloaded it locally already, so I clicked DiskImage and pointed it to my file.

In a matter of about 5 minutes I was ready to go.

I once again booted my laptop to the BT3, inserted the USB stick and once again looked to Wirelessdefence.com for assistance.

< >

1. mkdir /usb1/changes (manually create a "changes" folder on the Linux partition)

2. vi /usb/boot/syslinux.cfg (or use another text editor to open the file)

3. At the end of the APPEND line, under the mode you are planning to use e.g. KDE, add the following:

changes=/dev/sdb2

So, for the MENU LABEL BT3 Graphics mode (KDE)

"......rw autoexec=xconf;kdm" becomes "......rw autoexec=xconf;kdm changes=/dev/sdb2"

After you have made the changes save the file.

< >

I then rebooted the laptop choosing this time to boot to the USB key and "Boom, goes the dynamite"

The writable partition, for me, was under /mnt/sda2
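The whole procedure above (the two-partition layout, mke2fs on the Linux partition, and the changes= edit to syslinux.cfg) as one repeatable script. This is an added example, not code from the original post or from the wirelessdefence.org guide; DEV=/dev/sdb is assumed from the walkthrough, and the syslinux.cfg the demo edits is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or wirelessdefence.org: the
# partition plan and the syslinux.cfg edit from the walkthrough as repeatable
# steps. DEV is an assumption (the post's stick appeared as sdb); the plan is
# printed and only applied by apply_plan, which expects to run as root on BT3.
set -eu
DEV=${DEV:-/dev/sdb}

# fdisk keystrokes for the walkthrough's layout: partition 1 is 1 GB type b
# (FAT32, takes the BT3 files), partition 2 is the rest as type 83 (Linux,
# receives the persistent changes). Empty strings accept the default cylinder
# prompts (steps 9, 16, 17); "o" replaces step 5 by wiping the existing table.
fdisk_plan() {
  printf '%s\n' o n p 1 '' +1024M t b n p 2 '' '' t 2 83 p w
}

# Destructive: writes the table to $DEV and formats the Linux partition with
# mke2fs, the step the post needed before its Linux partition would mount.
apply_plan() {
  fdisk_plan | fdisk "$DEV"
  mke2fs "${DEV}2"
}

# Append "changes=<partition>" to the APPEND line of the "(KDE)" boot entry only,
# as in step 3 of the second quoted block, leaving other menu entries untouched.
# Safe to run twice: an APPEND line that already carries changes= is left alone.
add_changes_param() {
  cfg=$1 part=$2
  awk -v p="$part" '
    /^MENU LABEL/ { kde = (index($0, "(KDE)") > 0) }
    kde && /^APPEND / && !/changes=/ { $0 = $0 " changes=" p }
    { print }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Stand-alone demo on a constructed syslinux.cfg in a temp dir (no USB stick touched).
demo_dir=$(mktemp -d)
cat > "$demo_dir/syslinux.cfg" <<'EOF'
LABEL xconf
MENU LABEL BT3 Graphics mode (KDE)
KERNEL /boot/vmlinuz
APPEND initrd=/boot/initrd.gz root=/dev/ram0 rw autoexec=xconf;kdm
LABEL bt3
MENU LABEL BT3 Text mode
APPEND initrd=/boot/initrd.gz root=/dev/ram0 rw
EOF
add_changes_param "$demo_dir/syslinux.cfg" "${DEV}2"
grep '^APPEND' "$demo_dir/syslinux.cfg"   # only the KDE entry gains changes=
fdisk_plan | tr '\n' ' '; echo            # the keystrokes apply_plan would feed fdisk
rm -rf "$demo_dir"
```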
