October, 2014

now browsing by month


Windows 10 and the rumors of a keylogger

I have been looking at quite a few websites/ boards with people stating that Windows 10 Preview has a keylogger sending data back to Microsoft. My question is quite simple as I am skeptical about this claim. If Microsoft is sharing a preview of it’s next OS, doesn’t everyone know there are different reporting functions built in? Aren’t you signing up to be a tester by installing it in this stage? Of course you are. Nobody should be surprised that data is piping out to Microsoft. But a keylogger sending everything we type back to Microsoft? I find that a little bit over the top to believe. Keeping it simple here. Check out this link for more information.



Updated posting/linking

So, after some confusion with websites that we were posting articles to; it has become clear, that 556 Forensics needs to clean up the way we are posting articles, to ensure proper credit is given to who originally posted the article, and not to mention, that it would be more valuable for our customers to get some insight/commentary on the article from us, at 556 Forensics.

We are relatively new at this whole blogging thing, and there was some misunderstandings about the current culture of how proper notice should be given. Maybe it was in the old days, when trackbacks, and pinging the referring site was the norm, and it looks like it has moved away from that, and I understand, there is ad revenue, and credit issues to be given to websites, and so on.

While it was never our intention to steal, look like we owned/wrote the articles, we did take care to note the Source of the article, at the beginning of each article, and include the links that the original author had included in it, and also note the site in the trackbacks portion of the blog.

Again, we also feel that it will be more valuable to our customers, as well, if we give our comments and commentary on the articles mentioned on our blog.

We will be updating our posts over the next couple of days, to clear up this problem, and also include our commentary on them.

Windows Incident Response

Source: Windows IR

Here’s a really good…no, I take that back…a great blog post by Sean Mason on “IR muscle memory”.  Take the time to give it a read, it’ll be worth it, for no other reason than because it’s valuable advice.  Incident response cannot be something that you talk about once and never actually do; it needs to be part of muscle memory.  Can you detect an incident, and if so, how does your organization react?  Or, if you receive an external notification of a security incident, how does your organization respond?
Read more at Windows IR

Visualizing Security Information with Fiddler

Source: Telerik Blog

When building a modern website, there are many different security options which can be configured using HTTP response headers, for instance:

Fiddler has always made it easy for you to see these directives in the Headers Response Inspector:


… and you can easily add any individual header to the Web Sessions list as its own column. Simply right-click the column headers and choose Customize Columns… Select the Response Headers collection and type the name of the header you’d like to see:


Security Summary

New to Fiddler, a new Security Headers computed field is available to add to the columns list:


This custom column automatically summarizes the response’s Content-Security-Policy, Strict-Transport-Security, Public-Key-Pins, Access-Control-Allow-Origin, X-XSS-Protection, X-Frame-Options, and X-Content-Type options into one succinct string:


For Strict-Transport-Security and Public-Key-Pins, the duration of the policy is shown (e.g. 243Months for Twitter) as well as whether the includeSubdomains flag is set (+Sub). For X-Frame-Options, the policy is summarized (d=Deny, s=SameOrigin, a=AllowFrom); for X-XSS-Protection, the summary shows whether protection is enabled and whether blocking behavior (“block”) is enabled. Content-Security-Policy headers aren’t easily summarized, so a simple CSP token is shown if a policy is present.

If any of the headers contains an invalid value or appears in violation of the standards, an exclamation point will be shown in the policy string. You can thus easily search for any resources with invalid policies by simply searching the column:



Adding Custom Information

Of course, there may be other types of security-related information you want to see in Fiddler. For instance, you may want to identify HTTPS certificates that use the SHA-1 hash algorithm or weak RSA keys. Fiddler doesn’t have a built-in column provider that exposes this data, but you can easily add one with FiddlerScript. Simply click Rules > Customize Rules and inside your Handlers class, add the following block:

public static BindUIColumn(“CertInfo”)
function ShowCertHash(oS: Session): String
return oS.oFlags[“X-Cert-Info”];

This block creates a new column named “CertInfo” that will display the value of the Session’s X-Cert-Info flag. Now, that flag doesn’t exist in Fiddler’s set of existing flags, so we also must the following code inside the OnPeekAtResponseHeaders function:

if (oSession.isHTTPS)
var oC: System.Security.Cryptography.X509Certificates.X509Certificate2 = null;

if ((null == oSession.oResponse) || (null == oSession.oResponse.pipeServer) ||
!(oC = oSession.oResponse.pipeServer.ServerCertificate))
oSession[“X-Cert-Info”] = “No Path to cert”;
var sKey = “?”;
sKey = oC.PublicKey.Key.KeySize.ToString() + “bits”;
// .NET Throws on non-RSA/DSA keys like ECC
sKey = oC.GetKeyAlgorithm();
if (sKey == “1.2.840.10045.2.1”) sKey = “ECC”;

oSession[“X-Cert-Info”] = (“Key:” + sKey + ” Hash:”
+ oC.SignatureAlgorithm.FriendlyName);

catch (e) { oSession[“X-Cert-Info”] = “JSErr” + e.message;}

This block evaluates the server’s certificate and caches the key and hash information in the X-Cert-Info flag which will be displayed using the BindUIColumn block created earlier.

After you save your updated FiddlerScript file, the server’s certificate information is now displayed in its own column.


Fiddler is one of the easiest ways to expose important security information about your site. Even if Fiddler doesn’t natively show something you’re interested in, its versatility means you can usually easily extend it to show whatever you need.

Testing for opened ports with firewalk technique

Source: ISC Sans

There is an interesting way of knowing what kind of filters are placed in the gateway of a specific host. It is called firewalk and it is based on IP TTL expiration. The algorithm goes as follows:

  • The entire route is determined using any of the traceroute techniques available
  • A packet is sent with the TTL equal to the distance to the target
  • If the packet times out, it is resent with the TTL equal to the distance to the target minus one.
  • If an ICMP type 11 code 0 (Time-to-Live exceeded) is received, the packet was forwarded and so the port is not blocked.
  • If no response is received, the port is blocked on the gateway.

Let’s see this with a real example. Consider the following network diagram:

Firewalking happens with the following steps:

  1. Traceroute packets are sent to determine the gateway with decremental TTL:


2. An ICMP Time Exceeded message is received from the default gateway for the TTL=2 and TTL=1 packet, which means there are two gateways between origin and destination and TTL=3 is the distance to the destination

3. Several packets are sent with TTL=3 to the destination varying the destination port. The sequence goes as follows: A first packet is sent with TTL=3. If a timeout occurs, a second packet is sent with TTL=1. If an ICMP type 11 code 0 (Time-to-live exceeded) is received, the gateway is forwarding the packet.

Let’s see the first packet to port 1 and TTL=3:

Timeout occurs, so same packet is sent with TTL=2:

ICMP type 11 code 0 is sent from the gateway routing the destination host, which means the packet was forwarded and the port is opened:

How can we use this technique? Nmap has a firewalk script that can be used. For this example, the following command should be issued:

Manuel Humberto Santander Pelaez
SANS Internet Storm Center – Handler
e-mail: msantand at isc dot sans dot org

Detecting Irregular Programs and Services Installed on your Network

Source: ISC Sans

When the corporate network becomes target, auditing for security policy compliance can be challenging if you don’t have a software controlling irregular usage of administrator privilege granted and being used to install unauthorized software or to change configuration by installing services that could cause an interruption in network service. Examples of this possible issues are additional DHCP Servers (IPv4 and IPv6), Dropbox, Spotify or ARP scanning devices.

We can use nmap to detect all protocols that sends broadcast packets and are supported by packetdecoders.lua:

  • Ether
    • ARP requests (IPv4)
    • CDP – Cisco Discovery Protocol
    • EIGRP – Cisco Enhanced Interior Gateway Routing Protocol
    • OSPF – Open Shortest Path First
  • UDP
    • DHCP
    • Netbios
    • SSDP
    • HSRP
    • DropBox
    • Logitech SqueezeBox Discovery
    • Multicast DNS/Bonjour/ZeroConf
    • Spotify

The following example shows how to use nmap with the broadcast listener script and we can see the result of a device with dropbox installed, a device sending ARP request (a router in this case) and a device sending DHCPv6 requests:

nmap broadcast detection script

You can run this program periodically to track common security issues in your network, just in case your IPS could be missing something 😉

Manuel Humberto Santander Pelaez
SANS Internet Storm Center – Handler
e-mail: msantand at isc dot sans dot org

Another Story Of A ‘Fake’ Brilliant Inventor? Is ‘Scorpion Walter O’Brien’ A Real Computer Security Genius?

Source: TechDirt

Another Story Of A ‘Fake’ Brilliant Inventor? Is ‘Scorpion Walter O’Brien’ A Real Computer Security Genius?

from the more-of-this-crap? dept

There’s apparently a new TV show on CBS called Scorpion that has received mixed-to-decent reviews. It supposedly is about some computer security geniuses/outcasts who help “solve complex, global problems.” However, Annalee Newitz’s description of the stupidest, most batshit insane hacker scene ever from the first episode, suggests that the show is not worth watching. In the past few years, it had been kind of nice to see Hollywood actually seem to have some clue about accurately portraying hacking in some situations, but that’s all apparently been tossed out the window with Scorpion. Even if you don’t read Newitz’s story (or view the video clip), just know it involves an ethernet cable hanging from a flying plane with a car racing beneath it to download some backup software needed by the airport so planes can land. Yeah.A big part of the show’s marketing is the claim that the story is partially based on the life of one of the show’s executive producers, Walter O’Brien. CBS News has an article talking up these claims of O’Brien’s amazing feats, helping out its parent company, CBS, who broadcasts the show. But… for such a “genius,” many of O’Brien’s claims are coming under scrutiny, and they’re not holding up well. Having just gone through the whole Shiva Ayyadurai / inventor of emailcrap, it’s beginning to sound like a similar case of someone pumping up their own past for publicity purposes.

The claims about O’Brien are both odd and oddly specific. Here’s CBS’s reporting:

Walter O’Brien has the fourth highest IQ in the world.

Elsewhere, he claims that he was “diagnosed as a child prodigy with an IQ of 197.” First off, there are significant questions about IQ as a particularly useful measurement of anything. Furthermore, the idea that there’s some definitive list of those with the highest IQs seems equally questionable. A quick Google search will show you a whole bunch of “top 10 lists” of IQs — all of them different, and none of them including anyone named Walter O’Brien.

O’Brien’s story started unraveling when he made the somewhat unwise decision to do a Reddit AMA. Redditors are pretty good at sniffing out completely bogus claims, and it didn’t take them long here. Also, Asher Langton has been doing a bang up job debunking basically every claim that O’Brien makes.

Among other things, O’Brien’s story claims that he began Scorpion Computer Services in the mid-1980s and that “Scorpion has mitigated risk for 7 years on $1.9 trillion of investments and has invented and applied Artificial Intelligence engines to protect United States war fighters in Afghanistan.” It’s not even entirely clear what that means. It goes on:

Since 1988, Scorpion’s team of world class experts partner with clients on a global basis, across industries, to add real measurable value in mission-critical initiatives from planning, to execution, to running the business. Scorpion’s senior management has a collective knowledge of more than 413 technologies, 210 years in IT, and 1,360 projects. Scorpion himself has created over 177 unique technology inventions including ScenGen and WinLocX and is one of the world’s leading experts in the application of computer science and artificial intelligence to solve complex industry challenges.”

Again with the odd, and oddly specific claims. They have knowledge of 413 technologies? Do they have a list somewhere? Does it include the coffee machine in the lunch room? Did they send someone out to get the new iPhone 6 to make it 414? Either way, there are… just a few problems with these claims. As Langton points out, the “headquarters” of Scorpion Computer Services Inc.does not appear to be a particularly large or impressive company. Its headquarters is actually… a UPS store address That report notes that it has one employee, and revenue of $66k. It’s possible that the report is inaccurate, but for such a big and successful company, you’d expect to see… at least a bit more historical evidence of its existence. But there is none.

And then there’s this page (and here’s the web archive version in case O’Brien figures out how to delete the old page), which apparently used to be the site for Walter’s Scorpion computer Services, that, um, looks like it was built on GeoCities — complete with the animated fire torches next to the dreadfully designed logo.

For a big, massively successful company… you’d expect, um, something a bit more professional. Walter’s own Linkedin profile notes that he actually worked at Capital Group for a while, with redditors claiming he was just a QA guy there, though his profile says he was a “technology executive.” Many other claims on the company’s website read like self-promotional gibberish. “We saved $43 billion in opportunity risks over a five-year period.” “We invented an efficiency engine that performs 250 human years of work every 1.5 hrs with over 99% improvement over human error.” By the way, the “see how” link on that last one doesn’t actually show you “how” it just takes you to a page about how the company is a value added reseller “for proven IT products.” The entire website looks like gibberish from someone trying to sound like a real tech company. It reminds me of Jukt Micronics.

Langton also turned up that O’Brien appears to have another “company” called Strike Force, using the same UPS Store address, and with very, very, very, very similar website design and bullshittery. That site has a really bizarre “what others say” page, listing out random referrals for O’Brien, which are generally just the standard empty “personal reference letters” people without much experience tend to ask some former colleagues for when looking for a new job. The first one is from Steven Messino (with the date conveniently stripped off) which looks like the generic job reference letter:

Note that O’Brien claims that Messino is the co-founder of Sun. That’s… not true. Anyone who knows anything about the history of Sun knows it was co-founded by Andy Bechtolsheim, Bill Joy, Scott McNealy and Vinod Khosla in 1982. Messino’s own LinkedIn page shows he joined Sun in 1988. Six years after it was founded. Also, Sun had its IPO in 1986. So it’s not like this was a small company when Messino joined… as a “regional sales manager.”

Basically, everywhere you look, O’Brien’s claims are either massively exaggerated to downright ridiculous.

There are also some odd personal claims about “Homeland Security” coming to find him as a 13-year old boy for hacking into NASA. Except, when he was 13, there was no Homeland Security — an agency established after the September 11, 2001 attacks. O’Brien also claims this:

Scorpion was born and raised in Ireland, and at 16, ranked first in national high speed computer problem solving competitions. At 18, he competed in the World Olympics in Informatics and has ranked as high as the sixth fastest programmer in the world.

Sixth fastest programmer in the world? Really? Some folks on Reddit noted that it doesn’t appear Ireland competed in the “International Olympiad in Informatics” in 1993, though someone else found a report from the University of Sussex, which O’Brien attended, noting that O’Brien hadcome in 6th in a different contest, but in the Olympiad itself, he came in 90th. I mean that’s great for an 18 year old, but it hardly makes him into some programming genius.

And we won’t even touch the claims that his programming helped catch the Boston Marathon bombers, because… well… really?

Frankly, the parallels with Ayyadurai and the email story are there. It certainly appears that, like Ayyadurai, O’Brien was a bright kid who did some impressive programming as a teenager, but then didn’t appear to amount to all that much noteworthy beyond that. Try searching for any news references or evidence of O’Brien doing anything other than in the last few months in the publicity leading up to this new TV show. However, he is trying to reinvent himself and rewrite his history as some sort of genius programmer responsible for all sorts of amazing things, very little of which seems directly supportable. Of course, CBS doesn’t really care, so long as they have a fun TV show that people watch, but at the very least, they shouldn’t continue to spread the exaggerated myths about O’Brien that appear to have little basis in fact.

New and Improved Utilities – Windows DFIR tools

Source: Grand Stream Dreams

New and Improved Utilities

Network Stuff Found and Updated

Which brings me back to the pretty cool Windows “firewall” application GlassWire. Previously featured viatinyapps.org, I spotted a new review of it that had some fresh examples of its usefulness; illustrating alert event marking for later examination. In one case, it helped a user discover network activity from malware that had gone undetected.

Then in those comments there was a reference to the KDE application KNemo – Network Monitor.

Utilities of Usefulness

  • AOMEI PE Builder – I’m always keeping one eye open on new WinPE building tools and this seems useful for the non-tech crowd who may not be up to taking on a project from the WinBuilder tool or one of the many specialized building sets at reboot.pro. For someone just getting their feet wet, this might be a good place to get started.
  • OPSWAT AppRemover – I keep rediscovering this tool every year or so. It is updated regularly and can aid in the removal of many Supported Applications. Good for a first-pass on a new OEM system.
  • GEGeek Tech Toolkit – Considering the work I do finding and maintaining all the tools and utilities on my own USB stick, this seems like a cheat, but if you are lazy, here you go. Related are the NirLauncher package builder and KLS Soft’s WSCC – Windows System Control Center(also update to version as of Sept 2014).
  • OpenSaveFilesView – NirSoft – new utility that displays files previously opened with the open/save dialog box. More on NirBlog.  Spotted via this Betanews post.
  • FixWin v 2 for Windows 8, Windows 8.1 – The Windows Club – Easy but powerful tool to fix common Windows issues. Use with caution. Similar tool may be (the no longer developed but still available) d7 Free tool from Foolish IT LLC.

Lights, Sound, Action!

Marriott fined $600,000 for jamming guest hotspots

Souce: Slashgear.com

Marriott fined $600,000 for jamming guest hotspots

Marriott will cough up $600,000 in penalties after being caught blocking mobile hotspots so that guests would have to pay for its own WiFi services, the FCC has confirmed today. The fine comes after staff at the Gaylord Opryland Hotel and Convention Center in Nashville, Tennessee were found to be jamming individual hotspots and then charging people up to $1,000 per device to get online.

Marriott has been operating the center since 2012, and is believed to have been running its interruption scheme since then. The first complaint to the FCC, however, wasn’t until March 2013, when one guest warned the Commission that they suspected their hardware had been jammed.

An investigation by the FCC’s Enforcement Bureau revealed that was, in fact, the case. A WiFi monitoring system installed at the Gaylord Opryland would target access points with de-authentication packets, disconnecting users so that their browsing was interrupted.

In the meantime, Marriott would offer its own wireless internet service to attendees and exhibitors, charging between $250 and $1,000 per device that was to be connected.

The FCC deemed Marriott’s behaviors as contravening Section 333 of the Communications Act, which states that “no person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.”

In addition to the $600,000 civil penalty, Marriott will have to cease blocking guests, hand over details of any access point containment features to the FCC across its entire portfolio of owned or managed properties, and finally file compliance and usage reports each quarter for the next three years.

Update: Marriott has issued the following statement on the FCC ruling:

“Marriott has a strong interest in ensuring that when our guests use our Wi-Fi service, they will be protected from rogue wireless hotspots that can cause degraded service, insidious cyber-attacks and identity theft. Like many other institutions and companies in a wide variety of industries, including hospitals and universities, the Gaylord Opryland protected its Wi-Fi network by using FCC-authorized equipment provided by well-known, reputable manufacturers. We believe that the Gaylord Opryland’s actions were lawful. We will continue to encourage the FCC to pursue a rulemaking in order to eliminate the ongoing confusion resulting from today’s action and to assess the merits of its underlying policy.”


Silk Road Lawyers Poke Holes in the FBI’s Story

Source: Slashdot and Krebs on Security

From Brian Krebs about the court proceedings against Ross Ulbricht for his involvement in Silk Road, the online drug marketplace that was shut down (at least temporarily) by law enforcement last year. Ulbricht’s lawyers have demanded information from the FBI in the course of discovery, and the documents provided by the government don’t seem to confirm the FBI’s story.For starters, the defense asked the government for the name of the software that FBI agents used to record evidence of the CAPTCHA traffic that allegedly leaked from the Silk Road servers. The government essentially responded (PDF) that it could not comply with that request because the FBI maintained no records of its own access, meaning that the only record of their activity is in the logs of the seized Silk Road servers. … The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story. … “What happened is they contacted that IP directly and got a PHPMyAdmin configuration page.” See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.