Atea Bootcamp 2010
The weather certainly gave no cause for complaint when Atea Bootcamp 2010 took place at Tylösand Hotell!
Over 700 participants gathered for three days to make contacts, socialise, attend over 100 seminars or take part in one of the 60 round-table discussions that were held!
See recorded keynotes from Atea Bootcamp!
I held two seminars during the bootcamp:
Security in seventh heaven: Windows 7 is here!
Description: AppLocker focus, signed code. How to get started with restricting program execution based on Authenticode signatures.
Links:
KSoftware (code-signing certificates at really good prices; a reseller of Comodo certificates, which are accepted)
Signing and Checking Code with Authenticode
Microsoft: AppLocker (in Swedish)
Hacking the Matrix – advanced attacks against your IT systems
Description: Targeted attacks, web application security. Logic flaws in web applications.
Links:
OWASP – Open Application Security Community
Article: US appoints first cyber warfare general
Click to see all Twitter posts with the tag #AteaBC!
To finish off, some pictures from Atea Bootcamp. A BIG thank you to all the Atea employees who made the Bootcamp possible, and to all the customers and suppliers who made this year's Bootcamp the best so far!
See you again next year!!!
Techdemo Antivirus
Yesterday I talked about antivirus at Techdemo, held in Skyddsrummet at Södermälarstrand 25.
I should have posted the links yesterday already, but as a brand-new parent the evenings don't always turn out the way you planned!
For those of you who want to know more about the PE format (Windows executables are Portable Executable files; I went through examples of them):
- An In-Depth Look into the Win32 Portable Executable File Format
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
Metasploit exploit framework (Windows, Linux, Mac OS, Unix): http://www.metasploit.com
Packers:
UPX: http://upx.sourceforge.net/
Armadillo: http://www.siliconrealms.com/software-passport-armadillo.html
ASPack: http://www.aspack.com/asprotect.html
Books:
If you have any questions, don't hesitate to contact me at jj (at) jonathanj.com
Keep tabs on the latest security trend reports
One of the most important traits of a security professional is, of course, knowledge of the current security landscape.
It is therefore imperative to keep tabs on the latest news, trends and reports detailing which kinds of threats are on the rise, which are in decline, and so on.
I've compiled a somewhat comprehensive list of commercial reports below which give you a good picture of the threat landscape.
There are a lot of reports out there; nearly every security-oriented company releases some kind of report describing the threat landscape.
I've picked some of the (in my opinion) important and influential reports. Let me know if there is a report I have missed.
OWASP Top 10 2010 (Top 10 Web Application Security Risks for 2010) http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
SANS: The top cyber security risks http://www.sans.org/top-cyber-security-risks/
Microsoft Security Intelligence Report volume 8 (July – December 2009) http://www.microsoft.com/downloads/details.aspx?FamilyID=2c4938a0-4d64-4c65-b951-754f4d1af0b5&displaylang=en
Symantec Internet Security Threat Report http://www.symantec.com/business/theme.jsp?themeid=threatreport
IBM X-Force Threat Reports http://www-935.ibm.com/services/us/iss/xforce/trendreports/
CSI Computer Crime and Security Survey http://gocsi.com/survey
Verizon Business, Data breach investigations supplemental report 2009 http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach-investigations-supplemental-report_en_xg.pdf
McAfee 2010 Threat Predictions http://www.mcafee.com/us/local_content/white_papers/7985rpt_labs_threat_predict_1209_v2.pdf
McAfee January 2010 Spam Report http://www.mcafee.com/us/local_content/reports/8216rpt_spam_0110_v2.pdf
McAfee Labs Technical White Papers http://www.mcafee.com/us/threat_center/white_paper.html
Happy reading!
Links to resources presented during my talk at Easyfairs ICT in Stockholm
Atea
http://www.atea.se
Metasploit 3.3.3
http://www.metasploit.com
Nmap 5.2
http://www.nmap.org
Nessus 4.2
http://www.nessus.org
Social Engineer
http://www.social-engineer.org
OWASP Broken Web apps project
http://code.google.com/p/owaspbwa/
Exploit-db
http://www.exploit-db.com
NeXpose CE
http://www.rapid7.com/products/nexpose-community-edition.jsp
Greg Hoglunds paper on Aurora
http://www.hbgary.com/wpcontent/themes/blackhat/images/hbgthreatreport_aurora.pdf
How-to: Monitoring disk access in Mac OS X
Problem description: An external disk is constantly spinning, never spinning down to sleep. This occurs even without any visible applications running.
If you are still stuck with your problem, you can try to monitor low-level disk operations using some of the utilities included in recent versions of Mac OS 10.x.
1. Use the fs_usage command to list file-system activity.
See to it that all unnecessary applications are closed before running this tool, since it will produce a lot of output.
a) Open a terminal window.
b) Type: sudo fs_usage -w -f "filesys" > ./fs_usage.log
c) Wait a number of seconds while your disk is making sounds (hopefully because it is working and not due to a mechanical error), then press Ctrl + C to end the logging session.
d) Type: nano fs_usage.log to view the log (or open it in your favourite text editor).
e) Only a couple of columns are interesting to us right now: the second column, which shows the action taken (i.e. open, stat, getattrlist, access_extended and so on), the fourth column, containing path data (i.e. /Volumes/My Drive, /Users/username/directory, /Applications/Appname.app), and the sixth column, which tells us which process is responsible for the action.
This may give you a hint as to what is causing your constant disk activity.
Try finding processes which use your disk and start killing those processes one by one.
2. Identify and kill processes to find the culprit
a) In your terminal window, type: sudo ps aux | grep [A]pplication
Example: sudo ps aux | grep [F]inder
jonathanjames 489 0.0 1.6 2925792 65644 ?? S Tue05PM 1:30.20 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
The second value, "489", is the PID (process ID), which is our handle to the process.
b) Type: sudo kill PID
c) Check that the process got killed; if not, it is probably involved in some kernel or I/O activity. Type: sudo ps aux | grep [F]inder, which should return an empty result, meaning that the process is killed.
Did the disk activity stop? Then we may have found the culprit. If not, it could be caused by a system process, a kernel-involved process or a process currently performing I/O operations (which prevents kill from killing the process). In this case, see to it that you keep the number of open applications to an absolute minimum (preferably no open applications at all) and perform the following kill statement: sudo kill -9 PID
This should kill off any running process, even if it is currently doing I/O or certain kernel operations (at least storage-related ones).
This technique is enough most of the time. You could also check out a service called diskarbitrationd (launchd is used to launch this in Snow Leopard; use the launchctl command). If you supply diskarbitrationd with a debug flag, you can get all disk access logged to /var/log/diskarbitrationd.log.
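Reading fs_usage.log line by line gets tedious quickly, so the columns described in step 1 can be summarised instead. The shell functions below are an added example, not part of the original how-to: they read saved fs_usage output on stdin and count operations per process and, for anything under /Volumes, per process and volume, so the process keeping an external disk busy stands out before you start killing anything. The sample log lines embedded in the block are constructed for illustration, and the layout assumed (elapsed time and process.thread as the last fields, with an optional W flag between them) is that of fs_usage's default output.

```shell
#!/bin/sh
# Added example (not from the original post): summarise fs_usage output so the
# process responsible for disk activity stands out. Assumes the default fs_usage
# line layout: <time> <call> <args...> <elapsed> [W] <process>.<thread>

# Count operations per process. Reads fs_usage text on stdin and prints
# "<count> <process>" lines, busiest process first.
fs_usage_by_process() {
  awk '{ p = $NF; sub(/\.[0-9]+$/, "", p); n[p]++ }
       END { for (p in n) print n[p], p }' | sort -rn
}

# Count operations per process on each mounted volume (/Volumes/<name>).
# Paths may contain spaces, so the path is rebuilt from the first field that
# starts with "/" up to the field before the elapsed time. Prints
# "<count><TAB><process><TAB><volume>" lines, busiest first.
fs_usage_by_volume() {
  awk '{
         p = $NF; sub(/\.[0-9]+$/, "", p)
         last = NF - 2                        # field before the elapsed time
         if ($(NF - 1) == "W") last = NF - 3  # "W" marks a call that blocked
         path = ""
         for (i = 3; i <= last; i++)
           if ($i ~ /^\//) {
             path = $i
             for (j = i + 1; j <= last; j++) path = path " " $j
             break
           }
         if (match(path, /^\/Volumes\/[^\/]+/))
           n[p "\t" substr(path, RSTART, RLENGTH)]++
       }
       END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Constructed sample of what step 1 writes to fs_usage.log (not a real capture).
FS_USAGE_SAMPLE='12:03:45.101  stat64        /Volumes/My Drive/.Spotlight-V100/Store-V1              0.000021   mds.1234
12:03:45.102  getattrlist   /Volumes/My Drive/Backups.backupdb/mac/2010-05-01      0.000030   backupd.221
12:03:45.103  open          F=7  (R_____)  /Applications/Safari.app/Contents/Info.plist  0.000045   Safari.489
12:03:45.104  stat64        /Volumes/My Drive/Photos/IMG_0001.JPG                 0.000019 W mds.1234
12:03:45.105  access        /Users/jj/Library/Preferences/com.apple.finder.plist   0.000011   Finder.489'

# Run against the sample; with a real log use:  fs_usage_by_volume < fs_usage.log
fs_usage_demo() {
  printf '%s\n' "$FS_USAGE_SAMPLE" | fs_usage_by_process
  echo '---'
  printf '%s\n' "$FS_USAGE_SAMPLE" | fs_usage_by_volume
}

fs_usage_demo
```

On the sample, mds (Spotlight indexing) comes out on top for /Volumes/My Drive, which is the kind of answer you want before reaching for kill: an indexer or backup agent touching the external disk is a configuration question, not a process to terminate repeatedly.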
How-to: Setting up tftpd on Mac OS X
The tftpd server is included in Mac OS X but is not loaded by default.
The configuration file is found in the LaunchDaemons directory: /System/Library/LaunchDaemons/tftp.plist.
I’ll step through the whole process to get the TFTPd server up and running.
We will first have a look at the configuration file (use your editor of choice, I use nano):
$ sudo nano /System/Library/LaunchDaemons/tftp.plist

There are a couple of arguments I want to add here, and I'll explain why. The first one is logging to syslog.
Inside the <array></array> span just after <key>ProgramArguments</key>, add:
<string>-l</string>
If you want extra verbose logging, add the following:
<string>-d</string>
We also want to add some security by chroot:ing to the specified directory (/private/tftpboot in the xml file displayed above) upon startup:
<string>-s</string>
Start the tftp daemon:
$ sudo launchctl load -wF /System/Library/LaunchDaemons/tftp.plist
The -w switch tells launchctl (same as launchd but takes arguments) to change the Disabled key to true. The -F switch forces the loading of our plist file, even though the key is set to "Disabled". This all means that we will be able to pass our plist xml file without getting an error telling us "nothing found to load".
We can check that our tftp is running by using the lsof command:
$ sudo lsof -i:69
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root 77u IPv6 0x08adc8ec 0t0 UDP *:tftp
launchd 1 root 89u IPv4 0x09bfeb2c 0t0 UDP *:tftp
or by using netstat:
$ sudo netstat -a | grep 'tftp'
udp4 0 0 *.tftp *.*
udp6 0 0 *.tftp *.*
Your tftpd should now be up and running. Remember, you may only upload files which already exist and which you have write access to (otherwise you will get an "Access violation" error in both cases).
In the example displayed below I first create a text file in our tftpd directory /private/tftpboot with the contents "testserver". I then switch to my home directory and create another file called test.txt with the contents "testclient"; this is to illustrate that tftp actually works once we get everything up and running.
In this first attempt we get an access violation error, because the file permissions do not permit writing to the file.
$ cd /private/tftpboot
$ echo testserver > test.txt
$ cd ~
$ echo testclient > test.txt
$ tftp localhost
tftp> trace
Packet tracing on.
tftp> verbose
Verbose mode on.
tftp> put test.txt
putting test.txt to localhost:test.txt [netascii]
sent WRQ
received ERROR
Error code 512: Access violation
tftp> quit
We set our permissions so that the file becomes writable:
$ chmod 666 /private/tftpboot/test.txt
Let's try it again:
$ tftp localhost
tftp> trace
Packet tracing on.
tftp> verbose
Verbose mode on.
tftp> put test.txt
putting test.txt to localhost:test.txt [netascii]
sent WRQ
received ACK
sent DATA
received ACK
Sent 12 bytes in 0.1 seconds [960 bits/sec]
tftp>
Now let's try to get the file.
tftp> get test.txt
getting from localhost:test.txt to test.txt [netascii]
sent RRQ
received DATA
Received 12 bytes in 0.0 seconds [inf bits/sec]
tftp> quit
If everything works, both our test.txt files which previously held “testserver” and “testclient” should now hold “testclient”.
$ cat /private/tftpboot/test.txt
testclient
$ cat ~/test.txt
testclient
We are up and running.
If we want to shut down the tftp daemon, we execute the following command:
$ sudo launchctl unload /System/Library/LaunchDaemons/tftp.plist
Check that the daemon isn't running anymore:
$ sudo lsof -i:69
$
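Because tftp performs no authentication, every file made writable the way test.txt was above (chmod 666 inside the tftp root) can be overwritten by any host that can reach UDP port 69, and the -s chroot and -l logging flags are what keep that exposure contained and visible. The shell functions below are an added example, not part of the original how-to and not Apple's tooling: they pull the ProgramArguments out of a tftp.plist-style file with sed, report whether -s and -l are present, and list the world-writable files under a tftp root. The plist and files created in tftpd_demo are a constructed minimal stand-in for the real tftp.plist and /private/tftpboot, not copies of them.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple): audit a tftpd
# launchd job for the flags the how-to adds and list what clients may overwrite.

# Print the <string> values inside the ProgramArguments <array> of plist $1.
# sed only, so it runs anywhere POSIX sh does, not just on Mac OS X.
tftpd_args() {
  sed -n '/<key>ProgramArguments<\/key>/,/<\/array>/p' "$1" |
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p'
}

# Exit status 0 if flag $2 (e.g. -s) is one of the ProgramArguments in $1.
tftpd_has_flag() {
  tftpd_args "$1" | grep -qx -- "$2"
}

# One-line verdict: is the daemon chrooted (-s) and logging to syslog (-l)?
tftpd_audit() {
  has_chroot=no; has_log=no
  tftpd_has_flag "$1" -s && has_chroot=yes
  tftpd_has_flag "$1" -l && has_log=yes
  printf 'chroot=%s syslog=%s\n' "$has_chroot" "$has_log"
}

# Regular files under tftp root $1 that anyone can write (mode o+w), printed
# relative to the root. Each one can be replaced by any client that can reach
# UDP/69, since tftp has no authentication at all.
tftpd_world_writable() {
  find "$1" -type f -perm -o+w | sed "s|^$1/||" | sort
}

# Demo on a constructed plist and tftp root in a temporary directory; on a real
# system call tftpd_audit /System/Library/LaunchDaemons/tftp.plist and
# tftpd_world_writable /private/tftpboot instead.
tftpd_demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/tftp.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.tftpd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/tftpd</string>
        <string>-l</string>
        <string>-s</string>
        <string>/private/tftpboot</string>
    </array>
</dict>
</plist>
EOF
  mkdir "$d/tftpboot"
  echo testserver > "$d/tftpboot/test.txt" && chmod 666 "$d/tftpboot/test.txt"
  echo readonly   > "$d/tftpboot/boot.cfg" && chmod 644 "$d/tftpboot/boot.cfg"
  tftpd_audit "$d/tftp.plist"
  tftpd_world_writable "$d/tftpboot"
  rm -rf "$d"
}

tftpd_demo
```

Run as root on the real system the world-writable listing is the part worth keeping an eye on: anything it prints after a test like the one above should be chmod'ed back to 644 (or deleted) once the test is done, and the syslog entries from -l are what tell you whether someone else has been writing to those files in the meantime.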
More information on tftpd for Mac OS X:
Enter "man tftpd" (without quotes) in a terminal window, or visit
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/tftpd.8.html
Taking over the Torpig botnet
In this paper, we report on our efforts to take control of the Torpig botnet and study its operations for a period of ten days. During this time, we observed more than 180 thousand infections and recorded almost 70 GB of data that the bots collected. While botnets have been "hijacked" and studied previously, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server.
The paper may be downloaded at http://www.cs.ucsb.edu/%7Eseclab/projects/torpig/torpig.pdf
Interesting paper on the "Chinese firewalling system": how it works and how to beat it.
The so-called "Great Firewall of China" operates, in part, by inspecting TCP packets for keywords that are to be blocked. If the keyword is present, TCP reset packets (viz: with the RST flag set) are sent to both endpoints of the connection, which then close. However, because the original packets are passed through the firewall unscathed, if the endpoints completely ignore the firewall's resets, then the connection will proceed unhindered. Once one connection has been blocked, the firewall makes further easy-to-evade attempts to block further connections from the same machine. This latter behaviour can be leveraged into a denial-of-service attack on third-party machines.
Read the paper here
New paper on security ‘best practice’ in the cloud environment
VMware and RSA have just released a best-practice guide for security in a cloud environment. The guide is 17 pages in total and should be seen as an overview of trust-, encryption- and authentication-related issues in the cloud. It is not an in-depth implementation guide.
Download link:
Chinese filtering project Jinhui ”Green Dam” accused of stealing US-software
Solid Oak Software accuses Jinhui Computer Systems Engineering of stealing parts of its "CYBERsitter" software and claiming it as their own for use in the upcoming Internet censorship campaign in China.
The US-based firm Solid Oak Software is now preparing to battle Jinhui (they probably won't have any luck getting Chinese courts to stop Jinhui) by getting US courts to prohibit American computer manufacturers from selling computers with Jinhui's software on them.
More on this story here: http://blogs.channelinsider.com/secure_channel/content/data_security/us_firm_accuses_chinese_of_stealing_web_filtering_software.html
And there is already a public exploit available for exploiting Jinhui’s ”Green Dam”: http://milw0rm.org/exploits/8938