Windows command line utilities

We all know that Windows can’t compete with Linux or UNIX when it comes to useful command line utilities (Cygwin aside). What most people don’t realize is how many commands Windows actually ships with. If your job is to investigate intrusions on Windows machines, there are some nifty little command line tools that can make it considerably easier.

This article by Ed Skoudis lists a few of them, with handy examples of how the commands might be used in a security investigation. He mostly talks about wmic, openfiles (which I had never heard of before), and netstat. Unless you’ve done recent Windows administration work, you’ve probably never had to use wmic, but it’s really powerful, with tons of options. Also, be sure to check out the second part of his article, which goes into more advanced command line tricks – like “for” loops and querying the registry.

A more comprehensive, although less detailed, list was published by Kevin Beaver. There is overlap, but Kevin mentions a few additional commands.
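To show how those commands fit together in practice, here is a first-pass triage script of my own (an added example, not code from either article). It runs wmic, netstat, openfiles and reg query from an elevated cmd.exe and saves each result to its own file, then uses a “for” loop to map every listening TCP port to the process image that owns it. The output folder C:\triage is an assumption; change it to suit.

```batch
@echo off
rem Added example: live-response triage from cmd.exe using the commands
rem discussed above. Run from an elevated prompt so wmic and netstat can
rem see every process. The output folder is an assumption (hypothetical).
setlocal
set "OUT=C:\triage\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"

rem Who collected this, where, and when: the timestamp anchors any timeline.
(echo %DATE% %TIME% & hostname & whoami /all) > "%OUT%\context.txt"

rem Every process with its parent and full command line. wmic writes UTF-16
rem when redirected, so each wmic call gets its own file rather than sharing one.
wmic process get processid,parentprocessid,name,executablepath,commandline /format:list > "%OUT%\processes.txt"

rem Services: look for binaries in user-writable directories or with odd names.
wmic service get name,displayname,state,startmode,pathname /format:csv > "%OUT%\services.txt"

rem Autostart locations: wmic's view, plus the Run keys queried directly.
wmic startup get caption,command,location,user /format:list > "%OUT%\startup.txt"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" > "%OUT%\run-hklm.txt"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" > "%OUT%\run-hkcu.txt"

rem Network: the raw table, then a loop that maps each LISTENING TCP socket to
rem its owner. In netstat -nao output token 2 is Local Address, token 5 is PID.
netstat -nao > "%OUT%\netstat.txt"
for /f "tokens=2,5" %%a in ('netstat -nao ^| findstr /i LISTENING') do (
  echo %%a is owned by PID %%b >> "%OUT%\listeners.txt"
  rem "find /v """ forces wmic's UTF-16 output back to ANSI so it can share a file.
  wmic process where processid=%%b get name,executablepath /format:list | find /v "" >> "%OUT%\listeners.txt"
)

rem Files opened over the network by remote users. After "openfiles /local on"
rem (and a reboot) the same query also lists locally opened files.
openfiles /query /v > "%OUT%\openfiles.txt"

echo Collection written to "%OUT%"
endlocal
```

Two caveats worth knowing before you rely on this: the `for /f` loop re-runs netstat, so a short-lived connection can appear in one listing and not the other; and Microsoft has since deprecated wmic in favour of PowerShell’s Get-CimInstance, so on current Windows builds the wmic lines may need replacing even though the rest of the script still works.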


Web Security

Google has some good content about web security available on their Google Code University portal. There’s introductory course material, and even some videos. The one titled “How to Break Web Software” is pretty interesting.


Malicious CHM file targets PGP

Let’s not forget that CHM files can be dangerous. They can carry embedded executables that are launched automatically when the file is opened. This post on SANS ISC details a particular malicious CHM file that was sent out via email. After some investigation, it was determined that the program it ran specifically targeted PGP keyrings.

The code searched for the keyring files (.pkr and .skr) and copied them off to the attacker’s system. To actually make use of a PGP keyring you need the passphrase, which is why the malware came bundled with a keylogger, just in case you happened to be using PGP while it was running. The ISC post also notes that it collected .doc files, which could be an attempt to harvest documents that users created to help them keep track of their passphrases.

I’m not sure if I see enough evidence to agree with the conclusion that the attacker was simply trying to map relationships between PGP users, but I guess that is a possibility. Do recent versions of PGP even use these same keyring files?


G-Archiver is evil

This is a great lesson in why not to blindly trust random software that you find on the Internet. G-Archiver, a program created to help users save their Gmail messages locally, contains code that sends your Gmail login and password to the author. You can see a scary screenshot of his inbox: the author had his own Gmail credentials hard coded right into the program, which is how the whole thing was discovered.

The details are at SANS ISC (source code) and Coding Horror (screen shot).


Leave your laptop at home

Most people don’t realize how limited their rights are when crossing the U.S. border. This is especially true when it comes to portable electronics, such as your laptop. Of course border guards can search your luggage for contraband, such as drugs, illegal food items, or even animals. But did you know that they can also search the contents of your laptop? They don’t need probable cause or any suspicion of illegal activity. It doesn’t matter whether it’s your personal laptop or one owned by your company. Not only can they ask you to turn it on, they can also require you to log in and let them examine the contents of your system.

My advice: leave the laptop at home unless you absolutely need it on your trip. At the very least, don’t carry any sensitive data with you, especially in an obvious, unencrypted form. If you travel often, the ideal is a basic laptop with no real data on it, kept just for this purpose.

Let’s just hope these laws never apply to crossing state borders, as well…
