Author Archives: Dale

Google, Bing, Twitter Mashup.. Social Networking / Engineering Heaven

So if for some reason you are naive enough to think that your mindless twittering is somehow private, this should really make you think again.

It was recently announced that both Microsoft’s Bing and Google will be featuring tweets in their search results, with Bing also having something going on with Facebook.

From the Google blog:

“Given this new type of information and its value to search, we are very excited to announce that we have reached an agreement with Twitter to include their updates in our search results. We believe that our search results and user experience will greatly benefit from the inclusion of this up-to-the-minute data, and we look forward to having a product that showcases how tweets can make search better in the coming months. That way, the next time you search for something that can be aided by a real-time observation, say, snow conditions at your favorite ski resort, you’ll find tweets from other users who are there and sharing the latest and greatest information.”

So what does this mean to you? Well, it means that every time you tweet to the world that you have had a bathroom break, that you’re going on holiday, that you’re not at home, or that your goldfish has died, the whole world will see it in their Google and Bing search results. Indexed, searchable tweets about where you are and when you are away from home are exactly the kind of open-source information a social engineer gathers before a pretext call, and that is what the “engineering” in the title refers to.

Something to be mindful of, perhaps? Remember, there is no privacy on the Interwebs.

HD Moore and Metasploit go to Rapid7

This is most likely not breaking news to anyone in the InfoSec community, as it came out last week. However, I thought it might be of interest to those who live under a rock and have yet to hear.

So it’s true: HD Moore and Metasploit have been acquired by Rapid7. “Oh no,” I hear you cry, “bye bye to the awesomeness of open source Metasploit.” Well, apparently not (and I hope that’s true): it’s my understanding that Metasploit will continue to have the open source side of the project we know and love. I am not sure how much effect this will have on the Rapid7 NeXpose offering that they are looking to enhance with this acquisition; I am sure time will tell.

Personally, HD Moore has always come across as a great guy, and I wish him and his family all the best, along with any of the other guys fortunate enough to be involved. Of course I also have a selfish side, so I do hope we continue to be able to benefit from open source Metasploit, and that it continues to grow and develop.

October 21, 2009

I’m extremely pleased to announce Rapid7’s acquisition of Metasploit, the leading open source penetration testing framework and world’s largest database of public, tested exploits. We believe the acquisition deepens our leadership as the leading provider of vulnerability management, compliance and penetration testing solutions and will provide great value for our customers and partners.

As a result of the acquisition, we will leverage Metasploit technology to enhance our vulnerability management solution, Rapid7 NeXpose™. At the same time we will not only maintain, but accelerate the open source framework Metasploit with dedicated resources and contributions. I’m also pleased to announce that HD Moore, the founder of Metasploit, will be joining Rapid7 full-time as Chief Architect of Metasploit and Chief Security Officer of Rapid7.

Mike Tuchen,
President & CEO, Rapid7

UK Government still looking to disconnect the so called “Net Pirates”

According to the BBC News website today, the UK Government is on the “disconnect net pirates” bandwagon again.

People who persistently download illegal content will be cut off from the net, Business Secretary Peter Mandelson has announced.

Speaking at a government-sponsored forum he said the UK would introduce a similar policy to France.

It means persistent pirates will be sent two warning letters before facing disconnection from the network.

This really is going to lead to no end of problems, and this has been echoed by the ISP TalkTalk in recent weeks.
It’s going to be difficult to clearly identify (without extreme cost, forensic investigation and more) whether the actual ISP customer is the one responsible for the infringing download, be that audio, video or other material.

To me it assumes that all UK consumers are security savvy and that the products they purchase and use are configured securely. As you can see from one of my previous posts on wardriving, so many wireless access points are not secured at all, or use weak, easily broken security controls. With this in mind, plenty of people could be stealing bandwidth from these consumers and getting up to all sorts on their connection, while it is the account holder’s name on the warning letter. People may argue that it’s the consumer’s responsibility to protect their Internet connection, and you’re probably correct; however, in reality we know this isn’t currently the case. I think there may be some interesting court cases if this goes ahead.

It’s also worth considering what this actually means for the ISPs. Surely it’s going to require investment and resources for them to monitor, track and act on this possible new legislation. Will this be paid for by the Government (the tax payer), or will the ISPs need to pass the cost on to their customers? Either way, it’s most probably Joe Public who will end up paying.

I apologise for being cynical, but surely this time could be spent resolving another problem. Oh well 😀

Adobe Zero Day… It’s like the Duracell bunny

Earlier this month we had yet another Adobe Reader zero day. It’s really becoming a common theme this year, and who knows when it’s going to end.

Adobe are once again telling users to disable JavaScript to protect themselves from attack; this just seems to be the standard response now. Many customers I work with do not need or use the JavaScript functionality anyway, so I recommend it is disabled permanently. Some turn it off, then turn it back on again when a patch is released, because for some reason they think it is now safe and another zero day isn’t just around the corner.

So my question has to be: who actually needs the JavaScript functionality? I have met very few individuals or organisations that do, so why not ship it disabled as standard and put the onus on the user to enable it, with a caveat (it might mess you up)?

I think Adobe make some good products, but they just seem to be having some issues with secure coding or something. Perhaps the tools are not being used the way they were intended, I don’t know, so why not do something about it?

I am by no means a PDF expert, so I am not really the best person to comment, but I know a man who is. Didier Stevens is the master; just check out his blog.
Didier will be speaking to us on the first episode of the eurotrash security podcast.
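Since Adobe’s advice boils down to “don’t let the reader run JavaScript”, it helps to be able to tell whether a given PDF actually carries any before it reaches a user. The scanner below is an added example written for this page; it is not Didier Stevens’ pdfid (although it looks for the same family of names) and it is not anything from Adobe. It counts the PDF names that mark active content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile), decodes the #xx hex escapes that are used to hide those names from naive string searches, and inflates FlateDecode streams so that an action tucked inside a compressed object stream is counted too. Both PDFs embedded in it are constructed for the demonstration.

```python
import re
import zlib
from collections import Counter

# PDF name tokens that mark active content. Same family of indicators that pdfid
# reports on, but this scanner is an added example, not Didier Stevens' code.
SUSPECT_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")                 # /J#61vaScript -> /JavaScript
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")               # one PDF name, up to a delimiter
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name compares equal to its plain form."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> Counter:
    """Count exact occurrences of the suspect names in a byte buffer."""
    counts = Counter()
    for tok in NAME_TOKEN.finditer(normalise_names(data)):
        if tok.group(0) in SUSPECT_NAMES:
            counts[tok.group(0).decode()] += 1
    return counts


def inflate_streams(data: bytes) -> list:
    """Return the inflated body of every stream that is zlib (FlateDecode) data.
    decompressobj() tolerates the EOL bytes between the deflate data and 'endstream'
    as trailing garbage; streams using other filters raise and are skipped."""
    out = []
    for m in STREAM_BODY.finditer(data):
        try:
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        if inflated:
            out.append(inflated)
    return out


def scan_pdf(data: bytes):
    """Return (surface, hidden): names visible in the raw file, and names that only
    appear after inflating compressed streams."""
    surface = count_names(data)
    hidden = Counter()
    for body in inflate_streams(data):
        hidden.update(count_names(body))
    return surface, hidden


def verdict(data: bytes) -> list:
    """Summarise a scan as a list of flags; an empty list means nothing suspicious."""
    surface, hidden = scan_pdf(data)
    total = surface + hidden
    flags = []
    if total["/JavaScript"] or total["/JS"]:
        flags.append("javascript")
    if total["/OpenAction"] or total["/AA"]:
        flags.append("auto-action")              # fires without the user clicking anything
    if total["/Launch"]:
        flags.append("launch")
    if hidden["/JavaScript"] or hidden["/JS"]:
        flags.append("js-in-compressed-stream")  # invisible to a plain string search
    return flags


# --- constructed samples (not real malware, not from the post) -------------------------
# 1. Hex-escaped names in a dictionary: '/#4A#61#76#61Script' is '/JavaScript'.
EVASIVE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /#4A#61#76#61Script /#4A#53 (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# 2. The JavaScript action lives inside a FlateDecode object stream.
_HIDDEN_OBJ = b"3 0 << /S /JavaScript /JS (app.alert('hidden')) >>"
_DEFLATED = zlib.compress(_HIDDEN_OBJ)
OBJSTM_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_DEFLATED)).encode() + b" >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("evasive", EVASIVE_PDF), ("objstm", OBJSTM_PDF)):
        surface, hidden = scan_pdf(doc)
        print(label, dict(surface), dict(hidden), verdict(doc))
```

A count of zero is not a clean bill of health: names can also be split across object streams with other filters, or the action can be built at runtime by script that is itself encoded. The scanner is a triage step for deciding which files deserve a look in a proper PDF parser, not a replacement for keeping JavaScript switched off in the reader.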

Microsoft handing out free COFEE.. It’s not Starbucks related

You have heard me mention COFEE (Computer Online Forensic Evidence Extractor) before, when I was talking about EnCase’s latest portable forensics tool.
Microsoft have now published a press release detailing how COFEE is going to be given out to US law enforcement at no cost.

Today at the Digital Crimes Consortium, Microsoft Corp. and the National White Collar Crime Center (NW3C) — the nation’s premier provider of economic and high-tech crime training to law enforcement agencies — announced an agreement establishing NW3C as the first U.S.-based distributor of the Computer Online Forensic Evidence Extractor (COFEE). A Microsoft-developed program, COFEE uses digital forensic technologies to help investigators gather evidence of live computer activity at the scene of a crime, regardless of their technical expertise. This agreement will make COFEE available to law enforcement agencies at no charge so they can better combat the growing and increasingly complex ways that criminals use the Internet to commit crimes. This distribution agreement broadens availability for law enforcement agencies, building on Microsoft’s April 2009 distribution agreement with INTERPOL, which is making the COFEE tool available to law enforcement in each of its 187 member countries.

This is interesting for Microsoft, and I think in some ways it does show some continued commitment to InfoSec, but it doesn’t do their publicity any harm either.

I have not got my hands on a copy of COFEE, I guess for obvious reasons. However, I would guess at it being a bit similar to WOLF (Windows Online Forensics), which Microsoft use for their internal incident response. I have seen this tool, and it is quick and simple to use. This is the basic selling point (I know it’s free) of COFEE for law enforcement: they can simply plug and go. It’s my understanding they will plug it in, it will run a few scripts and collect all the relevant digital evidence and volatile data. I don’t see this as a replacement for EnCase and FTK type offerings, but it’s going to be a handy bit of kit for law enforcement response units; I just hope it doesn’t dumb down the forensics skill set.

Microsoft COFEE

Law enforcement agents with less than 10 minutes training can capture live evidence of illegal activity by inserting the COFEE USB device into a computer. The evidence is then preserved for analysis, protecting it from being destroyed when the computer is turned off for moving.

My not so evil maid – TrueCrypt encryption attack

Joanna Rutkowska of Invisible Things Lab recently made an interesting post on her blog about the work they have been doing to capture the passphrases of users of TrueCrypt full disk encryption.

Because the attack requires physical access to the machine (to boot it from a USB device), they have coined this the Evil Maid attack. The scenario is that a hotel maid with evil intent gets up to no good with the laptop of a guest who has left it in the room.

Look out Evil Maid is about

How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care about adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.

It’s my belief that this sort of attack could be used to bypass other full disk encryption products that don’t use a TPM (Trusted Platform Module).

This does look like a really interesting project, but for one reason or another I can’t get my Evil Maid attack to work. I have tried to create a couple of USB drives, but all of them just end up with a flashing cursor at boot time, and that’s it.

When I get this working, I will post an update. For now, enjoy reading the informative blog post from Joanna.
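Since the attack works by rewriting the first 63 sectors of the disk and leaving everything else alone, the defence available on a laptop without a TPM is a boring one: keep a known-good copy of that area and compare it. The script below is an added example written for this page, not code from Invisible Things Lab or from the Evil Maid stick. The disk image in it is constructed filler with an MBR-style partition table and 55AA signature, not a real TrueCrypt loader, and the byte offsets it patches to mimic the hook are invented for the demonstration.

```python
import hashlib

SECTOR = 512
BOOT_AREA_SECTORS = 63                     # the span Evil Maid reads, patches and writes back
BOOT_AREA_BYTES = SECTOR * BOOT_AREA_SECTORS
MBR_SIGNATURE = b"\x55\xaa"                # standard boot signature at offset 510 of sector 0
PARTITION_TABLE = slice(0x1BE, 0x1FE)      # the four 16-byte partition entries in sector 0


def sector_hashes(image: bytes) -> list:
    """SHA-256 of each of the 63 sectors, so the report can say which sectors moved."""
    if len(image) < BOOT_AREA_BYTES:
        raise ValueError("need at least %d bytes (63 sectors)" % BOOT_AREA_BYTES)
    return [hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(BOOT_AREA_SECTORS)]


def check_boot_area(baseline: bytes, current: bytes) -> dict:
    """Compare the current boot area against a trusted baseline.
    The partition table and the 55AA signature are reported separately on purpose: an
    implant that hooks loader code has no reason to touch either, so a check that stops
    at 'partition table intact, signature intact' learns nothing."""
    changed = [i for i, (a, b) in enumerate(zip(sector_hashes(baseline), sector_hashes(current)))
               if a != b]
    return {
        "signature_ok": current[510:512] == MBR_SIGNATURE,
        "partition_table_unchanged": baseline[PARTITION_TABLE] == current[PARTITION_TABLE],
        "changed_sectors": changed,
        "tampered": bool(changed),
    }


# --- constructed images: a stand-in for a dd dump of the first 63 sectors ---------------
def make_baseline_image() -> bytes:
    """Deterministic filler, not a real TrueCrypt loader; only the MBR layout fields are real."""
    filler = b"".join(hashlib.sha256(b"sector-%d" % i).digest() * (SECTOR // 32)
                      for i in range(BOOT_AREA_SECTORS))
    img = bytearray(filler)
    img[0x1BE:0x1FE] = bytes(64)           # clear the partition table area ...
    img[0x1BE] = 0x80                      # ... and mark one bootable entry (invented values)
    img[0x1C2] = 0x07
    img[510:512] = MBR_SIGNATURE
    return bytes(img)


def simulate_evil_maid(image: bytes) -> bytes:
    """Mimic what the post describes: patch loader code in sector 0 and in the packed body,
    leaving the partition table and signature exactly as they were. Offsets are invented."""
    img = bytearray(image)
    img[0x100:0x110] = b"\x90" * 16                  # hook in sector 0, below the partition table
    img[10 * SECTOR:10 * SECTOR + 8] = b"HOOKED!!"   # change in the (normally gzip-packed) body
    return bytes(img)


BASELINE_IMAGE = make_baseline_image()
TAMPERED_IMAGE = simulate_evil_maid(BASELINE_IMAGE)

if __name__ == "__main__":
    # On a real machine the baseline is: dd if=/dev/sda bs=512 count=63 of=baseline.bin
    # taken while the laptop is known-good; the comparison is run from trusted boot media.
    print(check_boot_area(BASELINE_IMAGE, TAMPERED_IMAGE))
```

Take the baseline when the laptop is known-good, keep it off the laptop, and run the comparison from media you trust: a loader that has already been hooked can lie to anything running on top of it, so a check launched from the installed OS proves little. This is the manual equivalent of what a TPM-measured boot does automatically, which is why the TPM remark above matters.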