Category Archives: InfoSec

HD Moore and Metasploit go to Rapid7

This is most likely not breaking news to anyone in the InfoSec community, as it came out last week. However, I thought it might be of interest to those who live under a rock and have yet to hear.

So it's true: HD Moore and Metasploit have been acquired by Rapid7. "Oh no," I hear you cry, "bye bye to the awesomeness of open-source Metasploit." Well, apparently not (and I hope it's true): my understanding is that the open-source side of the project we know and love will continue. I am not sure how much of an impact this will have on the Rapid7 NeXpose offering they are looking to enhance with this acquisition; I am sure time will tell.

Personally, HD Moore has always come across as a great guy, and I wish all the best to him, his family and any of the other guys fortunate enough to be involved. Of course I also have a selfish side, so I do hope we continue to benefit from open-source Metasploit, and that it continues to grow and develop.

October 21, 2009

I’m extremely pleased to announce Rapid7’s acquisition of Metasploit, the leading open source penetration testing framework and world’s largest database of public, tested exploits. We believe the acquisition deepens our leadership as the leading provider of vulnerability management, compliance and penetration testing solutions and will provide great value for our customers and partners.

As a result of the acquisition, we will leverage Metasploit technology to enhance our vulnerability management solution, Rapid7 NeXpose™. At the same time we will not only maintain, but accelerate the open source framework Metasploit with dedicated resources and contributions. I’m also pleased to announce that HD Moore, the founder of Metasploit, will be joining Rapid7 full-time as Chief Architect of Metasploit and Chief Security Officer of Rapid7.

Mike Tuchen,
President & CEO, Rapid7

UK Government still looking to disconnect the so called “Net Pirates”

According to the BBC News website today, the UK Government is back on the "disconnect the net pirates" bandwagon.

People who persistently download illegal content will be cut off from the net, Business Secretary Peter Mandelson has announced.

Speaking at a government-sponsored forum he said the UK would introduce a similar policy to France.

It means persistent pirates will be sent two warning letters before facing disconnection from the network.

This really is going to lead to no end of problems, a point the ISP TalkTalk has echoed in recent weeks. It is going to be difficult to identify clearly (without extreme cost, forensic investigation and more) whether the actual ISP customer is responsible for the infringing download, be that audio, video or anything else.

To me it assumes that all UK consumers are security savvy and that the products they buy and use are configured securely. As you can see from one of my previous posts on wardriving, a great many wireless access points are not secured at all, or use weak, easily cracked security controls. With that in mind, plenty of people could be using these consumers' bandwidth and getting up to all sorts. People may argue that it is the consumer's responsibility to protect their Internet connection, and you are probably right, but in reality we know this isn't currently the case. I think there may be some interesting court cases if this goes ahead.

It is also worth considering what this actually means for the ISPs. Surely it is going to require investment and resources for them to monitor, track and act on this possible new legislation. Will this be paid for by the Government (i.e. the taxpayer), or will the ISPs need to pass the cost on to their customers? Either way, it is most probably Joe Public who will end up paying.

I apologise for being cynical, but surely this time could be spent resolving another problem. Oh well 😀

Adobe Zero Day… it's like the Duracell bunny

Earlier this month we had yet another Adobe Reader zero day. It is really becoming a common theme this year, and who knows when it is going to end.

Adobe is once again telling users to disable JavaScript in Reader to protect themselves from attack; this now seems to be the standard response. Many customers I work with do not need or use the JavaScript functionality anyway, so I recommend it is disabled permanently. Yet some turn it off and then turn it back on again when a patch is released, because for some reason they think it is safe and another zero day isn't just around the corner.

So my question has to be: who actually needs the JavaScript functionality? I have met very few individuals or organisations that do, so why not ship it disabled as standard and leave it to the user to enable, with a caveat (it might mess you up)?

I think Adobe makes some good products, but they just seem to be having issues with secure coding or something. Perhaps the tools are not being used the way they were intended; I don't know, but why not do something about it?

I am by no means a PDF expert, so I am not really the best person to comment, but I know a man who is: Didier Stevens is the master, just check out his blog.
Didier will be speaking to us on the first episode of the Eurotrash Security podcast.

Microsoft handing out free COFEE… it's not Starbucks related

You have heard me mention COFEE (Computer Online Forensic Evidence Extractor) before, when I was talking about EnCase's latest portable forensics tool.
Microsoft has now published a press release detailing how COFEE is going to be given to US law enforcement at no cost.

Today at the Digital Crimes Consortium, Microsoft Corp. and the National White Collar Crime Center (NW3C) — the nation’s premier provider of economic and high-tech crime training to law enforcement agencies — announced an agreement establishing NW3C as the first U.S.-based distributor of the Computer Online Forensic Evidence Extractor (COFEE). A Microsoft-developed program, COFEE uses digital forensic technologies to help investigators gather evidence of live computer activity at the scene of a crime, regardless of their technical expertise. This agreement will make COFEE available to law enforcement agencies at no charge so they can better combat the growing and increasingly complex ways that criminals use the Internet to commit crimes. This distribution agreement broadens availability for law enforcement agencies, building on Microsoft’s April 2009 distribution agreement with INTERPOL, which is making the COFEE tool available to law enforcement in each of its 187 member countries.

This is interesting for Microsoft, and I think in some ways it does show a continued commitment to InfoSec, but it also doesn't do their publicity any harm.

I have not got my hands on a copy of COFEE, for obvious reasons I guess. However, I would guess it is a bit similar to WOLF (Windows Online Forensics), which Microsoft uses for its internal incident response. I have seen that tool, and it is quick and simple to use. This is the basic selling point (I know it's free) of COFEE for law enforcement: they can simply plug in and go. It is my understanding that they plug it in, it runs a few scripts and collects all the relevant digital evidence and volatile data. I don't see this as a replacement for EnCase and FTK type offerings, but it is going to be a handy bit of kit for law enforcement response units. I just hope it doesn't dumb down the forensics skill set.

Microsoft COFEE

Law enforcement agents with less than 10 minutes training can capture live evidence of illegal activity by inserting the COFEE USB device into a computer. The evidence is then preserved for analysis, protecting it from being destroyed when the computer is turned off for moving.

My not so evil maid – TrueCrypt encryption attack

Joanna Rutkowska of Invisible Things Lab recently made an interesting post on her blog about the work they have been doing to capture the passphrases of users of TrueCrypt full-disk encryption.

Because the attack requires physical access to plug in a USB device, they have coined it the Evil Maid attack: the scenario is a hotel maid with evil intent getting up to no good with the laptop of a guest staying at the hotel.

Look out Evil Maid is about

How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care about adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.

It is my belief that this sort of approach could be used to bypass other full-disk encryption products that don't use a TPM (Trusted Platform Module).
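The description above gives the defender something concrete to check: the Evil Maid USB rewrites the sectors that sit before the first partition (the MBR plus the loader code it hooks, patching the loader size and checksum fields in the MBR so the loader still looks valid to itself). A loader that verifies its own checksum cannot detect that, but a hash of that whole region recorded at a trusted time and compared on later boots can. The following Python script is an added example written for this post; it is not Joanna's code, not part of the Evil Maid tool and not TrueCrypt's own integrity check. Rather than hard-coding the 63 sectors Joanna's implementation reads (classic MBR layouts start the first partition at LBA 63), it derives the region from the partition table, so it also covers disks with a different reserved-sector count. The disk image, its single partition and the "hook" patch are all constructed inline for the demo; against a real laptop you would read `/dev/sda` as root instead of calling `build_sample_image()`.

```python
"""Detect modification of the pre-boot region (MBR + boot loader) of a disk.

Added example for this post, not code from Invisible Things Lab or TrueCrypt.
The sample image, partition layout and hook patch below are constructed.
"""
import hashlib
import hmac
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55        # bytes 55 AA at offset 510 of the MBR
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16


def parse_mbr(sector0: bytes) -> dict:
    """Return the boot-signature flag and the non-empty partition entries."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    bootable = struct.unpack_from("<H", sector0, 510)[0] == MBR_SIGNATURE
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0:                       # type 0 is an empty slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "lba_count": lba_count})
    return {"bootable": bootable, "partitions": partitions}


def reserved_sectors(sector0: bytes) -> int:
    """Sectors before the first partition: this is where the loader lives.
    With a classic layout the first partition starts at LBA 63, so this is 63."""
    mbr = parse_mbr(sector0)
    if not mbr["bootable"]:
        raise ValueError("no 55AA signature: not a bootable MBR")
    if not mbr["partitions"]:
        raise ValueError("no partitions in MBR; cannot bound the loader region")
    return min(p["lba_start"] for p in mbr["partitions"])


def loader_fingerprint(image: bytes) -> str:
    """SHA-256 over the whole pre-partition region: MBR, partition table, loader.
    Hashing everything (not just the loader's own checksum field) means the
    Evil Maid trick of fixing up the size and checksum fields is caught too."""
    n = reserved_sectors(image[:SECTOR_SIZE]) * SECTOR_SIZE
    if len(image) < n:
        raise ValueError("image shorter than its reserved region")
    return hashlib.sha256(image[:n]).hexdigest()


def loader_unchanged(image: bytes, baseline: str) -> bool:
    """Compare against a fingerprint recorded when the disk was known good."""
    return hmac.compare_digest(loader_fingerprint(image), baseline)


def build_sample_image() -> bytes:
    """Constructed sample disk (not a real TrueCrypt volume): 63 reserved
    sectors holding dummy loader bytes, then one 1024-sector partition."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"               # JMP SHORT + NOP, as boot code starts
    mbr[3:27] = b"CONSTRUCTED BOOT LOADER!"
    # partition 1: active, type 0x07, starts at LBA 63, 1024 sectors long
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1024)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    loader = bytes((i * 7 + 3) & 0xFF for i in range(62 * SECTOR_SIZE))  # sectors 1..62
    data = b"\x00" * (1024 * SECTOR_SIZE)                                  # the partition
    return bytes(mbr) + loader + data


def tamper(image: bytes, sector: int, offset: int, patch: bytes) -> bytes:
    """Simulate the Evil Maid write-back: overwrite bytes at a sector offset."""
    pos = sector * SECTOR_SIZE + offset
    return image[:pos] + patch + image[pos + len(patch):]


if __name__ == "__main__":
    clean = build_sample_image()
    baseline = loader_fingerprint(clean)            # record this while trusted
    evil = tamper(clean, 5, 100, b"\xE8\x00\x00")   # a CALL-like hook in sector 5
    print("clean image unchanged   :", loader_unchanged(clean, baseline))
    print("tampered image unchanged:", loader_unchanged(evil, baseline))
```

Two caveats apply when using this for real. The comparison has to run from a medium you trust (a clean USB stick booted before the possibly hooked loader gets control), because once a modified loader has captured the passphrase and booted the OS, anything that OS reports can be lied to. And it is detection only: the first boot after the maid's visit still hands the passphrase to the hook, so a mismatch means the passphrase must be treated as compromised and changed, not just the loader restored.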

This does look like a really interesting project, but for one reason or another I can't get my Evil Maid attack to work. I have tried to create a couple of USB drives, but all of them just end up with a flashing cursor at boot time, and that's it.

When I get this working, I will post an update. For now enjoy reading the informative blog post from Joanna.

Dissecting The Hack Community

I wanted to put a quick post out to invite you guys to check out a new community that has been set up by my excellent buddy Jayson Street, called Dissecting The Hack.

I don't want to get into the discussion of what happened with regard to The F0rb1dd3n Network; you can read about that elsewhere and on the site. I do want to focus on the positive message the book was getting across through a great story.

So to keep up to date with what is happening, contribute to this new community and share your thoughts and opinions, please check out the site.