July, 2006

LINReS - An open source Linux Incident Response Tool!

By Chetan Gupta, NII Consulting

In accordance with NII’s mantra of innovation and research, we have developed our own tool to conduct initial response on compromised Linux systems. This tool is appropriately titled LINReS, which stands for “Linux INcident Response Script”.

LINReS is a Live Response script designed to run on suspect/compromised Linux systems. LINReS consists mostly of statically compiled binaries and includes the shared libraries that may be required to run the few binaries which are not statically compiled. All in all, no binary from the compromised system is used by this tool, which mitigates the risk of collecting information using trojaned binaries on a compromised system.


Protecting your pot of gold

Securing your passwords against Rainbow Table Attacks

By Bhushan Shah, NII Consulting

In the previous article we looked at Rainbow Tables and how they can crack Windows passwords in a matter of seconds. In this article we will look at different ways to add complexity to your passwords and protocols to secure your system so that you can survive a rainbow table attack (or at least try to).


July, 2006

Article on Dissecting NTFS Hidden Streams

NII Consulting’s Chetan Gupta (GCFA) has published an article at ForensicFocus on the Alternate Data Streams in NTFS, and how these can be detected.

This article discusses a “…particular feature of this file system which was designed to offer compatibility with Macintosh Hierarchical File System (HFS) and store additional data called metadata for a file. This feature is known as Alternate Data Streams (ADS). The Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork tells the operating system how to interpret the data fork. Alternate Data Streams is the Microsoft way of implementing resource fork. The ADS is a hidden stream in addition to the regular data stream which contains the main data for the file. This hidden stream contains metadata for the file such as the file access/modification times, attributes etc.”

Rainbow Tables Simplified (Password Cracking for Windows)

By Bhushan Shah, NII Consulting

Windows passwords are stored in the registry (encrypted) in the form of a hash. LMHash was the first hash function used by Microsoft to secure their passwords. Eventually, when the security issues popped up (as LMHash is quite insecure), they had to come up with NTLM, the most recent version being NTLM Version 2.

A hash function is a way of creating a small digital “fingerprint” from any kind of data. The function chops and mixes the data to create the fingerprint, often called a hash value.

The LM hash (LAN Manager hash) is one of the formats that Microsoft LAN Manager and Microsoft Windows use to store Windows user passwords that are less than 15 characters long.


July, 2006

Understanding Apache and Squid Logs

By Kush Wadhwa, NII Consulting

Welcome to the world of log analysis. Log analysis plays a crucial role in intrusion detection. If the compromised system is running on a Linux platform, one of the first steps the investigator will perform is the analysis of log files.

Linux can store logs for different services, such as Apache logs, Squid logs, syslog, and cron logs. These logs help users resolve problems and audit user actions. In this article we will talk about Apache and Squid logs, since they are closely related to each other, and we will also see how to read Apache and Squid log files.


UserAssist Revisited!

By Chetan Gupta, NII Consulting

In my previous article on UserAssist, I had mentioned how UserAssist records user access of specific objects on the system and how it would greatly aid forensic investigations.

Although I had shown how to decrypt the keys, the important thing that was missing was how to interpret the 16 bytes of data associated with the entries. (Thanks to Harlan Carvey for providing his valuable inputs on this.)

Here is a cool piece of code I found here that allows you to decrypt the entries.


July, 2006

The top 100 security tools

Penetration Testing

Fyodor’s back with his top 100 security tools for 2006.

One of the most significant, but not surprising, entries is that of the Metasploit Framework at #5 on the list. Since the launch of the 2.0 series, Metasploit has become one of the most popular security tools out there. The 3.0 series is a completely overhauled and very powerful piece of software. Re-written in Ruby and with extensive APIs, it is no longer simply a platform to develop and test exploits; it is now a platform to develop advanced security tools. Check out some cool features such as the recon modules and the sophisticated IDS/IPS evasion techniques. You can download the alpha version of the 3.0 series here.

July, 2006

Lacunae in privacy laws and the ubiquitous USB memory stick

By K K Mookhey, NII Consulting

Two recent events bring to light how the lacunae in India’s privacy laws are now hitting where it hurts most: the bottom line. According to this report in the Economic Times, Apple and Powergen have moved their back-office operations out of India. This follows closely on the heels of the HSBC data theft scam, where an employee in HSBC’s BPO operations siphoned off close to a quarter million pounds from customers. This is just the latest in a series of BPO scandals that have left the Indian ITES industry floundering for explanations and NASSCOM issuing face-saving statements.

The other story is about a spy stealing sensitive data from the National Security Council Secretariat. The data was carried out using USB drives as well as printouts and SMSes. Apparently, Rosanne Minchew, the spy in question, did this under the cover of the much-hyped Indo-US Cyber Security Forum.

The fact of the matter is that all of the suggestions being put forward, such as the establishment of a global database of BPO employees, frisking of employees, and banning cellphones and cameras in offices, are ad hoc. Nothing is likely to change until the IT Act is radically modified. And this has to be accompanied by the establishment of special courts for the quick dispensation of justice and punitive measures against violators of data privacy.