Tuesday, December 29, 2009
two calls to comcast
800-391-3000
1st prompt: new or existing crusty
2nd prompt: Zip Code
3rd prompt: tech support, billing....
4th prompt: account details menu
so comcast takes your phone number and zip code, then authenticates you into an account.
In this particular case it happened to not be my account. Before I realized what was happening, I heard info on last payment date/amount and total balance due. Hung up.
call #2
existing crust
zip
tech support --> Human
name, address, phone number
three accounts pop (account from 1st call was not one of them).
tech support explanation was that phone number links accounts across all comcast boards (biz/residential).
busted.
Sunday, December 27, 2009
new gmail privacy feature
Wednesday, December 23, 2009
ubuntu security
1. automated sniffing: Snort
2. view log files:
sudo gedit /var/log/XXX
3. manual sniffing: tcpdump & Wireshark
sudo tcpdump -vvi eth1
installing Wireshark on Ubuntu:
sudo apt-get install wireshark
4. vulnerability scanner: Nessus
http://ubuntuforums.org/showthread.php?t=27674
sudo apt-get install nessusd nessus nessus-plugins
sudo /etc/init.d/nessusd restart
register Nessus (the plugin feed needs a registration code).
use this path if you used apt-get:
sudo /bin/nessus-fetch XXXXXXX
sudo update-nessus-plugins
not sure of your path?
dpkg -L nessus
scan result breakdown
checks for rootkits:
http://www.chkrootkit.org/
./chkrootkit -x | more
(-x is expert mode: it dumps the strings of the system binaries so you can examine them for suspicious strings that may indicate a trojan)
Rootkit Hunter:
sudo apt-get install rkhunter
sudo rkhunter --propupd
(--propupd records the current properties of the system binaries as the baseline, so run it on a machine you trust to be clean)
then:
sudo rkhunter --check
5. AV
http://www.itsecurity.com/features/ubuntu-secure-install-resource/
Antivirus
- Clam AntiVirus - One of the most popular UNIX based antivirus solutions. Works well with email gateways.
- AVG Anti-Virus - Free version of a popular commercial virus scanner.
- BitDefender - On demand command line/shell script scanner.
- Panda Antivirus - Uses sophisticated software to remove viruses from workstations connected to a Linux server.
turn off Bonjour (avahi-daemon, mDNS/zeroconf) -->
sudo /etc/init.d/avahi-daemon stop
sudo nano /etc/default/avahi-daemon
AVAHI_DAEMON_START=0
stop the CUPS printing service too if you don't need it -->
sudo /etc/init.d/cups stop
http://www.zolved.com/synapse/view_content/27995/Top_Ten_basic_things_to_know_about_securing_Ubuntu
1. http://ubuntuforums.org/showthread.php?t=7353
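The two rkhunter commands above are the steps of one procedure: --propupd records what the system binaries look like now, and --check later compares against that record. As an added example (not rkhunter's own code, which tracks more properties and also looks for known rootkit files), here is the same baseline-then-check logic written out in Python over a throwaway directory, so you can see exactly what kind of change such a check catches and why the baseline has to come from a machine you trust: a hash baseline taken after a rootkit is installed just certifies the rootkit. The names file_props, build_baseline and check, and the fake binaries, are assumptions of this example.

```python
"""File-properties baseline and check, in the spirit of `rkhunter --propupd`
followed by `rkhunter --check`.  Added example for these notes: it is not
rkhunter's code or its exact property set, just the same idea written out."""
import hashlib
import json
import os
import stat
import tempfile


def file_props(path):
    """Properties worth baselining for a system binary: size, permission bits
    (a new setuid bit is a classic rootkit tell) and a SHA-256 of the content."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest.hexdigest()}


def build_baseline(dirs):
    """Walk the watched directories (e.g. /bin, /sbin, /usr/bin) and record
    properties of every regular file.  Symlinks are skipped; their targets are
    baselined on their own.  Run this only on a box you trust to be clean."""
    baseline = {}
    for top in dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                baseline[path] = file_props(path)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def check(baseline, dirs):
    """Compare the current state against the baseline.  Returns which files
    changed (and which properties), vanished, or appeared."""
    current = build_baseline(dirs)
    report = {"changed": [], "missing": [], "new": []}
    for path, props in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != props:
            fields = sorted(k for k in props if props[k] != current[path][k])
            report["changed"].append((path, fields))
    report["new"] = [p for p in current if p not in baseline]
    return report


def demo():
    """Self-contained run on a throwaway directory with constructed fake
    binaries: baseline, then trojan one, delete one, plant one, and check."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps"):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"\x7fELF fake " + name.encode())
        dat = os.path.join(tmp, "rkhunter.dat")
        save_baseline(build_baseline([bindir]), dat)   # what --propupd would persist
        # simulate an intruder: backdoor ls, remove ps, drop a bogus sshd
        with open(os.path.join(bindir, "ls"), "ab") as fh:
            fh.write(b" + hidden-process filter")
        os.remove(os.path.join(bindir, "ps"))
        with open(os.path.join(bindir, "sshd"), "wb") as fh:
            fh.write(b"\x7fELF planted")
        report = check(load_baseline(dat), [bindir])   # what --check would do
        base = os.path.basename
        return {
            "changed": {base(p): fields for p, fields in report["changed"]},
            "missing": sorted(base(p) for p in report["missing"]),
            "new": sorted(base(p) for p in report["new"]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it reports ls as changed in sha256 and size, ps as missing and sshd as new. For real use, point build_baseline at the directories rkhunter watches and keep the saved baseline somewhere an intruder with root cannot quietly rewrite (read-only media or another host), because a check is only as trustworthy as its baseline.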
Tuesday, December 22, 2009
youtube's Privacy Options
I noticed today that there is a flag for "privacy mode" in the "customize" options menu for embedding a YouTube video. According to Google this feature is designed to give users more control:
We've been working to give our users more options and control over these cookies. One such option is the privacy-enhanced mode for our embed player. This mode restricts YouTube's ability to set cookies for a user who views a web page that contains a privacy-enhanced YouTube embed video player, but does not click on the video to begin playback. YouTube may still set cookies on the user's computer once the visitor clicks on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode.
Awesome, thanks for the option. But hey, wait. If privacy mode "on" means that cookies are not set when a user merely views the page (only when they actually click play), then the past, and often current, behaviour, privacy mode "off", is that cookies are set on the user's machine every time someone views a web page with a YouTube video embedded, regardless of whether or not they actually click play.
Ok, so tracking cookies, no big deal, right? Old news. Just wanted to point that out.
Monday, December 7, 2009
chess.com + meebo
I told her many stories about how the world could be, and she listened calmly. She knew right when I was going to finish my sentences, and saw my words in a clear and distant vision. We stood on the deck looking out into the valley. The cold mountain air was no match for our combined warmth. I held her close to me and felt the future from many years away. Before I could see it up close, my attention snapped and I was tugged back to the evening. Maybe I wasn't supposed to get that close? We stepped back inside, having seen something beautiful, strange and frightening.
Thursday, May 7, 2009
Saturday, April 18, 2009
random text from CIPAV PDF
received Comcast Internet services for the following subscriber:
Sam Spiering
6133 W i w o o d Loop SE, Lacey, WA 98513
Telephone (360) 455-0569
Dynamically Assigned Active Account
Account Number: 8498380070269681
On June 4, 2007, Google provided subscriber, registration, and IP Address log history for e-mail address "douebriggS11236email.corn" with the following results:
Status: Enabled (user deleted account)
Services: Talk, Search History, Gmail
On June 7, 2007, a request to MySpace for subscriber and IP address logs for MySpace user "Timberlinebombinfo" provided the following results:
User ID: 199219316
First Name: Doug
Last Name: Briggs
Gender: Male
Date of Birth: 12/10/1992
Age: 14
Country: US
City: Law
Postal Code: 985003
Region: Western Australia
Email Address: tirnberljne.sucksB~mai1.corn
User Name: timberlinebombinfo
Sign up IP Address: 80.76.80.103
Sign up Date: June 7, 2007 7:49PM
Delete Date: N/A
Login Date: June 7, 2007 7:49:32:247 PM, IP Address 80.76.80.103
page 76:
15. The CIPAV will be deployed through an electronic messaging program controlled by the FBI. The computers sending and receiving the CIPAV will be machines controlled by the FBI.
a). The electronic message deploying the CIPAV will be directed to the administrator(s) of the "Timberlinebombinfo". Electronic messaging accounts commonly require a unique user name and password.
b). Once the CIPAV is successfully deployed, it will conduct a one-time search of the activating computer and capture the information described in paragraph seven.
c). The captured information will be forwarded to a computer controlled by the FBI located within the Eastern District of Virginia.
d). After the one-time search, the CIPAV will function as a pen register device and record the routing and destination addressing information for electronic communications originating from the activating computer.
e). The pen register will record IP address, dates, and times of the electronic communications, but not the contents of such communications or the contents contained on the computer, and forward the address data to a computer controlled by the FBI, for a period of (60) days.
more info released on FBI's home brewed malware, CIPAV
The newly released PDF weighs in at a healthy 150 pages, with info on various requests and cases where CIPAV was used.
At this time it does not seem to be public knowledge exactly what the software does and, more importantly, how it gets on the "victim's" machine.
After a 2007 affidavit, some of the security community's finest had put together a pretty good profile of what the software was likely doing:
The full capabilities of the FBI's "computer and internet protocol address verifier" are closely guarded secrets, but here's some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News.
- IP address
- MAC address of ethernet cards
- A list of open TCP and UDP ports
- A list of running programs
- The operating system type, version and serial number
- The default internet browser and version
- The registered user of the operating system, and registered company name, if any
- The current logged-in user name
- The last visited URL
More clues are likely to emerge from the recently released documents, but my guess is that it will still remain a guessing game as to what exactly the software does.
Regardless of what information the malware collects, the new documents shed some interesting light on the complicated and precise environment that the malware is supposed to run in, in one particular case. On page 78 of the PDF it is noted that the software should only be deployed between the hours of 6AM and 10PM PST. Once deployed, messages coming from the infected machine can be read at any time. Interesting for sure, perhaps even a bit strange. My guess is that the deployment hours correlate to previous bomb threats, and thus the regulated window, but that's purely speculation.
On the following page of the PDF, 79, it is noted that if the CIPAV does not activate on the victim's machine, they will attempt to deploy and activate until successful, within the 10-day window allotted for deployment. This seems to be a key factor in understanding how this malware works. An application to collect the above-mentioned data could be written in any number of languages and hidden on the machine in an overwhelming number of ways. When you consider the infection from the FBI's point of view, it would probably make the most sense to send a Windows-based app first, but maybe it's all universal now anyway? The first thing it does after activation is open up an SSL connection and phone home: IP, MAC, last URL and so on. Now, if activation does not occur right away, they act quickly while the MySpace vulnerability is still active and send over a totally different app, wait for the phone home and repeat.
The Wired article does a great job of looking at the attack vector.
Lots more interesting info coming out of that PDF. I'm looking forward to the next few days.
Tuesday, April 14, 2009
Malware String Analysis Part 1 - Getting the Strings
If you are doing your research on a Windows machine, one of the easiest ways to extract the strings of a file is to use the Sysinternals tool Strings. I like to run the application against files with a batch file in the "Send To" folder. This allows me to simply right-click on the file in question and click "Send To", then "Strings". As instructed by my batch file, the app pushes the extracted strings into a txt file for me. You can set your research box up in a similar fashion by doing the following:
click Start, Run, then type "sendto"
This will open the SendTo folder. Right-click, "New", "Text Document". Here's what I use, but you could of course modify as you like:
rem dump the ASCII strings of the file that was sent to this script
strings -a %1 > "C:\strings.txt"
rem open the result with the default .txt handler
"C:\strings.txt"
exit
Make sure you save the file with the extension .bat, and not .txt. Strings.bat is a pretty good name.
As stated on the Strings page at Sysinternals, there are various options you can use with the Strings command:
Using Strings
Usage: strings.exe [-a] [-b bytes] [-n length] [-o] [-q] [-s] [-u]
Strings takes wild-card expressions for file names, and additional command line parameters are defined as follows:
-s        Recurse subdirectories.
-o        Print offset in file string is located.
-a        Scan for ASCII only.
-u        Scan for UNICODE only.
-b bytes  Bytes of file to scan.
-n X      Strings must be a minimum of X characters in length.
To search one or more files for the presence of a particular string using strings use a command like this:
strings * | findstr /i TextToSearchFor
Using the above method you should be able to extract the strings of a file pretty quickly without much of a hassle.
If you want to do the same on Linux, chances are that you already have the necessary tool. If you type "strings" at the command prompt you know pretty quickly. In order to get this working the same as the Sysinternals tool you will need to add some extra arguments as its default output is pretty raw. I'm not entirely sure what those are as I usually just rip the strings off my Windows research box, but if anyone knows the equivalent command please post it up.
Really basic stuff, but there are all kinds of interesting things that can come from those strings. Next time we'll look at some output files and a cool tool called Yara, that helps parse the strings all quick like.
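Editor's note on the Linux side: the tool is GNU strings from binutils, and `strings -a -n 4 -t d file` gives roughly what the batch file above does (`-a` scans the whole file rather than only loaded sections, which is a different meaning from the Sysinternals `-a`; `-n` sets the minimum length, 4 by default versus 3 for Sysinternals; `-t d` prints decimal offsets like Sysinternals `-o`). Adding `-e l` also pulls out 16-bit little-endian (UTF-16LE) strings, which Sysinternals finds by default and which the `-a` in the batch file above leaves out. To make the mechanics concrete, here is an added example, not from the original post and not the Sysinternals or GNU code, that implements both scans in Python with offsets, minimum length and findstr-style filtering over a constructed fake sample; it is also the kind of string dump that the chkrootkit -x step in the Ubuntu notes above asks you to read through. The function names, the regexes and the sample blob are assumptions of this example.

```python
"""Minimal strings extractor in the style of Sysinternals Strings / GNU strings.
Added example for this post: the regexes, names and sample blob are mine, not
from the Sysinternals tool, GNU binutils, or the original post."""
import re
import sys

MIN_LEN = 4                        # GNU strings default; Sysinternals Strings defaults to 3
PRINTABLE = rb"[\x20-\x7e]"        # printable 7-bit ASCII (space .. tilde)
ASCII_RE = re.compile(PRINTABLE + b"+")
# UTF-16LE text: each printable ASCII code point is followed by a NUL byte
UTF16LE_RE = re.compile(b"(?:" + PRINTABLE + rb"\x00)+")


def extract_strings(data, min_len=MIN_LEN, ascii_only=False, unicode_only=False):
    """Return (offset, encoding, text) tuples sorted by offset.

    ascii_only   ~ Sysinternals -a   (skip the UTF-16LE scan)
    unicode_only ~ Sysinternals -u   (skip the ASCII scan)
    min_len      ~ Sysinternals -n X / GNU strings -n X
    The offset is the number Sysinternals -o / GNU strings -t d would print.
    """
    found = []
    if not unicode_only:
        for m in ASCII_RE.finditer(data):
            text = m.group().decode("ascii")
            if len(text) >= min_len:
                found.append((m.start(), "ascii", text))
    if not ascii_only:
        for m in UTF16LE_RE.finditer(data):
            text = m.group().decode("utf-16-le")
            if len(text) >= min_len:
                found.append((m.start(), "utf-16le", text))
    found.sort()
    return found


def search_strings(data, needle, **kwargs):
    """Equivalent of `strings file | findstr /i needle`: case-insensitive filter."""
    needle = needle.lower()
    return [hit for hit in extract_strings(data, **kwargs) if needle in hit[2].lower()]


def build_sample():
    """Constructed stand-in for a suspicious Windows binary (not a real sample).
    It mixes an ASCII DOS stub, a C2-looking URL, a UTF-16LE API name the way a
    wide-char program stores it, a fragment shorter than min_len, a shell
    command and a Run-key path, separated by non-printable bytes."""
    return (
        b"MZ\x90\x00" + b"\x00" * 8                                  # offset 0, "MZ" is too short
        + b"This program cannot be run in DOS mode.\r\n"             # offset 12
        + b"\x01\x02\x03"
        + b"http://example.invalid/gate.php\x00\x00"                 # offset 56
        + "CreateRemoteThread".encode("utf-16-le") + b"\x00\x00"     # offset 89, UTF-16LE only
        + b"ab\x00"                                                  # offset 127, too short
        + b"cmd.exe /c del %s\x00"                                   # offset 130
        + b"\xff\xfe"
        + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"   # offset 150
    )


def dump(data, **kwargs):
    """Render hits the way `strings -o` does: decimal offset, then the string."""
    return "\n".join("%d:%s:%s" % hit for hit in extract_strings(data, **kwargs))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(dump(blob))
    print("-- hits for 'run':")
    for off, enc, text in search_strings(blob, "run"):
        print(off, enc, text)
```

Run it without arguments to see the constructed sample, or pass a file path to dump a real binary. The point the ASCII-only batch file above misses shows up immediately: the API name stored as UTF-16LE is invisible to the ASCII scan and only appears when the 16-bit scan is on, which is why a strings pass on a Windows sample should always include both.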
Thursday, January 8, 2009
VirtualBox w/Ubuntu 8.10 x64
Ok, well that was so easy and worked exactly as expected that there is no need to write anything up. awesome.