Archive for category hardware & software

Maltego 3 creators interviewed

In a recent Exotic Liability podcast (not PG-13) Chris and Ryan interview folks from Paterva, the makers of Maltego.  You should definitely try Maltego if you've never used it.  There is a free version and it runs on both Windows and Linux.  The software lets you build a visual map of gathered intel, which makes it a must-have for penetration testing as well as for building a dossier on a person of interest.  Maltego's most powerful feature is transforms, which let you rapidly pivot from one piece of information to a related one (a domain name to its name servers, for example).

FYI:  Chris and Ryan hosted TruTV's Tiger Team show, which had a shorter life than the Microsoft Kin.

win32 memory capture & analysis cheat sheet

A high-level overview of performing a live memory capture and analysis:

  1. capture memory with MoonSols' win32dd (win64dd on 64-bit Windows), writing the image to removable or network storage rather than to the suspect disk
  2. parse the memory snapshot with Mandiant's Memoryze
  3. analyze the results in Mandiant's Audit Viewer
  4. or analyze with the Volatility Framework, which comes packaged in the SANS SIFT Workstation
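One analysis step worth scripting once the image is captured, as an added example that is not part of the original cheat sheet and not Volatility's own code: a cross-view check of Volatility's pslist (which walks the kernel's linked process list) against psscan (which carves process structures out of the raw image). A process that psscan finds but pslist does not has either exited or was unlinked from the list, which is how DKOM rootkits hide. The two tables below are constructed sample output in the Volatility 2 column layout, not real captures; the output of a real `volatility -f image.dd --profile=<profile> pslist` / `psscan` run can be fed to the same functions.

```python
"""Cross-view process check over Volatility 2 pslist/psscan text output."""
import re

# Constructed sample output (not a real capture) in Volatility 2 column format.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------
0x81a7e020 System                    4      0     56      256 ------      0
0x818b5da0 smss.exe                380      4      3       19 ------      0 2010-05-01 10:00:00
0x817e2020 csrss.exe               612    380     12      431      0      0 2010-05-01 10:00:02
0x8187b5a0 explorer.exe           1228   1200     14      400      0      0 2010-05-01 10:00:30
"""

PSSCAN_SAMPLE = """\
Offset(P)  Name                PID   PPID PDB        Time created             Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
0x01a7e020 System                4      0 0x00039000 2010-05-01 09:59:58 UTC+0000
0x018b5da0 smss.exe            380      4 0x0d2a0000 2010-05-01 10:00:00 UTC+0000
0x017e2020 csrss.exe           612    380 0x0e1c0000 2010-05-01 10:00:02 UTC+0000
0x0187b5a0 explorer.exe       1228   1200 0x0f140000 2010-05-01 10:00:30 UTC+0000
0x016c4020 notepad.exe        1500   1228 0x12c80000 2010-05-01 10:05:00 UTC+0000 2010-05-01 10:06:00 UTC+0000
0x015a9020 svch0st.exe        1640    612 0x13a10000 2010-05-01 10:07:00 UTC+0000
"""

# A data row starts with the hex offset, then name, PID and PPID.
ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_process_table(text):
    """Map PID -> (name, ppid, exited) from a pslist or psscan text table."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header, separator or blank line
            continue
        stamps = TIMESTAMP.findall(line)
        # psscan prints created and exited times; two stamps means the process exited.
        exited = len(stamps) >= 2
        procs[int(m["pid"])] = (m["name"], int(m["ppid"]), exited)
    return procs


def cross_view(listed, scanned):
    """Processes in the carved view that are missing from the linked list.

    Returns {"hidden": [(pid, name)], "terminated": [(pid, name)]}; hidden
    entries have no exit time and are the ones that deserve a closer look.
    """
    hidden, terminated = [], []
    for pid, (name, _ppid, exited) in sorted(scanned.items()):
        if pid in listed:
            continue
        (terminated if exited else hidden).append((pid, name))
    return {"hidden": hidden, "terminated": terminated}


if __name__ == "__main__":
    result = cross_view(parse_process_table(PSLIST_SAMPLE),
                        parse_process_table(PSSCAN_SAMPLE))
    for pid, name in result["hidden"]:
        print(f"HIDDEN     pid {pid:5} {name}  (in psscan, not in pslist, no exit time)")
    for pid, name in result["terminated"]:
        print(f"terminated pid {pid:5} {name}")
```

Run against real output, the same idea extends to other paired views Volatility offers (for example thrdscan against the threads of listed processes); a hit is a lead, not proof, since pslist and psscan are taken from the same snapshot and a process can legitimately start or exit between the two passes.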

Ubuntu can bypass the iPhone PIN to read data?

According to this ZDNet article, when you plug an iPhone into an Ubuntu machine the device is mounted and its contents are readable without the phone ever asking for its PIN code.  This works on non-jailbroken iPhones.  I'm surprised the article only names Ubuntu; surely this must work on other distributions as well?  Unfortunately I don't own an iPhone to test it first hand.

On a side note, is Ubuntu taking over the world?  Sometimes you don't want to make things too easy, otherwise all of the idiots will flock over from Mac and Windows and plague all of our favorite distributions with requests for ports of ___ (insert favorite fanboi single-platform software here).

DNS Performance & Security…

I've gotten tired of Road Runner's DNS redirection/hijacking "service", which I opt out of yet it keeps coming back.  I decided to do some DNS benchmarking, comparing my ISP-assigned name servers against publicly provided DNS such as Google's.  The results were very surprising.  It turns out I have less latency and fewer hops reaching some of the public DNS servers than my ISP's own, and they resolve lookups faster.

Here’s what I did:

  1. Download and run DNS Benchmark (Windows or Wine): http://www.grc.com/dns/benchmark.htm
  2. Add your ISP assigned DNS servers into the DNS benchmark tool for comparison (Windows: ipconfig /all  Linux: cat /etc/resolv.conf)
  3. Load any additional public DNS servers into the tool: publicly provided DNS
  4. If public DNS is faster, configure your machine to use those servers statically instead of the ones handed out by DHCP.
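The same comparison from the command line, as an added example that is neither the DNS Benchmark tool nor anything from the original post: it times an ordinary A lookup against each resolver and, because the complaint above is NXDOMAIN redirection, also asks each resolver for a name that cannot exist and checks whether the reply is an honest NXDOMAIN (rcode 3) or a fabricated A record. Only the standard library is used; the resolver list in the main block (Google's 8.8.8.8 plus a TEST-NET placeholder to be replaced with the servers from ipconfig /all or /etc/resolv.conf) is an assumption for the demo.

```python
"""Resolver latency and NXDOMAIN-honesty check using raw DNS over UDP."""
import os
import socket
import statistics
import struct
import time


def build_query(name, qid):
    """Minimal DNS query: 12-byte header, QNAME in label form, QTYPE=A, QCLASS=IN."""
    # flags 0x0100: standard query with recursion desired; one question.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data, qid):
    """Return rcode, answer count and truncation flag from the reply header."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    return {"rcode": flags & 0x000F, "answers": ancount,
            "truncated": bool(flags & 0x0200)}


def classify_nxdomain(resp):
    """Verdict for a query that must not resolve."""
    if resp["rcode"] == 3:
        return "honest"
    if resp["rcode"] == 0 and resp["answers"] > 0:
        return "redirected"   # a search-assist page was substituted for NXDOMAIN
    return "inconclusive"


def query(resolver, name, timeout=2.0):
    """Send one query, return the parsed header plus round-trip time in ms."""
    qid = int.from_bytes(os.urandom(2), "big")   # random id, as any sane stub does
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t0 = time.perf_counter()
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
        ms = (time.perf_counter() - t0) * 1000.0
    finally:
        sock.close()
    resp = parse_response(data, qid)
    resp["ms"] = ms
    return resp


def benchmark(resolvers, name="www.example.com", tries=5):
    """Median lookup latency and NXDOMAIN behaviour for each resolver."""
    report = {}
    # A random label under .com: practically certain not to exist and not cached.
    bogus = "nx-" + os.urandom(8).hex() + ".com"
    for r in resolvers:
        times = []
        for _ in range(tries):
            try:
                times.append(query(r, name)["ms"])
            except (socket.timeout, ValueError):
                pass
        try:
            verdict = classify_nxdomain(query(r, bogus))
        except (socket.timeout, ValueError):
            verdict = "no answer"
        report[r] = {"median_ms": statistics.median(times) if times else None,
                     "nxdomain": verdict}
    return report


if __name__ == "__main__":
    # Assumed resolver list for the demo; 192.0.2.1 is a documentation address
    # and will time out, which is what a dead ISP resolver looks like here.
    for server, res in benchmark(["8.8.8.8", "192.0.2.1"]).items():
        print(f"{server:15} median {res['median_ms']} ms   nonexistent name -> {res['nxdomain']}")
```

Median rather than mean is used on purpose: the first query to a resolver is usually a cache miss and would otherwise dominate. A "redirected" verdict is the on-the-wire signature of the hijacking the post complains about, independent of whatever opt-out cookie or setting the ISP claims to honour.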

Coincidentally, Symantec has just released its own public DNS service that provides malware filtering.  You can read The H article here.  Symantec's "secure" DNS servers are 198.153.192.1 and 198.153.194.1.

Google betas SSL for web searches

According to this H article, Google has begun beta testing SSL for its standard web search service.  As one commenter noted, Google still collects the same information from your searches; what SSL buys you is that third parties on the path can no longer eavesdrop on your queries.  Remember that SSL doesn't guarantee absolute privacy either: there is Moxie Marlinspike's SSL-stripping work, the risk of a misbehaving intermediate CA, and employers who load their own trusted CA into corporate devices so they can intercept the traffic.

Google & Privacy

Bruce Schneier recently posted an article about the erosion of privacy, specifically how the social networking sites are accelerating this "privacy decay."  Along with the social networking sites he attacked, he threw in Google.  I just came across an interesting Forbes article in which a Google engineer rebuts Schneier. You can find that article here: http://www.forbes.com/2010/04/12/privacy-facebook-gmail-technology-security-google.html

Two interesting tidbits in the article are Google’s privacy control pages which you may not be aware of:

  1. Google Dashboard – control your privacy settings for all of Google's applications
  2. Ads Preferences Manager – control whether ads are tailored to your browsing habits or not.  You can opt out there.  *Warning: this site sneakily redirects through doubleclick.net — bastards!

Determining the optimal cluster size for your volumes

If you're like most people you have a separate partition where you store your data (mp3s, torrents, software, movies etc).  Most people set these partitions up with the default settings (NTFS, 4 KB cluster size).  For a partition like that, where most files are a megabyte or more, the 4 KB cluster is a poor fit: every large file gets carved into thousands of small allocation units, which invites fragmentation and bloats the allocation metadata, so reads and writes end up doing more seeks than they need to.  With the GUID Partition Table (GPT) becoming common and drives beginning to ship with sectors larger than 512 bytes, you might as well get ahead of the curve.

First, determine the optimal cluster (block) size for your data.  A quick way to approximate it is the median file size on the partition, keeping in mind that NTFS only offers power-of-two cluster sizes (512 bytes up to 64 KB on the NTFS of this era) and that clusters larger than 4 KB rule out NTFS compression, so don't pick one if you rely on that.  Once you know the cluster size you will need to copy the data to another partition or drive.  Finally, repartition with the new cluster size and copy your data back.

Here are the steps:

  1. Run one of the scripts below, open the output in Excel/Calc and apply the median() function — does anyone have a quicker way to determine the median file size?  keyboard kung fu?
  2. Calculate the median size of the files on the volume (listFilesSize – VBScript) (listFileSizes_python/linux — first attempt at Python!)
  3. Move the data off the volume
  4. Reformat the volume with the optimal cluster size
  5. Verify the new cluster size: [root@localhost]# ntfsinfo -m -d /dev/sdaX
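For step 1 and 2, an answer to the "quicker way" question as an added example (this is not the post's listFilesSize or listFileSizes_python script): one Python file that walks the volume, reports the median, and for each candidate NTFS cluster size computes the slack, meaning the bytes lost in every file's partially used last cluster. The recommendation is the largest cluster whose slack stays under a chosen fraction of the data, which answers the actual trade-off more directly than the median alone. Assumptions: the candidate sizes are the power-of-two NTFS clusters from 512 B to 64 KB, and the 1% slack budget is an arbitrary choice.

```python
"""Pick an NTFS cluster size for a data volume from its file-size distribution."""
import os
import statistics
import sys

CLUSTER_SIZES = [512 << i for i in range(8)]   # 512 B .. 64 KiB (assumed NTFS range)
SLACK_BUDGET = 0.01                            # accept at most 1% of data lost to slack


def collect_sizes(root):
    """Sizes of all regular files below root; unreadable entries are skipped."""
    sizes = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            try:
                sizes.append(os.stat(os.path.join(dirpath, fn)).st_size)
            except OSError:
                continue
    return sizes


def median_size(sizes):
    """Median file size, the figure the post's spreadsheet step produces."""
    return statistics.median(sizes) if sizes else 0


def slack_bytes(sizes, cluster):
    """Total bytes wasted in the final, partially filled cluster of each file."""
    # (-size) % cluster is the gap between size and the next cluster boundary.
    return sum((-size) % cluster for size in sizes)


def recommend_cluster(sizes, budget=SLACK_BUDGET):
    """Largest candidate cluster whose slack stays within budget of the data."""
    total = sum(sizes)
    if total == 0:
        return CLUSTER_SIZES[0]
    best = CLUSTER_SIZES[0]
    for cluster in CLUSTER_SIZES:
        if slack_bytes(sizes, cluster) / total <= budget:
            best = cluster
    return best


def report(sizes):
    """(cluster, slack bytes, slack as a fraction of data) for every candidate."""
    total = sum(sizes) or 1
    return [(c, slack_bytes(sizes, c), slack_bytes(sizes, c) / total)
            for c in CLUSTER_SIZES]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    sizes = collect_sizes(root)
    print(f"{len(sizes)} files, median size {median_size(sizes):.0f} bytes")
    for cluster, slack, frac in report(sizes):
        print(f"cluster {cluster:6d}: slack {slack:>14d} bytes ({frac:.2%})")
    print(f"recommended cluster size: {recommend_cluster(sizes)} bytes")
```

Run it as `python clustersize.py D:\` (or a mount point on Linux) before moving the data. On Windows the cluster size of the reformatted volume can be confirmed with `fsutil fsinfo ntfsinfo X:`, which prints "Bytes Per Cluster", the counterpart of the ntfsinfo check in step 5.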

Try something new…. AskEraser….

I've been looking around for a new search engine besides Google.  I'm worried about giving them all the business, and their privacy policy scares me.  They're collecting more and more of our information and no one seems to notice.  (Take a look at Google's new Dashboard if you want to see what they're collecting on you.)  I'll admit I haven't started running my own MTA again, but I'm getting close. Do you want my public key?  I hope you have one.  There are guys in Utah and St. Louis looking through your email contents as I write this….

Anyways…back on track….

It's not an easy task comparing privacy policies even if you limit your search to the big players (Google, Yahoo, Bing, Baidu, Ask, AltaVista).  Apart from Scroogle, which is a Google proxy returning scrubbed results cookie-free, most of the large search engines have very similar policies: they all store some type of tracking cookie and say they may use it to target specific advertisements at you and/or share it with third parties.  HOWEVER, all is not lost; I did come across Ask.com's AskEraser.  Navigate over to Ask.com and in the top right corner you'll see "AskEraser On | Off".  Turn it on and check your cookies for yourself…. it does make a difference…

When enabled, AskEraser will completely delete your search queries and data from Ask.com servers, including: your IP address, User ID and Session ID cookies, as well as the complete text of your search query–all within a matter of hours.

We'll have to take Ask's word that they're actually removing our search data from their servers, unless someone has a better idea?  Raid one of their NOCs on a Friday night and bribe the night security guard with a pizza and a hooker? (Maybe the pizza and a Mountain Dew would be enough.)

Windows Anti Forensics Tip of the Day…

I previously wrote about having your system automatically clear the pagefile at shutdown or reboot.  There are a couple of other steps I recommend you take on your system…

Automatically permanently delete (NukeOnDelete) – Normally Delete sends files to the Recycle Bin and Shift+Delete bypasses it.  With the registry tweak below a plain Delete behaves like Shift+Delete. ***Note: "permanently delete" does not mean the data is gone.  It only frees the file record and the clusters so they _could_ be overwritten; until they are, the content is recoverable with any undelete or carving tool.

  1. Go to Start -> Run and type Regedit
  2. On the left hand side click the "+" signs to expand the tree down to the following key.
  3. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ BitBucket
  4. On the right look for NukeOnDelete
  5. Right click it and set the DWORD value of NukeOnDelete to 1 (this is the global setting on XP; on Vista and later the value lives per volume under BitBucket\Volume\{GUID})

Scheduled task to wipe unused disk space – As mentioned above, deleting a file only means there is a _chance_ it will be overwritten.  The command below overwrites all unallocated space on the volume (cipher /W actually makes three passes: zeros, then ones, then random data), which _should_ be good enough to prevent recovery of file content. ***Note: the deleted file's name will still be lying around in the MFT until a new file happens to overwrite its record, and cipher /W does not touch file slack or the data of small files stored resident inside the MFT itself; it also only works on NTFS volumes.

>cipher /W:[directory_to_wipe]

Here’s my scheduled task: C:\WINDOWS\system32\cmd.exe /c cipher /W:C:\

Scheduled task to delete Recent Items – Even if you permanently delete a file and/or use Eraser, a shortcut carrying the file name stays behind in your Recent folder.  I have the following scheduled task commands which clear my Recent items once a day….

Task for Recent Items:

>C:\WINDOWS\system32\cmd.exe /c del “c:\documents and settings\[username]\recent\*.lnk”

Task for Recent Office Items:

>C:\WINDOWS\system32\cmd.exe /c del /Q “C:\Documents and Settings\[username]\Application Data\Microsoft\Office\Recent\*.*”
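The registry tweak and the three scheduled tasks above, collected into one install script as an added example (not from the original post). It assumes an NTFS C: drive, an administrator command prompt, and that the XP-style Recent folder lives directly under %USERPROFILE% while Vista and later keep it under %APPDATA%\Microsoft\Windows\Recent; the task names, run times and the script location under %SystemRoot% are arbitrary choices.

```batch
@echo off
REM install-antiforensics.cmd (added example, not from the original post)
REM Assumptions: NTFS C: volume, run from an administrator prompt, XP or later.

REM 1. Make Explorer's Delete skip the Recycle Bin. This is the global XP
REM    setting; Vista and later key it per volume under BitBucket\Volume\{GUID}.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket" /v NukeOnDelete /t REG_DWORD /d 1 /f

REM 2. Write the cleanup script the daily task will run. Paths are left as
REM    %VAR% in the generated file (%% is a literal % inside a batch file) so
REM    they expand for whichever user the task runs as.
set SCRIPT=%SystemRoot%\clear-traces.cmd
(
  echo @echo off
  echo REM Recent-item shortcuts: XP keeps them under the profile root,
  echo REM Vista and later under %%APPDATA%%\Microsoft\Windows\Recent.
  echo if exist "%%USERPROFILE%%\Recent" del /q "%%USERPROFILE%%\Recent\*.lnk"
  echo if exist "%%APPDATA%%\Microsoft\Windows\Recent" del /q "%%APPDATA%%\Microsoft\Windows\Recent\*.lnk"
  echo if exist "%%APPDATA%%\Microsoft\Office\Recent" del /q "%%APPDATA%%\Microsoft\Office\Recent\*.*"
) > "%SCRIPT%"

REM 3. Clear recent-item shortcuts every day at 03:00. Without /ru the task
REM    runs as the user creating it, so %APPDATA% resolves to that profile;
REM    XP's schtasks may prompt for that account's password.
schtasks /create /tn "ClearRecentItems" /sc daily /st 03:00 /tr "%SCRIPT%"

REM 4. Overwrite free space on C: every Sunday at 04:00 as SYSTEM. cipher /w
REM    does three passes (0x00, 0xFF, random) over unallocated clusters only;
REM    MFT-resident data and file slack are not touched, and the volume must be NTFS.
schtasks /create /tn "WipeFreeSpace" /sc weekly /d SUN /st 04:00 /ru SYSTEM /tr "cipher /w:C:\"
```

Re-running the script will fail at the schtasks lines if the tasks already exist; delete them first with `schtasks /delete /tn "ClearRecentItems"` and `schtasks /delete /tn "WipeFreeSpace"`. The free-space wipe can take hours on a large volume, which is why it is scheduled weekly and off-hours rather than daily.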

Eraser – I highly recommend this great freeware utility.  One of the many things it does is add an option to your context menu to permanently delete a file, overwriting its contents in the same step.

Jailbreak: Export non-exportable Windows certificates

I came across a handy (& free) Windows utility that allows you to export "non-exportable" certificates.  Do you want to get at those recovery certificates or private keys?  The "non-exportable" flag is enforced by the CryptoAPI code running inside your own process, not by any cryptography, which is why a tool running with your privileges can lift the restriction.  Jailbreak can be snatched here: https://www.isecpartners.com/jailbreak.html