Tuesday, May 27, 2014

New version of REMnux released

Lenny Zeltser has released the next major version, v5, of REMnux, an Ubuntu-based virtual machine specializing in malware analysis. More information is available here.
If you're not familiar with REMnux, it's a distro with a wide assortment of tools for analyzing JavaScript, PDF files, executable binaries and the like, and it is a great resource for intrusion analysts investigating alerts from your IPS, packet capture devices, logging servers or network-based malware tools.

Tuesday, May 13, 2014

Unzip Gzip

New intrusion analysts will find that web traffic is increasingly compressed as sites grow more complex and carry more multimedia content. You might use wget to pull down a page during an investigation, or something like Spondulas, and end up with a file of mostly "garbage" like this one (intentionally shortened):

HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Tue, 13 May 2014 18:44:27 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: __cfduid=dda0ed9839b8fbbaadbee565b711a05951400006667162; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.yadayada.com; HttpOnly
Cache-Control: max-age=10
Expires: Tue, 13 May 2014 18:44:37 GMT
CF-RAY: 12a101e5c86a09ac-ORD
Content-Encoding: gzip
Transfer-Encoding: chunked
Connection: keep-alive

4e5
^_<8b>^H^@^@^@^@^@^@^CWmo6^P_j@^B^T^Gk<9b>&<96><86>"M|Z<8a>0hl1H<95>]<8e>H<93>6<80><8b>u{{x_O/>;#<85>+e6<9a><<98>^S^Yy)#^S@d<91>^R^A<89><96><80><88>H^Vi^D<8a>=BG^_Ab<89>[^V^GvBx^X
=PG^O<80>Z^V+vE<8d>Bi^_^@<96><8f>^SNB<8a>s<96>^D/Ru\<81>^S<96>kESCs]<92>E
...
...
...
0

Notice the Content-Encoding header: it tells us the body is gzip compressed. Transfer-Encoding: chunked tells us the compressed stream is additionally broken into length-prefixed chunks; the 4e5 line is the first chunk's size in hex, and the final 0 marks the end of the body.

The Moloch packet capture program has a built-in gzip decompressor, but if you don't have a tool that does this automatically, it's easily accomplished manually. Open the file in vi or some other text editor and remove the HTTP headers, blank lines, etc. down to the block of binary data, which starts at the first caret (^_<8b> is how vi displays the two gzip magic bytes, 0x1f 0x8b). Because this response is chunked, also remove the hex chunk-size lines (the 4e5 at the top, the trailing 0, and any others between chunks); if they're left in the middle of the stream, gzip will fail partway through with a format or crc error. Save the file with a .gz extension, or rename it, then decompress it with the -d parameter:

gzip -d filename.gz

The resulting file is now unzipped and readable (and no longer has the .gz extension). If you'd rather not rename the file, gzip -dc < filename > page.html reads from stdin and doesn't care about the suffix. One caveat when editing binary data in a text editor: a trailing newline added on save is harmless (gzip just reports "trailing garbage ignored"), but an editor that re-encodes the bytes will silently corrupt the stream, and you'll get a crc error instead of a page.
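As an added example, not from the original post and not part of Moloch or Spondulas, here is a small Python script that does the same job without hand-editing binary data in vi: it splits the saved response into headers and body, strips the chunk framing, and decompresses according to Content-Encoding (gzip, plus deflate in both its zlib-wrapped and raw forms, since both turn up in the wild). The sample response embedded in it is constructed for the example and is not the capture shown above; the `naive_gunzip_fails` helper shows what happens if the chunk-size lines are left in.

```python
import gzip
import zlib


def split_head_body(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate a capture saved with bare LF line endings
        head, sep, body = raw.partition(b"\n\n")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")  # first colon only: Date: values contain more
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body.

    Wire format: '<hex size>[;extension]\\r\\n<size bytes of data>\\r\\n', repeated,
    terminated by a zero-size chunk. These size lines are what break gzip -d if left in.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break  # zero-size chunk ends the body (optional trailers may follow)
        out += body[pos:pos + size]
        pos += size + 2  # step over the data and the CRLF that terminates it
    return bytes(out)


def decode_content(body: bytes, encoding: str) -> bytes:
    """Undo Content-Encoding: gzip, deflate (RFC 1950 zlib-wrapped or raw DEFLATE) or identity."""
    enc = encoding.strip().lower()
    if enc in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate, no zlib header
    if enc in ("", "identity"):
        return body
    raise ValueError(f"unsupported Content-Encoding: {encoding!r}")


def decode_response(raw: bytes) -> bytes:
    """Full pipeline: strip headers, remove chunk framing, decompress."""
    _status, headers, body = split_head_body(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    return decode_content(body, headers.get("content-encoding", ""))


def naive_gunzip_fails(raw: bytes) -> bool:
    """True if gunzipping the body *without* removing the chunk-size lines fails,
    i.e. the mistake the manual vi procedure has to avoid."""
    body = split_head_body(raw)[2]
    try:
        gzip.decompress(body)
        return False
    except (OSError, EOFError, zlib.error):
        return True


# Constructed sample (not the real capture): a small page carrying an obfuscated script,
# gzip-compressed and sent as two chunks behind headers modelled on the ones above.
PAGE = b"<html><body><script>eval(unescape('%61%6c%65%72%74'))</script></body></html>"
GZ_BODY = gzip.compress(PAGE)
_cut = len(GZ_BODY) // 2
SAMPLE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: cloudflare-nginx\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    + b"%x\r\n" % _cut + GZ_BODY[:_cut] + b"\r\n"
    + b"%x;ext=1\r\n" % (len(GZ_BODY) - _cut) + GZ_BODY[_cut:] + b"\r\n"
    + b"0\r\n\r\n"
)

if __name__ == "__main__":
    print(decode_response(SAMPLE).decode())
```

Point it at a file saved by wget -S or Spondulas by reading the file in binary mode and passing the bytes to `decode_response`; the status line and header dictionary it returns are also handy for logging the Server, Set-Cookie and Content-Type values alongside the decoded page.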


Wednesday, May 7, 2014

Resource List

I recently put together a list of resources that a new NetSec/InfoSec associate could use to familiarize himself with some of the subject matter he'll come into contact with. It's by no means exhaustive, even of the bookmarks, articles and media I've saved myself over the years, but I think there's some useful content and thought I'd post it. I'm still in the process of fleshing it out (at which point it'd probably be overload for a new person), but I enjoy organizing study materials and absorbing as much as I can in my limited free time. Comments are welcome if you see something you think is a stinker, and even more welcome would be you sharing some of your links to add to the list. Thanks in advance!
(Please remember the target here is someone new to NetSec/InfoSec. A 50-page white paper on optimizing ring buffers would be interesting to others but probably not what you want to lay on the new guy on the team.)

Information Security Resources

Web sites:
Internet Storm Center - https://isc.sans.edu/index.html
Dark Reading Daily - http://www.darkreading.com/
InfoSec Island - http://www.infosecisland.com/
Ethical Hacker Magazine - http://www.ethicalhacker.net/
PaulDotCom Tech Segments - http://wiki.pauldotcom.com/wiki/index.php/TechSegments

Videos:
SecurityTube - http://www.securitytube.net/
DerbyCon (2013) - http://www.irongeek.com/i.php?page=videos/derbycon3/mainlist
Academy Pro - http://www.theacademypro.com/
SourceFire - Chalk Talks - https://www.youtube.com/playlist?list=PL272154EC1786E588
DefCon - https://www.youtube.com/user/defconvidoes
BlackHat - https://www.blackhat.com/html/archives.html
ShmooCon (2014) - https://archive.org/details/shmoocon-2014
Microsoft (End User) - http://www.microsoft.com/security/default.aspx

Reference:
Security Terms Glossary - http://www.sans.org/security-resources/glossary-of-terms/
Network Security Glossary - http://www.watchguard.com/glossary/
Mind Maps - http://www.amanhardikar.com/mindmaps.html

Dashboards:
Talisker Security Wizardry - http://www.securitywizardry.com/radar.htm
Kaspersky Threat Map - http://cybermap.kaspersky.com/
Arbor Networks DDoS Map - http://www.arbornetworks.com/asert/map/

Mailing Lists:
Team Cymru Dragon Newsbytes (Private) - https://lists.cymru.com/mailman/listinfo/ians_dragon_newsbytes
Full Disclosure - http://nmap.org/mailman/listinfo/fulldisclosure
SANS (all) - http://www.sans.org/newsletters/

Linux:
Linux Library - http://www.troubleshooters.com/linux/index.htm
Learn Linux at Linux.com - http://www.linux.com/learn
Linux Documentation - http://linux.die.net/

Classes:
Open Security Training - http://opensecuritytraining.info/Training.html
EDX Intro to Linux (starts Aug 1, $2,400.00 class for free) - https://www.edx.org/course/linuxfoundationx/linuxfoundationx-lfs101x-introduction-1621#.U2fY1Pl4C4I

PodCasts:
Getmon IT Security Podcasts - http://www.getmon.com/
ISC Podcasts (SANS Internet Storm Center) - http://isc.sans.edu/podcast.html

Vulnerability Information:
U.S. CERT - http://www.us-cert.gov/
SecurityFocus - http://www.securityfocus.com/

TCPDump/Wireshark and General Packet Capturing:
TCPDump command fu - http://www.commandlinefu.com/commands/using/tcpdump
Wireshark Wiki - http://wiki.wireshark.org/

Malicious Javascript:
http://cansecwest.com/slides07/csw07-nazario.pdf
http://www.cs.bham.ac.uk/~covam/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html

Blogs:
Bruce Schneier - https://www.schneier.com/index.html
Anton Chuvakin - http://www.chuvakin.com/
Marcus J. Ranum - http://www.ranum.com/
Lance Spitzner - http://www.spitzner.net/
Snort - http://blog.snort.org/
VRT (Vulnerability Research Team of Sourcefire) - http://vrt-blog.snort.org/
Naked Security (Sophos) - http://nakedsecurity.sophos.com/
MalwareBytes - http://blog.malwarebytes.org/

MindMaps

I queried a group the other day for their favorite resource for new NetSec team members. I received a lot of good feedback, including one person's links to some really nice mind maps he'd made. The first two are unrelated to network security, but after that you'll find mind maps for subjects like crypto, PKI, securing home computers, reviewing wireless networks, PCI and more. The link is here. They are beautifully done, and the author, Aman Hardikar, obviously put a lot of time and effort into them. I recommend you take a look at them.

Monday, May 5, 2014

2014 Verizon Data Breach Report

The 2014 edition of the Verizon Data Breach Investigations Report is out. If you've never read this, it's a fascinating overview of the past year with respect to who was compromised and how.
You can download your copy of the report at http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf
No sign up is required though they do give an option of registering to get advance notification of future editions.
