May 08
SuperShield
When running an app you just aren't sure about... If you go to my http://superconfigure.com website you will find my latest tool (my 3rd such utility).
I write such things in my spare time, which isn't too often.
SuperShield launches an application with Low Integrity and severely restricts what it can access.
Here is a snapshot showing IE launched as a child process of SuperShield; notice the IL level.
Here is a snapshot showing the files IE8 reads normally.
Absolutely none of these files are touched by IE 8 if it is launched by SuperShield!!

April 22
More Good Security papers
Thwarting Virtual Machine Detection (Tom Liston, Ed Skoudis)
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
The Art of Unpacking (Mark Vincent Yason)
https://www.blackhat.com/presentations/bh-usa-07/Yason/Presentation/bh-usa-07-yason.pdf
The following are from the Helsinki University of Technology:
Malware Situation in 2009 (Mikko Hyppönen)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/malware_in_2009.pdf
Reverse Engineering I (Gergely Erdelyi)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/introduction_to_reverse_engineering.pdf
Windows Operating System: Antivirus Perspective (Kimmo Kasslin)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/windows_operating_system.pdf
Reverse Engineering II (Antti Tikkanen)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/reverse_engineering_basics.pdf
Mobile Malware (Jarno Niemelä)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/current_mobile_phone_threats.pdf
Using Debuggers to Analyze Malware (Antti Tikkanen)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/using_debuggers_to_analyze_malware.pdf
Emulators and Disassemblers (Jarkko Turkulainen)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/emulators_and_disassemblers.pdf
Reverse Engineering III (Gergely Erdelyi)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/reverse_engineering__pe_format.pdf
Unpacking and Decrypting Malware (Jarkko Turkulainen)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/unpacking_and_decrypting_malware.pdf
Windows Kernel Malware (Kimmo Kasslin)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/windows_kernel_malware.pdf
Antivirus Engine Design. Introduction to the Course Assignment (Mika Ståhlberg)
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/antivirus_engines.pdf
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/simple_deobfuscating_antivirus_engine.pdf

April 17
Notes for Windows 7 for Developers
Use the following GetVersionEx() fields to determine if you are running on Windows 7:
osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1
Windows 7 has a policy control that can optionally enforce that AppInit DLLs must be digitally signed in order to load; and some DLLs may not load into critical OS processes.
A service can be started or stopped based on an event.
In IE 8, the User-Agent string contains "Trident/4.0", even in IE7 compatibility mode.
IE 8 will have DEP enabled by default.
IE 8 will have malware URL filtering, on top of the existing phishing URL filtering.

April 15
Collection of Security Presentations
Browser Forensics
http://www.techsec.com/agendaforensic08/monday/Browser_Forensics_Matthew_McFadden.pdf
Industry/Government Infrastructure Vulnerability Assessment: Background and Recommendations
http://www.nanog.org/mtg-0206/ppt/avi.ppt
ISP Security - Real World Techniques: Remote Triggered Black Hole Filtering and Backscatter Traceback
http://www.nanog.org/mtg-0110/ppt/greene.pdf

Upcoming Security Conferences
30th IEEE Symposium on Security & Privacy
http://oakland09.cs.virginia.edu/
May 17-20, 2009, Oakland, California
ISS World: Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering
http://www.issworldtraining.com/ISS_EUROPE/
3-5 June 2009, Prague, CZ
2009 Techno Conference
http://www.techsec.com/html/Techno2009.html
May 31 - June 3, 2009, Myrtle Beach
The North American Network Operators' Group, NANOG
http://www.nanog.org/
June 14-17, 2009, Philadelphia, Pennsylvania
12th International Symposium On Recent Advances In Intrusion Detection
http://www.rennes.supelec.fr/RAID2009/
September 23-25, 2009, Saint-Malo, Brittany, France
ISC East International Security Conference
http://www.isc365.com/isc_east_08.aspx
October 28-29, 2009, New York
DeepSec, annual European two-day in-depth conference on computer, network, and application security.
https://deepsec.net/
November 17-20, 2009, Vienna, Austria

March 27
News...
Good article on IE 8 Anti-Spoofing by Aditya K Sood @ SecNiche Security.
The 2009 Techno Security Conference, May 31, Myrtle Beach.
They seem to be giving a Certified Ethical Hacker course; I recommend this certification to any serious IT security person, perhaps even more than the infamous CISSP!
BadwareBusters.org launches an online community to help people with their malware issues.
March 13
Before giving your sister your old PC, here are some tips on how to clean it while leaving it bootable and usable afterwards.
1- In an admin command prompt, execute the following:
cipher.exe /W:C:
This physically overwrites the free (deallocated) space on your hard drive. Remember that deleting files simply removes them from the NTFS index; you still want the data gone, otherwise any forensic tool will easily recover your secret data.
Keep this tool running the whole time while performing all the following actions, and re-run it after rebooting and as many times as you feel comfortable.
2- Clear your browser's cached information using the browser itself
So if you have three browsers installed, use each browser's cache clearing ability.
That means IE, Chrome, and Firefox...
3- Uninstall applications using the straightforward built-in Add/Remove feature
MSN Live Messenger and Jungle Disk are good candidates, along with any app that stores local data.
4- Find the data store of your mail program, and clear the folder
For example, Windows Live Mail has this under Tools - Options - Advanced - Maintenance button - Store Folder.
Go in the folder, or even better the subfolder, and delete everything.
Hold the [Ctrl] key while deleting files to circumvent the recycle bin.
5- Using User Accounts, remove all other users
6- Delete data files
Run this command from an admin prompt (replacing XXX with the user name), in this folder on XP:
C:\Documents and Settings\
rmdir /S /Q "XXX"
and in this folder on Vista:
C:\ProgramData
rmdir /S /Q "XXX"
7- Run CCleaner
You can download it from http://www.ccleaner.com/
I create a root folder called "byebyePc" when setting up a new machine and keep the installer there, because when the time comes to clean the machine it may not have Internet access.
8- Remove installed personal certificates
Using certmgr.exe (you can also do this from IE Internet Options - Content tab), remove any personal certificates you may have installed.
9- Use Windows Install Cleanup
You can get it from: http://support.microsoft.com/kb/290301
Select All and Remove
10- Reboot
But only after the cipher command has finished. Re-run it as you see fit.
As per a previous posting... pandora.com and spotify.com, two online music sites, are also unavailable from Canada.

February 06
The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
More PDF exploits seen in the wild - Adobe Reader and Acrobat flaws open the way for further document attacks.
Adobe Flash Player plugin exploits

February 03
Jungle Disk + Zune = I$P
It took me some time to figure it out, but I was getting a monthly $30 overcharge for data from my ISP.
Too much Xbox? Nope! It seems that if you put your MP3 songs on a Jungle Disk drive and configure your Zune software to look there, it may download the same MP3 files EVERY 10 minutes. I noticed that looking through the Jungle Disk logs. So, no more Zune! I sync with iTunes to the Jungle Disk drive...

January 15
Need to submit an Internet Fraud report (US)?
The Internet Crime Complaint Center (IC3) is the place to go.
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).

CastleCops is no more
When going to the CastleCops website, you are now greeted with:
"You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end."
Shame, it was quite useful.

December 09
*New* Network Impact Tool
I wanted a web performance measurement tool, but didn't find one that fit my needs, so I created NIP:
Network Impact Tool
The highlights are:
- Uses the real IE engine to load web pages
- Waits for the web page to finish loading
- Uses your domain-names file so you can configure what servers to use in your analysis
- Resolves hostnames to exclude DNS from the equation
- Clears IE cache and does not use it for its tests
I put it on my superconfigure.com website.

November 12
What is Clickjacking? See for yourself
Some of you may have heard the latest security buzzword, clickjacking.
To better understand what it is all about, visit this page and see for yourself:

XSS Prevention in IE 8
IE 8 has great XSS prevention built-in.
This IE Blog entry:
explains the details. If you are using IE8, you can navigate to
and see it in action!

October 29
Smart Software Development VS. Good Software Development
Here's a technical question: You have a full path to a file, and the task is to replace the file name with another one.
For example:
C:\temp\folder\this.exe
is the input, and you need to end up with
C:\temp\folder\that.exe
In the code below, "currentDir" is the string we want to change, "C:\temp\folder\this.exe" above.
And program parameter 1, "szArglist[1]", is what we want to change it to.
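Before looking at the two solutions, here is a portable C version of the same file-name replacement with explicit bounds checks, added here as an example and not code from the post. It treats both '\' and '/' as separators so it builds off Windows, and it fails (leaving the buffer untouched) instead of silently truncating when the new name does not fit or is not a bare file name; the names replace_filename and demo_case are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Replace the file-name component of the NUL-terminated path in `path`
 * (buffer capacity `cap` bytes) with `newname`, in place. Returns false
 * and leaves `path` untouched if the result would not fit or `newname`
 * is not a bare file name. '\\' and '/' both count as separators. */
bool replace_filename(char *path, size_t cap, const char *newname)
{
    if (path == NULL || newname == NULL || cap == 0)
        return false;
    /* Empty names or names containing a separator would alter the
     * directory, not just the file name: reject them outright. */
    if (newname[0] == '\0' || strpbrk(newname, "\\/") != NULL)
        return false;
    const char *nul = memchr(path, '\0', cap);
    if (nul == NULL)              /* not NUL-terminated within cap */
        return false;
    size_t len = (size_t)(nul - path);

    /* Directory part = everything up to and including the last separator. */
    size_t dir_len = 0;
    for (size_t i = 0; i < len; i++)
        if (path[i] == '\\' || path[i] == '/')
            dir_len = i + 1;
    /* Bound check before writing: dir + new name + NUL must fit. An
     * overlong name is an error here, never a silently truncated path. */
    size_t new_len = strlen(newname);
    if (new_len > cap - 1 - dir_len)
        return false;

    memcpy(path + dir_len, newname, new_len + 1);  /* copies the NUL too */
    return true;
}

/* Demo helper: copy `start` into a buffer limited to `cap` bytes (<= 64),
 * run the replacement, and report whether the success flag and the final
 * buffer contents match what the caller expected. */
bool demo_case(const char *start, size_t cap, const char *newname,
               bool want_ok, const char *expect)
{
    char buf[64];
    if (cap > sizeof buf || strlen(start) >= cap)
        return false;
    strcpy(buf, start);
    bool ok = replace_filename(buf, cap, newname);
    return ok == want_ok && strcmp(buf, expect) == 0;
}
```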
Solution 1, the smart way:
Notice the developer here takes buffer overflows into account and tries to protect his application.

    #include <strsafe.h>
    // Split currentDir into its drive and directory parts, bounded by the buffer sizes.
    wchar_t strDrive[_MAX_DRIVE+1] = {0};
    wchar_t strDir[_MAX_DIR+1] = {0};
    _wsplitpath_s(currentDir, strDrive, _MAX_DRIVE, strDir, _MAX_DIR, NULL, 0, NULL, 0);
    // Rebuild the path: drive, then directory, then the new file name, each bounded to MAX_PATH.
    lstrcpyn(currentDir, strDrive, MAX_PATH);
    StringCchCatN(currentDir, MAX_PATH, strDir, _MAX_DIR);
    StringCchCatN(currentDir, MAX_PATH, szArglist[1], _MAX_FNAME);

That's one smart C++ developer: notice the splitpath SAFE API is used.
Notice that lstrcpyn() is used too.
And notice the safe string library is used to concatenate strings.
Solution 2, the good way:
Here is the exact same thing:

    #include <shlwapi.h>   // PathRemoveFileSpec / PathAppend; link with shlwapi.lib
    PathRemoveFileSpec(currentDir);     // strip the trailing file name
    PathAppend(currentDir, szArglist[1]); // append the new one

Hmm, which is better, the smart way or the good way??

October 13
Mafia Boy you Media Whore
Over eight years ago, a 15-year-old Montreal kid came across online tools to perform DDoS attacks. Back then DDoS attacks were grabbing headlines, and he did what any other 15-year-old kid would do: he made headlines of his own.
The knowledge required to carry out such an "attack" is nil; I am therefore wondering what Michael Calce, aka Mafia Boy, has to say that merits him putting out a book?!?
I'm sure there will be countless anecdotes about his childhood, but essentially zero technical info; blame the MSM for pimping this (and promoting their own show): they get the ratings and he gets the book sales.
See the CBC interview on The Hour here: http://www.cbc.ca/thehour/videos.html?id=882780325
So what would I like to see instead? How about the history around Mebroot (the MBR rootkit): its authors and who is paying them.
There's some real work, malicious or not...

September 30
From the author of cryptlib, Peter Gutmann
I had to pass this along:
Date: Tue, 30 Sep 2008 21:02:35 +1300
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Subject: Risks of all-encompassing backups
With users squirreling their data away in ever more obscure locations (this "disk drive" is an iPod, that "disk drive" is a cellphone, the other "disk drive" is an SD card, ...) it's necessary for backup software to be very methodical in what it backs up or face the risk of losing user data. So what happens when your software uses a comprehensive backup policy? Here's one example, with identifying marks deleted:
This programme, always running in the background, monitors files on your computer and notices when they have been modified. It then copies the files, compresses and encrypts them, and sends them through the net to a backup computer. This system reads and preserves ALL FILES on each computer. Users are not allowed to restrict files from being read and backed up.
If you have a laptop, you may have noticed that this programme uses huge amounts of bandwidth initially, because it starts out by dumping all the files on your disk. I discovered this when most of my ISP monthly allocation was used up over one weekend, largely by this backup. I quickly learned to put the application on "pause" whenever it was plugged in at home. I don't always remember to "unpause" it when I am at work, and I'm having second thoughts about whether I even want to.
After some consultation, I was assured that the bandwidth for uploading files would decline rapidly once all the files had been transferred, but the high upload rate continued for over a month. I was mystified why it should be taking so long to finish this initial task for an 80GB drive until I discovered that the programme is not simply monitoring the internal hard disk, but all memory devices accessible to the computer. So when I took it home, it was, among other things, backing up the 300MB drive I use for family and personal matters, and another 500MB drive that I used as a "hot backup". In fact, apparently, every time you drop a CD or DVD into a drive, or connect a memory stick, it also grabs those files and uploads them. Even connecting a camera, apparently will result in your pictures being uploaded and saved. I haven't yet been able to determine whether it is also accessing remote disks that are available to my computer at home through my network behind a firewall, where sharing is wide open, and other members of my family have information they definitely do not want uploaded.
It seems the vendors are stuck between a rock and a hard place. If they miss some obscure storage location, then customers get upset. But if they do scour every piece of storage media, then other customers get upset. You can't even exclude "obvious" media like CDs/DVDs because with packet-writing software you don't know whether what's in there isn't being used as general R/W data storage and therefore in need of backup.