Archive for March, 2006

An Affordable Surveillance System

Friday, March 24th, 2006

We have been looking at alternative means of surveillance for a while now. We have solutions deployed currently that are provided by Diebold but have found the solutions to be expensive and not very flexible. Our goal is to be able to produce images captured from cameras throughout our branch locations, storage facilities, and remote ATM machines, that are high quality and could be used in an internal investigation or provided as usable evidence to law enforcement if necessary. Our current solutions obviously work, but my superiors have requested larger, better quality images than what we are currently capturing.


Sourcefire and Check Point NOT merging after all

Friday, March 24th, 2006

According to the press release over at Sourcefire.com, Check Point and Sourcefire will NOT be merging after all.

Columbia, Md., March 23, 2006 - Sourcefire, Inc., the world leader in intrusion prevention, today announced that, with the consent of the US government, Sourcefire and Check Point Software Technologies have opted to withdraw their merger filing with the Committee on Foreign Investment in the United States (CFIUS). Sourcefire will continue to operate as the industry’s largest private Intrusion Prevention System (IPS) vendor.

I don’t really agree with the political reasons behind the merger withdrawal, but nonetheless, it’s apparently off.

Who is FuntKlakow?

Thursday, March 23rd, 2006

I saw a post over at SecurityMonkey’s blog regarding sleeper cell bots and immediately became interested - http://blogs.ittoolbox.com/security/investigator/archives/008389.asp

Apparently, there’s a bot running around creating accounts on various phpBB bulletin boards. No one really knows the true purpose of this activity. It’s possible, as you’ll read in SM’s blog entry, that this bot is registering all of these accounts so it will have access to thousands of phpBB sites for quick access when the next phpBB vulnerability comes out. And who’s to say they aren’t currently using an unpublished phpBB vulnerability?

Of course, that’s just speculation. We have a few users on our gaming site, oldschoolplayers.com, that are obviously bots. Their signatures have links to various websites that offer who-knows-what, possibly even automatic spyware (keylogging) software. These bots could be a simple way to generate traffic for the sites they’re promoting, or they could be malicious.

Big deal, you’re thinking. Who cares if a phpBB forum gets hacked? Who cares if they use XSS to get my password? Well, I guess that’s not so much a bad thing unless you use the same username/password for other sites. Surely you don’t use your forum username/password anywhere else, like oh, say eBay, Gmail, Paypal, Hotmail, other forums …etc. A simple Google search of your phpBB username and you can easily find other sites you’re registered at. How many of those share the same password? You get the point. People like to be mean so what would stop them from changing your password at every one of the sites you’ve registered at?

But phpBB isn’t just vulnerable to XSS. Do a search over at milw0rm.com or osvdb.org and you’ll find lots of cool phpBB hacks, including remote code execution on the phpBB server itself!

Here are links to some of the URLs mentioned in this post:
http://blogs.ittoolbox.com/security/investigator/archives/008389.asp
http://www.issociate.de/board/post/312809/phpBB_mass-hack_being_p…
http://area51.phpbb.com/phpBB/viewtopic.php?sid=&f=6&t=22880
http://www.milw0rm.com
http://www.osvdb.org
http://www.oldschoolplayers.com

Another unpatched IE vulnerability

Thursday, March 23rd, 2006

As posted on PaulDotCom.com’s site: (http://www.pauldotcom.com/2006/03/more_fun_with_ie.html)

Here we go again:

“There is a new exploit for Internet Explorer that was released by Secunia today. The exploit allows for arbitrary code execution.”

And as Lorna puts it, “it’s a heap overflow just waiting to happen”. It most certainly is. And what does that mean? It means that bad people have probably known about this vulnerability for quite some time and have already developed an exploit. They are using this exploit to compromise unsuspecting people who are using IE, most likely in large organizations who refuse to support anything other than Internet Exposure, er, Explorer. And compromise they will, installing the latest round of Spyware, Adware, and bots that will launch the next DDoS and make some hacker a hefty sum of money per month for his or her troubles.

We still don’t have a patch, and we don’t have a workaround, other than to use Firefox.

Here’s the link to the Secunia advisory: http://secunia.com/advisories/18680/

What Not to do With a Video iPod and FreeBSD

Tuesday, March 21st, 2006

I used to have a 512MB iPod Shuffle and, minus the limited disk space and lack of a display to see what was playing, how long the song/podcast was, etc., I was very happy with it. The device, of course, worked flawlessly in Windows, and surprisingly, FreeBSD with an open source tool called GNUpod. I was able to copy non-copyrighted MP3s (songs and other audio materials not purchased through iTunes) to the device in FreeBSD without a hitch. When I plugged the device into my laptop in FreeBSD, I would mount it as any other FAT32/MS-DOS USB device, /dev/da0s1 in my case if no other USB devices were connected. Like I said before, it worked flawlessly.

A day or so ago I acquired a 30GB iPod Video. Let me just say that this device is very impressive. I have put about as much music, podcasts, music videos, Comedy Central Stand-Up videos, video podcasts, and ShmooCon video sessions on it as I care to have at the moment and I am only at around 4GB of used disk space. The 2.5-inch color display is very nice. I can see what song I am listening to, along with any available album art, my playlists, number of songs on the device, as well as play 3 built-in games and watch videos at 320×240 pixels. The only downfall thus far is that devfs doesn’t create a device in the /dev folder when it is connected under FreeBSD. All I get is the following output in /var/log/messages:

umass0: Apple iPod, rev 2.00/0.01, addr 2

No big deal. I just boot into Windows to do all of my file swapping and arranging between my laptop and the device. It is still very cool and I don’t regret getting it one bit!


PIX documentation

Monday, March 20th, 2006

I found this link while surfing around this weekend and thought it would make a great bookmark. It’s a list of available documentation for each version of the PIX software.

Very handy!

Writing exploits

Monday, March 20th, 2006

I took some time out over the weekend to catch up on some reading material that I’ve been sitting on for a while.

One of the things I’ve been sitting on was a sample chapter from the book Sockets, Shellcode, Porting, and Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals.

The sample chapter is called Writing Exploits III. If the rest of the book is written like this chapter, then this is a really good book. I definitely learned a lot from reading this chapter. The material deals with how to find vulnerabilities in applications and then how to use Metasploit to exploit those vulnerabilities. It will show you how to send a string of characters to an application and how to watch the debugging application to see where you need to insert your malicious payload. It will show you how to find which hex characters to avoid in your payload. It will show you how to use Metasploit to generate and encode the proper shellcode to use in your exploit. And finally, it will show you how to port an existing exploit so you can use it from within Metasploit.

I was very impressed with the chapter and learned quite a lot. If this is a topic you’re interested in, I highly recommend reading through this chapter. There are a lot of pictures, also, to help you understand exactly what the author is demonstrating.

You can find the sample chapter at http://www.syngress.com/book_catalog/327_SSPC/sample.pdf

Analyzing physical memory

Sunday, March 19th, 2006

I’ve mentioned in a few posts that some of the newer rootkits can only be found in physical memory (RAM). That’s great and all, but how do you analyze your physical memory? What tools do you use to “dump” your memory and what tools are available to analyze your image?

I ran across a post today on a really interesting blog called Windows Incident Response. The post is titled Windows Physical Memory Analysis, but it also covers analysis of Linux memory as well.

If you’re interested in this sort of thing, you’ll definitely enjoy this post.

Another great Washington Post hacking article

Sunday, March 19th, 2006

Hacking Made Easy

This article discusses how some of these hackers are able to install keyloggers on their victims by hacking into the companies you visit, like online banking sites, and using unpublished or unpatched web browser holes to install the malicious software. They’ve managed to get their software installed on some key people’s computers in a few big organizations.

It’s also easy for them to install new software, delete files, or update their software on their victims’ computers by simply dropping a list down on a website.

It’s definitely scary stuff!
If you haven’t heard about or read some of the other Washington Post articles, you can find them here:

Invasion of the Computer Snatchers

Here’s a Q&A session with the author of the article:

Q and A session with the author

Comment Fun

Friday, March 17th, 2006

Okay, the Crossisms post has kind of gotten out of hand with the non-Crossisms related posts. So, let’s use this post to see how many different Country/Browser/OS combinations we can get going. Every time you post a comment, if your browser is configured to send the HTTP headers that tell your country code, browser type and version, and OS version, your comment will show these details in a graphical format.

So, let the games begin!
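As an added illustration of what the comment game above relies on (this is example code, not the blog’s plugin): the country code comes from the Accept-Language header’s region subtag, and browser and OS come from the User-Agent string. Both headers are chosen freely by the client, so the parsed values are self-reported, not verified. The sample headers are constructed.

```python
import re

# Constructed sample request headers, in the style of a 2006-era browser.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8.0.1) "
                  "Gecko/20060315 Firefox/1.5.0.1",
    "Accept-Language": "en-us,en;q=0.5",
}

# Order matters: Opera historically spoofed the MSIE token, so test it first.
BROWSERS = [
    ("Opera", r"Opera[/ ]([\d.]+)"),
    ("Firefox", r"Firefox/([\d.]+)"),
    ("MSIE", r"MSIE ([\d.]+)"),
    ("Safari", r"Safari/([\d.]+)"),
]
OSES = [
    ("Windows NT", r"Windows NT ([\d.]+)"),
    ("FreeBSD", r"FreeBSD (\w+)"),
    ("Linux", r"Linux (\w+)"),
    ("Mac OS X", r"Mac OS X ([\d_.]+)"),
]


def _first_match(table, text):
    """Return (name, version) for the first pattern that matches, else unknown."""
    for name, pattern in table:
        m = re.search(pattern, text)
        if m:
            return (name, m.group(1))
    return ("unknown", "")


def parse_country(accept_language):
    """Pick the region subtag (e.g. 'US' from 'en-us') of the highest-q tag that has one."""
    ranked = []
    for idx, part in enumerate(accept_language.split(",")):
        pieces = [p.strip() for p in part.split(";")]
        tag = pieces[0]
        q = 1.0
        for p in pieces[1:]:
            if p.startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        ranked.append((-q, idx, tag))  # stable: higher q first, then header order
    for _, _, tag in sorted(ranked):
        if "-" in tag:
            return tag.split("-", 1)[1].upper()
    return None


def fingerprint(headers):
    """Derive the country/browser/OS triple the comment widget would display."""
    ua = headers.get("User-Agent", "")
    return {
        "browser": _first_match(BROWSERS, ua),
        "os": _first_match(OSES, ua),
        "country": parse_country(headers.get("Accept-Language", "")),
    }
```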