Friday, June 20, 2008

Forensics Image of Windows Memory


ManTech Memory DD captures a record of physical (random access) memory, which is lost when the computer is shut down. Released at no charge under the GPL license for government and private use, ManTech's Memory DD (MDD) is capable of acquiring memory images from the following Microsoft® products: Windows® 2000, Windows Server 2003, Windows XP®, Windows Vista®, and Windows Server 2008.

ManTech's Memory DD 1.0 acquires a forensic image of physical memory and stores it as a raw binary file. To help verify data integrity and aid in the preservation of the evidence, the image captured by ManTech Memory DD is verified with the Message-Digest algorithm 5 (MD5), a common Internet standard used in security applications. The binary file can then be analyzed using external tools to identify items of interest to the examiner...

Wednesday, June 11, 2008

How to own Vista with physical access

See a video demonstration at:
http://www.offensive-security.com/movies/vistahack/vistahack.html

Sunday, June 8, 2008

LiarCard - Voice Polygraph (legit?)


LiarCard is the most advanced voice analysis technology for personal use available today, giving you an indication of whether your subject is being truthful. You can now have a competitive edge to negotiate a sweeter deal, hire better personnel, choose a more reliable supplier, and even just to let you know if the person talking with you is not being honest on a specific issue.

In simple terms, LiarCard's patented technology detects the emotional content of speech patterns revealing the mental state and emotional makeup of the speaker.

How Do I Use LiarCard?

  • Dial the toll-free number from any phone and input the PIN provided upon signup.
  • Enter the destination number and wait for the call to be connected.
  • During your conversation, the voice of the person you called is analyzed in real time, while a heartbeat pulse that only you can hear is played in the background. A buzz is also played when the called party is suspected of not telling the truth or is in an extreme state of mind.
  • After the call, login to the web control panel to replay calls, view the graphs and read the analysis.

Friday, June 6, 2008

TSA's Millimeter scanners can see through your clothes - already installed at 10 airports!


Find out more here...

and here...

Monday, May 19, 2008

ZoneAlarm® ForceField™

Virtualized Browser Security

Bank, shop, and browse the Web safely and privately.
ZoneAlarm ForceField provides a protective layer around your browser, shielding you from drive-by downloads, browser exploits, phishing attempts, spyware and keyloggers. So your passwords, your confidential information, and your financial data remain protected.

Nothing else protects you like ZoneAlarm ForceField.

  • Block unauthorized downloads and malicious software installations
  • Protect your identity by blocking phishers and stopping keyloggers
  • Browse the internet in complete privacy: erases all cache, cookies, history and passwords
  • Run it with your existing security software: it's fast, lightweight, and easy to use
http://download.zonealarm.com/bin/forcefield_x/index.html

Hacker writes rootkit for Cisco's routers

"A security researcher has developed malicious rootkit software for Cisco's routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet's traffic.

Sebastian Muniz, a researcher with Core Security Technologies, developed the software, which he will unveil on May 22 at the EuSecWest conference in London..."

http://www.networkworld.com/news/2008/051408-hacker-writes-rootkit-for-ciscos.html

Sunday, May 11, 2008

The Yubikey


It works seamlessly with any hardware and operating system combination supporting USB keyboards such as Windows, MacOS, Linux and others. The Key generates and sends unique time-variant authentication codes by emulating keystrokes through the standard keyboard interface. The computer to which the Key is attached receives this authentication code character by character just as if it were being typed in from the keyboard – yet it's all performed automatically. This process allows the Key to be used with any application or Web-based service without any need for special client computer interaction or drivers.

The YubiKey differs from traditional authentication tokens based on time-variant codes in that it needs no battery and therefore does not rely on an absolute time generated by an accurate time source. No battery means unlimited shelf life, no synchronization and customer support issues, and enables significant cost reduction.

http://www.yubico.com/products/yubikey/

Identity
The YubiKey provides a means of identity that allows the device to identify itself without the user having to provide the identity manually.


Authentication and singularity
Pivotal for any hardware authentication token is singularity, i.e. that an identity cannot be copied and/or adversely used without the knowledge of the legitimate user. Static identification schemes, such as username/password, are highly vulnerable to eavesdropping and to what has become known as "Phishing". Even "predictable" schemes, such as one-time-pad cards, have shown vulnerability to these threats.

The introduction of a time-variant code including a certain level of randomness, all encrypted with strong encryption, means that attacks of this type can be thwarted and singularity maintained.


The time-variant code
Unlike present hardware authentication tokens, the YubiKey does not rely on a two-way challenge-response protocol, a battery-powered time base, a keyboard or a display.

Yet, how can a device be so secure when four of the most common security measures present in state-of-the-art authentication devices have been removed?

The YubiKey generates a unique 128-bit code at each authentication event, and there is no time window during which two authentication codes are equal. Each unique code is encrypted with AES-128 and then encoded into a "readable form"; the resulting string is transmitted in its full length.

The main components of the unique code comprise:

  1. A hidden identity field, used to check the decrypted result against a non-published identity.
  2. A volatile counter, incremented by one for each code that has been generated; this counter is reset at each power-up.
  3. A non-volatile counter, incremented by one for each power-up event; the value of this counter is preserved even when power is lost.
  4. A non-predictable counter value fed by a time base that is highly device- and session-dependent. Together with a server-based authentication module, this counter can provide strong protection against "Phishing" attempts.
  5. A random seed.
  6. A simple checksum.
Together, these fields are encrypted using a 128-bit key. A 128-bit number is larger than a 3 followed by thirty-eight zeroes. Combined with the fact that a hacker has so little information about the plaintext, cryptanalysis is futile, assuming the industry-standard AES-128 is secure.
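The code structure described above, worked through as an added Go example (not Yubico's code): the ModHex "readable form", the six plaintext fields, the checksum trailer, AES-128 of the single 16-byte block, and the server-side checks (checksum, hidden identity, strictly increasing counters) that make a captured code useless for replay. Field sizes and offsets follow the published YubiKey OTP layout; the AES key, identity and counter values are constructed, and Pack exists only so the example runs without a device.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"strings"
)

// ModHex: nibble i is typed as modhex[i]; these 16 letters sit on the same keys on most layouts.
const modhex = "cbdefghijklnrtuv"
func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		n := strings.IndexByte(modhex, s[i])
		if n < 0 {
			return nil, errors.New("not ModHex")
		}
		out[i/2] = out[i/2]<<4 | byte(n)
	}
	return out, nil
}
// crc16: reflected poly 0x8408, init 0xffff (PPP FCS-16); a whole valid token leaves residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (crc&1)*0x8408
		}
	}
	return crc
}

// Token is the 16-byte plaintext: the fields the post lists, in wire order.
type Token struct {
	UID        [6]byte // hidden identity, never sent in clear
	UseCtr     uint16  // non-volatile counter, +1 per power-up
	Timestamp  uint32  // 24-bit free-running time base (bytes 8..10)
	SessionCtr uint8   // volatile counter, +1 per OTP, reset at power-up
	Rnd        uint16  // random seed; the CRC trailer fills bytes 14..15
}
// Pack is the device side (here only so the example runs offline): fields, CRC, AES-128, ModHex.
func (t Token) Pack(key []byte) string {
	p := make([]byte, 16)
	copy(p, t.UID[:])
	binary.LittleEndian.PutUint16(p[6:], t.UseCtr)
	binary.LittleEndian.PutUint32(p[8:], t.Timestamp&0xffffff)
	p[11] = t.SessionCtr
	binary.LittleEndian.PutUint16(p[12:], t.Rnd)
	binary.LittleEndian.PutUint16(p[14:], ^crc16(p[:14]))
	blk, _ := aes.NewCipher(key) // constructed key; must be 16 bytes
	blk.Encrypt(p, p)
	s := make([]byte, 0, 32)
	for _, c := range p {
		s = append(s, modhex[c>>4], modhex[c&0xf])
	}
	return string(s)
}
// Check is the server side: decrypt, verify checksum and hidden identity, then refuse any OTP
// whose (UseCtr, SessionCtr) pair does not strictly exceed the last accepted one (replay defence).
func Check(key []byte, uid [6]byte, last *Token, otp string) (t Token, err error) {
	c, derr := modhexDecode(otp)
	blk, kerr := aes.NewCipher(key)
	if derr != nil || kerr != nil || len(otp) != 32 {
		return t, errors.New("bad key, or OTP is not 32 ModHex characters")
	}
	blk.Decrypt(c, c)
	if crc16(c) != 0xf0b8 || string(c[:6]) != string(uid[:]) {
		return t, errors.New("checksum or identity mismatch: wrong key or forged OTP")
	}
	copy(t.UID[:], c)
	t.UseCtr, t.Rnd = binary.LittleEndian.Uint16(c[6:]), binary.LittleEndian.Uint16(c[12:])
	t.Timestamp, t.SessionCtr = binary.LittleEndian.Uint32(c[8:])&0xffffff, c[11]
	if t.UseCtr < last.UseCtr || (t.UseCtr == last.UseCtr && t.SessionCtr <= last.SessionCtr) {
		return t, errors.New("replayed or stale OTP")
	}
	*last = t
	return t, nil
}
```

Note that the server accepts a code only once: a second submission of the same string, or of any code generated before the last accepted one, fails the counter rule even though it decrypts correctly.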


Device varieties and integration with legacy applications
Two types of Keys are available: Basic and Plus. Basic offers baseline security, where release of the time-variant code is controlled from the keyboard of the computer to which the YubiKey is connected. By monitoring the Caps Lock indicator LED, the device can be triggered with a quick double-click on the Caps Lock button.

YubiKey Plus offers increased protection against advanced Trojans, where the release of the time-variant code is controlled by an integrated button. This design provides a further level of confidence from a "perceived security" perspective, as the user understands that a code cannot be released without a physical action by the key holder.

YubiKey is highly flexible and can be configured to support legacy applications using one or two factor authentication. User supplied usernames and passwords can be selected to match the security requirements and fit existing screen layouts.

Optionally, the Key can be pre-programmed for automatic navigation to a website. This functionality adds speed and simplicity for the user, but is limited to PC Windows and to national applications, as it needs to be programmed for the specific computer keyboard layout, which varies between countries and languages.

Saturday, May 10, 2008

SSL Capable NetCat

"You all know what netcat is (written by Hobbit in 1996), how to use it and that it should have been integrated in all UNIX systems a long time ago. netcat lacked some features, and I tried to add them in this Perl version. For example, SSL support, TCP and UDP proxying and IPv4/IPv6 proxying features. This is now done, unless I missed a bug. Now, enjoy." - Author

http://www.gomor.org/bin/view/GomorOrg/SslNetcat

Usage

SSL Capable NetCat 1.01

Usage: scnc [-options] target port

-c use SSL (default to not)
-a use SSL certificate authority file
-f use SSL certificate file (PEM format)
-k use SSL private key file (PEM format)
-t do telnet negociation (default to not)
-6 use IPv6 (default to not)
-e cmd command to execute
-l listen for connections (default to not)
-p port use local port number (default to random high)
-s address use address for bindings (default to all addresses)
-u use UDP socket (default to TCP)
-v be verbose (default to not)
-z test port for openness
-r host:port proxy connection to host:port
-r host:port:ipv6 proxy connection to host:port using IPv6
-r host:port::ssl proxy connection to host:port using SSL
-r host:port:ipv6:ssl proxy connection to host:port using IPv6 and SSL

Saturday, April 19, 2008

Geekonomics: The Real Cost of Insecure Software


by David Rice (Author)

"What is Geekonomics about?

Geekonomics is about the astonishing lack of consumer protection in the software market and how this impacts economic and national security. Software buyers are literally crash test dummies for an industry that is remarkably insulated against liability, accountability, and responsibility for any harm, damages or loss that should occur because of manufacturing defects or weaknesses that allow cyber attackers to break into and hijack our computer systems. As a matter of good public policy, this is unacceptable and must change.

Geekonomics is also about us and why we behave the way we do when it comes to protecting ourselves in cyber space. As such, Geekonomics is about incentives. Specifically, Geekonomics is about incentives that affect three groups of people: consumers, software manufacturers, and hackers. Each group has incentives for making, buying, and breaking into computer systems that are rife with defects, errors, and weaknesses. This book explains these incentives and how new and different incentives are necessary to address the problem of “bad” software.

Finally, Geekonomics is a book for everyone, not just for geeks or technophiles, because frankly, in modern civilization, how and when software touches us is less our choice every day."

http://www.geekonomicsbook.com/
http://www.amazon.com/dp/0321477898/

Monday, March 24, 2008

Nmap 4.60 Released

http://nmap.org/changelog.html

Thursday, March 20, 2008

BigDog Quadruped Robot

http://gizmodo.com/368651/new-video-of-bigdog-quadruped-robot-is-so-stunning-its-spooky

Saturday, March 8, 2008

PhishMe


Brilliant!

Phishing attacks have become so prevalent and effective that they have made it to the SANS Top 20 list recently. While everyone agrees it is a major issue what has been lacking until now was an easy-to-use, effective and secure way to test one's own organization against this growing threat over time with a tangible ROI.

Now you can. The Intrepidus Group has put together http://phishme.com/ to do just that.

"Effective, memorable, and secure user awareness testing and training is now available with just a few clicks. Using PhishMe.com's built-in templates and WYSIWYG functionality, you can emulate real phishing attacks against your employees within minutes. Focus your training efforts on the most susceptible employees by providing immediate feedback to anyone that falls victim to these exercises. Phish your employees before hackers do!"

Nice work!

Universal Command Guide for Operating Systems

Every command, every operating system, cross-referenced together!

The Universal Command Guide includes commands for the following Operating Systems:

  • AIX 4.3.3
  • OpenBSD 2.7
  • Red Hat Linux
  • Solaris 7 and 8
  • Macintosh OS 9.1
  • DOS 6.22
  • Windows 9x
  • Windows ME
  • Windows NT 4.0
  • Windows 2000
  • Windows XP
  • Novell Netware 3, 4, 5 and 6
http://www.tomshardware.com/ucg/

Internet Explorer 8 Beta 1 announced at MIX08

"The Internet Explorer team hit an important milestone today and divulged as much at MIX08. IE's General Manager Dean Hachamovitch today announced the availability of IE8 Beta 1, downloadable for testing by all..."

More...

Cain & Abel v4.9.14 released


Cain & Abel v4.9.14 released
- Added GRE/PPP sniffer filter for PAP, CHAP and MS-CHAPv1 (LM & NTLM) authentications.
- Added CHAP-MD5 (Dictionary and Brute-Force Attacks).
- Added sniffer analysis on GRE/PPP encapsulated traffic; MPPC compression not supported yet.

Cain & Abel v4.9.12 released
New features:
- Added Windows Vista compatibility in all APR-SSL sniffers.
- Added support for new Aircrack-ng's IVs file format in WEP IVs sniffer and cracker.
- Modified separator character in cracker's and sniffer's LST files from ";" to "TAB".


WARNING !!! The password list file format has changed and old LST files are not compatible anymore. It is strongly suggested to back up your files before upgrading to this new release.

http://www.oxid.it/

Wireshark 0.99.8 Released

http://www.wireshark.org/news/20080227.html

Using MSF v3 Meterpreter and its many options: the IRB shell, hashdump, timestomp, process migration, uploading and downloading files

How-to video:
http://learnsecurityonline.com/vid/MSF3-met/MSF3-met.html

Tuesday, February 26, 2008

SANS - Top Ten Cyber Security Menaces for 2008

Twelve cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008.

Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller.

http://www.sans.org/2008menaces/

Here's their consensus list in ranked order:
  1. Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites
    Web site attacks on browsers are increasingly targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. At the same time, web site attacks have migrated from simple ones based on one or two exploits posted on a web site to more sophisticated attacks based on scripts that cycle through multiple exploits to even more sophisticated attacks that increasingly utilize packaged modules that can effectively disguise their payloads. One of the latest such modules, mpack, produces a claimed 10-25% success rate in exploiting browsers that visit sites infected with the module. While all this is happening, attackers are actively placing exploit code on popular, trusted web sites where users have an expectation of effective security. Placing better attack tools on trusted sites is giving attackers a huge advantage over the unwary public.
  2. Increasing Sophistication And Effectiveness In Botnets
    The so-called Storm worm (which was not really a worm at all) started spreading in January, 2007 with an email saying, "230 dead as storm batters Europe," and was followed by subsequent variants. Within a week it accounted for one out of every twelve infections on the Internet, installing rootkits and making each infected system a member of a new type of botnet. Previous botnets used centralized command and control; the Storm worm uses peer-to-peer control, so there is no central controller to take down. Additional variants have used messages with different subjects and improved the capabilities of the rootkit. In 2008 additional variants and continually increasing sophistication will keep this worm and other even more sophisticated worms near the top of any list of menaces.
  3. Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data - Particularly Using Targeted Phishing
    One of the biggest security stories of 2007 was disclosure in Congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states. In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking.
  4. Mobile Phone Threats, Especially Against iPhones And Android-Based Phones; Plus VOIP
    Mobile phones are general purpose computers, so worms, viruses, and other malware will increasingly target them. Google's recent announcement of "android" and the formation of the "open handset alliance" is a watershed moment for the mobile industry. A truly open mobile platform will usher in completely unforeseen security nightmares. The developer toolkits provide easy access for hackers. And hackers are taking note. The author of Metasploit, H.D. Moore, plans a mobile payload presentation webcast this month.

    Attacks on VoIP systems are on the horizon and may surge in 2008. VoIP phones and the IP PBXs have had numerous published vulnerabilities. Attack tools exploiting these vulnerabilities have been written and are available on the Internet. In short, the VoIP attack surface is enormous.
  5. Insider Attacks
    Insider attacks are initiated by rogue employees, consultants and/or contractors of an organization. Insider-related risk has long been exacerbated by the fact that insiders usually have been granted some degree of physical and logical access to systems, databases, and networks that they attack, giving them a significant head start in attacks that they launch. More recently, however, security perimeters have broken down, something that allows insiders to attack both from the inside and from outside an organization's network boundaries. Insider-related risk (as well as outsider risk) has thus skyrocketed. Organizations need to put into place substantial defenses against this kind of risk, one of the most basic of which is limiting access according to what users need to do their jobs.
  6. Advanced Identity Theft from Persistent Bots
    A new generation of identity theft is being powered by bots that stay on machines for three to five months collecting passwords, bank account information, surfing history, frequently used email addresses, and more. They'll gather enough data to enable extortion attempts (against people who surf child porn sites, for example) and advanced identity theft attempts where criminals have enough data to pass basic security checks.
  7. Increasingly Malicious Spyware
    Criminal and nation-state attackers continue to refine the capabilities of their malicious code, expanding on flux techniques to obscure their infrastructure, making it even harder to locate their servers. Additionally, the recent Storm variants' capabilities of being able to detect investigators' activity and then respond with a flooding attack against the investigators will become more mainstream and even more powerful, protecting the attackers and making investigation more difficult. Tools will also increasingly target and dodge anti-virus, anti-spyware, and anti-rootkit tools to help preserve the attacker's control of a victim machine for as long as possible. In short, malware will become stickier on target machines and more difficult to shut down.
  8. Web Application Security Exploits
    Large percentages of web sites have cross site scripting, SQL injection, and other vulnerabilities resulting from programming errors. Until 2007 few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to an advantage in unauthorized economic or information access. Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from web programming errors as new ways of penetrating important organizations. Web 2.0 applications are vulnerable because user-supplied data cannot be trusted; your script running in the users' browser still constitutes "user supplied data." In 2008, web 2.0 vulnerabilities will be added to more traditional programming flaws and web application attacks will grow substantially.
  9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP and Event Phishing
    Blended approaches will amplify the impact of many more common attacks. For example, the success of phishing is being radically increased by first stealing IDs of users of other technologies. Salesforce.com users were targeted for an "FTC complaint" phishing email. Monster.com users were targeted for a job offer phishing email. Even if it is non-targeted, event phishing is gaining in sophistication. Tax filing scams and scams based on the U.S. Presidential elections will be widely used this year, and many of them will succeed. A note with the subject "Hillary drops out of the race" or "Rudy and female staffer caught on film" could generate huge new botnets of people who are interested in politics, but may not have patched their systems fully. Add to those opportunities potential bogus fund raising sites and even political dirty tricks going digital, and you'll have an explosive junction of hacking and politics.

    A second area of blended phishing combines email and VoIP. An inbound email, apparently being sent by a credit card company, asks recipients to "re-authorize" their credit cards by calling a 1-800 number. The number leads them (via VoIP) to an automated system in a foreign country that, quite convincingly, asks that they key in their credit card number, CVV, and expiration date.
  10. Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations
    Retail outlets are increasingly becoming unwitting distributors of malware. Devices with USB connections and the CDs packaged with those devices sometimes contain malware that infect victims' computers and connect them into botnets. Even more targeted attacks using the same technique are starting to hit conference attendees who are given USB thumb drives and CDs that supposedly contain just the conference papers, but increasingly also contain malicious software.

Friday, February 22, 2008

Cold Boot Attacks on Encryption Keys


"Abstract Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them."

http://citp.princeton.edu/memory/

Friday, February 15, 2008

Can you hear me...before I speak?

Sub-vocalization - Imagine being able to tell what someone is about to say, BEFORE they actually say (vocalize) it. It sounds like science fiction but I was fortunate enough to actually witness this amazing technology with my own eyes last week. One of the cool things about working in IT is that there is always something new and interesting to explore but sub-vocalization is one of the coolest things I've ever seen.

"Subvocal speech is the use of electromyographic (EMG) signals from the surface of the larynx and lingual areas of the throat to control devices and silently communicate."

More details:
http://ti.arc.nasa.gov/projects/nel/Projects/subvocal_speech.htm

Video Demonstration:
http://ti.arc.nasa.gov/projects/nel/container/2005-09%20NEL%20General%20Clip.wmv

Imagine totally silent, verbal, communications - say again!?

One party nearly speaks (sub-vocalizes) what they need to communicate. The computer interprets the EMG signals to determine what is about to be said. It then transmits what would have been the digitized words had they been spoken (vocalized) to the recipient - amazing.

What will they think of next? Well...

It turns out this technology can be applied to other EMG signals in the body. Imagine being able to control a robotic device without actually moving your hands - saw it. Imagine being able to control robot prosthetics by merely thinking about moving your "arm" or "hand" - coming. Imagine being able to "read" people's thoughts...hmm.

Maybe these guys aren't as "out there" as I once thought ;)
http://zapatopi.net/afdb/

I'll let your imagination run with all the security-related implications...

Maybe HD Moore and company can develop the MentalSploit Framework next...

(Bryce thinks: "Let's see, what was my pass phrase again? <*PWND!*> Oh yeah, I remember.")