“System Service Descriptor Table (SSDT) patching has been widely used by rootkits and is usually easily detected.  BlackEnergy version 2 has implemented a technique which successfully hides from basic rootkit detection.  Basic rootkit detectors typically only check address ranges, on function pointers, listed in the SSDT.  If the pointers are outside the kernel address range, it implies that the SSDT is hooked.

The following will illustrate a procedural check, used to uncover this technique, using a kernel debugger…”

Read more here:

Rootkit Analysis – Hiding SSDT Hooks

Written by: Nick Jogie

We should be live around 8pm EST tonight, join us on IRC or listen in live at this link!

If you haven’t taken the Security 508 course yet we have an excellent opportunity for you!  Rob will be teaching the SEC508 (Forensics) course via the SANS vLive! platform beginning 3/23/2010.  Classes will occur every Tuesday and Thursday until 4/29/2010 from 7-10PM EDT.

Chris Gerling has taken the 508 course and recommend anyone who is interested in computer forensics take it as well.  Even if you aren’t a full-time forensic examiner, the information you take away from the class will help you in all aspects of information security.  Understanding how file systems and memory work can be crucial.

Please check out the course and register at this link!  Use code SB508 to get a free GCFA certification attempt with the purchase of the full course.

This week The Academy Pro released ten videos covering a range of topics applying to the FortiGate firewall, SAINT 7.2.3, Zscaler, and Gigamon . Here is a brief rundown of what’s new this week. So be sure to stop on by, sign up, sit back and learn something new!

(Please note, you must register with The Academy Pro before viewing these videos!)

-Blocking adult websites with Zscaler

-Defining virus alerts with Zscaler

-Configuring email alerts with a FortiGate firewall

-Configuring event logs with a FortiGate firewall

-Scanning OS X Snow Leopard with SAINT 7.2.3

-Viewing host information with SAINT 7.2.3

-Adding a new user to a TippingPoint device

-Configuring HTTPS on a Gigamon GigaVUE

-Configuring SNMP with Gigamon

-Configuring SNMP with Gigamon

Also, be sure to join in on The Academy Pro chat room where they will be interviewing Nir Zuk, CTO of Palo Alto Networks, Monday January 11th at 2PM EST.

Blog post by:  Sean Hausauer

Next we cover the details about SUMO LINUX 2.0 with our guest Marcus Carey.

SUMO LINUX 2.0
- Based on a stable version of Debian so we can update with Debian packages and Unbuntu Packages.
-Windows response tools will be added.
-Build a wiki with detailed documentation of all the tools included to make it easy for a newbie to get started.
-No plans for multi-boot.
-Distributed out via Bit Torrent.
-Memory analysis and RAM dumping. Cheap USB sticks have really helped with this. The analysis is also proving to be a big help in forensics.
-Will be coordinating the project on the Securabit forums (http://forums.securabit.com/index.php?showforum=9)
-User feedback will help us make it better for everyone.
-Post in the forum if you are interested in helping out.

Other News Items
-Homebrew patches for zero days in the enterprise.
-Cell phones and international roaming charges at the border.
-What hardware tools should you have in a forensic toolkit?

Have something you want plugged on Securabit? Send it to Feedback@securabit.com.

If you are interested in helping with the Richmond, VA area hackerspace contact Chris Gerling.

Hosts
Anthony Gartner – AnthonyGartner.com @AnthonyGartner
Chris Gerling – Hak5Chris, Chrisgerling.com @Hak5chris
Chris Mills – ChrisAM @packetsense
Jason Mueller – @Securabit_Jay

Guest
Marcus Carey ñ SUMO LINUX http://www.sumolinux.com

Links
Hackerspaces http://hackerspaces.org
SUMO LINUX http://www.sumolinux.com
Adobe Zero Day http://isc.sans.org/diary.html?storyid=5902&rss
Excel Zero Day http://isc.sans.org/diary.html?storyid=5923  & http://www.microsoft.com/technet/security/advisory/968272.mspx
Forensic Talon http://www.logicubeforensics.com/products/hd_duplication/talon.asp

The next part on the agenda was the new Windows 7 Beta. This caused Microsoft to DOS itself. Which really takes a LOT to happen.

After the break we started to go into some tools we actually use or have used and wanted to recommend. Jay spoke of his Retina software they use. We did play a nice practical joke on jay and left him hanging in the wind for a few moments, but he did recover. Spoke about running ISS for the nice pretty reports for the higher up’s and Nessus for the technicians. Anthony mentioned Hot Spot Shield which works on windows, mac, iphone and many other platforms. The chat room recommended Open VPN but none of us had used it. Chris Mills also went into one of the tools he used back in the day but recently started to use again called NTop.
Talked about itunes going DRM free. Always a good thing!!! This then drifted in to a conversation about players in general. Jay recommended engadget.com and how they covered CES so well. This then divulged into computers for kids as well as netbooks.
Anthony is getting close to being able to do the Mix MInus. This means there will be the chance to play the music / voice mails / audio feedback on to everyone so that we can comment or answer the questions. This will be a welcome addition to the show.
Jay stated our new goal – to be “Internet Famous”

Don’t forget to give us a feedback on Itunes so we can bump the old shows off the list.

Thanks again for all the donations for the Tip Jar.

Hosts:

Rob Fuller – Mubix, room362.com @mubix
Anthony Gartner – AnthonyGartner.com @AnthonyGartner
Chris Gerling – Hak5Chris, Chrisgerling.com @Hak5chris
Chris Mills – ChrisAM @packetsense
Jason Mueller – SecurabitJay

Important links for the show and documents used:

http://www.iss.net/

http://www.nessus.org/nessus

hotspotshield.com

http://openvpn.net

http://www.ntop.org

Check out the end of the cast for Jay’s audition for American 1dol!!!

The next part on the agenda was the new Windows 7 Beta. This caused Microsoft to DOS itself. Which really takes a LOT to happen.

After the break we started to go into some tools we actually use or have used and wanted to recommend. Jay spoke of his Retina software they use. We did play a nice practical joke on jay and left him hanging in the wind for a few moments, but he did recover. Spoke about running ISS for the nice pretty reports for the higher up’s and Nessus for the technicians. Anthony mentioned Hot Spot Shield which works on windows, mac, iphone and many other platforms. The chat room recommended Open VPN but none of us had used it. Chris Mills also went into one of the tools he used back in the day but recently started to use again called NTop.
Talked about itunes going DRM free. Always a good thing!!! This then drifted in to a conversation about players in general. Jay recommended engadget.com and how they covered CES so well. This then divulged into computers for kids as well as netbooks.
Anthony is getting close to being able to do the Mix MInus. This means there will be the chance to play the music / voice mails / audio feedback on to everyone so that we can comment or answer the questions. This will be a welcome addition to the show.
Jay stated our new goal – to be “Internet Famous”

Don’t forget to give us a feedback on Itunes so we can bump the old shows off the list.

Thanks again for all the donations for the Tip Jar.

Hosts:

Rob Fuller – Mubix, room362.com @mubix
Anthony Gartner – AnthonyGartner.com @AnthonyGartner
Chris Gerling – Hak5Chris, Chrisgerling.com @Hak5chris
Chris Mills – ChrisAM @packetsense
Jason Mueller – SecurabitJay

Important links for the show and documents used:

http://www.iss.net/

http://www.nessus.org/nessus

hotspotshield.com

http://openvpn.net

http://www.ntop.org

Check out the end of the cast for Jay’s audition for American 1dol!!!

We opened the show but because Jay needed to switch some things out we actually went to a break faster than normal. When we returned from the break Jay was back with us. We started to go into the new Microsoft Zero Day, and Jay informed us that he had been out of the loop for a week but since the patch only came out 73 minutes before he found out about it he figured he was right on time.

The next topic was Chris Gerling going to SANS and taking the forensics 508 course. Chris then told us that he felt like he should never have picked up a helix disk based on the level of knowledge he has now compared to before the course. We also discussed that many states are requiring a Private Investigators license to do forensics. That none of us on the show agreed that this was a good idea, but yet several lobbyists have been pushing for this very idea. Jay asked the question about what was thought about the BGP security vulnerability. Anthony discussed a new site he went to as a security review.

After the break, we went into the trivia question. The trivia Question was: What are the flags you have to set in order to do an NMAP-style XMAS scan in Unicornscan? We will post the winner soon in conjunction with the Security Justice podcast. After the trivia question we went into thoughts on what to do about prior employees, handling creditials, voice mails, and emails. We referenced the guy in San Francisco who was fired from the job, but yet still was able to hold the network he left hostage.

Send all answers to the trivia question to feedback@securabit.com

Don’t forget to give us a feedback on Itunes so we can bump the old shows off the list.

Thanks again for all the donations for the Tip Jar.

Hosts:

Rob Fuller – Mubix, room362.com
Anthony Gartner – AnthonyGartner.com
Chris Gerling – Hak5Chris, Chrisgerling.com
Chris Mills – ChrisAM
Jason Mueller – SecurabitJay

Important links for the show and documents used:

No links this time!

By now, most people know that you should have a complex password of at least 8 characters that are composed of upper case, lower case, numbers, punctuation marks and ,as Dilbert said, doodles, sign language and squirrel noises. Your password requirements are so secure that it would take a Beowulf cluster 10,000,000 years to crack. Your users know that if they write down their passwords on a post-it-note, they will be shot. Are your passwords secure?

The problem with a “good password” is that it is extremely difficult to remember. Passwords that are used daily can be easily remembered after a few days. Passwords that are used infrequently can be a point of vulnerability.

Unfortunately, password aging systems do not consider the frequency of use or the number of unsuccessful login attempts prior to a successful login. Sure, you can reset the error count before lockout after x number of minutes but, it treats all accounts equally. An attacker could come in “low and slow” by limiting password attempts to every 3 minutes.

If your password aging rules dictate that all passwords must be changed every 30 days, the password that is only used every two weeks will expire at the same interval as the password that is used 5 times per day. A better method for password aging systems would be to consider the number of times a password is used and maintain a counter of unsuccessful logins before a successful login in addition to a maximum password lifetime. How would this be an improvement?

If you have a complex password that is only used once every two weeks, you will probably need to write it down somewhere that is (hopefully) secure. If you don’t write it down, you may forget your password, requiring a password reset. Password resets are the unsung vulnerability in password management. Many organizations do not properly authenticate the person requesting a password reset, reset passwords to a default value, or send the new password to the user in an insecure method. Social engineering can often bypass the “authorized password requestor” list. Are your passwords really secure?

Latest tools from DC16!

And if Jay Beale is reading this, we want Middler to come out!

Implement at your own risk! Simply cut and paste as it looks pretty nasty below:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:”DNS large number of NXDOMAIN replies – possible DNS cache poisoning”; byte_test:1,&,3,3; classtype:misc-attack; reference:cve,2008-0087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-020.mspx; reference:cve,2008-1447;
reference:url,www.microsoft.com/technet/security/bulletin/MS08-037.mspx; threshold: type threshold, track by_src, count 1000, seconds 30;)

Hope this helps!