Sunday 14 April 2013

10 Tips for Spotting and Handling Misinformation during Security Assessment and Forensics Investigation


Here are my 10 tips for dealing with misinformation during security assessments and forensic investigations:
  • Remember that interview subjects might purposefully or inadvertently present you with incorrect information.
  • Watch out for “lies by omission,” which is another form of misinformation.
  • Look for discrepancies between the information provided by different subjects and also between what you heard and what you saw in documentation.
  • Ask similar questions several times, though not in direct sequence, watching out for the discrepancies in the answers you might receive.
  • Collect your own data to corroborate or refute what you heard during interviews. You may be unable to check all information, but spot-checks should be within the realm of possibility.
  • Consider whether it’s wise to directly confront the subject when you notice misinformation—this might create friction without helping your objectives.
  • If you have the opportunity, give the people whom you’ll interview a chance to get to know you—if they feel comfortable with you, they might be more truthful.
  • Remind subjects that it’s very important for you to have accurate information to provide meaningful analysis.
  • Take notes of the answers, confirming with subjects what you heard them say to avoid concerns over incorrect recollection of the statements.
  • Keep in mind that sometimes people don’t realize that they are providing misinformation—they might be simply misinformed.
The problem of misinformation is common in other professions too, including law and medicine.

Latest IT Security tools

REMnux 4

Version 4 of the REMnux Linux distribution for reverse-engineering malicious software has been released. The new version includes a variety of new malware analysis tools and updates the utilities already present on the distro.

What’s New in REMnux v4
REMnux is now available as an Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.
Key updates to existing tools and components:
  • Core system: Upgraded the underlying Ubuntu OS components and packages; increased default RAM of the virtual appliance to 512MB; replaced OpenJDK with Oracle Java 7 runtime.
  • Memory analysis: Updated Volatility to version 2.2.
  • PDF analysis: Updated pdfid and pdf-parser, Origami, peepdf.
  • Web analysis: Updated SWFTools, V8, libemu, NetworkMiner, Burp Proxy, Wireshark, Firefox and its add-ons.
  • Other changes: Updated xorsearch, DensityScout, Pyew, passive-dns, ClamAV, capabilities.yara; replaced FreeMind with XMind.
New tools added to REMnux:
  • Windows tools: Installed Wine; added OfficeMalScanner, Malzilla.
  • XOR analysis: Added NoMoreXOR, brutexor, XORBruteForcer.
  • PE file analysis: Added pev, dism-this, ExeScan, udis86 (udcli), autorule (/usr/local/autorule), distool.
  • Other file analysis: Added extract_swf.py, ExifTool, MASTIFF.
  • Other additions: Added hack-functions (/usr/local/hack-functions), bulk_extractor, ProcDot.

Proxify and BadAssProxy

GNUCITIZEN released a lightweight proxy called Proxify, designed to conveniently integrate with other tools. Proxify can handle both HTTP and HTTPS, displaying or saving the interactions between the client and the server. Its authors expect the tool to be embedded in applications that require proxy functionality, explaining that:
“The tool will do all the hard work and you just need to provide a very simple restful HTTP service to do the forwarding of data between the browser and the remote target.”
Proxify is easy to run from the command-line, as you can see in the video attached to this post. In this example, I directed Proxify to listen on port 8080 and save all requests and responses it intercepts to the “output” directory.

Proxify is free for non-commercial use, and is available in a binary form for Windows, Linux and OS X.
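To show what a logging proxy of the kind described above actually has to do, here is a small added example of my own; it is not Proxify's code (Proxify's source is not on this page) and it reuses nothing from GNUCITIZEN. It is a plain-HTTP forward proxy that listens on a port, relays each request to its origin server, returns the reply to the client, and saves every request/response pair as a numbered file under an output directory. The port, the output directory name and the file layout are my assumptions. HTTPS interception (CONNECT tunnelling with a locally issued certificate) is deliberately left out; handling that is what separates a toy like this from Proxify or Burp.

```python
"""Minimal logging HTTP forward proxy (added example, not Proxify's code).

Listens on a port, forwards each plain-HTTP request to its origin server,
returns the origin's response to the client, and writes every exchange to
a numbered file under an output directory. HTTPS (CONNECT) is not handled.
"""
import http.server
import itertools
import pathlib
import threading
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Hop-by-hop headers must not be forwarded between proxy hops (RFC 7230 6.1).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade", "proxy-connection",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A proxy relays 3xx responses to the client instead of following them."""
    def redirect_request(self, *args, **kwargs):
        return None


# Ignore any http_proxy environment variable so the proxy cannot loop into itself.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), _NoRedirect)


def forwardable_headers(headers):
    """Return (name, value) pairs with hop-by-hop headers removed."""
    return [(k, v) for k, v in headers if k.lower() not in HOP_BY_HOP]


def parse_proxy_target(path):
    """A proxy client sends an absolute-form target such as
    'http://example.test/index.html' (RFC 7230 5.3.2). Reject anything else so
    the proxy cannot be steered at non-HTTP schemes or origin-form paths."""
    parts = urlsplit(path)
    if parts.scheme != "http" or not parts.netloc:
        raise ValueError(f"unsupported proxy target: {path!r}")
    return path


def save_exchange(outdir, index, request_line, req_headers, req_body,
                  status, resp_headers, resp_body):
    """Write one request/response pair to <outdir>/<index>.txt; returns the path."""
    out = pathlib.Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    target = out / f"{index:04d}.txt"
    with target.open("wb") as fh:
        fh.write(b"=== REQUEST ===\r\n")
        fh.write(request_line.encode() + b"\r\n")
        for k, v in req_headers:
            fh.write(f"{k}: {v}\r\n".encode())
        fh.write(b"\r\n" + req_body + b"\r\n")
        fh.write(b"=== RESPONSE ===\r\n")
        fh.write(f"HTTP/1.1 {status}\r\n".encode())
        for k, v in resp_headers:
            fh.write(f"{k}: {v}\r\n".encode())
        fh.write(b"\r\n" + resp_body + b"\r\n")
    return target


class LoggingProxyHandler(http.server.BaseHTTPRequestHandler):
    """Handles one client request: forward upstream, relay the reply, record both."""
    counter = itertools.count(1)
    outdir = "output"  # overridden by start_proxy()

    def _relay(self):
        try:
            url = parse_proxy_target(self.path)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        req_headers = forwardable_headers(self.headers.items())
        upstream = urllib.request.Request(url, data=body or None,
                                          headers=dict(req_headers),
                                          method=self.command)
        try:
            with _opener.open(upstream, timeout=10) as resp:
                status, resp_headers, resp_body = resp.status, resp.getheaders(), resp.read()
        except urllib.error.HTTPError as exc:  # non-2xx replies still carry a body
            status, resp_headers, resp_body = exc.code, exc.headers.items(), exc.read()
        resp_headers = forwardable_headers(resp_headers)
        self.send_response(status)
        for k, v in resp_headers:
            if k.lower() != "content-length":  # body was fully read; re-frame it
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(resp_body)))
        self.end_headers()
        self.wfile.write(resp_body)
        save_exchange(self.outdir, next(self.counter), self.requestline,
                      req_headers, body, status, resp_headers, resp_body)

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _relay

    def log_message(self, fmt, *args):  # the saved files are the record
        pass


def start_proxy(port, outdir):
    """Start the proxy in a background thread; returns the server object."""
    LoggingProxyHandler.outdir = outdir
    server = http.server.ThreadingHTTPServer(("127.0.0.1", port), LoggingProxyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_proxy(8080, "output")  # same port and directory as in the post
    print(f"proxy on 127.0.0.1:{srv.server_address[1]}, saving exchanges to ./output")
    threading.Event().wait()
```

Point a browser or curl at 127.0.0.1:8080 as an HTTP proxy and each exchange lands in `output/0001.txt`, `output/0002.txt`, and so on. Stripping hop-by-hop headers and re-framing the body with an explicit Content-Length is not cosmetic: relaying a Transfer-Encoding or Connection header that no longer matches what the proxy actually sends is exactly how proxies produce desynchronised or truncated responses.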

Anonymous Hackers threaten to name 'rapists' if police don't act

The hacking group Anonymous has threatened to make public the identities of four boys accused of gang-raping a Canadian teenager who later killed herself after images of the attack went viral.
The group, notorious for its unique brand of justice, said it was responding to calls from those who felt incensed that police had failed to arrest or convict any of the four accused of raping Rehtaeh Parsons.
Rehtaeh, who was 15 years old at the time of the alleged attack in 2011, suffered almost two years of depression and bullying after pictures purporting to be of the incident were spread around her school, her family has said.
She hanged herself in the bathroom of her home in Nova Scotia on Thursday and died in hospital on Sunday evening.
No one was ever charged for the attack, with police saying the investigation was scuppered by a lack of evidence.
In a video statement, Anonymous said it had already identified two of the alleged attackers and was "confirming a third". The group said it was "only a matter of time" before they found the fourth.
In a message directed to Canadian Justice Minister Ross Landry, Anonymous said it was seeking justice for Rehtaeh and her family.
It said: "Our demands are simple – we want the Nova Scotian police to take immediate legal action against the individuals in question.
"We encourage you to act fast. If we were able to locate these boys within two hours, it will not be long before someone else finds them."
Although claiming it did "not approve of vigilante justice", the group said it would make the names of the alleged rapists public if it believed not enough was being done by the police.
Mr Landry, who reportedly met with Rehtaeh's mother yesterday, condemned the threats, saying: "Leah (Parsons) said she didn't want harm to come to the other young people, that her daughter would not have wanted that."
It is not the first time Anonymous has waded in on such a case.
In August last year, members of the hacking group released information relating to the rape of a young girl in Steubenville, Ohio.
Trent Mays (17) and Ma'lik Richmond (16) were eventually found guilty of the rape last month. (© Daily Telegraph, London)

Cyber attack on Dutch Railways

The Dutch Railways (NS) travel planner website was hit by a DDoS attack and unreachable for hours on Friday night, NS reports.
NS will report the cyber attack to the police, "because this cannot be tolerated," explains the NS spokesperson. NS is deploying extra staff and will take action. "We're on top of it," said the spokesman.
Several Dutch companies, including ING Bank and the payment system PayPal, struggled this week with DDoS attacks on their computer systems. The National Institute for Budget Information (Nibud) therefore recommended on Thursday that people keep enough cash on hand.