Wednesday, May 14, 2008

Headed to Techno Security

Looks like I am headed to Techno Security 2008 in Myrtle Beach. I'm looking forward to meeting up with some people and sitting in on some interesting talks. Good times...

Monday, May 12, 2008

Spot the fake

When I've instructed people on IR, I have run them through a live response scenario where the compromise is fairly obvious (I provide a friendly popup). My favorite thing to do to folks is to transpose letters in the names of commonly associated programs and services. Apparently attackers still like doing this. Can you spot the fake? What are the inconsistencies between the two? Which one is real?
Finally... why does this work? Read this paper if you're interested.


Service Name: Event Log

Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

Path to Executable:
C:\windows\system32\services.exe

Logon:
LocalSystem

Service Name: Events Log

Description: Enables event logs messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

Path to Executable:
C:\WINDOWS\system32\drivers\csrss.exe -k NetworkService

Logon as:
.\Administrator
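As an added example (not code from the original post), here is a small Python triage check that scores the two entries above against a known-good baseline and reports each inconsistency the post asks about: the near-miss name, the wrong image path, an .exe sitting in the drivers directory, svchost's "-k" switch on a non-svchost image, and a non-built-in logon account. The baseline dict, the finding codes and the 0.8 similarity threshold are assumptions for this example.

```python
import difflib

# Constructed baseline (an assumption for this example): in practice it comes
# from a known-good image of the same Windows build, not a hard-coded dict.
BASELINE = {"event log": {"image": r"c:\windows\system32\services.exe",
                          "logon": "localsystem"}}
BUILTIN_LOGONS = {"localsystem", "nt authority\\localservice",
                  "nt authority\\networkservice"}

def norm(text):
    return " ".join(text.lower().split())

def split_image(path):
    """Split a 'Path to Executable' string into (image, arguments)."""
    low = norm(path)
    end = low.find(".exe")
    return (low, "") if end < 0 else (low[:end + 4], low[end + 4:].strip())

def review_service(svc, baseline=BASELINE):
    """Return (code, detail) findings for one service entry; [] means clean."""
    findings = []
    name, logon = norm(svc["name"]), norm(svc["logon"])
    image, args = split_image(svc["path"])
    known = baseline.get(name)
    if known is None:
        # Transposed or pluralised names score high without matching exactly.
        for real in baseline:
            if difflib.SequenceMatcher(None, name, real).ratio() >= 0.8:
                findings.append(("LOOKALIKE_NAME", f"{name!r} resembles {real!r}"))
                known = baseline[real]
                break
    if known and image != known["image"]:
        findings.append(("IMAGE_MISMATCH", f"{image} != {known['image']}"))
    if "\\drivers\\" in image:
        # system32\drivers holds .sys kernel drivers, not service executables.
        findings.append(("EXE_IN_DRIVERS", image))
    if args.startswith("-k ") and not image.endswith("\\svchost.exe"):
        # "-k <group>" is svchost.exe's service-group switch; odd on csrss.exe.
        findings.append(("SVCHOST_ARG_ON_OTHER_IMAGE", args))
    if logon not in BUILTIN_LOGONS:
        findings.append(("NON_BUILTIN_LOGON", logon))
    return findings

# The two entries from the post, typed in as constructed input.
REAL = {"name": "Event Log", "path": r"C:\windows\system32\services.exe",
        "logon": "LocalSystem"}
FAKE = {"name": "Events Log", "logon": r".\Administrator",
        "path": r"C:\WINDOWS\system32\drivers\csrss.exe -k NetworkService"}
```

Running review_service over a full service listing gives an empty list for the genuine entry and five findings for the impostor, which is the same comparison the post asks the reader to do by eye.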

My arch-nemesis

Over the weekend my honeynet got pwned. I mean that in every sense of the word. I'm looking at a 50% rate of compromise. I contained the honeynet and planned on dealing with it this morning. While performing some live response on what I'd targeted as patient-0, my screen went black and my room suddenly got quiet. My office usually hums at about 70 dB, so when my PowerEdge server, firewall, Precision workstation, switches, KVM, Mac mini, 2 workstations AND MY HONEYNET go quiet it's pretty noticeable. I had been in the process of collecting physical memory and... poof.

At first I thought I had popped the breaker. Let's face it, I have quite a bit plugged in. Then my thought process started up again... wait, I've never popped the breaker... why all of a sudden?

There was a bit of shouting and people started running down the hall to see if I'd broken something... kind of funny. I then remembered something... electricians had been sighted earlier in the day. My subordinate confirmed this.

"I just saw someone run from that office into the other room," he said, pointing further down the hall.

I walked to the next office and poked my head in...

ME: "Hey are the electricians screwing with stuff?"

COWORKER: "They shouldn't be."

ME: "Well my office just went dark, where are they?"

COWORKER: "Oh, they're next door, let's go talk to them."

ME: "Probably a good idea."

We both poke our heads into the next room and I spot a power whip lying in the middle of the floor, as if to mock me and display the prowess of the master electrician, and 3 guys looking at prints. On the wall I spot an open single-gang box with wires mashed in a wire nut. That wall is the exact wall where I get power...

ME: "Are you guys messing with power in here?"

ELECTRICIAN: "We saw a few extra wires attached to that whip and had to disconnect it," he says, looking at me sheepishly.

...silence...
...silence...
...silence...

ME: "You just took down my office."

ELECTRICIAN: "Yeah, sorry about that, that's my bad. I had to disconnect the leads on that whip."

I was lost for words. My arch-nemesis killed all reasonable hope of me collecting information. The VM on bootup gave me some corrupted filesystem errors, and the other virtual machines I had running had obviously lost power as well.

Why is the electrician my arch-nemesis you ask? Let's just say this isn't the first time they've struck.