September 1st, 2014

Helix v2.0 released

Helix is the definitive computer forensics and incident response live CD distribution, and it has recently released version 2.0. Here is the list of updated features. Among lots of new tools and tool upgrades, one big change is that it is now based on Ubuntu rather than Knoppix. Some other cool new tools that have been added to Helix are winlockpwn, which bypasses Windows authentication via FireWire; Volatility, for parsing processes, network information and many other things out of raw memory; and something else cool from metlstorm, bioskbsnarf, which parses the real-mode keyboard buffer out of the BIOS data area. It looks like a couple of the newer memory dumping utilities for Windows have also been added to the Windows live portion of the distro.

The only bad thing that I’ve noticed is that the static binaries (important for incident response) are no longer distributed directly on the CD, but at least they are still available for download. Maybe they (or someone else) will put together a DVD that includes these.

I was told a while before the release came out that it was no longer going to be free, so I’m pretty glad to see this release is public and still free. That being said, it’s a worthwhile project to contribute to, so I’d suggest buying a pressed CD to help them out. If not — happy downloading. :)


PS — And yes, it is v2.0 that has been released despite them calling the distribution “Helix 3” for some slightly confusing reason. :)

Toorcon (en route)

I’m at the airport at a very unearthly hour, but the bright side is that I’m headed to Toorcon. If you’re around at Toorcon, I’ll be the one in a black t-shirt. :) I’m looking forward to hanging out with some people that I haven’t seen since the last conference. See you there…

XSRF and Identity Misbinding Attacks

I thought this was kind of a clever chain of attack vectors. I think it illustrates well how you can take multiple smaller security problems, and use the series to exploit something greater (in this case youtube accounts).

In the post Jeremiah links to a good paper that has some other interesting attack vectors. The paper starts with basic XSRF and current remediation strategies, but then goes into some new attacks that cause a victim user to log into a site with the attacker’s credentials. They outline a couple of scenarios where this could allow them to gather credit cards through PayPal, or credentials for iGoogle. They also poke holes in some of the current remediation strategies and even some of the tools that implement them. Defending against this kind of login XSRF is difficult because it requires maintaining some type of pre-session token (a token issued before the user has any session at all), so they also recommend adding a new standard Origin HTTP header, which has a number of advantages. It’s good reading; go read it if you’re at all interested in web security.
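To make the two defenses concrete, here is an added example (my own illustration, not code from the post or from the paper it links to) of how a login handler can combine an Origin header check with a pre-session token. The site origin, the server secret, the cookie name and the function names are all assumptions for the example; the pre-session token is an HMAC of a random pre-session cookie value, so a form token only matches when it was rendered by this site for the same browser.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for this example (not from the post): the site's own origin
# and a server-side secret used to derive pre-session tokens.
SITE_ORIGIN = "https://www.example.com"
SERVER_SECRET = b"example-server-secret-rotate-me"


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lowercased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def request_origin_ok(headers: dict) -> bool:
    """Origin check for a state-changing request such as a login POST.

    Prefer the Origin header; fall back to the origin part of Referer; reject
    when neither is present, because without either header a forged
    cross-site POST is indistinguishable from a legitimate one.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        # A literal "null" Origin also fails this comparison, as it should.
        return origin.strip().lower() == SITE_ORIGIN
    referer = lowered.get("referer")
    if referer:
        return origin_of(referer) == SITE_ORIGIN
    return False


def issue_presession(secret: bytes = SERVER_SECRET) -> tuple:
    """Create a pre-session: a random cookie value plus a derived form token.

    Set the first value as a cookie when the login form is rendered and embed
    the second in the form. Only a page served by this site can embed a token
    that matches the cookie the browser will send back.
    """
    presession_id = secrets.token_hex(16)
    token = hmac.new(secret, presession_id.encode(), hashlib.sha256).hexdigest()
    return presession_id, token


def presession_token_ok(presession_id, token, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the expected token for the cookie and compare in constant time."""
    if not presession_id or not token:
        return False
    expected = hmac.new(secret, presession_id.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)


def handle_login(headers: dict, cookies: dict, form: dict,
                 secret: bytes = SERVER_SECRET) -> str:
    """Decide whether a login POST may proceed. Returns a short verdict."""
    if not request_origin_ok(headers):
        return "rejected: bad or missing Origin/Referer"
    if not presession_token_ok(cookies.get("presession"), form.get("csrf_token"), secret):
        return "rejected: pre-session token mismatch"
    # The credential check would go here. On success, issue a fresh session
    # id rather than promoting the pre-session cookie into the logged-in session.
    return "ok: credentials may be checked"


if __name__ == "__main__":
    cookie, form_token = issue_presession()
    print(handle_login({"Origin": SITE_ORIGIN}, {"presession": cookie},
                       {"csrf_token": form_token}))
    print(handle_login({"Origin": "https://other.example"}, {"presession": cookie},
                       {"csrf_token": form_token}))
```

The two checks are independent: the Origin check catches the cross-site POST regardless of what the attacker puts in the form, and the pre-session token catches a request that arrives without a usable Origin or Referer, which is why the paper argues for having both rather than relying on Referer alone.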

(In)secure Magazine Issue 18

There’s a new issue of (In)secure Magazine out and available for download. It looks like it has a few interesting articles in it on different security tools, PCI (WAF vs. code review) and secure web programming. They usually have some interesting content to flip through, and it’s nice to have it as downloadable content.

Wireless keyboards

I ran across this comic recently, and thought it was pretty funny. There’s more research being done on the topic these days, and I think it would be pretty interesting to take a closer look at it. The GNU Radio project seems to be pretty popular. I’ll put it on the queue of things to do. :)

(Script to) Locate Any WiFi Router By Its MAC Address

I saw a Slashdot post earlier today about a not-so-secret API from SkyHook Wireless to Locate Any WiFi Router By Its MAC Address. I thought this was pretty cool and useful, so I wrote up a quick Python hack/script that uses the API, and I thought that I’d add this as a wicrawl plug-in shortly. It takes the BSSID as an input, outputs all of the information it finds, and can also write a Google Earth KML file to import the location.

I found the information amazingly and scarily accurate so far. When I check for my local access point, it gives me my physical address (in addition to the coordinates) to within two street numbers.

Here’s some anonymized output from the script:

./get-coordinates-from-bssid.py 00:11:22:33:aa:c6 ~/tmp/output.kml
[*] City: Boston
[*] Country: United States
[*] Address: Fancy Pants Rd
[*] Longitude: -70.17905
[*] County: Middlesex
[*] State: Massachusetts
[*] Output KML File: /Users/aaronp/tmp/output.kml
[*] Street Number: 1337
[*] Postal Code: 02138
[*] Latitude: 40.3823964
[*] Finished..

Let me know if you find it in any way useful. I would guess, though, now that it’s been Slashdotted, that the service will likely change as soon as people really start using it. Hopefully not, though. :)

Last day of Toorcon X pre-registration

Today’s the last day to pre-register for this year’s Toorcon X. Held in sunny San Diego, Toorcon is always a blast. There are always a lot of interesting people (speakers, attendees and staff included) to meet and hang out with. In my opinion it’s one of the best security conferences out there, and you should definitely check it out. Hope to see you there!
