Cyber Crime 101

I have partnered with Matt Churchill, who has recently created a new resource for the community- www.forensicartifacts.com. The aim of the site is to provide a reference database for forensic examiners looking for specific information on artifacts of operating systems, programs, and user activity. The website was set up in blog format allowing examiners to subscribe to the RSS feed or simply visit the site and use the global search functions.

There is also a Twitter Feed to keep examiners up to date on new submissions to the site.

The main goal for this site is to become a useful resource for the forensic community. As such, we also rely on the community for submissions. Please take a look at our Submit page and consider donating some of your time and expertise to populating the website.

As this is truly meant to become a community resource, we welcome any and all input from the forensic community. Please feel free to let us know if you think something should be added or changed

Joe

Apple updates iOS for iPhone/iPod & iPad

Cyber Crime 101 — Wed, 11 Aug 2010 22:23:44 +0000

Apple has released iOS 4.0.2 for iPhone and iOS 3.2.2 for iPad. This fixes a vulnerability with a user viewing a maliciously crafted PDF that allowed for code to be arbitrarily executed.

Make sure to update your iOS as soon as possible!

Apple support article for iPhone/iPod iOS 4.0.2 update- http://support.apple.com/kb/HT4291

Apple support article for iPad iOS 3.2.2 – http://support.apple.com/kb/HT4292

Joe

Trusting Your Tools

Cyber Crime 101 — Wed, 04 Aug 2010 17:18:06 +0000

I recently had an article posted to the SANS Forensics & Incident Response Blog titled “Trusting Your Tools”. It covers how, as a Forensicator, you can trust where you get your tools from and the results that they are providing to you.

If you haven’t read it yet, head on over to the SANS Forensics & IR Blog to check it out:

http://blogs.sans.org/computer-forensics/2010/07/29/trusing-tools/

Episode 17- Mac Security

Cyber Crime 101 — Wed, 28 Jul 2010 14:45:18 +0000

In this episode, I talk with Dave Melvin of the Inside the Core podcast about how to secure your Mac. Also, updates to the HacKid Conference & the Dissecting the Hack auction that has proceeds going to Hackers for Charity.

Show Notes:

HacKid Con, which is being held Oct. 9-10, 2010 in Boston, now has it’s registration live. Pricing is as follows:

$50 Early Bird registration until August 30th.

$75 from August 30th until the Conference

$100 at the door

Jayson Street is auctioning off a copy of his book Dissecting the Hack: The F0rb1dd3n Network at DefCon this year on Friday July 30th. In addition to his signature, Jayson is trying to get as many of the people who helped him out with the revised edition of the book to sign it also. Make sure you pass by the I Hack Charities booth and put in your bid.

I posted this last week, but here is the link to Microsoft’s Support page regarding the .lnk vulnerability

Make sure to check out the Inside the Core podcast, which my guest this episode Dave Melvin is co-host for.

Joe

Microsoft advises of fixes to avoid the .lnk/.pif file vulnerability

Cyber Crime 101 — Fri, 23 Jul 2010 13:22:34 +0000

Microsoft has posted both a software and a manual fix/workaround that will help mitigate the .lnk and .pif file vulnerability on their Support page. This vulnerability can allow a someone remote access to your Windows machine from Windows XP all the way up through Windows 7. Use either of the workarounds until Microsoft issues an official patch. If you are not comfortable with editing the Windows Registry manually, I suggest using the software utility provided on the Support page.

For those that haven’t heard about it, Windows incorrectly handles (parses) shortcuts in a way that malicious code may be executed when the icon of a specially crafted (read: Malicious) shortcut is displayed.

Microsoft TechNet Advisory:
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Microsoft Support Page for KB2286198:
http://support.microsoft.com/kb/2286198#LetMeFixItMyself

Joe

Ubuntu Firewall Prep

Cyber Crime 101 — Mon, 19 Jul 2010 19:36:05 +0000

I originally posted this to Anthony Gartner’s Grass Roots Security blog a few months ago. It covers how to get setup with the GUFW Firewall in Ubuntu (Linux). I figure that there may be some of you that might not have checked out Anthony’s blog (which is excellent BTW!) and might benefit from this little tutorial.

There may be some of you that just shook your head and asked “What the hell is Linux?”. Well, it is an Open Source Operating System that has been around since 1991 and is worked on by thousands of developers. It is probably the most configurable OS out there, but the heavy use of command line tends to scare many average users away. There are many different distributions of Linux, with one of them being Ubuntu. With the development of Ubuntu, Linux is now not only for the technically savvy (read: command line junkies). Ubuntu has become a very popular version of Debian-Linux, which is a fairly stable Distro, that is excellent for average computer users and is focused on usability & ease of installation (read: lots of GUI).

With that said, I am going to focus on Ubuntu here. The firewall that is used by Linux distributions is called iptables. It is a command line utility that would make the average user faint. In Ubuntu, the UFW or Uncomplicated Firewall was created, but is still another command line utility. So, eventually, Gufw or Graphical Uncomplicated Firewall was born. It is the GUI frontend for the UFW firewall utility.

The prep for the Ubuntu firewall is not as simple as with Mac OS X or Windows XP/Vista/7, but it is a very easy application to work with. Let’s get started….

First off, Gufw is not installed by default. Let’s get that taken care of. Open a terminal and type apt-get install gufw:

Or, you can use the GUI, Synaptic Package Manger by going to System->Administration->Synaptic Package Manager, go to the search box and type in gufw and mark it for installation & click Apply:

Once that is done, open up Gufw by going to System->Administration->Firewall configuration:

Gufw will now open and you will see this when it first starts:

When you first enable the firewall, it will be set to Allow both Incoming & Outgoing traffic. You will want to change the Outgoing traffic from Allow to Deny to start off:

Also, if you check in Edit->Preferences you will notice that both logging options are turned on by default and that you can set the log detail level you want. You will need to play with this to get your desired results:

From there you can Add rules for your firewall:

Let’s start at the Preconfigured tab. For example, let us say you have no intentions to use FTP (File Transfer Protocol) to remotely push files to your computer, you can use the options under the Preconfigured tab to set it up like so:

You can also go to the Simple tab and choose to either Allow, Deny, Reject or Limit incoming or outgoing communications over a specific port. In the next example, I chose to reject incoming TCP connections to Port 23 (TELNET):

Finally, you can go to the Advanced tab and set rules that will Allow, Deny, Reject or Limit incoming or outgoing communications (TCP, UDP or both) from a range of IP Addresses and Ports:

Well, I hope this post sets you in the right direction. For more information, check out the following resources:

The Gufw Project homepage: http://gufw.tuxfamily.org/wp/

The Ubuntu Community Help page: https://help.ubuntu.com/community/Gufw

Hope you found this helpful!

Joe

Episode 16: Review- 2010 SANS Forensics & IR Summit

Cyber Crime 101 — Fri, 16 Jul 2010 13:57:08 +0000

In this episode, in addition to some news bits, I give a review of the 2010 SANS Forensics & Incident Response Summit. The Summit was held on July 8-9, 2010 in Washington D.C. at the Fairmont Hotel.

Show Notes:

HacKid Con is looking for sponsors- Link to Sponsor package PDF and the HacKid.org website. If you are interested in donating or sponsoring email sponsors@hackid.org

Malicious Firefox addon (Mozilla Sniffer)-

http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/

http://www.computerworld.com/s/article/9179167/Mozilla_yanks_password_stealing_Firefox_add_on

Apple updates iPhone & iPad software- http://www.mobilecrunch.com/2010/07/15/ios-4-0-1-update-now-available-through-itunes/

Shadow Analyzer website- http://www.shadowanalyzer.com/

Yay, I’m going to the 2010 SANS Forensics & IR Summit

Cyber Crime 101 — Tue, 06 Jul 2010 12:55:21 +0000

I had been trying to find a way to go to the 2010 SANS Forensics & IR Summit for some time. My work and home budgets wouldn’t allow for it. Then just as things were getting grim, I was contacted on Friday by my good friend Lee Whitfield of the Forensic4Cast podcast, asking if I wanted to go. He had been given a pass to the Summit to give away and he gave me an opportunity to go. I am both ecstatic and grateful to be going (Thanks Lee, I owe you a few pints!). It gives me a chance to meet some of the other Forensicators that I have been in contact with over Twitter, Facebook, LinkedIn, etc…. It also gives me the chance to see the new SANS “Lethal Forensicator” challenge coin (or RMO) up close and personal (to quote Eric J. Huber- “My Precious”). So, since I have been given this opportunity, I am hoping to be able to share with all of you.

First, make sure to check out the Summit agenda here.

Then, if you have any questions for any of the presenters, email them to me at: cybercrime101 [at] gmail {dot} com. I will try and get your questions answered, based on the availability of the presenter.

Also, if you follow along on the show’s Twitter feed, stay tuned. I am going to try and do some streaming content from the Summit.

Joe

SANS Introduces the Digital Forensics “Lethal Forensicator” Coin

Cyber Crime 101 — Thu, 01 Jul 2010 23:46:32 +0000

Rob Lee has unveiled the new SANS Institute Digital Forensics “Lethal Forensicator” Coin over at the SANS Computer Forensic Investigations & Incident Response Blog. Rob announced that the first time these coins will be awarded will be at the 2010 SANS Digital Forensics & Incident Response Summit next week (July 8-9, 2010).

Here is an excerpt from the post:

What is the SANS Lethal Forensicator Coin?

The Coin is designed to be awarded to those who demonstrate exceptional talent, contributions, or helps to lead in the digital forensics profession and community. The Coin is meant to be an honor to receive it; it is also intended to be rare.

Rob goes on to detail what credentials one must have to receive or be nominated to receive the coin, as well as what the rules of a “Coin Check” are.

Head on over to the SANS CFI & IR Blog to see the full post, including pictures of the Lethal Forensicator coin itself.

Joe