Archive for February, 2012

New Spam Campaign – Spoofing Intuit

Categories: Forensic

Protecting Privileged Domain Accounts: LM Hashes — The Good, the Bad, and the Ugly

February 29th, 2012

[Author's Note: This is the 2nd in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with compromised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.]

I realize the LanMan (LM) hash is old hat for many, but I've recently discovered that the LM hash is even more dangerous than I previously realized. This is due to both the ease of cracking LM hashes on today's hardware and the obscure fact that there is currently no Microsoft-provided feature to remove LM hashes from memory. So even if you think you've heard it all with regard to LM hashes, I encourage you to read on to make sure you are aware of LM hashes lurking in memory.

The Bad

Although the issues with LM hashes are well documented, let me just briefly describe how LM hashes are …

Categories: Forensic

The best feature you never knew existed

February 29th, 2012

Bonjour Reader!

I know I have large gaps in my blog posts; it's not for a lack of ideas but for a lack of time. With the economic recovery in full swing in the legal world we are very busy.

However, I still need to finish my new book and start getting back to blogging more regularly so please feel free to harass me on twitter @hecfblog if I don’t write a post once a week.

In this short post I am going to point out a feature in FTK that has existed since at least 3.3 that I never knew existed. The feature is called 'export lnk contents' in FTK 3.3 and 'export LNK metadata' in FTK 4.0, and it may be the one feature that I wish had existed in FTK for the last 8 years of using it. When I've mentioned what this feature is and what it does to fellow examiners, each of them has said the same two things:

1. "Whoa! This is going to save me so much time!"
2. "Why didn't they tell everyone this was here?!"

So in relation to point number 2, let me do that for them.

HEY EVERYONE, FTK will now export all of the metadata of an LNK file and the contents of the parsed LNKs to a file (from at least 3.2-4.0)!

It can do this with one, some or all LNK files: just highlight them, right click an LNK and the context menu will show the option! Suddenly all the manual copying and pasting into a spreadsheet or running other tools (like TZWorks lslnk) is no longer necessary. This is especially great when it comes to carved LNK files that may not actually be valid and break many third-party tools when they try to parse them.

What all does it export you say?
Keep reading!

Surely there is no way they snuck in a feature everyone wanted and didn’t tell anyone?
I sure didn’t see it!

It must be missing something right?
Not that I can see! It exports into a tab-separated file:
* Shortcut File – Name of the LNK file
* Local Path – The path to the file the LNK file is pointing to
* Volume Type – The type of volume (Fixed, Removable, CDROM) being accessed
* Volume Label – The volume label for the volume being accessed
* Volume Serial Number – The VSN of the volume being accessed
* Network Path – If this was done over the network, the full UNC path to the file
* Short Name – The 8.3 name of the file
* File Size – Size of the file in bytes
* Creation time (UTC) – When the file the LNK file is pointing to was created
* Last write time (UTC) – When the file the LNK file is pointing to was modified
* Last access time (UTC) – When the file the LNK file is pointing to was accessed
* Directory – If the file the LNK file is pointing to is a directory
* Compressed – If the file the LNK file is pointing to is compressed
* Encrypted – If the file the LNK file is pointing to is encrypted
* Read-only – If the file the LNK file is pointing to is marked read-only
* Hidden – If the file the LNK file is pointing to is marked hidden
* System – If the file the LNK file is pointing to is marked as a system file
* Archive – If the file the LNK file is pointing to is marked to be archived
* Sparse – If the file the LNK file is pointing to is 'sparse'
* Offline – If the file the LNK file is pointing to is offline
* Temporary – If the file the LNK file is pointing to is an NTFS temporary file
* Reparse point – If the file the LNK file is pointing to is a reparse point (extended directory information)
* Relative Path – The relative path to the LNK file
* Program arguments – Any arguments stored for the execution of the program
* Working directory – Where the executable will default to for reads/writes without a path
* Icon – What icon is associated with the executable, if any
* Comment – This is an Outlook feature, not sure why it's included
* NetBIOS name – The network name of the system the LNK file was accessing
* MAC address – The MAC address of the system the LNK file was accessing

So the next time you are working a case in FTK and you want to know what was being accessed from external drives (and you are checking shellbags and other artifacts separately, of course), make a filter for all files with the extension 'LNK', right click on one and export all of them to TSV. Import that TSV into Excel, sort by Local Path and you're done! This may be one of the biggest time savers I've found in FTK in years, and I now use it on every case.

Have you found a feature you love that everyone seems to miss? Leave it in the comments below.

Categories: Forensic

Security and IT Pros, I need your help

February 29th, 2012

In my day job I publish two large information security studies a year. This involves completing hundreds of live interviews with security professionals in all types of industries. What’s produced is some of the most comprehensive market research on information security I’ve ever been involved with. But I need your help.

Categories: Forensic, Security

PSI 3.0: Auto-Patching for Dummies

February 28th, 2012

A new version of the Personal Software Inspector (PSI) tool from vulnerability management firm Secunia automates the updating of third-party programs that don’t already have auto-updaters built-in. The new version is a welcome development for the sort of Internet users who occasionally still search their keyboards for the “any” key, but experienced PSI users will probably want to stick with the comparatively feature-rich current version.

PSI 3.0 Beta's simplified interface.

PSI 3.0 introduces one major new feature: Auto-updating by default. The program installs quickly and immediately begins scanning installed applications for missing security updates. When I ran the beta version, it found and automatically began downloading and installing fixes for about half of the apps that it detected were outdated. The program did find several insecure apps that it left alone, including iTunes, PHP and Skype; I suspect that this was based on user feedback. It may also just avoid auto-patching busy programs (all three of those applications were running on my test machine when I installed PSI 3.0); for these, PSI presents the “run manual update,” or “click to update,” option.

But users familiar with previous versions of PSI may be frustrated with the beta version’s intentional lack of options. The beta is devoid of all settings that are present in the current version of PSI, and the user dashboard that listed updated software alongside outdated programs and other options no longer exists. In fact, once a program is updated, it is removed from the update panel, leaving no record of what was updated (I had to sort my Program Files folder by date to learn which programs were touched after running PSI 3.0).

In a blog post accompanying this beta release, Secunia said it wanted to offer a new version that answered the question, “Would your grandparents, or mum or dad, be able to use it easily?” I’d have to agree that this version has a decent chance of succeeding on that front. But assuming that this beta will morph into a standard offering, I hope that Secunia continues to offer two versions of this useful free product: a speedier, more reliable version of the geek-friendly traditional PSI program, and the “light” version for all of our non-geek friends and family.

Teensy PDF Dropper Part 2

February 27th, 2012

Last year I showed how to use a Teensy microcontroller to drop a PDF file with an embedded executable. But I was limited to a file of a few kilobytes, because of the Arduino programming language I used for the Teensy.

In this post, I’m using WinAVR and I’m only limited by the amount of flash memory on my Teensy++.

First we use a new version of my PDF tools to create a PDF file with an embedded file:

Filter i is exactly like filter h (ASCIIHexDecode), except that the lines of hex code are wrapped at 512 hex digits, making them digestible to our C compiler.

Another new feature of my make PDF tools is Python 3 support.

Here is a sample of our C code showing how to embed each line of the pure-ASCII PDF document as strings:

Macro PSTR ensures that the string is stored in flash memory. The embedded executable is 57KB in size, but still takes only half of the flash memory of my Teensy++.

After programming my Teensy++, I can fire up Notepad and let my Teensy++ type out the PDF document:

You can download my example for the WinAVR compiler here:

avr-teensy-pdf-dropper_V0_0_0_1.zip (https)
MD5: EA14100A1BEDA4614D1AE9DE0F71B747
SHA256: 2C9A5DF1831B564D82548C72F1050737BCF17E5A25DCDC41D7FA4EA446A8FDED

Categories: Forensic

Digital Forensics Case Leads: New versions of Bulk_extractor and FTK, new blogs on malware and forensics, and lost flash drives

February 24th, 2012

In this week's edition of Case Leads we have updates to a couple of tools, Bulk_extractor and FTK, as well as two new blogs featuring malware analysis and digital forensics tutorials. If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools: A new version of Bulk_extractor has been released. This tool scans a disk image, file, or directory and extracts useful information without parsing the file system or file system structures. The tool will also create histograms of the information it finds. A new version of FTK was recently made available. The release notes are available as a PDF.

Good …

Categories: Forensic

Sniper Forensics v3: Hunt – Picked up at SANS DFIR Summit!

February 23rd, 2012

Sweet! SANS DFIR 2012 summit picked up Sniper Forensics v3: Hunt!

Categories: Forensic

Advanced Computer Forensic Analysis and Incident Response (FOR508) Hanover MD

February 23rd, 2012

Stepping away from the trenches of the daily grind for a week of training can seem next to impossible, given today's tight training budgets and operational tempo. Yet, for information security professionals, keeping technical skills current and staying abreast of the latest security vulnerabilities and "best practices" is a matter of necessity. So, how can you fit in the training without breaking the budget or creating a security incident? SANS Mentor sessions provide an excellent solution to this problem by delivering high-quality SANS curriculum in your local community through GIAC-certified instructors. Most mentor sessions are taught in smaller class settings over a 10-week period, allowing students more time to absorb course material that is typically taught over a 6-day period. With a strong focus on hands-on exercises, the mentor format is the ideal way to integrate the SANS course material into your daily routines at work.

One upcoming SANS Mentor …

Categories: Forensic