Archive for January, 1970

Fingerprinting Wireless Device Drivers

"Motivated by the proliferation of wireless-enabled devices and the suspect nature of device driver code, we develop a passive fingerprinting technique that identifies the wireless device driver running on an IEEE 802.11 compliant device. This technique is valuable to an attacker wishing to conduct reconnaissance against a potential target so that he may launch a driver-specific exploit.

In particular, we develop a unique fingerprinting technique that accurately and efficiently identifies the wireless driver without modification to or cooperation from a wireless device. We perform an evaluation of this fingerprinting technique that shows it both quickly and accurately fingerprints wireless device drivers in real world wireless network conditions. Finally, we discuss ways to prevent fingerprinting that will aid in improving the security of wireless communication for devices that employ 802.11 networking."

[read full article]

WiFi Radio Fingerprinting

"A new security technique promises to uniquely identify any WiFi device in the world, so hackers cannot hide behind a fake MAC address.

Every wireless device has a unique signal 'fingerprint' produced by variations produced in the manufacturing process for silicon components, according to Dr Jeyanthi Hall, of Carleton University in Ottawa.

As a doctoral student, Dr Hall analysed the RF signals of fifteen devices from six manufacturers, and found it was possible to distinguish clearly, even between devices from the same manufacturer.

Using 'transceiverprints,' Dr Hall got a detection rate of 95 percent, and a false positive rate of zero, according to papers submitted to various conferences, including IEEE events on wireless and security.

She achieved this reliability in the task of 'recognising' the transceiverprint from a pre-recorded set - a job which could usefully be built into a wireless IDS, she says in the paper. Beyond this, things could get even more exciting: 'It would be interesting to identify the correct transceiver (from the set of all profiled transceivers), using the same set of transceiverprints,' she goes on."

[read full article]

A Collection of Rootkit Removal Tools

"IN FOCUS: Rootkit Removal Tools

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Rootkits are a growing problem, and as you might expect, the list of tools that can help you prevent rootkit infiltration is also growing. The list of standalone tools that can help with rootkit detection and removal is also expanding. This week, I give you a list of the standalone detection and removal tools that I know about.

The alphabetical list below can be a resource to help you add some useful tools to your security toolkit. As with antivirus and antispyware tools, using multiple rootkit detection and removal tools is a good idea because not every tool can detect and remove every rootkit.

Of the tools listed, I've used RootkitRevealer, F-Secure BlackLight, Sophos Anti-Rootkit, and IceSword, all of which are from entities that I'm familiar with and trust to some extent or other.

A few of the tools on the list (GMER, DarkSpy, and Rootkit Unhooker) look interesting, but I have no idea who the authors are, nor do their Web sites offer much information to lend insight. So although I included them in the list, definitely use your own discretion.

There are undoubtedly other related tools available that I'm not aware of; if you know of one, please send me an email with details. If you've tried one of the tools below, let me know about your experiences with it.

BitDefender RootkitUncover beta, from SoftWin

This tool is currently available as a free beta and looks promising, particularly because it's from SoftWin, makers of BitDefender.

http://download.bitdefender.com/windows/desktop/internet_security/beta/

DarkSpy, from DarkSpy Security Group

This tool is from a group of Chinese security researchers that I'm unfamiliar with. The download page for the tool says, "Use at your own risk," and you'd be wise to take that advice; however, it might give you a little comfort to know that this tool was recently mentioned in the SANS Internet Storm Center's Handler's Diary. Click the second URL under the Helios entry below to link to that mention.

http://www.fyyre.net/~cardmagic/index_en.html

F-Secure BlackLight

This is a standalone "trialware" tool, meaning that it periodically expires after a certain date--currently October 1. It's also a standard component of F-Secure's Internet Security 2006 package.

http://www.f-secure.com/blacklight/blacklight.html

GMER, from an unknown independent Polish developer

Although no information is readily available about who developed this tool, its Web site has several screenshots and some movies (in .wmv and .avi format) that show the tool in action. So you can get a good idea of what it's like before using it.

http://www.gmer.net/

Helios, from MIEL e-Security

This is a new tool, currently in "alpha" development, that looks promising. For some good insight into Helios, go to the second URL below to read the SANS Handler's Diary entry for July 26, in which you can also see some screen shots of the tool in action.

http://helios.miel-labs.com/
http://isc.sans.org/diary.php?storyid=1487

IceSword, by Xfocus Team

IceSword has proven useful to many security administrators. Xfocus is a group of Chinese security researchers, and while the site is written in Chinese, you can use AltaVista's Babel Fish Translation engine (at the second URL below) to view it in English. You can also use Babel Fish to translate the Chinese documentation.

http://www.xfocus.net/tools/200509/
http://babelfish.altavista.com/babelfish/tr?trurl=http://www.xfocus.net/tools/200509/&lp=zt_en

RKDetector, by Miguel Tarasco Acuna

This toolkit comes in two parts: A file system analyzer and an Import Address Table (IAT) analyzer. The file system analyzer scans the file system and registry, and the IAT analyzer scans memory space for alterations that would allow rootkits to hook into the system. Screen shots are available to give you a good idea of what the tool looks like.

http://www.rkdetector.com/

RootKit Hook Analyzer, from Resplendence Software Projects

Although most rootkit detection tools look at kernel hooks, the file system, the registry, user accounts, and so on, this particular tool focuses exclusively on kernel hooks.

http://www.resplendence.com/hookanalyzer

RootkitRevealer, from Sysinternals

A tool written by Mark Russinovich and Bryce Cogswell, two very well known Windows experts.

http://www.sysinternals.com/utilities/rootkitrevealer.html

Rootkit Unhooker, from UG North

Although I have no idea who UG North is, the tool looks promising. It checks for unwanted processes and system hooks and can help terminate such processes.

http://www.rkunhooker.narod.ru/

Sophos Anti-Rootkit

This standalone tool offers both a GUI and a command line version and is similar to the antirootkit technology built into the Sophos Anti-Virus for Windows solution.

http://sophos.com/products/free-tools/sophos-anti-rootkit.html

System Virginity Verifier, FLISTER, and KLISTER, by Joanna Rutkowska

These tools specifically look for hidden files and at various system components that might be modified by various rootkit techniques. Source code is included. Rutkowska is a well-known researcher.

http://www.invisiblethings.org/tools.html

UnHackMe, from Greatis Software

While all the other listed tools are free, this tool is priced starting at $19.95 for a single license. You can view screen shots of the tool to see what it looks like and download a working demo if you're interested.

http://greatis.com/unhackme/

===

Copyright 2006, Penton Media, Inc. All rights reserved."

VMware Forensics Using Live View

"Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to 'boot up' the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra 'throw away' copies of the disk or image to create the virtual machine.

Live View is capable of booting:

* Full disk raw images
* Bootable partition raw images
* Physical Disks (attached via a USB or Firewire bridge)

containing the following operating systems:

* Windows XP, 2000, 2003, NT, Me, 98
* Linux (limited support)

Behind the scenes, Live View automates a wide array of technical tasks. Some of these include: resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed; creating a customized MBR for partition-only images; and correctly specifying a virtual disk to match the original image or physical disk."

[read full article]

Intro to OpenBSD

"OpenBSD is quite possibly the most secure operating system on the planet. Every step of the development process focuses on building a secure, open, and free platform. UNIX® and Linux® administrators take note: Without realizing it, you probably use tools ported from OpenBSD every day. Maybe it's time to give the whole operating system a closer look.

When security is of the utmost importance, it's only logical to look to the same operating system that spawned today's standard in secure remote access, OpenSSH (Open Secure Shell). OpenSSH is just one part of OpenBSD, a distribution that has focused on security from the ground up, accomplishing a goal of creating a UNIX®-like operating system that is secure by default. This stand is in contrast to most operating systems today, which require significant time and energy to harden the environment before going live. In fact, OpenBSD is so secure that it was once banned for use in a DEF CON competition, where crackers go after each other's systems.

An overview of BSD

Berkeley Software Distribution (BSD) is one of the oldest and most common flavors of UNIX. Today, it has been split into multiple versions, with three common open source distributions leading the way:

* FreeBSD
* OpenBSD
* NetBSD

While FreeBSD is the most widely used of the three distributions, each version has significant upsides that make choosing the correct solution an important decision. FreeBSD is the most general of the three and thrives in i386 environments. When security is the highest item on your priority list, OpenBSD is the right distribution. NetBSD offers a small and extremely portable alternative, running on a huge variety of architectures.

The OpenBSD audit process

The OpenBSD audit process might be the biggest factor in the consistent security found in this distribution. A team of experienced developers focuses on auditing each piece of code entered into the source tree. Code is analyzed for security flaws as well as bugs in general -- bugs that might not affect general functionality but could be exploited as security flaws down the line. Every bug is taken seriously and immediately addressed. This proactive approach has kept OpenBSD from being susceptible to unknown exploits, which other distributions have to scramble to cover upon discovery."

[read full article]