Wednesday, November 24, 2010

Keep your passwords safe

This post goes along with the last one. I had hoped to fit all of it into a single post, but I forgot to add this part. In the last post I talked about some good things to do to keep your home systems safe (that advice, of course, only pertains to Windows systems). This is the rest of my answer to "What should standard home users do to secure their systems and information?"

Another issue people run into is that they tend to use the same password in many places. Their password on their bank site is their password on their Facebook account, which is their password for their email. Others use one password for "secure" things like banks and credit accounts, and another password for simple things like Facebook, blog sites, fantasy football sites, etc.

This is not good! It is one of the main ways people get their identity stolen. Once one site's password is known, every other site that shares it is open too. A criminal will often find information on a Facebook or MySpace wall or in posts that leads them to a password for your email or, worse yet, your bank. Another problem is that banks and other sensitive sites give you a few questions to answer to reset your password. People pick answers like birthdays, pet names, favorite sports teams, etc. The problem is that home users are also posting exactly that information to their social network sites.

So what do we do, Curt? Download a password manager such as the one I use here. One of the things I like about this application is that it can generate good passwords for you. If you go to the properties of a new entry you will see a password policy. I recommend 15 or more characters, using all available character types, including symbols such as !#%^. Then click the Generate button on the main page of the new entry. This creates a password of the length you specified from the character types you specified. (Note: some generated passwords contain characters that a site or application will not accept. You will then need to read that site's FAQ to learn its password rules and adjust the policy accordingly.)
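To show what such a policy actually does under the hood, here is an added example (my own illustration, not Password Safe's code) that generates a password from a policy like the one described above: a minimum length, a set of required character classes, and an exclusion list for the odd symbols a particular site refuses. The symbol set and the function names are my own choices; it also estimates the entropy of the resulting password so you can see what the extra length and character types buy you.

```python
import math
import secrets
import string

# Character classes a password policy lets you switch on or off. The symbol
# set is my own choice; Password Safe's list may differ.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALL_CLASSES = ("lower", "upper", "upper", "digit", "symbol")[:1] + ("upper", "digit", "symbol")


def _pools(classes, exclude):
    """Return one candidate pool per requested class, minus excluded chars."""
    pools = []
    for name in classes:
        pool = "".join(ch for ch in CLASSES[name] if ch not in exclude)
        if not pool:
            raise ValueError(f"class {name!r} is empty after exclusions")
        pools.append(pool)
    return pools


def generate_password(length=15, classes=ALL_CLASSES, exclude=""):
    """Generate a random password that is `length` characters long and
    contains at least one character from every class in `classes`.

    `exclude` holds characters a site will not accept (the adjustment the
    post mentions), so they never appear in the output.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    pools = _pools(classes, exclude)
    alphabet = "".join(pools)
    # One guaranteed pick per class, the remainder from the whole alphabet,
    # all drawn from the OS cryptographic RNG via the secrets module.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Shuffle so the guaranteed picks do not always sit at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password, length=15, classes=ALL_CLASSES, exclude=""):
    """Check a password against the same policy (useful for passwords you
    typed yourself rather than generated)."""
    if len(password) < length:
        return False
    if any(ch in exclude for ch in password):
        return False
    return all(any(ch in CLASSES[name] for ch in password) for name in classes)


def estimate_bits(length=15, classes=ALL_CLASSES, exclude=""):
    """Entropy in bits of a uniformly random password over the alphabet.
    (The class-guarantee above removes a negligible fraction of it.)"""
    alphabet_size = sum(len(p) for p in _pools(classes, exclude))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(estimate_bits(), 1))
```

A 15-character password over all four classes comes out around 97 bits, which is far beyond anything an attacker can guess online; the same policy with only lowercase letters gives about 70 bits, which is why the post recommends using every character type the site allows.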

After you have your new super strong password, you're probably thinking, how am I going to remember this? The good news is that you don't have to! When you create a password database, it will ask you for your main password. Make this as strong as you can, but the key here is to make one that you can remember. If you forget this password, there is no going back! No one I know can retrieve lost passwords from this system. That's a good thing for security, but bad if you forget.

Now I will say something that you won't hear from me often! In this case, it might make sense to write down the main password on a piece of paper and keep it in your home safe. You can also ask me for some whimsical ways to store this information in your phone's contact list and such. The only reason I say this is that if you lose it, you will not get this data back!!!

So when you run the Password Safe application, it will ask you for your main password. Once you enter the correct password, you will see a list of all of your entries. Right-click an entry and you can choose to copy the password. You can then paste it into your browser when the website asks for it, so you never have to remember it. You can also choose Edit and display the password if you need to.

There is another nice option here. Each entry, including one for a secure site such as a bank, has a notes section. When a site asks me for password reset questions, I give completely bogus answers. To remember which questions and answers I used where, I put them in the notes section. This protects against someone trying to harvest the answers to our questions from the Internet, because the answers are completely false and off the wall. That is why I need to keep track of what I put :)

The only other thing I can add to this is to not save passwords in the browser. Do not use a site's (or the browser's) functionality to remember passwords. This is a bad idea: the browser stores those passwords on your disk, and malware running under your account can often read them out. Just keep your password safe handy and your passwords will be very secure.

But what happens when I'm away from home and don't have my laptop and password safe? Good question! Password Safe has an option to install to a USB drive. You can get a 1GB USB thumb drive for $5 or $10 tops these days. If you do that, you will always have your password safe with you. The database on the drive is still protected by your main password, so losing the drive is not a disaster, but don't type that main password into a computer you don't trust.

One final recommendation is that some secure sites, banks especially, offer what is called multi-factor authentication. If you're not sure whether your bank offers it, ask. This is usually a small token that they send to you, a code display built into your card, or a code they text to your phone. The value is a one-time code that normally changes every 30 seconds or so. When you enter your password on the site, you also enter a PIN along with the number showing on the token at that very moment. This is probably one of the most secure ways to access sensitive data across the Internet at this time. Even things like online games are offering this type of security. When in doubt whether they offer it, ask.

Sunday, November 21, 2010

Need a little more security?

OK, so you have your Anti-Virus and you keep it up to date. You run some sort of Anti-Malware program (such as Malwarebytes) once in a while to catch things your AV might have missed. Maybe you even downloaded the application I talked about in my last post to let you know when you have out-of-date applications. What else could there be, you ask?

Glad you asked. Adobe finally released their "sandboxed" version of Adobe Reader. This is their response to the problems they have had. Guess what, though? The sandbox relies on Windows security features that older versions of Windows lack, so it gives you the most protection on Windows Vista or higher. If you are running Windows 7 or Vista, I recommend you go and install Adobe Reader X now; you can get it here.

But wait...there is more!

A while back, Microsoft released a tool called EMET. This stands for Enhanced Mitigation Experience Toolkit. You can download it here. I highly recommend you do that after you get the rest of your applications up to date. This program adds some additional protections for your programs. I have tested this in my lab environment and I have been unsuccessful in getting standard Adobe exploits to execute properly while running it. If you add it to the new Adobe Reader X, I can only imagine it will get even better (I haven't fully tested with Reader X yet to say for sure).

Download and install EMET. After installing it, go to your Start menu and locate EMET 2.0 (note: it may be under the Enhanced Mitigation Experience Toolkit folder under All Programs).

Once the application is running, click the Configure System button. Set DEP, SEHOP, and ASLR to Always On; if Always On is not offered for one of them, pick the strongest setting that is offered (Application Opt In at minimum). Click the OK button.

Next, click the Configure Apps button in the lower right-hand corner. This brings up the Configure Applications window. Click the Add button in the lower left-hand side. Double-click your C drive. Double-click Program Files (or Program Files (x86) if you're running a 64-bit machine; you will know you are if you see a Program Files (x86) folder here). Double-click the Adobe folder. Double-click Reader 10.0 (if you installed Reader X as instructed; if not, choose the version you have listed, such as 9.0). Double-click the Reader folder. Finally, double-click AcroRd32.exe. Ensure all of the boxes are checked for DEP, SEHOP, NullPage, HeapSpray, EAF, and Mandatory ASLR.

Click Add again. This time, click your C drive, Program Files (or Program Files (x86)), and then double-click the Java folder. Double-click the jre6 folder. Double-click the bin folder. Double-click the java executable and ensure all of the check boxes are selected.

Next, click Add again. This time navigate to C:\Program Files\Internet Explorer. (Note: if you're running a 64-bit machine and have the Program Files (x86) folder, you will want to do these steps for both C:\Program Files\Internet Explorer and C:\Program Files (x86)\Internet Explorer.) In each of those folders, choose the iexplore.exe file. Ensure that the check boxes are all checked for these as well.

You will want to do the same thing for any other browser you might use, such as Firefox or Google Chrome. Just find their exe files and choose them. (Note: you can normally find these by right-clicking the icon on your desktop or Start menu folder and choosing Properties.) I would also recommend you do the same thing for your Anti-Virus, Anti-Malware applications and Office applications. One caveat: these mitigations occasionally break a program. If an application you added starts crashing on launch, open its entry in Configure Apps and uncheck the mitigations one at a time until it runs again, rather than removing EMET altogether.

When you're done adding all of your programs, click the OK button. This brings you back to the main screen of EMET. Click the red button with the white X in the upper right-hand corner. A warning pops up saying the changes you made require you to restart your system. Click OK. This does not force a restart; save all your documents and whatnot and then reboot your machine.

This is not a silver bullet to keep you safe, but I can guarantee it will make it more difficult to be infected with malware if you do the following:

Keep your OS and third party applications up to date.
Keep your Anti Virus application and signatures up to date.
Keep your Anti Malware application and signatures up to date.
Upgrade Adobe Reader to Adobe Reader X.
Install EMET and configure it to protect all of the commonly exploited applications (Adobe Reader, Java, Anti-Virus applications, web browsers, Office applications, etc.).

If you have any questions, please let me know!

Sunday, October 24, 2010

Are you Up 2 Date?

Many people keep up on their Windows patches, which is a good thing. If you don't, shame on you! You should. It's easy: just turn on Automatic Updates, located in the Control Panel of your Windows operating system.

Here is something you might not have known: a lot of the malware coming out these days targets vulnerabilities in third-party applications such as Adobe Reader, Java, Chrome, etc. How often do you update those applications?

Agreed, it's a pain to update each individual application you may have. Enter Secunia's Personal Software Inspector (PSI). This is a free application that lets you know when you have programs with known vulnerabilities or patches available. It also helps you get the patches for each program.

They also have an online version called Online Software Inspector, but it covers fewer applications than the PSI. I recommend installing the PSI and giving it a try. It's highly important to keep ALL of your applications up to date, not just the Windows ones!

Friday, October 22, 2010

Interesting DNS results

Most of you have probably heard of Wikipedia. If not, where have you been? Under a rock? I saw a demo the other day of something rather interesting. Apparently, you can look up quick references from Wikipedia using DNS tools such as NSLOOKUP and DIG. All you need to do is specify what you want to look up followed by .wp.dg.cx. Here are a few examples with their output:

With DIG (looking up dogs):

dig txt dogs.wp.dg.cx

;; QUESTION SECTION:
;dogs.wp.dg.cx.            IN    TXT

;; ANSWER SECTION:
dogs.wp.dg.cx.        86400    IN    TXT    "The dog (Canis lupus familiaris) is a domesticated subspecies of the gray wolf, a member of the Canidae family of the order Carnivora. The term is used for both feral and pet varieties. The domestic dog has been one of the most widely kept working and com" "panion animals in human history. http://en.wikipedia.org/wiki/Dog"

With NSLOOKUP (looking up Cats):

nslookup -querytype=txt cats.wp.dg.cx

Non-authoritative answer:
cats.wp.dg.cx   text =

        "The cat (Felis catus), also known as the domestic cat or house cat to distinguish it from other felines and felids, is a small predatory carnivorous species of crepuscular mammal that is valued by humans for its companionship and its ability to hunt vermi" "n, snakes, scorpions, and other unwanted household pests. It has been associated with humans for at least 9,500 years... http://a.vu/w:Cat"

I'm not sure how they are doing it yet, but it's a geeky little feature that I thought I would share :). You do need to specify that you want TXT records only. You do that by specifying txt in your DIG command or -querytype=txt in your NSLOOKUP command if you are typing it all on one line. If you use interactive NSLOOKUP, use set type=txt.
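One detail of the output above worth understanding: both tools print the answer as two quoted strings ("...working and com" "panion animals..."). That is not two records. A single TXT record's data is a sequence of length-prefixed "character-strings", each at most 255 bytes (RFC 1035), so any text longer than that has to be split and the tools show each piece in its own quotes; the reader simply concatenates them. The following added example (mine, not the wp.dg.cx service's code) builds and parses that wire format, using the dog text from the dig output above as constructed sample input. Function names are my own.

```python
MAX_CHARACTER_STRING = 255  # RFC 1035 <character-string> length limit

# Sample input: the Wikipedia summary returned for dogs.wp.dg.cx above.
DOG_TEXT = (
    "The dog (Canis lupus familiaris) is a domesticated subspecies of the "
    "gray wolf, a member of the Canidae family of the order Carnivora. The "
    "term is used for both feral and pet varieties. The domestic dog has "
    "been one of the most widely kept working and companion animals in "
    "human history. http://en.wikipedia.org/wiki/Dog"
)


def encode_txt_rdata(text):
    """Encode text as TXT RDATA: one or more <length byte><bytes> strings.
    Text is chunked at 255 bytes, exactly as a server has to do it."""
    data = text.encode("utf-8")
    if not data:
        return b"\x00"  # a TXT record must carry at least one (empty) string
    out = bytearray()
    for i in range(0, len(data), MAX_CHARACTER_STRING):
        chunk = data[i:i + MAX_CHARACTER_STRING]
        out.append(len(chunk))
        out += chunk
    return bytes(out)


def decode_txt_rdata(rdata):
    """Parse TXT RDATA back into its list of character-strings (as bytes).
    Raises ValueError if a length byte points past the end of the data,
    which is the check a resolver must make on untrusted responses."""
    strings = []
    i = 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated character-string in TXT RDATA")
        strings.append(rdata[i:i + n])
        i += n
    return strings


def dig_style(strings):
    """Render the strings the way dig prints them: each in its own quotes."""
    return " ".join('"%s"' % s.decode("utf-8", "replace") for s in strings)


def join_txt(strings):
    """What a client actually wants: the pieces concatenated into one text."""
    return b"".join(strings).decode("utf-8")


if __name__ == "__main__":
    rdata = encode_txt_rdata(DOG_TEXT)
    pieces = decode_txt_rdata(rdata)
    print(len(pieces), "strings;", dig_style(pieces)[:80], "...")
```

Because chunking happens on bytes, a multi-byte UTF-8 character can be split across two strings; that is fine on the wire, which is why join_txt decodes only after concatenating. The truncation check in decode_txt_rdata is the part that matters for anyone writing a DNS client: a malformed length byte must not let you read past the buffer.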

Wednesday, October 20, 2010

WinRM

What is it? Well, it appears to be a way to manage Windows systems over HTTP or HTTPS. This just sounds like a bad idea to me! I haven't looked much into it yet, so I cannot say it is definitely a bad idea just yet. It seems I can get system information remotely, including disk information and process information, start or stop services, or make system changes remotely.

So, why would this be a bad idea? Well, first of all it supports HTTPS, which is a secure web protocol. That's a good thing, right? Doesn't that take away some of the problem? NO! Now an attacker has encrypted communications to your workstations. This is going to bypass your network security defenses, unless of course you are using some sort of SSL man-in-the-middle inspection that lets you see into encrypted sessions. Since most are not doing that, this is a serious risk.

Think of it this way. In my last post I was discussing how I was attempting to bypass application whitelisting by providing a valid signature that would be trusted on such a system. Why would I bother with that now if I can use WinRM, which is probably not only signed by Microsoft but is a Microsoft built-in tool (on Vista and above)? Of course this tool is going to be trusted. Now it's even easier to control your system without using those evasion techniques.

Expect to see more from me on this. I'm going to continue testing it out and see how far one can actually go with this technology.

Sunday, October 17, 2010

New leaf on blogging

OK. I'm sorry it's been so long. It is harder to keep up with blogging than I thought. I think I have a new plan. I tend to take at least 15 minutes every day to learn something new in computers, probably more computer security than computers in general. What I plan to do is post a synopsis of what I learned each day. That way I can share what I am learning and solidify the concept in my own mind as well. So this will be my first.

The first thing I'd like to announce is a second blog that I now have to keep up with: http://internetopenurla.blogspot.com/. On that blog we will basically be taking malware samples from the wild that we have come across or that people have submitted. We will reverse engineer the malware step by step and show how we do it. This will help people learn the common techniques used to find out what malicious software is doing, and thus how to stop it. We plan to post there once a month. You can follow the updates on Twitter @inetopenurla.

So on to the regularly scheduled program. What did I learn today? Glad you asked.

I have been looking at ways to get around application whitelisting programs such as Bit9 or Microsoft's AppLocker. For those who may not know, application whitelisting is a technique where you state that you only want to allow certain applications that you know to be good. All other applications will not run because they are not approved. You can approve applications in a number of ways. You can approve by the digital signature of the application's publisher (i.e. Microsoft), or you can allow files to run based on their hash value. A hash value is a fingerprint computed from the file's contents, so renaming the file, or renaming some other file to match its name, does not change the result; the whitelist still sees them as different. You can also allow applications based on where they are installed on your system (i.e. C:\Program Files or C:\Windows\System32).

So I have been trying to see how I can get around this. It turns out that Microsoft includes an application called iexpress on Windows XP and above. This application allows you to combine multiple files into one self-extracting executable. The interesting thing is that if you look at the publisher information, it appears to be signed by Microsoft. Files like that are generally on your Allow list in whitelisting, because we should all trust Microsoft, right ;)

You can see an example of how to do this with Metasploit and the iexpress tool mentioned above here. It turns out that my testing with Microsoft AppLocker using the default rules still blocks this technique. I'm continuing my journey to see if I can figure out a way around that.
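To make the three rule types concrete, here is an added toy model of a whitelist decision (my own illustration, not AppLocker's or Bit9's engine, which also have deny rules, user scoping and signature validation). It evaluates path, hash and publisher rules against constructed sample files and shows the trade-offs the post touches on: a hash rule survives a rename but not a one-byte change, a publisher rule trusts anything the publisher ever signed (including a repackaging tool like the one above), and a path rule only helps if the file runs from an allowed directory. The `Binary` and `Rule` classes and all file contents and paths are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Binary:
    """What the whitelist sees about a file at launch time (constructed)."""
    path: str
    contents: bytes
    publisher: Optional[str]  # signer subject from the Authenticode signature, or None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.contents).hexdigest()


@dataclass
class Rule:
    kind: str   # "path", "hash" or "publisher"
    value: str


def matches(rule: Rule, binary: Binary) -> bool:
    """Return True if one allow rule covers this file."""
    if rule.kind == "path":
        # Normalise case and require the allowed directory to end with a
        # separator, so C:\Windows\ does not also allow C:\WindowsEvil\.
        prefix = rule.value.lower()
        if not prefix.endswith("\\"):
            prefix += "\\"
        return binary.path.lower().startswith(prefix)
    if rule.kind == "hash":
        return binary.sha256 == rule.value.lower()
    if rule.kind == "publisher":
        return binary.publisher is not None and binary.publisher == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def allowed(rules: List[Rule], binary: Binary) -> bool:
    """Default-deny: a file runs only if some allow rule matches it."""
    return any(matches(r, binary) for r in rules)


# Default-style path rules: anything under Windows or Program Files runs.
DEFAULT_PATH_RULES = [
    Rule("path", r"C:\Windows"),
    Rule("path", r"C:\Program Files"),
]

# Constructed sample files.
NOTEPAD = Binary(r"C:\Windows\System32\notepad.exe", b"notepad-bytes", "Microsoft Corporation")
# A self-extracting package built with a Microsoft-signed tool, dropped and
# run from the user's temp directory (constructed; mirrors the iexpress idea).
PACKAGE = Binary(r"C:\Users\bob\AppData\Local\Temp\update.exe",
                 b"sfx-wrapper+payload", "Microsoft Corporation")
# A look-alike directory name that a sloppy prefix check would allow.
LOOKALIKE = Binary(r"C:\WindowsEvil\tool.exe", b"evil", None)


def hash_rule_for(binary: Binary) -> Rule:
    return Rule("hash", binary.sha256)


if __name__ == "__main__":
    print("notepad under path rules:", allowed(DEFAULT_PATH_RULES, NOTEPAD))
    print("package under path rules:", allowed(DEFAULT_PATH_RULES, PACKAGE))
    print("package under publisher rule:",
          allowed([Rule("publisher", "Microsoft Corporation")], PACKAGE))
```

The last two lines are the point of the post: with path rules alone, a package run from a temp directory is blocked no matter who signed it, but the moment an administrator adds a broad "allow anything signed by Microsoft" rule for convenience, that same package sails through.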

Friday, April 30, 2010

When good sites go bad

This is a follow-up to a question from a reader of the previous post. Paraphrased, it was: can websites become malicious at any time? Should we scan websites that we visit frequently, or just new ones? That is an excellent question, so good that I figured I would follow up on the last post.

The short answer is yes. I would scan sites semi-regularly, even ones you go to all of the time. I would especially recommend this for sites that involve financial transactions. I am including some links here to stories where well-known sites have been found distributing malicious content. This isn't necessarily the site doing it on purpose; more often people target these sites (or the ad networks they use) in an attempt to infect more people.

Another thing that helps is to make sure you are doing your Microsoft Updates. Move to the IE 8 web browser (you should get this from Microsoft Update; if not, you can go to microsoft.com and download it). To know if you are running IE 8, open the browser, go to the Help menu, then About Internet Explorer. Alternatively, you can use Firefox. Remember to keep that updated as well.

Finally, you can go so far as to run your browser in a virtual machine or with a program such as Sandboxie. Sandboxie runs the browser in an isolated sandbox, so anything it writes to disk or the registry stays inside the sandbox and can be thrown away afterwards. This isn't a silver bullet, just another arrow for the quiver.

CNN Malware
When malware strikes via bad ads on good sites
Malware Delivered by Yahoo, Fox, Google ads

Relax, the Internet isn't all bad stuff. Here is a palate cleanser to show you that:

Surprised Kitty
Charlie Bit Me!

Thursday, April 29, 2010

Is that site malicious?

I know I promised my next article would be how to create a malware lab with VMware. I had to sidestep for a moment for an idea that came to me from one of my avid readers (Thanks Sara! :))

Some who read my blog don't know a whole lot about security, or possibly about computers in general. They have come to enjoy the things that the Internet and their systems can do for them. This is great! I encourage everyone to see what can be learned and done on the computer. It does raise some issues, though.

With all of the good stuff on the web, there is also a bunch of bad stuff. I get asked a lot how to know if a site is legit. This is not completely clear-cut, but I wanted to share some links so everyone can do some checking of a site before visiting or returning to it.

I will start with some links I use to check sites:

AVG Link Scanner
Finjan URL Analysis
Norton Safe Web
Malware Domain List

I normally run a URL through those to see whether the site may or may not be malicious. This isn't all I do, but the rest is difficult without a more advanced understanding of website code. I would like to say that this isn't a guarantee either; it is just another check to make. If you ever need a site analyzed and you want my opinion, just email me at cshaffer(remove this and change at to @)atgmail.com. I would be more than happy to check it out for you.

There are other sites where you can check a URL as well. Here is my final link, which collects the links above and more, in case you really want to dig in.

Lenny Zeltser: Fighting Malicious Software

Enjoy, and please reach out if you have any questions. The next post will be how to build a malware analysis lab with VMware....I promise :)

Tuesday, April 20, 2010

niaga emit gnol a neeb s'tI

What is that gibberish? It says "It's been a long time again", but reversed. Why reversed? Well, to make it short, I have been immersed in reverse engineering the past few weeks. I do a good bit of this at work and it has become my focal point in security these days. I really enjoy it. I wanted to write this post to provide some beginner steps for anyone who wants to go down this road.

One of the first things I think everyone asks is "yeah, but I hate programming, do I need to learn how to program?". I think it is important to understand programming concepts very well. Do I think you need to be able to write a full object-oriented application for the masses? No, but you should know solid programming structures such as variables, loops and functions. The more you know about programming, the easier it will be. I also think one has to have a pretty decent knowledge of assembly language. Again, you don't need to be writing enterprise-worthy applications, but you should know how the stack and heap work, know PUSH and POP, and the registers such as EAX, EBX, etc. You should also know the logical operations such as XOR (which you will see constantly, for example XOR EAX, EAX to zero a register), the comparisons such as CMP and TEST, and the jump instructions such as JMP, JNZ, etc., since comparisons followed by conditional jumps are how the code you are reversing makes its decisions.

You're probably saying, "I thought you said I don't have to learn programming!". OK, you may need to spend some time getting familiar. I would recommend Assembly Language Step-by-Step by Jeff Duntemann. I know it's an older book, but to be honest, with the exception of 64-bit addressing (which is a big change), there isn't much that is new in assembly. Depending on your higher-level programming skills, you may want to grab something like Algorithms in C++ Parts 1-4: Fundamentals, Data Structures, Sorting, Searching.

Next, I want to preface what I am about to say with a warning. My giving these links does not in any way, shape or form condone what anyone does with the information. I'm just saying there are many options available to really learn reversing. Some use it for evil, while others use it for good.

With that out of the way, the best way to learn how to reverse is to, well, reverse stuff :). There are a lot of collections of files out there, not bound by copyright, called crackmes. These are little applications that people who know and enjoy reversing provide for others to learn from. They are small programs, normally built by the author of the accompanying tutorial, used to teach by example. Starting here is probably not a bad thing. Find as many as you can, following the tutorials less and less as you go on. Then you might move on to sites that have samples of known malware. Be careful here: you need an isolated machine when playing with malware, because reversing malware can lead to infection. I personally use VMware on my Mac and it works great because I can revert to a clean snapshot after every sample. In my next post, I will give some simple instructions on how to build an analysis machine using VMware.

I am leaving you with some links to the things I mentioned. Remember, I do not condone or hold responsibility for what you do with this information. I can only hope you are going to use it for good.

Binary Auditing Free Training

Reverse Engineering Community Forum
ARTeam crackme examples and tutorials
SANS Reverse Engineering Course

You can also search for crackme tutorials, reverse engineering, or reverse engineering malware on YouTube or SecurityTube.

Enjoy!

Friday, February 12, 2010

P90x day 31

If you read my last blog post, you know that I started P90X. It's hard to believe it has been 30 days! It was really rough at first. I actually had an issue where I started to get headaches every day. With that said, it was nothing major and it was fixable. Heed this warning: use a heart rate monitor. My problem was that my heart rate was over 90% the whole time. This causes symptoms, at least in me, that resemble high blood pressure: headaches, light-headedness, and it could lead to stroke! I'm not a doctor, but I highly recommend it. After getting a heart rate monitor and keeping under 80% on the hardest workouts, I have alleviated the problem.

Now a word on day 31. Just when you think you've got the hang of this, you're feeling good, completing the workouts, maybe you have even worked up to doing much the same reps that they are doing on the video. FORGET YOU EVER STARTED! Day 31 makes it feel like day one again. No joke! I'm having trouble typing this right now because my shoulders hurt so bad and my muscles are shaking. It burns! Good luck!

I will say this. Taking the 30 day pictures and seeing a result along with feeling better in my clothes and just the general healthy feeling is worth every minute! I will check in on this topic again on day 61. I can only hope it's not like 31 :)

Friday, January 15, 2010

Off of Security for a few

I just wanted to start a small series of posts that are a little off the security topic. I will intersperse these with the same good ol' security posts, but I wanted to mention a few other things as well.

A lot of people like me, some call us geeks I suppose, have desk jobs and type all day long. When you work long hours in such an environment, some of us tend to get out of shape. I have certainly gotten out of shape over the years and decided to do something about it. An old colleague of mine tried this workout system called P90X. He said "it's not for the faint of heart", but he posted some pictures of his progress and it was enough for me to think "I can do this".

It's an action/pain packed 90 days, but if you do it, you will see results. Now, I just started today and let me tell you, it is painful! I feel much better now after a shower, but I'm sure I'll be in more pain as the day goes on and even more tomorrow.

This plan is no joke! It's 7 days a week for 90 days. There are "rest" weeks, but don't think "relax" when you read "rest". It is just a little lighter. So I wanted to say I will continue to post my comments on how it is going and any tips I can give from someone who is in probably the worst shape of his life but doing this anyway.

So first things first. They have a pre-workout test, a few moves you can do to see if you are ready. I passed 90% of it. I'm the kind of person who goes for a challenge, and I felt that 10% wasn't bad enough to halt progress toward my goal. If you get anything less than that, they recommend, as do I, that you don't do it. The workouts get harder, not easier. If you want to know what the test is before you buy it, let me know and I can give you some examples. If you can't do them, don't even think about it! Your well-being is more important than meeting a goal. They do have other workouts that can bring you up to speed before you do this one. Heed that!

Tips on the first day: all I can say is be realistic if you are in as bad shape as me. Endurance is important so you can finish the workout. Keep that in mind when you are counting reps. Make a goal for each set and try to reach it. Don't sacrifice form for reps; it's not worth it. The people on the video were knocking out huge numbers of push-ups and pull-ups. Don't put yourself on that level, just know that is where you want to be. I averaged probably half of what they were doing. This is not a bad thing; just keep in mind that these people have already done this program, and I guarantee some of them were in a similar boat.

Just be consistent and know when you need to stop. Drink, drink, drink! Staying hydrated is huge! If you are working with a partner, they may be able to push you a bit. If you are by yourself you need to be true to yourself, know your goals and try your best. Don't quit because "it's too hard" unless it really is. Case in point: on the next-to-last set of push-ups, I went down and could not get back up. I'm OK with that. That was really all I could do. My body said no, my mind didn't! I think that is key.

I'll post more as time progresses. I can only stress: make goals. My first goal is to be doing the reps they are doing on the video by the end of the first 30-day phase. I think that's respectable, and if I can't, then I can't, but that's what I'm shooting for.

Monday, January 4, 2010

Top 10 Home Anti Virus Applications

I stumbled on this top 10 list of paid home anti-virus applications. I tend to get the question of which AV I recommend from friends and family. Generally I have been a fan of the Symantec product. This is all relative, as you may have seen in a previous post where I showed how easy it generally is to slip a virus through current AV techniques. With all of this in mind, Symantec showed up as #2 on this list by PC World. Not a bad standing. G Data was number one, which I have personally never heard of. The article does say that it was a close race between the two.

So was this post to say "I told you so"? No! It was just to show the top 10. You can make your own decision. What I wanted to get across, as I have mentioned before, is that the freebies are good, but paying for a subscription adds serious protection. All AV subscriptions end up in the same ballpark of $25-$50 per year. That is a small price to pay for the protection of your system and data. PC techs tend to charge $75-$100/hour to do clean-up after the fact, so you can do the math! Even if you have a good friend or family member who will do the work for you, you're going to pay at least what you could have paid to have good protection in the first place.

It can seem like insurance, but like insurance, it's worth it when something does happen! Remember, AV isn't the silver bullet for a secure system, but it should definitely be part of your armor!