SIMCon retrieves deleted SMS messages

SIMCon is a program that allows the user to
securely image all files on a GSM SIM card to a computer file with a
standard smart card reader. The user can subsequently analyze the
contents of the card including stored numbers and text messages.

Some of SIMCon's features:

– Read all available files on a SIM card and store in an archive file
– Analyze and interpret content of files including text messages and stored numbers
Recover deleted text messages stored on the card but not readable on phones
– Manage PIN and PUK codes
– Print report that can be used as evidence based on user selection of items
– Secure file archive using hashing
– Export items to files that can be imported in popular spreadsheet programs
– Supports international charsets

SIMCon is made for use within law enforcement and is the investigating
officer's number one choice for securing evidence on SIM cards and
present them in court. SIMCon can however be a valuable tool for others
who need to secure evidence from SIM cards, and recover items such as
deleted text messages. SIMCon is available for Microsoft Windows only.


Inside Security Rescue Toolkit

INSERT (the Inside Security Rescue Toolkit) aims to be a multi-functional, multi-purpose disaster recovery and network analysis system. It boots from a credit card-sized CD-ROM and is basically a stripped-down version of Knoppix. It features good hardware detection, fluxbox, emelfm, links-hacked, ssh, tcpdump, nmap, chntpwd, and much more. It provides full read-write support for NTFS partitions (using captive), and the ClamAV virus scanner (including a fairly recent signature database and a GUI). It also has a network boot facility.

  • full read-write support for NTFS-partitions using captive and linux-ntfs
  • support for various file system types:
  • net based: NFS, SMBFS, CIFS, NCPFS, SSHFS, AFS
  • support for linux software RAID and LVM2
  • support for WLAN adapters
  • network analysis (e.g. nmap, tcpdump)
  • disaster recovery (e.g. gparted, gpart, partimage, testdisk, recover)
  • virus scanning (Clam Antivirus with GUI avscan)
  • computer forensics (e.g. chkrootkit, foremost, rootkit hunter)
  • surf the internet (e.g. the web browser dillo [enhanced version], the graphical FTP client gFTP)
  • network boot server to boot network boot enabled clients that cannot boot from the CD (insert-remote)
  • installation on a USB memory stick (usb-install)
    based on Linux kernel and Knoppix 4.0.2

Get it from Inside Security.

    Interview: John the Ripper 1.7, by Solar Designer

    Should we use password generators?

    …Now, this may sound like there's almost no way for an average person to
    pick secure passwords and for a system administrator to enforce the use
    of strong passwords (or passphrases). Luckily, there's a tool I wrote
    to help the situation. It's
    pam_passwdqc, a password
    strength checking module for the PAM (Pluggable Authentication Modules) framework.
    pam_passwdqc works on Linux, FreeBSD 5+ (in fact, it's been integrated
    into FreeBSD), Solaris, HP-UX 11+, and reportedly on recent versions of
    IRIX. Additionally, Damien Miller has developed a
    plugin password
    strength checker for OpenBSD's /usr/bin/passwd that uses the password
    complexity checking code from pam_passwdqc.

    What new features does the latest version 1.7 of
    John the Ripper include?

    Solar Designer:
    The new “features” this time are primarily performance improvements
    possible due to the use of better algorithms (bringing more inherent
    parallelism of trying multiple candidate passwords down to processor
    instruction level), better optimized code, and new hardware capabilities
    (such as AltiVec available on PowerPC G4 and G5 processors).

    Read the full interview on SecurityFocus.

    Official CISSP Study Guide riddled with plagiarism

    The official study guide for the CISSP Exam, created by (ISC)² appears to plagiarise several other works.

    The plagiarism was first noted by Dr Michael Workman, from the College of Information at Florida State University.

    In page 406 from the guide it states, “One of the main problems with
    simple substitution ciphers is that they are so vulnerable to frequency
    analysis…” It now appears this material was taken directly from the
    paper, “The Vigenere Cipher”

    Security Dump has the scoop.

    DNS as an IDS sensor

    SURFnet is looking for technologies to expand the ways they can detect network traffic anomalies like botnets. Since bots started using domain names for connection with their controller, tracking and removing them has become a hard task. This research is a first glance at the usability of DNS traffic and logs for detection of this malicious network activity. Detection of bots is possible by DNS information gathered from the network by placing counters and triggers on specific events in the data analysis. In combination with NetFlow information and IP addresses of known infected systems, detection of bots of network anomalies can be made visible. Also the behavior of a bot can be documented and additional information can be gathering about the bot. Using DNS data as a supplement to the existing detection systems can give more insight in< the suspicious network traffic. With some future research, this information can be used to compile a case against particular types of bot or spyware and help dismantling a remote controlled infrastructure as a whole.

    Read the full paper (PDF)by Antoine Schonewille and Dirk-Jan van Helmond from the University of Amsterdam.  This is the second research paper I have seen in the last month dealing with DNS's role is detecting malware.  This is the kind of reasearch that helps products like NeuSecure become more accurate.

    InqTana Bluetooth Worm member Kevin has published a paper
    detailing the techniques he used in the development of the InqTana
    Bluetooth worm that targets vulnerable Mac OS X systems. There has been
    significant confusion surrounding this worm, so here are some salient

    • The concurrent release of the OS X Leap.A and InqTana.A worms is coincidental
    • There is no conspiracy, AV vendors and Apple were notified about
      Kevin's progress in developing this worm in advance of making details
      publicly available
    • Both 10.3 and 10.4 systems are vulnerable until patched with APPLE-SA-2005-05-03 and APPLE-SA-2005-06-08
    • InqTana prompts before infecting *by design*, Kevin was just trying to be nice, but the worm could easily spread silently

    Kevin's paper is available at Comments can be directed to the BlueTraq
    mailing list. Our sympathies to those organizations who were affected
    by the false-positive signatures published by overzealous AV companies.

    From the

    Wireless Patent Fight

    AirDefense, the innovator that launched the wireless LAN security
    market, today announced it has invoked an interference action against a
    patent application accelerated by AirTight Networks related to
    “Monitoring a selected region of an air space associated with local
    area networks of computing devices” (U.S. patent No. 7,002,943).
    AirDefense has several pending patent applications which claim the same
    subject matter in the area of wireless intrusion protection. The
    AirDefense patents were filed in June 2002, predating the AirTight
    patent application which was filed in October 2004.

    This AirDefense press release, that was released today, comes one day after AirTight announced winning the patent:

    AirTight Networks™, the leading provider of wireless
    perimeter security solutions, today announced that the
    U.S. PTO (Patent and Trademarks Office) has issued U.S.
    patent No. 7,002,943 to AirTight Networks for a “METHOD
    This patent granted by the US PTO covers technologies that
    are key elements of wireless intrusion detection or

    This should be interesting.  I evaluated the technologies about a year ago and found AirTight to be a good step ahead of AirDefense as it came to technology and ease of use.  I was Director of Security Solutions at Microtek Systems, Inc at the time and we decided to partner with AirTight.  I was very happy with both the product and the company as a VAR.  I will rattle the cage over at AirTight and see if I can get an inside scoop.  From the looks of it, AirTight has won and AirDefense is crying foul.  I'll keep you posted.