The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for June, 2008

Pass-the-Hash still works on XP SP3

Posted by Xavier Ashe on June 30, 2008

Ok, so Windows XP SP3 is out.

With this new version:

whosthere-alt.exe still works without requiring any modifications.
whosthere.exe does not work because this is the more ‘gentle’ and ‘stealth’ 🙂 version of the tool and requires precise memory addresses.

But that’s why I released the passthehash.idc IDA script; so you can easily get these addresses yourself.

And that’s also the reason why the new version of whosthere.exe has a new -a switch that allows you to use specify these addresses without having to recompile the tool.

This new version is going to be released soon, but if you want it right now, email me (please, try to email me if you REALLY need it :)).

I haven’t tested iam/iam-alt but the same thing observed with whosthere/whosthere-alt should apply to these tools.

In case you were wondering, the new addresses you need for Windows XP SP3 English are:

whosthere -a 75753BA0:7573FDEC:757D0C98:757D0CA0:757CFC60:757CFE54

From Hexale’s Blog. Download Pass-the-Hash Toolkit.


Posted in Uncategorized | Leave a Comment »

Videos of Hacker Cons

Posted by Xavier Ashe on June 27, 2008

Almost every security conference we’ve attended in the last year has uploaded videos from their speaker tracks. Explore the archives below, and you’re bound to find an interesting talk.

Found on Hack-a-day.

Posted in Uncategorized | Leave a Comment »

DecaffeinatID: A Very Simple IDS

Posted by Xavier Ashe on June 25, 2008

This project started because I wanted a simple ARP Watch-like application for Windows. In a short matter of time, feature creep set in. DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/LAN are up to the kind of “reindeer games” that often happen at coffee shops and hacker cons. For more information on the sort of attacks I’m talking about see my article Caffeinated Computer Crackers. It’s not meant to be a replacement for something more feature rich (but complicated) like Snort. DecaffeinatID watches the Windows logs for three main things and pops up a message in the Windows Systray when it sees any of the following:

Read more and download DecaffeinatID from Irongeek.

Posted in Security, Tools | Leave a Comment »
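
The ARP-watch idea behind DecaffeinatID, as an added example that is not Irongeek’s code: it parses two constructed `arp -a` snapshots (the interface, hosts and MACs are made up for this example) and raises the two alerts an ARP watcher cares about, a gateway whose MAC changed between snapshots and one MAC answering for several IPs.

```python
import re
from typing import Dict, List

# Two constructed `arp -a` snapshots (not real hosts). In the second one the gateway
# 192.168.1.1 has switched to the MAC of another host: the classic ARP poisoning sign.
SNAPSHOT_BEFORE = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_AFTER = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.40          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\b", re.I)

def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC from Windows `arp -a` output, skipping broadcast/multicast."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):  # broadcast/multicast
            continue
        table[ip] = mac
    return table

def arp_alerts(old: Dict[str, str], new: Dict[str, str]) -> List[str]:
    """ARP-watch logic: report bindings that changed and MACs that claim several IPs."""
    alerts: List[str] = []
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            alerts.append(f"MAC changed for {ip}: {old[ip]} -> {mac}")
    # One MAC answering for several IPs is what a MITM box does when it impersonates the gateway.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts
```

A real watcher would poll `arp -a` on a timer and keep the previous table in memory; the comparison step is exactly `arp_alerts`.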

Redbook Draft: z/OS Mainframe Security and Audit Management using IBM Tivoli zSecure

Posted by Xavier Ashe on June 13, 2008

Every organization has a core set of mission-critical data that must be protected. Security lapses and failures are not simply disruptions—they can be catastrophic events, and the consequences can be felt across the entire organization. As a result, security administrators face serious challenges in protecting the company’s sensitive data. IT staff are challenged to provide detailed audit and controls documentation at a time when they are already facing increasing demands on their time, due to events such as mergers, reorganizations, and other changes. Many organizations do not have enough experienced mainframe security administrators to meet these objectives, and expanding employee skillsets with low-level mainframe security technologies can be time-consuming.

The IBM Tivoli zSecure suite consists of multiple components designed to help you administer your mainframe security server, monitor for threats, audit usage and configurations, and enforce policy compliance. Administration, provisioning and management components can significantly reduce administration, contributing to improved productivity, faster response time and reduced training time needed for new administrators.

This book is a valuable resource for security officers, administrators, and architects who wish to better understand their mainframe security solutions.

Table of Contents

Part 1. Architecture and design

  • Chapter 1. Business context
  • Chapter 2. Tivoli zSecure component structure
  • Chapter 3. zSecure Admin
  • Chapter 4. zSecure Alert
  • Chapter 5. zSecure Audit
  • Chapter 6. zSecure Visual
  • Chapter 7. zSecure Command Verifier
  • Chapter 8. z/OS compliance enablers
  • Chapter 9. zSecure CICS Toolkit
  • Chapter 10. Planning for deployment

Part 2. Customer scenario

  • Chapter 11. Delft Transport Authority
  • Chapter 12. Project requirements and design
  • Chapter 13. Implementation phase I
  • Chapter 14. Implementation phase II
  • Chapter 15. Implementation phase III

Part 3. Appendixes

  • Appendix A. Troubleshooting
  • Appendix B. An introduction to CARLa
  • Appendix C. User roles for zSecure Visual
  • Appendix D. A look at the Consul/Tivoli transformation

Download the PDF here.

Posted in IBM, Security | Leave a Comment »

‘The Best Of 2600’ To Be Released At Last Hope

Posted by Xavier Ashe on June 12, 2008

Since its introduction in January of 1984, 2600 has been a unique source of information for readers with a strong sense of curiosity and an affinity for technology. The articles in 2600 have been consistently fascinating and frequently controversial. Over the past couple of decades the magazine has evolved from three sheets of loose-leaf paper stuffed into an envelope (readers “subscribed” by responding to a notice on a popular BBS frequented by hackers and sending in a SASE) to a professionally produced quarterly magazine. At the same time, the creators’ anticipated audience of “a few dozen people tied together in a closely knit circle of conspiracy and mischief” grew to a global audience of tens of thousands of subscribers.

In The Best of 2600, Emmanuel Goldstein collects some of the strongest, most interesting, and often controversial articles, chronicling milestone events and technology changes that have occurred during the last 24 years – all from the hacker perspective. Examples:

  • The creation of the infamous tone dialer “red box” that drove Radio Shack and the phone companies crazy. It was in the pages of 2600 that this simple conversion was first brought to light. By modifying an inexpensive Radio Shack touch tone dialer with a readily available crystal, free phone calls could easily be made from all of the nation’s payphones.
  • An historical chronology of events in the hacker world that led to the founding of the Electronic Frontier Foundation.
  • A close look at the insecurity of modern locks through an article entitled “An Illusion of Security” that debunked the value of Simplex pushbutton locks, used on everything from schools to homes to FedEx boxes.
  • The stories of famed hackers Kevin Mitnick, Bernie S., and Phiber Optik as they unfolded. Through 2600, the world heard these controversial tales despite the efforts of authorities and the mass media.

Hackers invariably find the one hole in an otherwise perfect system or will spend inordinate amounts of time to get around a barrier previously thought to be impenetrable. But the one thing hackers do more than anything else is share information with those who are interested. This book is a gateway into this mysterious yet familiar world of endless technology and security experimenting.

Man am I drooling! It’s going to be released at the Last Hope in NY next month. Here’s the post on and here’s where you can preorder it on Amazon. You bet I am going to preorder it. Now I have to figure out what to do with my large stack of 2600 zines in my closet. Ebay?

Posted in Security | Leave a Comment »

IBM releases FISMA add-on for Tivoli Compliance Insight Manager (TCIM)

Posted by Xavier Ashe on June 9, 2008

IBM has released a module for its IBM Tivoli Compliance Insight Manager that watches traffic for compliance with the Federal Information Security Management Act. The FISMA Compliance Management Module includes automated log collection, a compliance dashboard, regulatory compliance reports and report distribution. Agencies can generate FISMA-specific reports using the module’s policy and report definition engines. It can be used as a part of an agency wide program to ensure FISMA compliance, according to the company.

Government Computer News picked this one up.

Posted in Uncategorized | Leave a Comment »

On Amazon’s Outage…

Posted by Xavier Ashe on June 6, 2008

Amazon suffered an outage today starting 10:30 am PST. For a few hours the main page of Amazon seemed inaccessible and users would get an error message ‘HTTP/1.1 Service Not Available’. There are reports though that users are now able to access the site since 1:30 pm PST.

Using NarusInsight Secure Suite, we are continuing to investigate whether this outage was a result of a network-initiated attack against Amazon. Preliminary analysis doesn’t suggest any Distributed Denial-of-Service (DDoS) attack or any other foul play against the main web site.

Contrary to emerging reports that sites that use Amazon Web Services (AWS) do seem to be running well, we’ve seen that IMDB (Internet Movie DataBase) does appear to have been affected by the outage. My preliminary analysis using NarusInsight Secure Suite shows that at least one of the IP addresses used to host IMDB was under a sustained denial-of-service attack.

I got a good look at the Narus suite of tools a while back and was impressed. The team behind them are equally impressive. Keep a lookout on their blog for updates.

Posted in Security | Leave a Comment »

Help crack Gpcode

Posted by Xavier Ashe on June 6, 2008

If you read Vitaly’s blogpost yesterday, you’ll know that on the 4th June 2008 we detected a new variant of Gpcode, a dangerous file encryptor. Details of the encryption algorithms used by the virus are all in Vitaly’s post and the description of Gpcode.ak. Along with antivirus companies around the world, we’re faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key.

Of course, we don’t have that type of computing power at our disposal. This is a case where we need to work together and apply all our collective knowledge and resources to the problem.

So we’re calling on you: cryptographers, governmental and scientific institutions, antivirus companies, independent researchers…join with us to stop Gpcode. This is a unique project – uniting brain-power and resources out of ethical, rather than theoretical or malicious considerations.

Read more from Kaspersky Lab.

Posted in Security | Leave a Comment »

Redbook: Enterprise Security Architecture using IBM ISS Security Solutions

Posted by Xavier Ashe on June 6, 2008

Threats come from a unique variety of sources. Insider threats, as well as malicious hackers, are not only difficult to detect and prevent, but many times they have been using resources without the business even being aware they are there.

This IBM Redbook deliverable describes the various threats and how to prevent them through a distributed array of protection technologies and services. We take a closer look at preemptive security that is designed to stop Internet threats before they can impact networks. We also explore technologies that can help complement threat mitigation techniques such as identity management solutions as well as network mapping tools and behavior techniques.

This book is a valuable resource for senior officers, architects as well as C level executives who want to understand and implement enterprise security following architectural guidelines.

Table of Contents

Part 1. Terminology and infrastructure

  • Chapter 1. Business context
  • Chapter 2. Common security architecture and network models
  • Chapter 3. IT threat mitigation concept

Part 2. Threat mitigation components

  • Chapter 4. Security intelligence and research
  • Chapter 5. Centralized Management
  • Chapter 6. Network intrusions and anomalies
  • Chapter 7. Vulnerability management
  • Chapter 8. E-mail, instant messaging and Web content security
  • Chapter 9. Host security solutions
  • Chapter 10. Managed Security Services

Part 3. Business scenarios

  • Chapter 11. Threat mitigation deployment guide
  • Chapter 12. Business scenarios

Part 4. Appendixes

  • Appendix A. Method for Architecting Secure Solutions
  • Appendix B. Base technologies

Download the Redbook here.

Posted in IBM, Security | Leave a Comment »


Posted by Xavier Ashe on June 6, 2008

Many (if not most) VoIP devices have available a Web GUI for their configuration, management, and report generation. These Web GUIs are often on by default, meaning that the moment you install the IP phone or IP PBX, the Web GUI is immediately available on the network. And unfortunately it is also common for the username and password to have the default values. Sipflanker will help you find these SIP devices with potentially vulnerable Web GUIs in your network.

Download it here

You can find a list of default IP phones and other SIP devices here.

Posted in Security, Tools | Leave a Comment »

DISA FSO: Updated Security Checklists and Security

Posted by Xavier Ashe on June 4, 2008

Classification: UNCLASSIFIED
Caveats: NONE

DISA FSO has released the following updated Security Checklists and Security Readiness Review Scripts Checklists:

Application Security Checklist Ver 2 Release 1.11
Desktop Application Checklist Ver 3 Release 1.5
Domain Name System Security Checklist Ver 4 Release 1.3
Network Security Checklist Ver 7, Release 1.4
W2K3 Checklist, Ver 6 Release 1.6
WIN2K Checklist, Ver 6 Release 1.6
WINXP Checklist Ver 6 Release 1.6
Vista Checklist Ver 6 Release 1.6
Unix Security Checklist Ver 5 Release 1.12
Web IIS Checklist Ver 6, Release 1.8
Web Apache Checklist Ver 6, Release 1.6
Wireless Windows Mobile Messaging Wireless Email System Security Checklist Ver 5, Release 2.2

SRR Scripts:

UNIX Scripts and Hash Files:

Gold Disk:

Gold Disk Version 2 Scan Disk
Gold Disk Version 2 Known Issues

PKI Checklists, Procedures and STIGS:

DoD Information Assurance Enterprise Solutions STIG Ver 1, Release 2
HBSS Checklist, Version 1 Release 2.1

PKI Checklists and Procedures:

Backbone Transport Services Checklist Ver 2, Release 1.2

Posted in Security | 2 Comments »

FBI worried as DoD sold counterfeit Cisco gear

Posted by Xavier Ashe on June 4, 2008

The U.S. Federal Bureau of Investigation is taking the issue of counterfeit Cisco equipment very seriously, according to a leaked FBI presentation that underscores problems in the Cisco supply chain.

The presentation gives an overview of the FBI Cyber Division’s effort to crack down on counterfeit network hardware, the FBI said Friday in a statement. “It was never intended for broad distribution across the Internet.”

In late February the FBI broke up a counterfeit distribution network, seizing an estimated $3.5 million worth of components manufactured in China. This two-year FBI effort, called Operation Cisco Raider, involved 15 investigations run out of nine FBI field offices.

According to the FBI presentation, the fake Cisco routers, switches, and cards were sold to the U.S. Navy, the U.S. Marine Corps, the U.S. Air Force, the U.S. Federal Aviation Administration, and even the FBI itself.

One slide refers to the problem as a “critical infrastructure threat.”

The U.S. Department of Defense is taking the issue seriously. Since 2007, the Defense Advanced Research Projects Agency has funded a program called Trust in IC, which does research in this area.

Last month, researcher Samuel King demonstrated how it was possible to alter a computer chip to give attackers virtually undetectable back-door access to a computer system.

Read the full article on Infoworld.

Posted in Security | Leave a Comment »
