Apple Pushes Safari to iTunes and QuickTime Users
March 23, 2008 – 9:46 AMIf you use QuickTime or iTunes on Windows you might have seen something like this lately from your Apple Software Updates applet:
My First Autopsy
March 22, 2008 – 7:15 PMI have a System Forensics class this quarter at ITT Technical Institute and this was my first true lab where I actually got to use the tools and resources against “real” data. We are doing a simulated case from The HoneyNet Project and here was the documented police report:
The scenario is: Joe Jacobs, 28, was arrested yesterday on charges of
selling illegal drugs to high school students. A local police officer posed
as a high school student was approached by Jacobs in the parking lot of
Smith Hill High School. Jacobs asked the undercover cop if he would like to
buy some marijuana. Before the undercover cop could answer, Jacobs pulled
some out of his pocket and showed it to the officer. Jacobs said to the
officer “Look at this stuff, Colombians couldn’t grow it better! My supplier
not only sells it direct to me, he grows it himself.”Jacobs has been seen on numerous occasions hanging out at various local high
school parking lots around 2:30pm, the time school usually ends for the day.
School officials from multiple high schools have called the police regarding
Jacobs’ presence at their school and noted an increase in drug use among
students, since his arrival.The police need your help. They want to try and determine if Joe Jacobs has
been selling drugs to students at other schools besides Smith Hill. The
problem is no students will come forward and help the police. Based on Joe’s
comment regarding the Colombians, the police are interested in finding Joe
Jacob’s supplier/producer of marijuana.Jacobs has denied selling drugs at any other school besides Smith Hill and
refuses to provide the police with the name of his drug supplier/producer.
Jacobs also refuses to validate the statement that he made to the undercover
officer right before his arrest. Upon issuing a search warrant and searching
of the suspect’s house the police were able to obtain a small amount of
marijuana. The police also seized a single floppy disk, but no computer
and/or other media was present in the house.The police have imaged the suspect’s floppy disk and have provided you with
a copy. They would like you to examine the floppy disk and provide answers
to the following questions. The police would like you to pay special
attention to any information that might prove that Joe Jacobs was in fact
selling drugs at other high schools besides Smith Hill. They would also
like you to try and determine if possible who Joe Jacob’s supplier is.Jacob’s posted bail set at $10,000.00. Afraid he may skip town, the police
would like to get him locked up as soon as possible. To do so, the police
have asked that you have the results fully completed and submitted by
October 25, 2002. Please provide the police with a strong case consisting of
your specific findings related to the questions, where the findings are
located on the disk, processes and techniques used, and any actions that the
suspect may have taken to intentionally delete, hide and/or alter data on
the floppy disk. Good Luck!Any names, locations, and situations presented are completely made up. Any
resemblance to any name, locations and/or situation is purely coincidence.
I am using Ubuntu 7.10 Linux and the Sleuth Kit/Autopsy forensics program. I was given the image of a 1.44MB floppy disk and asked to obtain as much information as I could get from it. I wasn’t sure at first if the files were still intact or if they have been deleted from the disk to try and hide the evidence. I launched the Autopsy engine from a Terminal:
(each picture below is a thumbnail. Click for the full screenshot in a new window)
I then launched Firefox and browsed to the Autopsy home page and pointed the program to my image file. Having never used the program before, I fumbled around for a few minutes until I started to figure it out. I was then looking at the raw data that was on the floppy:
Browsing through the different data units (sectors of the disk) I stumbled upon something that caught my eye. At data unit 19 I started to see what looks to be filenames and possible extensions:
The next few units were empty so I knew that must have just been some kind of index of the files to come. I continued on sector by sector until I got to sector 38. I saw what appears to be a letter:
I backed up a few sectors until I saw the start of “something” and noted the sector number. It seemed to start at sector 33. I continued on until I saw what looked like the end of one thing and the start of another and documented that ending sector. That was sector 72. It also stated in the footer of the file that it was a Microsoft Word Document:
I knew this document spanned from sector 33-72 of the disk. I used Autopsy’s built-in export feature and exported sectors 33-72 as raw data and saved it to my desktop. I then renamed this raw export file to a .doc file and re-saved it. Sure enough, it opened up in OpenOffice and I could read it just fine:
First piece of evidence has been recovered from the disk. I moved on to the next sector and I saw another chunk of code starting with JFIF:
A quick Google search for JFIF revealed that this is in the header of all .jpg files. I knew then I had an image starting at sector 73. I continued on trying to find the end of the file. I came across what appeared to be the end of it at sector 103:
So again, I knew I had something – this time a jpg image – between sectors 73-103. I exported that raw data and renamed to a .jpg file. It then opened up with GIMP and showed me the image:
Two files successfully recovered. But I saw something else at the end of sector 103 that really stuck out. It doesn’t take an expert to know that this is a password for something:
The next sector was 104 and this sector started with a PK. Again, a search or two or three on Google revealed that this is the header for a PKZip file. A few characters down it explicitly states a filename of Scheduled Visits.xls.
Putting two and two together to get five, I had a hunch that he had a password protected spreadsheet zipped up to easily send or distribute to somebody. I kept going through the sectors and finally saw the ending PK at sector 108:
I exported the raw data from sectors 104-108 and renamed it with a .zip extension. I tried to open it with the Archive Manager in Ubuntu and sure enough, it exposed the above named spreadsheet showing it as being password protected:
It prompted me for the password when I tried to open it and I keyed in the “goodtimes” password that I found at the end of sector 103 and it let me right in. Bingo. I found a spreadsheet of all his scheduled drug-selling “visits” at other high schools:
Continuing through the remainder of the sectors found nothing. The rest of the disk was blank. Three pieces of good evidence have been recovered against Jimmy Jungle.
Case closed.
Javascript Malware Source Code
March 22, 2008 – 12:38 PMThis is how dangerous the web has become. Lately it is estimated that over 10K of websites fell victim to a large attack that included a remote Javascript file into the title tag of a web page. The JS malware exploits vulnerabilities in Windows, RealPlayer, and other applications to break into insecure PC’s. The McAfee researchers didn’t release the JS malware source, but luckily I’m on Ph4nt0m’s feed list and they found it’s source. What can I say, it’s interesting code and heavily obfuscated. I haven’t got the time to analyze it yet, because I wanted to share it with all my readers first. It is very important that this knowledge is being shared instead of being swept under the rug, and so I place the file here so that we can all learn from it. One cool feature seems that it requires a spoofed header to locate the and retrieve the JS malware, another clever way of hiding it.
Thanks to Ph4nt0m for finding the source.
Source Code:
Microsoft Warns of New Attack on Word
March 22, 2008 – 7:01 AMBe extra careful when opening documents in Windows, especially if they are Word files.
Microsoft on Friday warned that cyber criminals may be taking advantage of an unpatched flaw in the Windows operating system to install malicious software on a victim’s PC.
The reported attack, now under investigation by Microsoft, involves a malicious Word document, but there may be other ways of exploiting the flaw, Microsoft said.
“Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources,” Microsoft said in a security advisory posted to its Web site late in the day.
Other Apps May be Vulnerable
The flaw lies in the Jet Database Engine that is used by a number of products including Microsoft Access. Microsoft is investigating whether other programs may also be exploited in this type of attack.
Although this kind of unpatched, “zero day” attack is always cause for concern, Microsoft downplayed the risk.
“At this time, we are aware only of targeted attacks that attempt to use this vulnerability,” the company said. “Current attacks require customers to take multiple steps in order to be successful; we believe the risk to be limited.”
Following its usual policy, Microsoft didn’t say when — or if — it planned to patch the bug. But in a statement sent to the press, the company did not rule out the possibility of an emergency patch, released ahead of its next set of security updates, which are expected on April 8.
Users of many versions of Word, including Word 2007, 2003, 2002 and 2000 are at risk, unless they are running Windows Vista or Windows Server 2003, Service Pack 2. Those two operating systems include a newer version of the Jet Database Engine that does not have the bug, Microsoft said.
For the technically savvy: this means that PCs with a version of the Msjet40.dll that is lower than 4.0.9505.0 are vulnerable.
There have been other reports of attacks targeting this database software recently. In December, the US-CERT (United States Computer Emergency Readiness Team) warned that attackers were sending out malicious Microsoft Access Database (.mdb) files in a similar type of attack. Security experts speculated that this exploit could have been based on a publicly reported flaw in the Jet Database Engine.
Source: PC World
Comcast cameras to start watching you?
March 22, 2008 – 6:55 AMIf you have some tinfoil handy, now might be a good time to fashion a hat. At the Digital Living Room conference today, Gerard Kunkel, Comcast’s senior VP of user experience, told me the cable company is experimenting with different camera technologies built into devices so it can know who’s in your living room.
The idea being that if you turn on your cable box, it recognizes you and pulls up shows already in your profile or makes recommendations. If parents are watching TV with their children, for example, parental controls could appear to block certain content from appearing on the screen. Kunkel also said this type of monitoring is the “holy grail” because it could help serve up specifically tailored ads. Yikes.
Kunkel said the system wouldn’t be based on facial recognition, so there wouldn’t be a picture of you on file (we hope). Instead, it would distinguish between different members of your household by recognizing body forms. He stressed that the system is still in the experimental phase, that there hasn’t been consumer testing, and that any rollout “must add value” to the viewing experience beyond serving ads.
Perhaps I’ve seen Enemy of the State too many times, or perhaps I’m just naive about the depths to which Comcast currently tracks my every move. I can’t trust Comcast with BitTorrent, so why should I trust them with my must-be-kept-secret, DVR-clogging addiction to Keeping Up with the Kardashians?
Kunkel also spoke on camera with me about fixing bad Comcast user experiences, the ongoing BitTorrent battle and VOD. But he mostly towed the corporate line on these issues (the monitoring your living room came up after my camera was put away).
Source: NewTeeVee
