WSUS 3.0 – Multiple stand-alone domains

2010.05.31

Well, some one-time job, WSUS server in closed env, no remote access and management options, all strict and closed. Domains for each dept, no trusts, nothing.

WSUS 3.0 installed in  one network, few other networks connected,  error reported by Clientdiag:

“VerifyWUServerURL() failed with hr=0×80190193

Need to:

Add Anonimous access and remove IP restrictions for the following folders in IIS where WSUS installed:

/selfupdate

/ClientWebService

/UpdateServices

And then execute iisreset

After that started working for me.

BTW:

Default WSUS port: 8530 (SSL 8531)

Clientdiag.exe can be downloaded from Microsoft

Tags :   

Off The Record

2010.05.27

Black Hat Europe updated materials from Last conf

Well, Moxie Marlinspike’s voice&slides published – “Threats to Privacy”.
Heh… You should see it, if You think Google is a problem. And if You not yet – then You definitely should see it.
One of new for me ideas was OTR security philosophy  – using 2step keys and adding “deniability” to all Your data. Few days before some friend of mine told me about otr plugin for Pidgin. Since all IM logging is problem, this plugin allow You to communicate securely. Logs in Gmail\Chats looks awesome when You use it. So – recommended 2install&use now if You use Pidgin. And if not – go to [link] and write\participate in creation of Your own IM client’s plugin.
During using this plugin, ICQ (as far as I see) correctly worked, but in Gtalk (aha!!) I saw some problem – When You request auth, it somehow (for me) approved automatically, and Keys were not the same. Example:
User A & user B exchange keys, at the end user A see:
Your key: AAAAA-AAAAA-AAAAA-AAAAA
User’s B key: XXXXX-XXXXX-XXXXX-XXXXX
And  user B see:
Your key: BBBBB-BBBBB-BBBBB-BBBBB
User’s A key: YYYYY-YYYYY-YYYYY-YYYYY
In ICQ, for example, Keys are AAAA and BBBB  for both participants.
Strange, and for me it looks like automatic MITM attempt when OTR plugin detected. Anyway, we exchanged shared passphrase. Hope it better.

Morgan Kaufmann – Computer and Information Security Handbook (2009)

2010.05.24

Well, nice bunch of articles, some of them really useful. At least review it in case You have some time.

From interesting things (for me of couse):

Built-in data wiping tool in Windows (XP\2003 at least):

cipher /w:[folder path]

upd1: More info on Microsoft KB

How to review list of connected USB devices in Vista\Win7:
HKEY_Local_Machine\Software\Microsoft\Windows Portable Devices\Devices

As way of Intellectual Property stealing, usage of Internet disks (Gmail Disk, MobileMe etc), also with USB disabled, or Sharing services (rapidshare\hotfile\filefactory etc) – all of them allow You transfer massive amount of data via network. Use portable version of browsers, clean cache and make sure You not going thru company proxy server, and tracing will be much harder.

Need to look at PowerShell closer, finally. Got few books, but no free time :(

Tags :   

Metasploit 3.4 Framework – new ver

2010.05.23

Released finally :)

http://www.metasploit.com/framework/download/

Have fun.

News, news…

2010.05.17

Well, some interesting news, currently no comments:

KHOBE – 8.0 earthquake for Windows desktop security software

MatouSec reported new attack on antivirus software for Windows, based on kernel hooks interception. Original is here.

upd: and Jeffrey Walton updated on Full disclosure, that attack know since 1996 as TOCTOU

Facebook added some new features need to be explorer further, that provide additional “security” by adding “safe surfing area” of devices You work with.

Hacking Exposed, Computer Forensic (Second Edition)

2010.05.13

Hacking Exposed, Computer Forensic (Second Edition) by Aaron Philip, David Cowen and Chris Davis (2010).

Finished. Big book, lots of words…

Few interesting places:

White Hat intruders use known Black Hat techniques to perform covert investigation:
- Minimize the number of simultaneous operations to minimize system resource usage. For example, don’t perform a keyword search, file signature analysis, and hash analysis all at the same time.
- Give the remote investigative agent an operating system–friendly name such as svchost.exe and run it from the system directory, or in the case of Paraben Enterprise, choose Secure Mode.
- If your organization uses personal firewalls, make sure a standard policy is in place to allow inbound connections from the examiner’s machine. Otherwise, the subject could be alerted by the firewall that somebody is trying to connect to his or her system.
- Ensure that the remote investigative agent does not leave any events in the event logs, because many savvy users check them regularly.
- Minimize the number of people who know about the investigation to reduce the risk of the subject finding out accidentally or intentionally that he or she is being investigated.
-To keep from alerting the subject, try to use an agent that runs as a system service each time the machine is started. That way, you aren’t required to connect to the remote machine and start the service before beginning the examination.
-For sensitive cases, conduct the investigation during the evening when the suspect is most likely not at his or her machine.
- Time the investigation for periods when the subject expects a lot of hard drive activity, such as during regular antivirus scans or recent security vulnerability announcements.
- Search only the data that is relevant to the case. For instance, if you are looking for documents, narrow your search to specific areas and data types.
- Determine whether the target machine is a laptop or desktop machine. If the suspect is using a laptop, sustained hard drive activity can alert him or her to the investigation.
- Be patient and don’t rush the investigation; if necessary, break it up into several phases.

Well, the only difference between good and bad is piece of paper, sighned by employer?

New for me was UserAssist service and additional logging options:

Use UserAssist log to review user activity (in NTUSER.DAT):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Encrypted with ROT13 (Caesar cipher) – letter +13 next alphabetic symbols. store all major user activity.

One of most frustrating part of book is Chapter 9 – Defeating Anti-Forensics.
I was expecting a lot of elite technics for anti-forensics defeating, but it was quite regular – use backups, restored files and in case You got any PGP traces – just leave it – “You have nothing to do with it“.

And another sentence: “Increasing globalization and the spread of capitalism has brought about a new day in malicious hacking, where threats no longer involve the kid in the basement, but organized, multinational corporations and crime syndicates that have one goal in mind: to use technology to defraud the western society.” (page 454). Oooooo, poor western [censored] – everyone “have in mind” to offend you…

Anyway, based on book recommendations I created some anti-forensics manual, now I will fill it with tools and examples and add here to.

BTW – for those who work in US – all Lawyers part of book should be quite interesting.

Gmail – Mobile phone must have?

2010.05.03

Today I tried to register gmail account for some client, and:
Verify your account
You’re almost done! We just need to verify your account before we can create it.

Account verification helps with:

* Preventing spam: we try to verify that real people, not robots, are creating accounts.
* Recovering account access: we will use your information to verify your identity if you ever lose access to your account.
* Communication: we will use your information to notify you of important changes to your account (for example, password changes from a new location).

Unless you explicitly tell us to do so, your phone number will never be sold or shared with other companies, and we will not use it for any purpose other than during this verification step and for password recovery and account security issues. In other words, you don’t have to worry about getting spam calls or text messages from us, ever.

For more information, please read our frequently asked questions.
Verification Options:
Text Message
Google will send a text message containing a verification code to your mobile phone.
Voice Call
Google will make an automated voice call to your phone with a verification code.

Since when, and more important question – WHY?

Soon old (not mobile attached) Gmail accounts will be sold on black market…