Saturday, 29 December 2007

The last Sunday for 2007!

Well another year is nearly over again.

I am on vacation this week and saw the family for Christmas in Qld.

I am working on completing 1 more SANS cert this year (I know, another exam tomorrow) and a paper tonight, Psychology. I am writing a paper on whether behaviour is determined by external forces (determinism) or is a result of choices made by an act of will (free will).

Hence the image. The image is Hartsoeker’s sketch of a homunculus in the head of a sperm from the 18th century CE.

Slacker, or hiding files in NTFS slack space

Slacker is a tool designed for hiding files in NTFS slack space. It is another part of the MAFIA suite. The purpose is to take advantage of NTFS's implementation oddities and move logical and physical file pointers in certain ways to avoid having data zeroed out. That is, to create hidden space in the file slack.

Through a combination of multiple techniques such as file splitting and obfuscation using OTPs (one-time pads) or XOR'd keys, it is possible to hide data in the slack. A simple search using EnCase or strings will not uncover the data. This is where more advanced techniques come into play, and it is why we should all stay familiar with the GPL'd tools.
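A defender-side check for the file slack described above, added here as an example; it is not part of the original post or of the MAFIA tools. It assumes a 4 KiB NTFS cluster size, assumes that NTFS normally zero-fills file slack (the behaviour Slacker is described as working around), and uses constructed cluster contents rather than a real image; the heuristic is that non-zero, high-entropy slack is exactly what a plain strings search would miss.

```python
import math
from typing import Dict, Tuple

# Assumed NTFS cluster size for this constructed example (4 KiB is the common default).
CLUSTER_SIZE = 4096


def slack_region(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> Tuple[int, int]:
    """Byte range [start, end) of the file slack: from the logical end of file to the
    end of the last allocated cluster. Empty when the file ends on a cluster boundary."""
    allocated = -(-logical_size // cluster_size) * cluster_size  # round up to a cluster
    return logical_size, allocated


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for random-looking (XOR'd / OTP) data, 0.0 for all zeros."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_slack(cluster_bytes: bytes, logical_size: int,
                  cluster_size: int = CLUSTER_SIZE) -> Dict[str, object]:
    """Flag slack that is not zero-filled and looks random. Assumption: NTFS normally
    zero-fills file slack, so non-zero, high-entropy slack deserves a closer look."""
    start, end = slack_region(logical_size, cluster_size)
    slack = cluster_bytes[start:end]
    nonzero = sum(1 for b in slack if b)
    entropy = shannon_entropy(slack)
    return {
        "slack_bytes": len(slack),
        "nonzero_bytes": nonzero,
        "entropy": round(entropy, 2),
        "suspicious": nonzero > 0 and entropy > 6.0,
    }


# Constructed samples: a 1000-byte file occupying one 4096-byte cluster.
CLEAN_CLUSTER = b"A" * 1000 + b"\x00" * 3096                                # slack zero-filled
HIDDEN_CLUSTER = b"A" * 1000 + bytes(range(256)) * 12 + bytes(range(24))    # random-looking slack

if __name__ == "__main__":
    print("clean :", inspect_slack(CLEAN_CLUSTER, 1000))
    print("hidden:", inspect_slack(HIDDEN_CLUSTER, 1000))
```

On a real case the cluster bytes would come from the allocated runs of the file in a disk image, and the threshold should be tuned against known-clean files on the same volume.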

Friday, 28 December 2007

SAM Juicer does not need SYSTEM Privileges

SAM Juicer is one of the tools in the Meterpreter suite.

A part of the Meterpreter Anti-Forensic Investigation Arsenal (MAFIA), SAM Juicer runs over a memory/LSASS channel to dump password hashes on a Windows system. Many people think that you need SYSTEM privileges to access the SAM database; this is not the case. Any account, service or program running with access to the memory and LSASS channels will do. In fact, the majority of accounts are still given the debug privilege to make life easier for developers (and crackers).

Why is this tool a problem for many "traditional" digital forensic practitioners?
It never hits the disk and it never hits the registry. Without leaving a signature on the disk or making a registry call, many forensic tools just do not have a hope. By using an existing Meterpreter channel, there is no need to start a service, open a network port or leave all the easy-to-find evidence that PWCrack, for instance, creates.

Against direct memory injection techniques, tools like EnCase have no hope. EnCase Enterprise allows the examiner to see current processes, open ports, the file system and other such volatile system areas.

As Metasploit's Meterpreter does not leave a track on the disk but rather exploits a running process and creates threads, EnCase is blind to it. (This is where a good old-fashioned dd.exe dump of memory in Windows still beats the high-end tools.)

Metasploit Anti-Forensic (AF) Tools
The toolset includes the following AF Tools:

  • Timestomp,
  • Slacker,
  • Transmogrify, and
  • Sam Juicer
More on these other tools in the next few days.

So what exactly does MAFIA (and similar tools) mess up for the tool-based analyst?
  1. Temporal locality (through the alteration of time stamps)
  2. Spatial locality (using the modification of file location)
  3. Data recovery
  4. File signatures
  5. Hashing
  6. Keywords
  7. Reverse engineering
  8. Profiling
  9. Effectiveness/info overload
  10. Disk access/hiding in memory
For details see:

Thursday, 27 December 2007

Should the Corporations Act 2001 (Cth) be revised?

Should the Corporations Act 2001 (Cth) be revised to require directors to take into account the interests of specific classes of stakeholders or the broader community when making corporate decisions?

To answer this, it must first be understood where the responsibilities of directors lie under the Act as it stands at present.

In studies done by the Australian Securities (formerly Stock) Exchange (ASX) on listed companies, they found no evidence to suggest the current Act deters companies from incorporating "corporate social responsibility" [CSR] and the reporting that comes along with it. They go on to report that the current legislation seems to have room for directors to include and sustain their accountability to their stakeholders. In looking at this accountability to stakeholders, it must be mentioned that quite possibly it is the financial and commercial impetus, rather than the legislation, that is guiding this accountability.

Therefore the ASX found the necessity for legislative change was unclear in the face of increasing interest by public companies in CSR, in particular their reporting and meeting the demands of their stakeholders*. It must be emphasised that the corporations involved with the ASX are all listed corporations, not the private ones that will also be affected by any possible changes in legislation.

In looking at the present duties of directors as laid down in the Corporations Act 2001 (Cth)*, Section 180(1) states a director must discharge their duties with the care and meticulousness any reasonable person would use. Section 180(2) states that directors must meet a duty of care when making business decisions and that the decision must be “in good faith for a proper purpose”*.
Another group felt the Act should be revised to require directors to take responsibility for the interests of specific classes of stakeholders when making decisions that may have broad implications for the community in which they exist, as well as for their other stakeholders such as clients and employees.* As stated:
…in order to genuinely protect non-shareholder constituencies, legislation would need to be passed to mandate directors to consider non-shareholder interests in situations where there is conflict with the interests of shareholders and the shareholder profit maximisation objective.

The Advisory Committee organised by the Commonwealth to study and respond to the CAMAC Discussion Paper felt a revision of the Act was not necessary in light of the fact the present legislation allowed enough flexibility for the directors to take into account recognition of their stakeholders and the specific needs of each group*.

Tuesday, 25 December 2007

What Christmas is About

Many people think that Port Macquarie is a paradise where nothing could be wrong and life is easy. Unfortunately, this is far from the truth. There are many families and people here that need help.

Each year my wife and I help by sponsoring a Christmas function for the families that Burnside supports. The question is what have you done to help?

Like us, you may be busy. My wife and I are both full-time professionals and both at university. Having little time is not an excuse. The good people at Burnside, for instance, will provide bodies if they are sponsored. Many others also do the same. I have included a letter from Helen below.

The families have been taken to a number of places, but they seem to love the Billabong Koala and Wildlife Park.

Remember, Christmas is a time to give, not receive.

Hi Craig & Lynn

What a wonderful Christmas you and Lynn gave the service users! The photos don’t do it justice but here are a few samples. It was huge this year with 61 adults and 100 children. Santa came and the children welcomed him with songs of Christmas. Everyone LOVED the food and it was all gone in no time!

Thank you immensely for the opportunity for service users to enjoy the spirit of Christmas!

Merry Christmas and a happy New Year!


Helen Townsend
Hastings Family Support Centre

PO Box 1551 Port Macquarie 2444

Monday, 24 December 2007

A Generic Security Risk Management Methodology

SEI Risk Management Paradigm (Copyright Carnegie Mellon University)
Classifying Risks - Classifying or categorizing like or related risks helps build a clearer picture of the project’s risks. Eliminating duplicates and merging similar risks can possibly increase the return on investment for mitigation, i.e. eliminate or reduce more than one risk at a time through the same mitigation plan.

Evaluate the basic risk attributes of probability and impact in order to provide a basis for relative comparison to other risks. This assists in planning a risk response strategy by determining which risks are the most important. A risk’s criticality is based on the interaction of how likely it is to happen and the magnitude of the consequence (negative or positive) to the project.

Prioritise the risks relative to one another in order to decide how to allocate resources for mitigation particularly if the project team has identified a large number of risks.

Assign Responsibility - A key to risk management is team member ownership of and accountability for risks. The project manager should ensure that responsibility for every risk is assigned internally to a team member even if a risk is to be transferred outside of the direct control of the project team. The risk owner is to act as the project manager or sub-contract manager on behalf of the project team in order to ensure that nothing falls through the cracks.

Determine the strategy that will be followed in response to the risk. In order to decide on a response strategy consider the following questions:

  1. Can we live with this risk?
  2. Can we do anything to mitigate or avoid the risk within a reasonable budget and timeframe?
  3. If yes, what would be the measurable goals so we can tell we are done mitigating the risk?
  4. Would it be just as effective to deal with the risk if and when it becomes a problem?

What is left?

Residual risk – the risk that remains after a countermeasure is installed.

(Threats x vulnerability x asset value) x control gap = residual risk

Total risk – the risk when a company chooses not to implement any type of safeguard, typically as a result of the cost/benefit analysis.

Threats x vulnerability x asset value = total risk
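The methodology steps above (evaluate probability and impact, prioritise, assign responsibility) and the two formulas worked through as a small risk register, added here as an example; it is not from the SEI paradigm or any of the cited sources, and the risk names, numbers and owner labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    threat: float         # likelihood the threat acts on the asset, 0.0..1.0
    vulnerability: float  # likelihood the threat succeeds when it does act, 0.0..1.0
    asset_value: float    # impact if it succeeds, in one currency unit throughout
    control_gap: float    # 1.0 = no countermeasure, 0.0 = countermeasure removes all exposure
    owner: str = ""       # team member accountable for the risk (assign-responsibility step)


def total_risk(r: Risk) -> float:
    """Threats x vulnerability x asset value: the exposure with no safeguard in place."""
    return r.threat * r.vulnerability * r.asset_value


def residual_risk(r: Risk) -> float:
    """(Threats x vulnerability x asset value) x control gap: what remains after the control."""
    return total_risk(r) * r.control_gap


def risk_reduction(r: Risk) -> float:
    """How much risk the countermeasure buys down; compare with its cost to justify it."""
    return total_risk(r) - residual_risk(r)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Rank by residual risk, highest first, so mitigation budget goes where it matters most."""
    return sorted(register, key=residual_risk, reverse=True)


def unowned(register: List[Risk]) -> List[str]:
    """Risks nobody is accountable for: the ones that fall through the cracks."""
    return [r.name for r in register if not r.owner]


# Constructed sample register: illustrative numbers, not figures from any real assessment.
REGISTER = [
    Risk("Ransomware on file server", 0.5, 0.8, 200_000, 0.3, owner="ops-lead"),
    Risk("Laptop theft", 0.4, 0.9, 20_000, 0.1, owner="it-desk"),
    Risk("SQL injection in web app", 0.6, 0.5, 150_000, 0.5),  # no owner assigned yet
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:28s} total={total_risk(r):>9,.0f} residual={residual_risk(r):>9,.0f}")
    print("unowned:", unowned(REGISTER))
```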


It Is a Method, Not the Solution

Risk Management is just a means to an end… Good Corporate Governance!

Bibliography (For the various prior risk posts)

1. Anderson, R. J. (2001) “Security Engineering: A Guide to Building Dependable Distributed Systems”. John Wiley & Sons.
2. Bell and La Padula (1975) “Secure Computer System: Unified Exposition and Multics Interpretation”. ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA.
3. Bosworth, S. and Kabay, M. E. (eds.) (2002) “Computer Security Handbook”. 4th Edition, John Wiley & Sons, USA.
4. Boyd, C. and Mathuria, A. (2003) “Protocols for Authentication and Key Establishment”. Springer-Verlag, Berlin.
5. Smith, C. L., Schroeder, J. A., Beck, S. T. and Knudsen, J. K. (2001) “Modeling Power Non-Recovery Using the SAPHIRE Risk Assessment Software”. Bechtel BWXT Idaho, LLC. Viewed 20 March 2006.
6. Delphi Group (2005) “Time-Based Analysis: Process De-engineering (TBA)”. White Paper.
7. Dodson, B. and Nolan, D. (2005) “The Reliability Engineering Handbook”. Quality Publishing.
8. Ford, W. and Baum, M. S. (1997) “Secure Electronic Commerce”. Prentice Hall.
9. Garfinkel, S. and Spafford, G. (2001) “Web Security, Privacy & Commerce”. 2nd Edition, O'Reilly, Cambridge, MA.
10. Ghosh, A. K. (1998) “E-Commerce Security”. Wiley.
11. Kalakota, R. and Whinston, A. B. (1996) “Frontiers of Electronic Commerce”. Addison-Wesley.
12. Keong, T. H. (2004) “Risk Analysis Methodologies”. Last viewed 27 March 2005.
13. Infosec Graduate Program, Purdue University. Viewed 12 March 2006.
14. Lawrence, E., Corbitt, B., Fisher, J., Lawrence, J. and Tidwell, A. (1999) “Internet Commerce”. 2nd Edition, Wiley.
15. Mauw, S. and Oostdijk, M. (2004) “Foundations of Attack Trees”. Eindhoven University of Technology, Emerald.
16. Microsoft (2004) “The Security Risk Management Guide” v1.1. Microsoft Corporation, USA.
17. MIL-STD-1629 “Procedures for Performing a Failure Mode, Effects and Criticality Analysis”.
18. Moore, A. P., Ellison, R. J. and Linger, R. C. (2001) “Attack Modeling for Information Security and Survivability”. Software Engineering Institute, Carnegie Mellon University, US.
19. Myagmar, S., Lee, A. J. and Yurcik, W. (2005) “Threat Modelling as a Basis for Security Requirements”. National Center for Supercomputing Applications (NCSA).
20. NIST “Guideline on Network Security Testing”. Special Publication 800-42.
21. NIST “An Introduction to Computer Security: The NIST Handbook”. Special Publication 800-12.
22. NIST “Guidelines on Firewalls and Firewall Policy”. Special Publication 800-41.
23. NIST “Computer Security”. Special Publication 800-27.
24. NIST (2002) “Risk Management Guide for Information Technology Systems”. Special Publication 800-30.
25. Rodrigues, A. G. (2001) “Managing and Modelling Project Risk Dynamics: A System Dynamics-based Framework”. Presented at the Fourth European Project Management Conference, PMI Europe 2001, London.
26. Ryan, P. and Schneider, S. (2001) “Modelling and Analysis of Security Protocols”. Addison-Wesley, London.
27. SANS (2005) “GIAC ISO 17799 Training Notes”. SANS GIAC 2005, Sydney, AU.
28. Sherif, M. H. (2000) “Protocols for Secure Electronic Commerce”. CRC Press.
29. Stallings, W. (2002) “Cryptography and Network Security”. 3rd Edition, Prentice Hall.
30. Stallings, W. (1995) “Network and Internetwork Security: Principles and Practice”. Prentice Hall, Englewood Cliffs, NJ; IEEE, New York.
31. Stein, L. D. (1998) “Web Security”. Addison-Wesley.
32. Viega and McGraw (2002) “Risk Analysis: Attack Trees and Other Tricks”. Software Development, Vol. 10(8), pp. 30-36.
33. Treese, G. W. and Stewart, L. C. (2002) “Designing Systems for Internet Commerce”. 2nd Edition, Addison-Wesley.
34. Zwicky, E. D., Cooper, S., Chapman, D. B. and Russell, D. (2000) “Building Internet Firewalls”. 2nd Edition, O'Reilly, UK.