Saturday, 1 October 2011

What is the GOT?

A Global Offset Table (GOT) stores the memory addresses of the global variables a module accesses. Each compilation unit or object module gets a single GOT, placed at a fixed offset from its code. Because position-independent code cannot, in general, contain absolute virtual addresses, the GOT redirects position-independent address calculations to absolute locations. It lives in the .got section of an ELF executable or shared object.

A GOT holds absolute addresses in private data. This keeps those addresses accessible while the code's text remains position-independent: the code references its GOT using position-independent addressing, and the table supplies the absolute locations that its position-independent references resolve to.


Figure: Mapping Shared Memory, the GOT

The GOT is isolated in each process, and (ideally) only the owning process has write permission to its GOT. The library code, on the other hand, is shared, so each process must be restricted to read and execute permissions on that code. When this is not the case, the code can be modified and a serious security compromise can occur.
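As an added illustration (not code from the original post), here is a small Linux check that locates the running executable's own .got section from its ELF section headers, works out where it landed at run time, and reports whether that page is still writable; a GOT that stays writable after relocation is exactly the condition the paragraph warns about, and RELRO is the mitigation. It assumes a 64-bit, dynamically linked, unstripped binary, and the function names are the example's own.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

/* Run-time load base: where the kernel placed the program headers (AT_PHDR) minus the address
   the PT_PHDR entry says they were linked at; this is the same rule ld.so applies. */
static uintptr_t load_base(void) {
    const Elf64_Phdr *ph = (const Elf64_Phdr *)getauxval(AT_PHDR);
    unsigned long n = getauxval(AT_PHNUM);
    for (unsigned long i = 0; ph && i < n; i++)
        if (ph[i].p_type == PT_PHDR) return (uintptr_t)ph - ph[i].p_vaddr;
    return 0;                                   /* no PT_PHDR: treat link-time addresses as absolute */
}
static int read_at(FILE *f, long off, void *buf, size_t n) {
    return fseek(f, off, SEEK_SET) == 0 && fread(buf, 1, n, f) == n;
}
/* Link-time virtual address and size of a named section, taken from the ELF section headers. */
static uintptr_t section_addr(const char *path, const char *name, size_t *size) {
    Elf64_Ehdr eh; Elf64_Shdr *sh = NULL; char *names = NULL; uintptr_t addr = 0;
    FILE *f = fopen(path, "rb"); if (!f) return 0;
    if (read_at(f, 0, &eh, sizeof eh) && memcmp(eh.e_ident, ELFMAG, SELFMAG) == 0 && eh.e_shnum > 0
        && (sh = calloc(eh.e_shnum, sizeof *sh)) && read_at(f, (long)eh.e_shoff, sh, eh.e_shnum * sizeof *sh)
        && (names = calloc(sh[eh.e_shstrndx].sh_size + 1, 1))
        && read_at(f, (long)sh[eh.e_shstrndx].sh_offset, names, sh[eh.e_shstrndx].sh_size))
        for (int i = 0; i < eh.e_shnum; i++)    /* look the name up in the section-name string table */
            if (strcmp(names + sh[i].sh_name, name) == 0) { addr = sh[i].sh_addr; *size = sh[i].sh_size; break; }
    free(names); free(sh); fclose(f);
    return addr;
}
/* Permission field (e.g. "rw-p") of the /proc/self/maps entry that covers addr, or NULL if none. */
static const char *perms_of(uintptr_t addr) {
    static char perms[5]; char line[512]; unsigned long lo, hi; const char *found = NULL;
    FILE *m = fopen("/proc/self/maps", "r");
    while (m && !found && fgets(line, sizeof line, m))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && addr >= lo && addr < hi) found = perms;
    if (m) fclose(m);
    return found;
}
/* 1 if GOT section sect (".got" or ".got.plt") is mapped writable, 0 if RELRO made it read-only, -1 if not found. */
int got_writable(const char *sect) {
    size_t size = 0;
    uintptr_t addr = section_addr("/proc/self/exe", sect, &size);
    const char *p = addr ? perms_of(load_base() + addr) : NULL;
    if (!p) return -1;
    printf("%s at %#lx (%zu bytes) mapped %s\n", sect, (unsigned long)(load_base() + addr), size, p);
    return p[1] == 'w';
}
```

Building with `-Wl,-z,relro,-z,now` (full RELRO) should make both sections report 0; without it, .got.plt typically reports 1, which is the writable table an attacker with a memory-write primitive would aim for.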

Friday, 30 September 2011


NetStumbler (or Network Stumbler) is a Windows-based wireless tool for the detection of 802.11a, 802.11b and 802.11g wireless LANs. A version for Windows CE called MiniStumbler is also available. NetStumbler is frequently used in:

  • Wardriving,
  • The verification of wireless network configurations,
  • Testing wireless coverage,
  • Detecting wireless interference, and
  • Detecting unauthorized or "rogue" access points.


Figure 1 Configure NetStumbler

There are a few important options that should be selected in order to get the optimum performance out of NetStumbler (see Figure 1). Generally it is best to set the scan speed to Fast. This gives more frequent updates and greater accuracy when refreshing wireless networks. When running Windows 2000 or Windows XP, set the "Reconfigure card automatically" option; otherwise NetStumbler will discover the default wireless network that the card is currently associated with and stop looking for other networks.

NetStumbler can provide MIDI feedback on signal strength. This audio marker is an aid in finding the best possible signal between two points, for instance when aligning antennas. The pitch of the tone NetStumbler plays rises with the signal strength, which makes tuning an antenna comparable to aligning a satellite dish: move the antenna until the highest-pitched tone is heard. To select a MIDI channel and patch sounds, choose the MIDI tab on the Options screen (Figure 5). A MIDI-capable sound card must be installed on the system before this option can be used.

After setting the options, NetStumbler is ready to find wireless networks. As long as a wireless card is installed and enabled, NetStumbler will begin scanning instantly. If the MIDI option is enabled, it will also produce audio feedback straight away. This can be quite a din if there are multiple networks in the location of the system running NetStumbler. Figure 2 shows a characteristic NetStumbler session that has recently started monitoring.


Figure 2 NetStumbler showing several detected networks

NetStumbler uses colour to show the quality of each detected link:

  • Green indicates a strong signal,
  • Yellow is a marginal signal,
  • Red is a very poor or almost unusable signal, and
  • Grey lists wireless networks that are unreachable.

The padlock symbol displayed on the link buttons indicates that the network is encrypted with WEP or stronger (e.g. WPA). All of the wireless networks that NetStumbler has discovered are displayed at a glance, along with the signal strength, SNR and noise. For selected vendors the chipset is displayed as well.

To use NetStumbler to fine-tune a wireless link, start NetStumbler and ensure that the network at the other end of the point-to-point link has been discovered. The MIDI tones will then sound as it reports the signal strength; a higher tone indicates a stronger signal.

Another way to visualize the signal strength is the drill-down navigation menu on the left-hand side of the screen. Click the plus sign next to "SSIDs" and a view like figure 8 will be displayed, listing all of the MAC addresses associated with an SSID. Click on a MAC address to see a graph of the signal strength for that network, as shown in figure 7. This can tell you when a directional antenna is placed correctly, and it can also help in determining the optimum placement of an access point.


Fig 3 The visual meter shows signal strength over time.

NetStumbler also supports GPS location resolution. Select the GPS unit from the list in the View -> Options dialog.

Once you have configured NetStumbler to use the GPS unit, the main screen will not only display the particulars of the wireless network, but also the latitude and longitude associated with each of the wireless devices.


Figure 4 Sort by channel, SSID and a number of other factors

NetStumbler includes NDIS 5.1 driver support for Cisco and a number of Prism cards under Windows XP, Vista etc.

NetStumbler is an active network scanner: it sends out probe requests and listens for the responses to those probes. It therefore cannot detect closed networks, which do not answer broadcast probe requests.

I will be loading a video on the use of NetStumbler this weekend on the YouTube channel.

Thursday, 29 September 2011

Video - Using DD

This is a section of a re-cap lecture on using dd to capture a forensic image of a disk (hard drive, USB, CD, etc.). We also demo how to mount the image using the partition offset.

More on forensics will follow tonight.

Tuesday, 27 September 2011

What I am doing

"Do you have a free course offering, new mailing list, free labor available, etc. to help those of us already in the trenches fighting this battle?"

Well actually several.

Please do talk. I am talking at BoM today/tomorrow on IPv6 security issues. I was in Canberra the week before last and training in Sydney last week. I have free webinars that provide CPE hours weekly.

So Ali, right now, I donate 25% of my time in training and I would do more if I could.

I do not want the keg, but a nice bottle of wine would be fine. It is nearly the end of September and I have provided free training to 140 people this quarter. So please, contact me. I am not kidding. This is a real offer.

Soon there will be even more help. More training. Right now, I am one man and I have restraints, but I am putting programs together that in the coming months will make more training available.

So Ali, are you willing to take up the offer? More, are you willing to do something yourself to help?

I offer this openly to many groups.

Sunday, 25 September 2011

Cyber(Crime/Terror/Espionage) webinar lectures

Please find the link to the Cyber(Crime/Terror/Espionage) webinar lecture 3 as follows:

Lectures 1 and 2 are also available at:
Lecture 1
Lecture 2

The link for lecture 4 will be posted tomorrow.

We are also holding a Management webinar for security:

How much do I really need to spend on security?
A management webinar on Quantifying Information Systems Risk.

Information security is a risk function. Paying for too much security can be more damaging in economic terms than not buying enough. This leads to the question of where the optimal expenditure on damage prevention should lie. Who should be responsible for the security failures that are impacting the economy and society, and how can this responsibility be maximized in order to minimize negative externalities?

I hope that you can learn from these.

Air gaps never exist.

In the nature of getting myself into trouble, I have decided to write a little personal anecdote. As anybody who has read my posts and more will quickly determine, I am outspoken and at times far from diplomatic, but these are never the things that had me in trouble the most.

It was usually silly things that I should have shut up about, if I really cared for my career more than security, that are the bane of my life.

I do not usually wear a watch, but in this tale I had one on. It was an interesting watch: it had a Bluetooth mobile and a 512MB USB hard drive, but looked just like a normal everyday watch.

A ways back, I was contracting through a company I owned with CSC and DFAT. Fun stuff such as “Advice on Information Technology Security”. That much is public information, and that is about as far as it needs to be said and as far as I will say, as it is not at all important here.

Well, to the story. I was working in a data centre and comms centre in Forrest. One of the fun places that have the blue cables in gas-filled tubes and loads of copper throughout so as to create a Faraday cage to DSD Tempest specs.

I did the normal stuff and wasted the normal long amount of time getting in through the man-trap and having the scanner go off many times, as they are too sensitive. Side note: I have several chunks of metal in me that are now “me” due to the collection of broken bones I have accrued in the years I have walked this earth.

I did the pat-down and wondered just how friendly the guard was getting. They took my phone, issued me with a laptop to work on (as I could not take my own in) and gave me the general spiel of how and what for the location I was working in that week. Basic things that I knew already, like “if the person has more tinsel than a Christmas tree, do not bother him, just agree”.

Well, the watch was left on and I forgot it. Completely by accident, but it was on all day as I was left alone in a data centre hosting A*** data for a number of 4-letter agencies. Here in Oz we have 4-letter agency names to demonstrate that we are good.

I did a full day playing with a number of Unix and VMS systems (real Unix and not Linux) and finished up. I did the pat-down, left, and was in a meeting room outside the secure area doing a debrief on what we had configured etc. when I was dumb enough to pipe up and say…

“Oh, I forgot to say my watch has a hard drive in it…”

Shite, fan… I need not say too much.

I was still in my 20s at this point, young and stupid (stupider than now even). I managed to spend a couple of hours with a few people who did not seem really happy. I personally think it was too much starch in their laundry.

If I was smart, I would have shut up at that point and it would have passed. But being a 20-something at the time, after being told that I could not take a drive into this facility, and that if I had left with it and not been stopped (so much for saying I had it) it would have been a felony, I was dumb enough to say, “What is the big deal? I can just send and receive data over the Net.”

The response was normal…

“Don’t be daft, kid, we are air gapped. Nothing goes in or out.”

Now, if you ever want to see a Brigadier go funny colours, just say what I did…

“How do you think I got the firmware updates? We just made an SSH tunnel over TCP 53 and proxied HTTP to the Sun website.”

Then there was a gap while this was explained in detail; all the time, the colours on the faces were amazing.

Not naming names here, nor will I even when plied with drink, but basically some of the CSC guys I worked with also did the Telstra tower and worked in TS and general systems. They needed to manage these, and the budget only allowed them to do so much.

So, they had implemented TCP 53 outgoing from anything on the firewall. All the auditors missed this. It was simply DNS, and so nothing was ever noted in a single report.

So, now that I have said as much as I could to make this clear, and though in some ways I have said too much and can expect to end up berated yet again, I will say: there are no air gapped systems.

  • Air gaps do not work.
  • Data diodes do not work.
  • If you are placing your trust in this, you are already done.
Even in TS-cleared, Faraday-controlled bases with no links, there are links. I have seen so many kludges connecting SIPPER and NIPPER networks in the US that it is not funny, and they have links to us here in Oz as well.

So, the things we do to try and ruin our careers.

Then, at least unlike Stephen Northcutt, I never managed to take down a battleship.
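The lesson of the story above is that a port number is not a protocol: "it was simply DNS" only held because nobody checked what was actually on port 53. As an added illustration (not the author's code), here is a strict C check a defender could run over captured TCP port-53 payloads to tell real DNS from something else borrowing its port. The sample bytes are constructed, not captured traffic, and the function name is the example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Does a TCP port-53 payload actually look like DNS? Over TCP each message is preceded by a
   two-byte big-endian length (RFC 1035, section 4.2.2). Returns 1 if the bytes parse as a
   standard query/response header plus one well-formed question, 0 otherwise. Deliberately
   strict: anything it rejects deserves a look, since resolver traffic almost never does this. */
int looks_like_tcp_dns(const uint8_t *p, size_t n) {
    if (n < 2 + 12) return 0;                        /* length prefix + 12-byte header */
    size_t len = (size_t)(p[0] << 8 | p[1]);
    if (len + 2 != n) return 0;                      /* prefix must cover exactly one message */
    const uint8_t *h = p + 2;
    if (((h[2] >> 3) & 0xF) != 0) return 0;          /* OPCODE must be QUERY */
    if ((h[4] << 8 | h[5]) != 1) return 0;           /* QDCOUNT: exactly one question */
    size_t i = 12;                                   /* walk QNAME: <len><label>... then a 0 byte */
    for (;;) {
        if (i >= len) return 0;
        uint8_t l = h[i++];
        if (l == 0) break;
        if (l > 63 || i + l > len) return 0;         /* >63 also rejects compression pointers (0xC0) */
        i += l;
    }
    return i + 4 <= len;                             /* QTYPE and QCLASS must follow the name */
}

/* Constructed samples, not captured traffic: a query for example.com / A, and an SSH banner
   of the kind a tunnel on port 53 would start with. */
const uint8_t DNS_QUERY[] = { 0x00,0x1d, 0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
const uint8_t SSH_BANNER[] = "SSH-2.0-example\r\n";
```

An egress audit that applies a check like this to every flow on a permitted port, rather than trusting the port number, is what would have caught the tunnel described in the post.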