Grey bar Blue bar
Share this:

Wed, 29 Apr 2009

Chris Eng 1 - 0 Verizon DBIR Cover

Chris Eng over [at the Veracode blog] documents how he approached, and decoded the info behind the [2009 Verizon Data Breach Investigations Report ]

Its an interesting read, and although in the end it turned out to be just a [Vigenère cipher] and fell to (effectively) a [known plaintext attack], its def. worth the few minutes it will take to read..

Sat, 25 Apr 2009

Virtualization as an answer to backward compatability?

Part of the problem Microsoft bumped into with Vista, was hordes of people who had grown too attached to XP.. It seems they learnt their lesson (and found a cheap way to maintain backward compatability without having to keep legacy code forever). [XP with SP3 as a virtual-pc virtual machine within Windows 7]

We thought we had problems classifying client side bugs that required user intervention (remote? local?), what happens when a remote in XP-SP3 allows one to execute code in the Windows7 machine through local VM breakout? (indeed a new acronym is needed in anticipation: RAXPLVMB??)

Thu, 16 Apr 2009

BiDiBLAH Case Study (Part 2)

With our recent release of BiDiBLAH 2.0, we've decided to revisit some real world scenarios, and ways BiDiBLAH can deal with it… Herewith, part 2. All the scenarios can be downloaded from the BiDiBLAH home page.

Scenario:

We have a class B network internally. Many of the users run FTP servers on their machines. We do not allow this — but how do I identify these machines?

Solution:

Using BiDiBLAH, define your network as netblocks.

Next, perform a port scan for port 21/TCP (FTP)

Extract the banners for the FTP servers found.

Go to the targeting tree, search for the version and collect the IP addresses.

/frankieg

Wed, 15 Apr 2009

SPUD reminder(s)

After some queries regarding SPUD, I thought it would be a good idea to blog this reminder:

* Spud can only be run as an administrative user. * Spud cannot be run by directly accessing the .exe. You should run SPUD from the shortcut provided. The reason being: SPUD cannot start from the \bin directory, but only from the \bin parent directory. (default: Program Files\SensePost SPUD). I.e, run "bin\SPUD.exe" from the installation directory as below:

As for SPUD and the Vista issues, we're looking into it...

/frankieg

Mon, 13 Apr 2009

The power of data

We recently introduced some neat blizzards onto a PoC Broadview client.

On tha back of Conficker, our Broadview Dashboard sports a couple of instantly available blizzards that show:

1. How many machines, on all scans for the last 10 days, have patch MS08-067 missing

2. How many machines do not have SMS Agents, EPO Agents or Any AV installed

3. And without too much hassle one can quickly see where machines with MS08-067 missing also do not have EPO Agents, SMS agents or any AV installed. (enlarge image to see why)

4. All the results can immediately be downloaded into csv format for sorting and filtering. Easy to pick up the trends.

[caption id="attachment_3347" align="alignnone" width="300" caption="BVv4 Blizzard"]

BVv4 Blizzard
[/caption]

/evert