Category Archives: #linux

DC3 Challenge & VSC Analysis on Linux

I recently had to analyze a Windows 7 system’s Volume Shadow Copies (VSCs) that were stored on a Virtual Machine Disk (VMDK) as part of an advanced-level DC3 challenge exercise.  While there are a few great resources out there regarding forensics and VSCs, most of these methods use Windows workstations or commercial tools for conducting an examination.

More often than not I’ve found the aforementioned methods limiting, their success either hit-or-miss. I’ve been looking for open source alternatives for VSC analysis that work on my Linux workstations.

While reading the Malware Analyst’s Cookbook section entitled “[w]orking With Virtualbox Disk and Memory Images,” I decided to convert the VMDK the DC3 provided to VHD using VBoxManage. Harlan Carvey’s post entitled, “How to Mount and Access VSCs” also helped me understand VHDs and how they were used in forensics. But for some reason I couldn’t mount my VHD properly in Windows using his approach. After re-converting the VHD to every major image file type, I decided to go with a libvshadow approach that tackled both the VMDK conversion and provided the ability to analyze the evidence on my Ubuntu box.

Knowing I needed to convert the VMDK provided into some kind of usable format, I set out to find the best guide to mounting VSCs. EpyxForensics has a terrific guide to this entitled,“Mounting Shadow Volumes in Linux Ubuntu 12.04” (see “Resources” below).

Using the EpyxForensics approach, I was able to both mount the virtual disk and extract the data I needed in a fast and efficient way. I’ve tweaked some of those methods below to suit my needs for the challenge and I’m more than pleased with the results. Although you – the reader –may not be using VMDKs, using libvshadow to analyze VSCs is extremely beneficial and worth trying.

What follows is my experiences with the 2013 DC3 Forensics Challenge as well as my methodology on the Volume Shadow Copy exercise.

Why Shadow Copy Analysis?

Without re-quoting every single resource on the topic I’ve read, VSCs provide a great way for examiners to see a system up to the time of a snapshot. This snapshot is a sort of time machine that can be crucial in understanding the intricacies of user activity on the system.

Volume Shadow Copy analysis is also an interesting avenue if other anti-forensics techniques were used. Smart criminals can cover their tracks by wiping Prefetch, using encryption, scripting tools to sanitize registry keys, use timestomp to control timestamping, perform drive wipes, tamper with MFT records or other anti-forensics measures.

Snapshot and backup examination techniques are often left out by forensics suites. All too often developers of such suites are left playing “catch up” when adding new features to their tools. But criminals are people too; sometimes the convenience of having a backup outweighs the desire to hide data. Enter VSCs.

An example could be a snapshot that was created after the installation of a new program. The user may not be aware that VSC is being created to begin with. Once created, the snapshot may contain unencrypted copies of files that were later encrypted. Other artifacts important to your case may also reside within copies.

It goes without saying that I found this DC3 VSC to be extremely rewarding. While I can’t give actual exercise questions or case files, I’ve tried to outline the steps I used below.

Installing VBoxManage & Sleuthkit 4.0.2

On Ubuntu I was able to install the required tools automatically with APT:

For Sleuthkit:

sudo apt-get install sleuthkit

For VBoxManage you'll need Oracle VM VirtualBox:

sudo apt-get install virtualbox

Linux: VMDK to RAW

To convert a VMDK to a RAW/dd image you can:

VBoxManage clonehd vdisk.vmdk newvdisk.dd --format RAW

The percent status of the conversion will keep you informed as to the status of the conversion.

Windows: VMDK to RAW (QEMU)

The alternative to the linux method in Windows is to use the QEMU Windows Binaries. Due to a lot of misinformation on the subject, I’ve included the method used for performing the conversion on Windows below.

With QEMU installed on Windows, open a cmd shell in your QEMU folder (or anywhere, if the folder is on your PATH). We can use qemu-img to convert the VMDK to the desired format:

qemu-img convert -f vmdk shadows.vmdk shadows.raw

Determining Offset of Partition

Calculating an offset is fairly straightforward if you’ve used linux for forensics in the past. First see the partitions and their starting locations with:

mmls newvdisk.dd

Multiply the starting sector by the sector size (usually 512; mmls reports it when you run the command). The resulting number is the byte offset we use to target the NTFS partition on the image. This matters if the image represents a whole physical disk or a multi-partition system. In my case it simply represented one partition on which the critical files resided. My working offset was 65536, so the subsequent mount looked like:

sudo mount -t ntfs -o ro,offset=65536 shadows.dd /mnt/evidence

Take a peek inside with:

cd /mnt/evidence/System\ Volume\ Information/; ls -la

For those that don’t know the format of VSCs, check the MSDN article here. We see the identifying GUID and unique set IDs.  This is a great way of gauging where to focus your efforts.

libvshadow by Joachim Metz is an excellent tool for conducting a deeper analysis of shadow copies. We’ll set up the tool’s requirements and set it up from its latest source below.

libvshadow

Install the requirements:

sudo apt-get install libfuse-dev

Download libvshadow's latest source, unpack it, then run configure, make and make install.

To get basic information about the VSCs, we can use vshadowinfo with the following syntax:

vshadowinfo -o [offset] [image]

The order of shadows listed is also neat. The top store will be the furthest back in time while the latest would be the last (kind of self-explanatory but you probably know that I enjoy being long winded online). The listing also helped me answer a number of temporal questions in the exercise. This information can correspond with your case’s timeline so examining the output is critical.

The output looks like:

vshadowinfo 20131003
Volume Shadow Snapshot information:
Number of stores:           4

Store: 1

Identifier                        : e132d30a-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID        : f24f1ec4-e556-473f-b8dd-3417944d613d
Creation time                 : Jun 22, 2011 17:26:18.953125000 UTC
Shadow copy ID             : 4db4b198-10bf-412a-8168-82aab3ad66e5
Volume size                   : 2144337920 bytes
Attribute flags                : 0x0042000d

Store: 2

Identifier                        : e132d310-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID        : 7d330a7f-eaaa-47e6-a7ae-ec586cb60705
Creation time                 : Jun 22, 2011 18:11:35.484375000 UTC
Shadow copy ID             : a3de8297-e174-4cc6-af1e-14b97b228b91
Volume size                   : 2144337920 bytes
Attribute flags                : 0x0042000d

Store: 3

Identifier                       : e132d31d-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID       : ca46eac5-70eb-4c53-a21a-b6a6b66ba245
Creation time                : Jun 22, 2011 18:15:52.140625000 UTC
Shadow copy ID            : 94d3e514-62db-4dd2-89e1-7ff3810bb861
Volume size                  : 2144337920 bytes
Attribute flags               : 0x0042000d

Store: 4

Identifier                     : e132d322-9cee-11e0-a94f-000c29caa4ff
Shadow copy set ID      : 31f43d93-881f-43b2-bd40-86133cba47d7
Creation time               : Jun 22, 2011 18:19:45.484375000 UTC
Shadow copy ID           : 2740b68b-cdb2-4c13-a535-f2f6f1ecb352
Volume size                 : 2144337920 bytes
Attribute flags              : 0x0042000d

But what if you need access to the actual data within the shadow copy? The EpyxForensics post told me about a great utility in libvshadow, vshadowmount. This awesome feature allows you to select which VSCs to mount with traditional linux mountings. It does this by allowing you to mount the partition by offset on the image and mount each store individually (the latter is the amazing part).

sudo vshadowmount -o 65536 shadows.dd /mnt/vssvolume

To mount each store individually (if you know what time frame you are working with), you can:

sudo mkdir /mnt/vss1; sudo mount -o ro /mnt/vssvolume/vss1 /mnt/vss1

There were 4 VSCs to mount in the exercise (as seen in /mnt/vssvolume). To mount them you could also create a bash or Python script to do it for you automatically. I ran the commands by hand for each store. Tedious but I like having control over what’s going on. The not-so-simplified version looks like this:

sudo mkdir /mnt/vss1 /mnt/vss2 /mnt/vss3 /mnt/vss4; sudo mount -o ro /mnt/vssvolume/vss1 /mnt/vss1; sudo mount -o ro /mnt/vssvolume/vss2 /mnt/vss2; sudo mount -o ro /mnt/vssvolume/vss3 /mnt/vss3; sudo mount -o ro /mnt/vssvolume/vss4 /mnt/vss4
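As an added example that is not part of the original post, here is the kind of bash script mentioned above: it does the offset arithmetic from the mmls listing and mounts every store that vshadowmount exposes. The mmls listing embedded in it is constructed (sized to match the volume in the vshadowinfo output above), and the image path, mount points and vssN naming follow the post's commands.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): derive the NTFS partition's byte
# offset from mmls output, then mount every shadow store that vshadowmount exposes.
set -eu

# Constructed mmls listing used for offline testing. The real run replaces it with
# the output of `mmls "$IMAGE"`. Start sector 128 * 512-byte sectors = offset 65536.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000127   0000000128   Unallocated
002:  000:000   0000000128   0004188287   0004188160   NTFS / exFAT (0x07)'

# partition_offset DESCRIPTION   (mmls output on stdin)
# Prints start_sector * sector_size for the first partition whose description
# matches DESCRIPTION (e.g. NTFS). Exits 1 if no such partition exists, so a
# caller never silently mounts at offset 0.
partition_offset() {
    awk -v want="$1" '
        /^Units are in/ { sub(/-byte.*/, "", $4); sector = $4 }
        $0 ~ want && !found { start = $3; found = 1 }
        END {
            if (!found || sector + 0 == 0) exit 1
            printf "%d\n", start * sector
        }'
}

# mount_stores IMAGE OFFSET VSSDIR BASE
# Exposes the stores with vshadowmount at VSSDIR (vss1, vss2, ...) and mounts
# each one read-only under BASE/vssN, mirroring the by-hand commands above.
mount_stores() {
    image=$1; offset=$2; vssdir=$3; base=$4
    sudo mkdir -p "$vssdir"
    sudo vshadowmount -o "$offset" "$image" "$vssdir"
    for store in "$vssdir"/vss*; do
        [ -e "$store" ] || { echo "no stores found under $vssdir" >&2; return 1; }
        target="$base/$(basename "$store")"
        sudo mkdir -p "$target"
        sudo mount -o ro "$store" "$target"
        echo "mounted $store at $target"
    done
}

# Only touch the system when an image is given, e.g.:
#   VSS_IMAGE=shadows.dd ./mount_vss.sh
if [ -n "${VSS_IMAGE:-}" ]; then
    offset=$(mmls "$VSS_IMAGE" | partition_offset NTFS)
    echo "NTFS partition starts at byte offset $offset"
    mount_stores "$VSS_IMAGE" "$offset" /mnt/vssvolume /mnt
fi
```

Unmount in reverse order when done (the per-store mounts first, then the vshadowmount point with fusermount -u) so the FUSE layer is not torn down under live mounts.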

If you want to find a particular file that's pertinent to your case, you can do that with the find command (find /mnt/vss1 -name '[file]*'; quote the pattern so the shell doesn't expand it first). You can also view the shadow copies from your desktop environment's built-in file manager, as you can with any mounted device in Linux (this helps with viewing thumbnails of JPGs captured in the shadow copy).

Another good find trick is the -mtime -[days] option, which finds files modified within the last N days. Or run your favorite regular expression against the mount to find specific pieces of information.

Since the primary questions dealt with timestamps, I set up Phil Harvey's ExifTool and ran it against the desired files within the copies. Obviously you can also use this tool to acquire metadata timestamps residing within the files themselves (as is the case with artifacts like LNK files).

Shadow Explorer

The only tool I really don’t like using is Shadow Explorer for Windows. It may be a fine tool for general VSC work but I don’t see it as useful in forensics. This is a personal opinion and I know many great examiners that use it regularly. I certainly mean no disrespect to the tool’s author.  I’d try it if you are limited to working on a Windows forensics workstation but much prefer using a Linux-oriented approach.

My main reason for disliking Shadow Explorer is that it doesn't seem to work with virtual mountings (FTK Imager mountings set physical or logical, ImDisk, WinMount, etc.). The author recommends enabling system protection on devices so that they appear in Shadow Explorer, but this isn't an option as far as I'm concerned.

Closing Remarks

The solution above worked for me and fulfilled my needs on the challenge but this approach isn’t the only approach. I’ve created a list of VSC references below in hopes of helping others find a solution they’re comfortable with. Feel free to submit your own site or article by emailing me at adam [at] forensicsblog.org — I’ll add it to the list.

Lastly I should note that the methods I’ve described above are not new or Earth shattering, libvshadow is used by other examiners. It’s simply new to me, now it’s also my method of choice.

DC3 Challenge Exercises Completed

The forensics challenge was hosted by the DoD Cyber Crime Center (DC3) and was a terrific experience for me considering I’m relatively new to forensics (the challenges are similar to online jeopardy style CTF). While there will be other challenges, this will likely be the DC3’s last. This is really unfortunate news: nothing reinforces infosec skills like challenges and competitions. I have yet to see a forensics-specific competition that has as much scope and depth as the DC3 Forensics Challenge.

I got into the challenge during its last month, running solo and without a boost from the missed bonus rounds. Despite these setbacks, I did manage to get into the Grand Champion category with pretty good standing in both the Overall Civilian and the U.S. Overall categories. I'm proud of this; I did much better than I thought I would. While it doesn't make me an authority on digital forensics (I'm not), I'd be glad to write about other exercises attempted.

Special thanks to the DoD Cybercrime Center (DC3) and the Air Force Office of Special Investigations (AFOSI) for hosting such a cool event for civilians and military personnel alike. I’m in no way affiliated with and/or endorsed by AFOSI or DC3.

Resources

There are a lot of good resources out there regarding Volume Shadow Copies, many of which are written for examiners by examiners. Anyone interested in VSS or VSC analysis should definitely check them out:

“Mounting Shadow Volumes in Linux Ubuntu 12.04” by EpyxForensics.

“Ripping Volume Shadow Copies – Introduction,” Journey Into Incident Response (blog) by Corey Harrell – note: his entire VSC series is really terrific.

“Shadow Timelines and Other VolumeShadowCopy Digital Forensics Techniques with Sleuthkit on Windows,” SANS Computer Forensics Blog by Rob Lee

“Accessing Volume Shadow Copies,” by Harlan Carvey

“Mount shadow volumes on disk images,” forensicswiki.org (site lists various methods)

“Into the Shadows,” forensic4cast, by Lee Whitfield

libvshadow's Project Page: http://code.google.com/p/libvshadow/

“How Volume Shadow Copy Service Works,” TechNet (Microsoft)

“Volume Shadow Copy Service,” MSDN on VSS and how it works

“Volume Shadow Copy System Restore” (VSS FAQs) by Tomasz P. Szynalski

“Volume Shadow Copy Forensics.. cannot see the wood for the trees?” by Richard Drinkwater, FFTSF blog

“Examining Volume Shadow Copies – The Easy Way!” by Simon Key, Digital Forensics Today (EnCase/Guidance Software) – note: this piece is very interesting and helps explain what's going on behind the scenes when snapshots are taken. It also discusses the EnCase PDE approach to analyzing them.

Android USB Device Support

While reading Android Forensics by AH and setting up the SDK on my Ubuntu box, I noticed the udev rules needed an update. Makes sense considering there’s been many new vendors since the book was published.

I’ve compiled an up-to-date ruleset that uses the standard format and includes comments indicating each vendor. While not a terribly new contribution, I’ve decided to post the rules here to allow android devs and examiners the opportunity to use them with little effort.

Copy & paste it:

# 51-android.rules should be placed in /etc/udev/rules.d (chmod 664 or a+r)
# Official Guide & Vendor IDs: http://developer.android.com/tools/device.html
# The subsystem name is lowercase "usb"; SYSFS{} is the old spelling of the
# attribute match and ATTR{} is the current one. idVendor values in sysfs are
# lowercase hex, so the match strings must be too.
# MODE="0666" lets every local user talk to the device; the official guide
# restricts access with GROUP="plugdev" instead if you prefer that.
#Acer
SUBSYSTEM=="usb", ATTR{idVendor}=="0502", MODE="0666"
#ASUS
SUBSYSTEM=="usb", ATTR{idVendor}=="0b05", MODE="0666"
#Dell
SUBSYSTEM=="usb", ATTR{idVendor}=="413c", MODE="0666"
#Foxconn
SUBSYSTEM=="usb", ATTR{idVendor}=="0489", MODE="0666"
#Fujitsu
SUBSYSTEM=="usb", ATTR{idVendor}=="04c5", MODE="0666"
#Fujitsu Toshiba
SUBSYSTEM=="usb", ATTR{idVendor}=="04c5", MODE="0666"
#Garmin-Asus
SUBSYSTEM=="usb", ATTR{idVendor}=="091e", MODE="0666"
#Google
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0666"
#Haier
SUBSYSTEM=="usb", ATTR{idVendor}=="501e", MODE="0666"
#Hisense
SUBSYSTEM=="usb", ATTR{idVendor}=="109b", MODE="0666"
#HTC
SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0666"
#Huawei
SUBSYSTEM=="usb", ATTR{idVendor}=="12d1", MODE="0666"
#K-Touch
SUBSYSTEM=="usb", ATTR{idVendor}=="24e3", MODE="0666"
#KT Tech
SUBSYSTEM=="usb", ATTR{idVendor}=="2116", MODE="0666"
#Kyocera
SUBSYSTEM=="usb", ATTR{idVendor}=="0482", MODE="0666"
#Lenovo
SUBSYSTEM=="usb", ATTR{idVendor}=="17ef", MODE="0666"
#LG
SUBSYSTEM=="usb", ATTR{idVendor}=="1004", MODE="0666"
#Motorola
SUBSYSTEM=="usb", ATTR{idVendor}=="22b8", MODE="0666"
#MTK
SUBSYSTEM=="usb", ATTR{idVendor}=="0e8d", MODE="0666"
#NEC
SUBSYSTEM=="usb", ATTR{idVendor}=="0409", MODE="0666"
#Nook
SUBSYSTEM=="usb", ATTR{idVendor}=="2080", MODE="0666"
#Nvidia
SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0666"
#OTGV
SUBSYSTEM=="usb", ATTR{idVendor}=="2257", MODE="0666"
#Pantech
SUBSYSTEM=="usb", ATTR{idVendor}=="10a9", MODE="0666"
#Pegatron
SUBSYSTEM=="usb", ATTR{idVendor}=="1d4d", MODE="0666"
#Philips
SUBSYSTEM=="usb", ATTR{idVendor}=="0471", MODE="0666"
#PMC-Sierra
SUBSYSTEM=="usb", ATTR{idVendor}=="04da", MODE="0666"
#Qualcomm
SUBSYSTEM=="usb", ATTR{idVendor}=="05c6", MODE="0666"
#SK Telesys
SUBSYSTEM=="usb", ATTR{idVendor}=="1f53", MODE="0666"
#Samsung
SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666"
#Sharp
SUBSYSTEM=="usb", ATTR{idVendor}=="04dd", MODE="0666"
#Sony
SUBSYSTEM=="usb", ATTR{idVendor}=="054c", MODE="0666"
#Sony Ericsson
SUBSYSTEM=="usb", ATTR{idVendor}=="0fce", MODE="0666"
#Teleepoch
SUBSYSTEM=="usb", ATTR{idVendor}=="2340", MODE="0666"
#Toshiba
SUBSYSTEM=="usb", ATTR{idVendor}=="0930", MODE="0666"
#ZTE (vendor ID 19d2 per the official table)
SUBSYSTEM=="usb", ATTR{idVendor}=="19d2", MODE="0666"

Or you can download it from my Sourceforge @ https://sourceforge.net/projects/forensicscripts/files/android/

Edit: Do you see Android running on a device that works but somehow isn't officially mentioned in the SDK docs? Feel free to grab the VID (USB vendor ID) and post it in a comment (to get the VID you can connect the device and run a simple dmesg | grep -i usb, or lsusb).

Thoughts on viaExtract (Demo)

I recently had the opportunity to try the viaForensics viaExtract VM utility. viaExtract is essentially a framework in which many different advanced analysis features can be utilized (and automated). Based on Ubuntu, the VM utility is easy to setup and even easier to operate.

Although I’m not terribly advanced in mobile forensics (more of a hobby at the moment), I’ve used Santoku and acquired android data through AFLogical OSE. The law enforcement/government-only AFLogical proper is offered through viaExtract and enables the reporting and harvesting of many different types of data, including:

* Device Information
* Browser History including Searches & Bookmarks
* An in-depth call log
* In-depth contact information acquisition
* Thumbnailed photos each including their own hash
* Application installations
* And more…

Much like using AFLogical OSE within Santoku, the analyst can easily deploy the ADB daemon onto the device and have the workstation connect to it so long as the android is set into debugging mode and the VM properly passes through the USB connection. The daemon essentially allows you to execute commands on the device and is packaged with the SDK (in case you haven’t had the pleasure of using ADB in the past). As with all viaForensics tools, there’s no digging around the Android SDK for ADB to manually deploy it. But in viaExtract there’s the added benefit of automated deployment of AFLogical OSE on the smartphone. In fact, the data collection process is fully automated and shouldn’t require the analyst to actually touch the mobile device at all.

Along those lines you don’t actually have to pull the acquired reports from the device’s SD card. All of that is also automated. But should you want to push any additional tools to the device, you can do so with the command line (via adb push).

Case management is one of viaExtract’s most important features. You can manage your entire case using viaExtract and include multiple devices for inspection.

Whereas in Santoku the reports output in CSV, viaExtract allows you to compile PDF-reports based on HTML reports it acquires. The feature is as simple as selecting the PDF option on the toolbar.

But what other advanced features does viaExtract have? While I can’t access them within the demo version, the tool offers the analyst the following additional options:

* Gesture Key Code (if used to lock a device)
* Image Storage Device (SD)
* Unlock Screen (Thomas Cannon mentioned in his Defcon speech how 4 digit pins are extremely easy to crack whereas using complex passphrases may not be as simple)
* Sleuth Kit Timeline exporting (allows for use in generating super timelines)
* Encryption Brute Force (makes use of file headers and footers akin to the bruteforce_stdcrypto Python script in Santoku, but fully automated and makes use of the viaExtract GUI)

Despite being limited to basic data acquisition with the demo version, I can already tell how valuable this tool can be when conducting forensic examinations. Automation, case management and advanced mobile forensic features rolled all into one easy-to-use package marks viaExtract as a good product for law enforcement personnel.

On AFLogical OSE and SD Card Limitations

While it's beyond the scope of this post, when using AFLogical OSE in Santoku, reports are saved to the device's SD card and must be copied to the analyst's workstation via the command line. But devices like the Razr Maxx HD only allow pictures and video to be transferred to the SD card (this limit seems to coincide with the release of MTP in Jelly Bean). This limitation is imposed on many newer devices running Android 4.2+. Upon some research into the matter, I believe this limitation does not restrict AFLogical OSE reports from being saved to the card.

Santoku aside – and more to the point of using viaExtract with AFLogical-proper – vE worked flawlessly as advertised and automatically extracted the needed data for me, reporting on it with ease.

Type of device used: Unrooted Motorola Razr Maxx HD and a rooted Motorola Razr.

Note: I do not work for viaForensics, I was simply interested in this tool and decided to test it. The reason for the blog post is to help others make the decision to try it if they’re looking for a valuable android forensics tool.

Resources

viaExtract: https://viaforensics.com/products/viaextract/
AFLogical & AFL OSE: https://viaforensics.com/resources/tools/android-forensics-tool/
Santoku Linux: https://santoku-linux.com/

DNS Threats and Security Solutions

DNS security is of great importance to the internet as a whole. DNS, or Domain Name System, is a naming standard in which names are resolved to IP addresses. When you surf the internet your ISP’s name servers are queried and the appropriate IP address is found, you’re then forwarded to the correct location of your choice.

IPv4 and IPv6 protocols may make IP addresses appear different, but DNS is used regardless of the IP protocol used. While DNS is more of a phone book or database than the method used for communicating data (the IP protocols themselves), attackers can use DNS changing techniques to their benefit. (Actually there are a lot more differences than appearances when dealing with the new IPv6, but that’s beyond the scope of this article.)

Threats from DNS exploitation include the DNS Changer/Alureon virus and social engineering/harvester attacks used in phishing. Have you ever spent any time in Backtrack Linux? You can easily create faked login pages for use during certain types of man-in-the-middle (MITM) attacks. Such pages can be concealed to appear real but, in actuality, forward your valuable information to an attacker. Some, like the aforementioned harvester attack, will forward you to the correct page afterwards… you’ll never know you were taken advantage of!

Note: Backtrack is a legitimate security auditing Linux distribution. Don’t use it against others (after all, this blog is for folks really interested in security not as a “hacking guide”).

Credential Harvester

One of the most effective attacks is the replication of a false login page, as can be seen with the Metasploit Framework. Practically any type of false login page can be created using the Social Engineering Toolkit (SET). When combined with a successful MITM attack, or by including such a payload in malware, an attacker can gain sensitive information about you.

Alternative name server solutions sometimes offer greater security over your standard ISP’s DNS servers. Such tools can often be used to detect false sites as they resolve.

Further Reading on SET’s Credential Harvester

Metasploit Unleashed – Credential Harvester Attack:
http://www.offensive-security.com/metasploit-unleashed/SET_Credential_Harvester_Attack

Note: If you’re interested in seriously studying computer security you owe it to yourself to check out the Metasploit Framework.

History Repeating: The DNSChanger Scare

Almost everyone remembers the scare we had recently with the DNSChanger incident. Computers still infected with DNSChanger/Alureon faced a big problem: with the arrest of the botnet operators across the globe, the FBI feared that maliciously redirected DNS entries would, instead of resolving to unintended sites for phishing and advertising, simply fail.

The DNS Changer Working Group (DCWG) has a nifty website that checks whether or not your DNS resolution was hijacked. The incident turned out to be a major disaster for the FBI and few others. Internet Service Providers compensated for this and allowed their own name servers to re-redirect the faulty computers. In the news the FBI seemed to blame everyone but themselves. In actuality they overestimated the risk. They even failed to notify people that DNSChanger was actually the very old and well known Alureon to begin with.

Also, the DCWG website would have apparently given nearly everyone in the United States a false sense of security. With ISPs compensating for DNSChanger months in advance (in some cases nearly since Alureon has been around), the page would have reported infected machines as clean simply by virtue of your ISP correcting the problem (the number one complaint made by the FBI against ISPs).

Guess the internet didn’t shut off! Okay, disperse people. We can all go back to work safely.

Yet on an individual level DNS changing malware is still a very real security problem and, if launched successfully, can mean you handing over sensitive information to the attacker.

As I'm writing this I've noticed the DCWG page is back online. While the "global meltdown" is no longer a real threat, the page can still be used to attempt to detect DNSChanger on individual computers. Note that I'm not saying it isn't a real concern; it is a concern, merely not a global threat as the FBI suggested. Prior to the DCWG page going back online, a notice was posted explaining how ISPs compensated for DNSChanger and therefore would have rendered their site useless against actually detecting DNSChanger.

So a joke? No. OpenDNS.com reported in blog posts that hundreds of thousands of machines were infected but their owners simply didn't know it. While there wasn't a global meltdown of epic proportions, users should still take note that the threat is real and do everything they can to ensure their own safety. Use DCWG, but simply keep in mind that many ISPs have independently addressed this issue: if you are still infected you should get it cleaned up. Also be sure to run regularly updated malware protection.

DNS Changer Detection (DCWG): http://www.dcwg.org/detect/
Malwarebytes: http://www.malwarebytes.org/

Further Reading on DNSChanger

Blog Post on DNSChanger on Geek Street:
http://mountainloopexpress.com/index.php?fn_mode=fullnews&fn_id=694

Tech Republic Post by Alfonso Barreiro Prior to Incident:
http://www.techrepublic.com/blog/security/preparing-for-the-dnschanger-internet-outage/7863?tag=nl.e036

DNA India on DNS Changer Prior to Incident:
http://www.dnaindia.com/pune/report_dns-syndrome-not-a-major-threat-experts_1712350

Peckham, Matt. “DNSChanger: No, the Internet Isn’t Shutting Down on Monday.” Time Magazine. July 6, 2012. Note: Prior to incident, warnings that a global meltdown scenario is not accurate but threat is still real.

Chabrow, Eric. “Malware Monday: Much Ado About Nothing.” Bank Info Sec. July 5, 2012.

DNS Cache Poisoning/Spoofing Attacks

The types of attacks above are DNS Cache Poisoning attacks and rely on an attacker changing your DNS table to facilitate faulty look-ups (ones that can appear real but be used to steal your information).

More info on DNS poisoning generally can be found on these sites:
http://searchsecurity.techtarget.com/definition/cache-poisoning
http://cr.yp.to/djbdns/notes.html#poison

Alternative DNS Solutions

There are quite a number of different ways to protect against phishing online from nifty router firewall software that monitors the sites you visit to anti-virus software. In the end, used intelligently, a combination of all these methods can be utilized to safeguard your presence online. One small solution (the focus of this article) is to use an alternative name server with security tools built-in to protect you from visiting faulty or purposely misleading websites.

OpenDNS is a terrific solution which provides fast and stable name servers with anti-phishing protection. Combined with DNSCrypt, your DNS look-ups will also be encrypted, so that if you have a virus it'll be more difficult for it to change your DNS look-up behavior. Plus OpenDNS enables parental controls for parents to block access to certain types of sites. There's a paid version and an ad-supported free version which, upon entering an unresolvable name, gives you an error page like normal, but with an ad.

This solution does not replace the need for a VPN, does not offer the extendability and protection of a good proxy, does not anonymize you in any way, shape, or form, and does not encrypt data passing through your network (for a free solution that encompasses all of those forms of protection, please look into running an OpenVPN+Squid Virtual Private Network as I describe as being effective in this article). This solution is for those wishing to either secure their DNS querying, protecting their system from the above risks and/or accessing sites their ISP would otherwise prohibit them from seeing (such as regional restrictions).

For more information on OpenDNS with DNSCrypt, see ghacks.net’s article entitled, “OpenDNS DNSCrypt, Increase Security By Encrypting DNS Traffic.”

DNSCrypt relies on elliptic-curve cryptography, Curve25519, as outlined here: http://dnscurve.org/crypto.html — keep in mind that the DNS server must actually use DNSCurve in order for you to gain its benefits. If in doubt, call your ISP to see if you can make use of it by itself, or use DNSCrypt with the OpenDNS service. To set up DNSCurve without relying on OpenDNS, click here for instructions.

DNSSEC Protection: Why It Isn’t Enough

DNS Security Extensions (DNSSEC) is a way of authenticating DNS entries and ensuring that the response to a query really comes from the intended server. By itself it provides no confidentiality (queries and responses still travel in the clear), but it does add a layer of protection. When considering DNS service providers you should choose ones that use DNSSEC in combination with an encryption tool, depending on your needs.

DNS Server Logging and Record Keeping
(Should You Use an Alternative DNS Server?)

Theoretically OpenDNS can compile a list of every site you access (name and IP address). But they do not have access to your data. Once a name server resolves a name to an IP address, a link is created and the DNS server’s role is at an end (simplistically speaking). That means that your ISP actually has even more information about you than any sole DNS server could ever have.

Not only does your ISP have access to the sites you visit through their name server logs, they could potentially see your web traffic so long as it’s unencrypted (not using SSL) since it is running through their network.

It all comes down to personal choice and who you’re willing to trust more (or more completely). Your ISP or your ISP and a third party DNS service. Everyone’s goals and desires are different, the purpose of this post is to inform you of the technology, the threat and possible solutions.

Keep in mind that despite your best efforts to be safe online, your unencrypted information is out there. Plenty of third party sites know what you do. Even by using proxy chains (and I’ve used some pretty extensive proxy chains), most of your activities can eventually be tracked back to you. Generally speaking, your ISP will always have extensive records chronicling your internet adventures.

In an insecure world, what measures do you think are acceptable and worth going through in order to safeguard your privacy?

As a great American Hero once said, “Only You Can Prevent Forest Fires.”

Related post: “Public Wi-fi? Be Mindful of Session Hijacking.”

Hamachi as a Private VPN For Secure Web Traffic

If you’ve ever set up a fake LAN for pirated games you probably know all about Hamachi. The tool, now available through remote-access (RAS) giant LogMeIn, lets you construct a virtual LAN in which you and a set number of friends (5 using the free edition of Hamachi) appear to be on the same network: each member gets an address on Hamachi’s overlay network and traffic between members is tunnelled. For this reason Hamachi would seem like an ideal VPN solution for those looking to jury-rig a homemade VPN with additional proxy software.

This trend was started by Lifehacker, formerly a prominent DIY tech site that now focuses on articles about Instagram replacements and other pop consumer tech. One of the most notable Hamachi VPN articles from Lifehacker is linked here (“Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security” by Alan Henry). These articles all claim that Hamachi in combination with proxy software run on Windows machines is a viable security solution. That song is now being sung on many tech blogs.

The most common configuration for such a VPN is Hamachi and Privoxy, although Hamachi and Squid combinations are also making an appearance (Squid is actually much better in my opinion as it offers unparalleled customization).

The problem is that neither combination anonymizes you or keeps you safe and secure. At best, your Hamachi IP address shows up alongside your actual IP address. The proxy does its job, but Hamachi does not route your web traffic anywhere: it only tunnels traffic between Hamachi members, so the proxy’s connections to web sites still leave from your own machine with your own ISP address. Nor is there any way to reach such a VPN from a mobile device, despite outlandish claims to the contrary. Android ICS ships built-in VPN clients for PPTP and IPsec only, and Hamachi speaks neither, so those native clients cannot connect to it.

What Hamachi is Good At and What It Isn’t

Hamachi is NOT a real VPN in the sense of routing web traffic, even with a properly configured proxy. It’s more likely that those claiming success were confused and had limited exposure to actual VPNs and to how proxies actually route traffic. Pointing Firefox’s proxy settings at your Hamachi IP may result in some websites receiving the Hamachi address in a header, but your actual IP is still very much visible as the address the connection comes from.

If you don’t believe me, go ahead and check the numerous comments made by users in response to these DIY tips. Lifehacker has received a number of complaints about these articles but has not modified them.

A real VPN+Proxy solution conceals your true IP address entirely because the tunnel carries the whole connection, proxied or not: the remote site sees the VPN’s exit address, never yours.

Hamachi is a VPN in that it facilitates secure networking with remote parties insofar as some types of traffic are concerned (most notably this service is great when it comes to gaming, chat servers, simple and secure VPN file sharing, etc.). But it is not an anonymous VPN and can’t hide your IP address for web traffic. If that worked in the past, it doesn’t seem to apply any more.

Checking your IP address through services like whatismyip.com is also unreliable, as many such sites run scripts that see through proxies. Sometimes the remote server will report one IP address but log another when connected (that occurred during my tests of a Hamachi+Proxy setup). Proxy detection is typically limited to basic header information (X-Forwarded-For and Via) and is often wrong to begin with; as you’ll see below, with the proper squid.conf entries you can suppress that detection, but suppressing the headers hides the proxy, not your address.

Poor Proxy Configuration

Supporters of a Hamachi+Proxy solution self-hosted on the individual’s own machine are bound to think there was something wrong with my proxy settings. But upon thorough testing with both Privoxy and Squid, I’ve determined that my conclusion is valid concerning Hamachi’s privacy.

First off, configuration in Privoxy is notably poor. Beginners pick Privoxy due to its ease of use and Windows-based interface. The better solution is Squid 2.7 Stable 8.

Some Known Issues

The results using WhatIsMyIP (and triple checked elsewhere) are as follows:

With squid.conf configured appropriately:

Your IP Address Is: [HAMACHI IP] Other IPs Detected: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

Huh. Must be registering server-side with my Hamachi IP but merely showing me my actual IP as well. But that’s not quite right. Looking at my normal website’s traffic logs, the Hamachi IP doesn’t actually show at all!

squid.conf with forwarded_for delete:

Your IP Address Is: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

forwarded_for delete and forwarded_for off yield exactly the same results (off replaces the client address in X-Forwarded-For with the word “unknown”, delete removes the header altogether; either way no address is forwarded).

Trying to add http_access blocks and the like has a similar result. You can stop sites from noticing your proxy, show only your actual IP, or strip various identifying headers altogether (and in the process cripple what you can see on websites, or even get yourself banned), but none of it anonymizes you: every one of those settings changes the headers Squid sends, while the connection itself still originates from your own address.
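The two results above are exactly what plain HTTP header handling predicts, and an added example (mine, not code from the original post, from Squid or from LogMeIn) makes the mechanism explicit. It models the headers Squid adds under the squid.conf settings tried above (forwarded_for on/off/delete, and via off) and the report a WhatIsMyIP-style page can build from them. The addresses, the proxy host name in the Via header, and the assumption that the browser reached Squid over the Hamachi interface (so Squid sees a 25.x client address) are all constructed for illustration.

```python
"""What a "what is my IP" page can learn from one HTTP request: the TCP peer address plus
whatever a proxy volunteers in X-Forwarded-For and Via. Added example; the addresses,
host name and header values are constructed to mirror the results quoted in the post."""
from ipaddress import ip_address

# Constructed sample addresses (RFC 5737 documentation ranges for the public ones).
REAL_IP = "203.0.113.7"       # the address your ISP gave the machine running Squid
HAMACHI_IP = "25.1.2.3"       # Hamachi overlay address; 25.0.0.0/8 (5.0.0.0/8 before late 2012)
VPN_EXIT_IP = "198.51.100.9"  # a real VPN's exit address
VIA = "1.1 proxyhost:3128 (squid/2.7.STABLE8)"   # host name constructed


def squid_request(client_ip, forwarded_for="on", via=True):
    """Model the headers Squid adds for the squid.conf settings the post tried.

    forwarded_for on      -> X-Forwarded-For carries the client's address
    forwarded_for off     -> X-Forwarded-For carries the literal word "unknown"
    forwarded_for delete  -> the header is removed entirely
    via off               -> no Via header (otherwise Squid names itself in Via)
    The TCP connection to the web site always leaves from the Squid host itself, so the
    peer address the server sees is REAL_IP no matter what the headers say.
    """
    headers = {}
    if forwarded_for == "on":
        headers["X-Forwarded-For"] = client_ip
    elif forwarded_for == "off":
        headers["X-Forwarded-For"] = "unknown"
    elif forwarded_for != "delete":
        raise ValueError("unsupported forwarded_for mode: %s" % forwarded_for)
    if via:
        headers["Via"] = VIA
    return REAL_IP, headers


def detect(peer_ip, headers):
    """Reproduce a WhatIsMyIP-style report: reported address, other addresses, proxy."""
    lower = {k.lower(): v for k, v in headers.items()}
    forwarded = []
    for token in lower.get("x-forwarded-for", "").split(","):
        token = token.strip()
        try:
            forwarded.append(str(ip_address(token)))
        except ValueError:
            pass                            # "unknown" or empty string: not an address
    reported = forwarded[0] if forwarded else peer_ip
    others = []
    for addr in forwarded[1:] + [peer_ip]:
        if addr != reported and addr not in others:
            others.append(addr)
    return {"reported": reported, "others": others, "proxy": lower.get("via")}


def real_vpn_request():
    """With a real VPN the tunnel carries the whole TCP connection, so the web site's
    peer is the VPN exit and nothing on the path names your own address."""
    return VPN_EXIT_IP, {}


if __name__ == "__main__":
    cases = [("forwarded_for on", squid_request(HAMACHI_IP, "on")),
             ("forwarded_for delete", squid_request(HAMACHI_IP, "delete")),
             ("forwarded_for off", squid_request(HAMACHI_IP, "off")),
             ("delete + via off", squid_request(HAMACHI_IP, "delete", via=False)),
             ("real VPN", real_vpn_request())]
    for label, (peer, headers) in cases:
        print("%-22s %s" % (label, detect(peer, headers)))
```

The point the output makes: X-Forwarded-For and Via are the only places the Hamachi address ever appears, and both are optional decoration that Squid adds. Remove them and what remains is the TCP peer, which is the Squid host’s own ISP address, because Hamachi carries traffic only between Hamachi members and never onto the public Internet. A real VPN changes the peer itself, which no header setting can do.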

At one point this setup may have worked (hence all the positive feedback it receives across the internet), but to my knowledge, it doesn’t work any longer. Besides… if you want a VPN solution you owe it to yourself to either create your own OpenVPN Server and use Squid for proxying or purchase a VPN service. Cutting corners with your privacy is silly.

Better Solutions

OpenVPN running on a virtualized or stand-alone Linux box, with Squid behind it, is the absolute best way of creating your own proxy server. Just keep in mind where that box lives: websites see the address of the network the OpenVPN server sits on, so a server at home shields you on public Wi-Fi but still presents your home address, while one on a rented VPS presents the VPS’s address.

Keep in mind that beginners often download the OpenVPN Access Server (AS) client for Windows and run it in a virtual box thinking that it replaces the need for an OpenVPN server. It doesn’t. You need to configure an OpenVPN server yourself and get it working: there are no shortcuts here. The following guides will help you:

Official OpenVPN Documentation

Optionally, GZ on the TechIMO support forums also posted a great guide to configuring OpenVPN with Ubuntu, click here to access it.

Optionally you can create a Windows OpenVPN server, but it requires a little more work. To be honest, I’ve found that XP doesn’t work great with OpenVPN and Windows 7 works the best. But feel free to give it a try. This guide will help you install and appropriately configure your Windows OpenVPN server: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ and you must also configure any firewall software and/or hardware you may have. If you are new to configuring your router’s firewall, OpenVPN may not be for you: port forwarding and changing your router’s subnet are extremely important (if your home LAN uses the same common default subnet as the network you are connecting from, the routes collide and the tunnel will not work).

Another (slower) solution is to use the free edition of Hotspot Shield in combination with anti-popup add-ons in Firefox (keeping in mind that you are violating Anchor’s Terms of Service by blocking the ads). You can set the appropriate software to block the appropriate ads/frames. Adblock Plus and NoScript work wonders in that regard. Keep in mind that your speeds will be slow with the free edition!

The last solution is a paid one which involves getting a really good VPN service. Price, data throughput and device support are the top priorities. Whether the provider keeps connection logs on the server side also matters enormously to your anonymity online. Three top solutions for paid VPNs are: StrongVPN, VyprVPN, and BTGuard (for anonymous torrent use).

Configuring Squid as a Proxy

While you’ll want to get yourself a VPN if you’re trying to protect yourself against MITM attacks (be sure to read my blog post entitled “Public Wi-fi? Be Mindful of Session Hijacking“), once you’re ready to set up a proxy, nothing works as well as Squid. Similarly, check here for a comprehensive guide to using squid.conf to enforce your anonymity online.

Resources of Note

LogMeIn Hamachi Homepage
OpenVPN Homepage
Squid Proxy Homepage
Privoxy Homepage
Hotspot Shield VPN

Sources

Henry, Alan (Lifehacker.com) “Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security.” Posted on April 11, 2012.

Quora’s page in support of Hamachi used as an “effective VPN.”

Access Your Virtualized Linux Box Anywhere

Have you ever wanted access to a Linux box on your mobile device? Sure, you could just SSH in, but what if you wanted the entire desktop experience on your portable computer or at a friend’s house? Virtualization + RAS = true OS freedom (or… well, geeky fun anyway). The technique is used on a regular basis, but there may be some out there who don’t know how to take advantage of it.

In this blog article I’ll explain how to get access to your Linux box from any platform or device. Keep in mind that if your host is already Linux you can skip the virtualization section and head right down to configuring the remote access software.

This setup is meant for a Windows host machine running a Linux guest environment.

Remote Access on Your Mobile

There have been a lot of advancements in the fields of virtualization and remote access software, but it never ceases to amaze me how few all-in-one packages there are for manipulating virtual environments via mobile devices. This is because writing software for mobile devices is often tricky, and the few options out there are kind of crappy. The software I’ll be using in this post are the iOS iPad versions of TeamViewer HD Free for iPad and VMware View (also free, but the host-side software is a 60-day trial). I’ll only be providing the in-depth setup for TeamViewer, as doing both would be too exhaustive.

Downloading TV or VMware View on Your Mobile

TeamViewer For Remote Control (Android OS)

TeamViewer HD for iPad (iOS/iPad)

VMware View for Android (Android OS)

VMware View for iPad (iOS/iPad)

Your RAS client is the key to accessing your virtualized session, so select one that runs on the mobile device you want to use. The client determines how well you can manipulate the session, so select wisely or YMMV. Similarly you can opt for a VNC variant and swap out the RAS selections I’ve used.

As such, you’ll probably need to review the release notes on your mobile RAS to ensure that it’ll function correctly on your specific mobile device. For example, I’ve used TeamViewer for Android on my Motorola RAZR without any problems. But I wouldn’t expect speedy results on an older Android device without a dual-core processor.

Host Machine

Obviously it goes without saying (but I will) that your host needs to be on if you want to access your virtualized box. The critical components here are:

  • RAM
  • Bandwidth

I’ll be using ~1.5-2 gigs dedicated to the virtual sessions, but keep in mind that this is the bare minimum needed for most X environments to work efficiently under pressure (and therefore in a virtual environment). Your success will be based on how much RAM you allot to the virtualization on the host machine: some operating systems’ X environments are resource hogs. Keeping that in mind, I’ll be using Bodhi Linux as it’s a lightweight E17 distribution. Minimalism is critical if you are tight on RAM.

(If you’re interested in Bodhi Linux you can pick up the distro here: http://www.bodhilinux.com/)

It goes without saying that 3D hardware acceleration needs to be enabled on the host, and what you’ll see on the mobile client may also vary with the GPU, which means having a fairly new one. But this is Linux we’re talking about… in all likelihood you’ll be fine so long as you aren’t doing anything too graphically intense. I’m using an XFX HD 6670 with 1 GB of DDR5 so you don’t need anything fancy (keep in mind everything on my system is bottlenecked due to an old Pentium D processor, so any modern system should be able to do well). If the virtual environment plays fine on your host you are set in that department.

Bandwidth is critical. I’m pulling 45/35 on a fiber line for the host. You don’t want your host machine to slow you down (use Wi-fi on the client-side as opposed to 3G or 4G if the network is fast enough). Let’s be honest. We’re using RAS (slow) and virtualization (potentially slow), you don’t want a bandwidth problem factored in. Nothing sucks more than remote access lag.

Host Software

This is broken up into two parts. 1) The virtual environment creator and player (can be the same in the case of VMware Workstation or VirtualBox), and 2) The RAS setup within the virtualized Linux session.

This post will be focusing on the latter. You should already know how to set up a virtual environment in VMware or Oracle VM VirtualBox. Read the documentation associated with whichever virtualization software package you decide to use (keeping in mind, of course, that VirtualBox and VMware Player are free while VMware Workstation is an expensive investment; free VirtualBox is the best option for both creating and playing environments without having to purchase VMware Workstation).

Oracle VM VirtualBox can be downloaded here: https://www.virtualbox.org/
VMware Workstation can be sampled for 30-days here: http://www.vmware.com/products/workstation/overview.html
VMware Player (not a VM creator) can be downloaded here: http://www.vmware.com/products/player/

The last note here is to use NAT as the guest’s network adapter mode so that the guest shares the host’s IP address. The guest then needs only outbound connectivity, which is all TeamViewer requires (my VPN configured through my host machine also worked well with this configuration).

Virtualization’s RAS

TeamViewer or VMware View 5.0 are ideal since they are well documented and exist on nearly any platform you need. You need to have created your virtual environment flawlessly for this to work which means installing and being able to use Linux as a whole.

As far as the virtualization’s RAS is concerned, if you did use Bodhi you can download the Debian archive for TeamViewer for Linux or use Synaptic to automate the process (using this method is the easiest with TeamViewer 7).

Configuring Your RAS (TeamViewer Example)

Upon starting TeamViewer for the first time you’ll get a notice about configuring Wine, which the Linux build of TeamViewer runs under.

I would create an account on TeamViewer to be able to save frequently accessed computers.

Once it starts up, copy down your 9-digit ID number. If you want unattended sign-in, disregard the session password shown on the main page (that one changes); keep in mind that your Linux guest and the TeamViewer software need to be running for you to connect.

To configure the unattended password, head over to the Options/Security tab and choose a long, complex password. The combination of your 9-digit ID and this password is all that is needed for remote access to your virtualized Linux session, so treat the pair like an SSH private key.

Then head over to your mobile TeamViewer app (or the program you are trying to connect from) and add the Linux guest’s ID and unattended password in the “Computers & Contacts” section of the client.

Then go ahead and connect. The TeamViewer session itself is encrypted, so it survives an insecure Wi-Fi network; what it does not survive is a leaked ID and unattended password, which hand the whole desktop to whoever has them.

Closing Notes

[Screenshot: Bodhi Linux guest in VMware / Bodhi on iPad 1]

It’s highly unlikely that any RAS is going to offer stunning visuals but different software can provide different results (TeamViewer isn’t known for graphical prowess). Regardless, feel free to play around with the general concepts explored in this post to achieve a suitable result. In the end the goal was to create a decent remotely accessible Linux virtualization as opposed to accessing your Linux box through a CLI and, to that end, it worked.