Sunday, May 29, 2011

lsof command for incident responders

As incident response personnel, if you had to choose a single command that you could run on *nix systems, which one would you choose? My pick would be the "lsof" command.

Here are some of the useful options of this command.

lsof /var/log/messages  - to see which process holds this file open, with its process ID and the user who started it

lsof -c syslogd - to see all files open by the syslogd process (-c matches on the command name), with the path, size, and inode of each

lsof -u root - to see all processes running as root and the files they have open

lsof -an -i - to show all network connections (-i) with the process, process ID, and the user who started the process; -n skips hostname lookups, and -a ANDs the selection options together

lsof -an -i -r 2 - puts the listing in repeat mode: -r t re-runs the command every t seconds, here every 2 seconds, which makes new connections easy to spot

lsof -an -i @ - with an IP address given after the @, shows only the connections involving that single address

lsof -i -a -u root - to see all network connections for a particular user (-a combines the -i and -u selections instead of ORing them)

lsof -i :6106 - to find which process is listening on a given port and who is connected to it

lsof -i -U - to list all open Internet (-i) and UNIX domain (-U) sockets together with the processes that hold them
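As an added example that is not part of the original post, the script below parses the output of lsof -nP -i (no hostname or port-name lookups) and answers the questions the options above are used for: which process listens on a port and who is connected to it, which network connections a particular user holds, and which sockets appeared between two listings, the same baseline-and-compare idea behind running lsof in -r repeat mode. The two listings, the process names, PIDs, users and addresses are all constructed for the example, not captured from a real host; the parser assumes the default column layout and command names without embedded spaces.

```python
"""Parse `lsof -nP -i` listings and answer common incident-response questions.

Added example, not code from the original post. The sample listings below are
constructed to look like `lsof -nP -i` output; nothing in them is real data.
"""
from collections import namedtuple

# One socket line: COMMAND PID USER ... NODE(proto) NAME [(STATE)]
Sock = namedtuple("Sock", "command pid user proto name state")

# Constructed baseline listing (what a clean host looked like).
SAMPLE_BASELINE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1012 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
syslogd   877 root    4u  IPv4  12001      0t0  UDP *:514
sshd     2201 root    4u  IPv4  22222      0t0  TCP 10.0.0.5:22->10.0.0.9:51022 (ESTABLISHED)
"""

# Constructed later listing: a new listener on 6106 with a remote peer attached.
SAMPLE_LATER = SAMPLE_BASELINE + """\
nc       3150 www     3u  IPv4  33333      0t0  TCP *:6106 (LISTEN)
nc       3150 www     4u  IPv4  33334      0t0  TCP 10.0.0.5:6106->203.0.113.7:40112 (ESTABLISHED)
"""


def parse_lsof_i(text):
    """Turn `lsof -nP -i` text into Sock records, skipping the header line."""
    socks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        parts = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
        command, pid, user = parts[0], int(parts[1]), parts[2]
        proto, name = parts[7], parts[8]          # NODE holds TCP/UDP for -i
        state = parts[9].strip("()") if len(parts) > 9 else ""
        socks.append(Sock(command, pid, user, proto, name, state))
    return socks


def local_port(sock):
    """Local port from NAME, e.g. '*:22' or '10.0.0.5:22->10.0.0.9:51022'."""
    local_side = sock.name.split("->")[0]
    return int(local_side.rsplit(":", 1)[1])


def remote_peer(sock):
    """Remote address:port if the socket has a peer, else None."""
    return sock.name.split("->")[1] if "->" in sock.name else None


def is_listener(sock):
    """TCP sockets in LISTEN, plus bound UDP sockets (lsof shows no state)."""
    return sock.state == "LISTEN" or sock.proto == "UDP"


def who_is_on_port(socks, port):
    """The `lsof -i :PORT` question: (listening processes, remote peers)."""
    on_port = [s for s in socks if local_port(s) == port]
    listening = [(s.command, s.pid, s.user) for s in on_port if is_listener(s)]
    peers = [remote_peer(s) for s in on_port if remote_peer(s)]
    return listening, peers


def connections_for_user(socks, user):
    """The `lsof -a -i -u USER` question: established sockets held by a user."""
    return [s for s in socks if s.user == user and s.state == "ESTABLISHED"]


def new_sockets(baseline_text, later_text):
    """Sockets present in the later listing but not in the baseline, which is
    what an analyst watches for when running lsof in -r repeat mode."""
    before = set(parse_lsof_i(baseline_text))
    return [s for s in parse_lsof_i(later_text) if s not in before]


if __name__ == "__main__":
    later = parse_lsof_i(SAMPLE_LATER)
    print("Port 6106:", who_is_on_port(later, 6106))
    print("root connections:", connections_for_user(later, "root"))
    for s in new_sockets(SAMPLE_BASELINE, SAMPLE_LATER):
        print("NEW:", s.command, s.pid, s.user, s.proto, s.name, s.state)
```

On a live host the same functions can be fed the text of `subprocess.run(["lsof", "-nP", "-i"], capture_output=True, text=True).stdout`; keeping the baseline listing on disk lets a later run be compared against a known-good state rather than against memory.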

Sunday, May 15, 2011

Cyber criminals target mobile platforms

According to the new Cisco report, cyber criminals are shifting their focus away from Windows-based PCs to smart phones, tablets, and mobile platforms. Apple's platforms are also gaining popularity with the criminals. Cisco attributes this shift to the fact that "PC vendors are building better security into their products, and they are moving faster than ever to provide updates, alert users to potential flaws, and make patches available to users. This means it is becoming increasingly time-consuming and resource-intensive to find ways to exploit platforms that once were so lucrative, in particular, the Microsoft Windows platform."

The complete report is available here.

As more and more corporate executives start using smart phones and tablets, this poses new challenges for information security professionals. People don't realize what personal information and other data are being extracted from their mobile phones by the various applications installed on them. A recent Wall Street Journal investigation found that many of these smart phones share personal data widely and regularly.

Many financial and retail institutions have started offering transactions through these devices; PayPal alone expects to process more than $700 million in mobile payments. Along with this jump in mobile usage, we now have more vulnerabilities in mobile applications as well. Most of these vulnerabilities have been basic lapses such as storing authentication data in plain text, storing credit card and CVV numbers, etc. These vulnerabilities indicate that organizations are rushing into both the development and the release of such applications without implementing proper controls.

New Microsoft SDL (and malware analysis) tool

Microsoft released a new SDL tool to check for the attack vectors a program introduces on a system. Some of the attack vectors it checks include open sockets, services running by default, weak ACLs, dynamic web pages, enabled ActiveX controls, and enabled guest accounts. Based on the presence of these attack vectors, it identifies the changes and reports them.

Some of the things we can do with the tool include,
  • Developers can view changes in the attack surface resulting from the introduction of their code on to the Windows platform
  • IT professionals can assess the aggregate attack surface change caused by the installation of an organization's line-of-business applications
  • IT security auditors can evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
But, in my opinion, the most valuable use of the tool would be in malware analysis and incident response. The tool allows you to take a snapshot of a system to serve as the baseline and compare it with a later snapshot, enabling you to detect changes such as additional files, registry keys, services, ActiveX controls, listening ports, access control lists, and other parameters. It enables the investigator to see the effect of malware or of legitimate programs on a system.

The tool can be downloaded from here.