Category: information security

Two Factor Authentication: How To Secure Yahoo! Accounts

We discussed securing Gmail and Hotmail accounts. We will now secure Yahoo! accounts. First, log in to your Yahoo! account, then click on Account Info at the top right of the page, select the Account Security tab, and toggle two-step verification.


After toggling two-step verification, a window pops up. Select your country, enter your mobile number, and then select either ‘Send SMS’ or ‘Call Me’. For the purpose of this assignment I will go with ‘Send SMS’.


Enter the verification code that you are sent.


Success!

Two Factor Authentication: How To Secure Microsoft Accounts

We discussed securing Google accounts before. You can reach that content from here. The following walk-through illustrates how to set up two-factor authentication for a Hotmail account. These instructions assume you have the following: an Android smartphone and an alternate email address registered with your Hotmail account. If you don’t, don’t fret: continue up to Step 3, then follow the on-screen instructions.

Step 1:  Go to https://account.microsoft.com/proofs/Manage and sign in to your account.  Once signed in, click on the ‘Set up two-step verification’ link.


Step 2:  Click next.


Step 3:  Select a method to verify your identity.  (If you don’t have an alternate email address or Android, select the method that best fits your needs.)

Step 4:  Download and install the ‘Microsoft account’ app onto your smart phone.


Step 5:  Open the app and follow the on-screen instructions to sign in to your account.  After signing in, you will be asked to verify your identity by having a security code emailed to your alternate email address.


Step 6:  Back on the website, select ‘Next’ to complete the setup.  Optionally, you can proceed further to create an app password for use on any devices that do not accept security codes.

The next time you or someone else tries to log in to your account from another device, an alert will be sent to your phone to verify that the login is authorized.  If it is not, reject the attempt.

Additional Resources

Microsoft FAQ: http://windows.microsoft.com/en-us/windows/two-step-verification-faq


Two Factor Authentication: How To Secure Your Google Accounts

  • You will first need to log in to your Gmail account.
  • Click on your profile picture near the top right corner and a box with a few options will appear. You will need to click on the blue button named “My Account”.


  • A new tab will open with different kinds of options for your account. You will need to click on the “Sign-in & security” option.


  • Under “Sign-in & security” there is an option named “Signing in to Google”. You will need to click that link next.


  • Under the section “Signing in to Google” you need to click on the link option “2-Step Verification”.


  • You will now be taken to a page to begin the setup process. You will need to click the blue button named “Start setup”.

  • You will be told to re-enter your password to continue with the setup process.

  • The first step of the setup process is to enter a valid phone number to which the codes can be sent. You will also need to choose how to receive the verification codes.


  • After you have entered the phone number, a code will be sent to that number.

  • The third step will ask if you trust the computer you are using to set up 2-Step Verification. Leave the box checked if you do; if you don’t, make sure to uncheck it.

  • The last step will just need you to confirm that you would like to turn on 2-Step Verification.


  • After confirming, you will be sent an email telling you that you have successfully turned on 2-Step Verification. The setup process is now done and no more steps need to be taken.

Another Adobe Flash Player Vulnerability

There is a new Adobe Flash Player vulnerability found by Trend Micro.  Here is what you need to know:

  • Adobe said it would publish the fix next week. However, it did a faster job and published the fix yesterday.
  • The attacks seem to be targeted attacks against government entities. However, once the exploit becomes available to a larger audience, I would expect the attackers to start going after regular users too.
  • Mac, Linux and Windows are all affected by this vulnerability.
  • You can download the latest Adobe Flash Player here: https://helpx.adobe.com/security/products/flash-player/apsb15-27.html

If your company cannot update its Flash Player for some reason, I would encourage it to block e-mails with the following subject lines:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

How To View Windows Registry On Linux

Introduction

Forensic Registry EDitor (fred) is a cross-platform Microsoft registry hive editor. It is a GUI-based registry editor that runs on Linux and has a built-in hex viewer and data interpreter.

Installation

The best way to install this tool is to follow the instructions of its author, Daniel:

In order to automatically stay up-to-date when new versions are released, I recommend adding my repository to your software sources list. This is done by executing the following commands:

sudo wget -P /etc/apt/sources.list.d/ http://deb.pinguin.lu/pinguin.lu.list
wget -q http://deb.pinguin.lu/debsign_public.key -O- | sudo apt-key add -
sudo apt-get update

Once done, you can install packages by issuing:

sudo apt-get install fred fred-reports


Environment

I used a hard disk image of a Windows system.

# ewfmount myImage.E01 /mnt/ewf/
# mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount

I mounted my image at /mnt/windows_mount. Since I was using an E01 image, I used a two-step process to mount it. For details on how to mount an E01 image in Linux you can check this post. You don’t need to use an E01 image; any image you can mount in Linux, e.g. a raw image, would be fine.


Usage

I will give some examples that show how to use this powerful tool. First, let’s cover the locations of the hives. If you are already familiar with the Windows Registry you can skip this section and continue on to Finding unique device serial number of a USB Key.

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format (http://www.forensicswiki.org/wiki/Windows_Registry).

Basically, the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

1. Finding unique device serial number of a USB Key

This information is stored at SYSTEM\CurrentControlSet001\Enum\USBSTOR

We know that the SYSTEM hive is stored in C:\Windows\system32\config\system

Let’s go to the directory containing the system file (/WINDOWS/system32/config/system). I mounted the image at /mnt/windows_mount, so I will type

cd /mnt/windows_mount/WINDOWS/system32/config

Then I can type the following to run fred on the system file:

root@siftworkstation:/mnt/windows_mount/WINDOWS/system32/config# fred system

So it is the value I circled red.


2. What was the last time that a user opened a .doc file?

This data is stored in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

NTUSER.DAT is in \Documents and Settings\User Profile. First we need to go into that directory and run

fred NTUSER.DAT


So it is the value I circled red.

3. What was the last program a user ran using the Start->Run dialog?

We need to use fred and open NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU


In the right column we see what the user ran using Start->Run.
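As an added example (my own code, not part of the post or of fred), here is how the raw values fred displays for the three questions above can be decoded: the MRUList/MRUListEx ordering of RunMRU and RecentDocs, and the USBSTOR instance ID, where a '&' as the second character means Windows generated the ID because the device reported no serial. The sample values are constructed, not taken from the post’s image, and the helper names are my own.

```python
import struct

# Constructed sample values, shaped like what fred's data interpreter shows
# (value name -> raw bytes). Made up for this example, not from the post's image.
RUNMRU = {
    "a": "notepad\\1".encode("utf-16-le") + b"\x00\x00",
    "b": "cmd\\1".encode("utf-16-le") + b"\x00\x00",
    "c": "regedit\\1".encode("utf-16-le") + b"\x00\x00",
    "MRUList": "bca".encode("utf-16-le") + b"\x00\x00",
}
RECENTDOCS_DOC = {
    "0": "report.doc".encode("utf-16-le") + b"\x00\x00" + b"report.doc.lnk\x00",
    "1": "notes.doc".encode("utf-16-le") + b"\x00\x00" + b"notes.doc.lnk\x00",
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
}

def reg_sz(data: bytes) -> str:
    """Decode a REG_SZ/binary value up to the first UTF-16LE NUL terminator."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="ignore")

def runmru_order(values: dict) -> list:
    """Start->Run commands, most recent first.
    MRUList is a REG_SZ whose letters name the entries in MRU order;
    Explorer stores each command with a trailing '\\1', which is stripped."""
    cmds = []
    for letter in reg_sz(values["MRUList"]):
        cmd = reg_sz(values[letter])
        cmds.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return cmds

def recentdocs_order(values: dict) -> list:
    """RecentDocs filenames, most recent first.
    MRUListEx is a list of little-endian DWORD indexes terminated by 0xFFFFFFFF;
    each numbered value begins with the UTF-16LE filename."""
    names = []
    for (idx,) in struct.iter_unpack("<I", values["MRUListEx"]):
        if idx == 0xFFFFFFFF:
            break
        names.append(reg_sz(values[str(idx)]))
    return names

def usbstor_serial(instance_id: str) -> tuple:
    """Split a USBSTOR instance-ID subkey ('<serial>&0') into (serial, generated):
    a '&' as the second character means Windows made the ID up, so it is not
    a unique device serial."""
    serial = instance_id.rsplit("&", 1)[0]
    return serial, len(instance_id) > 1 and instance_id[1] == "&"
```

Run against the sample data, runmru_order(RUNMRU) returns the commands in the order cmd, regedit, notepad, and recentdocs_order(RECENTDOCS_DOC) returns notes.doc before report.doc.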

Conclusion

The Windows registry contains a lot of useful information for investigators. Fred helps investigators find the data they need in the registry very easily. The best thing about Fred is that it is open source and costs you zero dollars…

I would love to hear what you think about fred and registry tools in general.


Forensics Netwars First Day

I had been planning to attend the DFIR Summit for the last two years and now I am in Austin for it. As part of the DFIR Summit I am attending Forensics Netwars. Forensics Netwars is a fun practice that helps you remember the forensics knowledge you may have forgotten and learn some new tricks. The best thing is that if you screw up, that’s okay. You cannot damage anything but your Netwars score…

I remembered the power of the stat command when it comes to MAC times.  I also found a new tool called Fred for analyzing the registry.  I also remembered that the -iname option ignores case when you use it in the “find” command.

I am planning to write how to install and use Fred this week.


What security researchers do need to know about laws?

Disclaimer: First, I am not a lawyer, and this post is not legal advice. Please contact a lawyer for legal advice. This post is just about what I learned through different sources over time. Let’s start.

One of the most important laws for security researchers is the Computer Fraud and Abuse Act (CFAA). This act was written in 1984. At that time the main idea of the act was “you are not supposed to gain access to government computers”. A few additions over time made the act confusing and pretty much useless. There are problems with this law; I discuss them below:

  • 18 USC 1030(a)(2)(C): without authorization or in excess of authorization -> Here we DO NOT know what “without authorization” means…
  • 18 USC 1030(a)(4): knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; -> Here we DO NOT know what “without authorization” means…
  • 18 USC 1030(a)(5): (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. -> Here we DO NOT know what “without authorization” means…

There could be criminal charges or civil penalties. However, the victim has to have at least $5k of financial loss for the court to process the claims.

Problems:

  • What is illegal is unclear.
  • Selective enforcement: Law enforcement can interpret the law the way they want since it is so open for interpretation.
  • The penalties are harsh.

Interesting Cases:

  • US v. Nosal (Bonus: watch the trial here)

  • US v. Drew
  • EF Cultural v. Explorica
  • US v. Auernheimer


Effective Security Project Management

After running several projects I have observed some very interesting things about the management of security projects.

Stakeholders usually have a very limited focus. For example, if there is a project about network security, they don’t think about how to reuse parts of that project in, say, an application security project.

Moreover, stakeholders usually lack long-term thinking. You should never spend all of your money to achieve a single thing unless it is critical. In other words, you have to be very effective, efficient and smart. If you are doing a project to reduce abuse of your internal computing resources, don’t try to save the day. Try to save the weeks, months and years. This is not hard to do.

When you design your project, assume that you are playing with Lego. With Lego you can build a house, then break it down and build a car with the same pieces. Your projects should be the same. Moreover, there will be some “plugins”. This means that if you want to achieve X, don’t just build X. Do this:

Build A, B and C and make them work together to get X as the result of those three plugins.

A+B+C=X

Moreover, the functionality of A, B and C shouldn’t be too similar. Make them somewhat diverse; your only condition is that the total result should be X.

Then, the next time you are working on a different project, say project Y, think about reusing at least one plugin you have here, i.e.

A+D+E=Y

This makes you use your resources in a smart way and gives you long-term thinking.

Always think smart since this will make your projects better and powerful…


SQLite Database Browser

There is no doubt that the most popular post I have written so far is How FF store your passwords? Is it secure?  I believe the reason is that there was not enough documentation 3 years ago about Firefox’s security mechanisms. At that time I couldn’t find something simple that could read/edit SQLite databases. Now I am going to write about SQLite Database Browser: a freeware, public domain, open source visual tool used to create, design and edit database files compatible with SQLite.

You can go here and download it. After you download it, go to your Firefox profile directory. How can you find it? Just open a new tab and type about:support. You will see the path of the directory next to Profile Folder.

There is a lot of useful information stored in the profile folder, such as bookmarks, passwords, search engine data, etc.

You can now open SQLite Database Browser, click the directory icon in the upper left and browse to the file you want to open in the profile directory. Now you can have some fun with the Firefox databases and get more information about how Firefox stores information.
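As an added example (my own code, not part of this post, of SQLite Database Browser or of Firefox), the same kind of lookup done from Python against a copy of places.sqlite: it opens the file read-only and converts Firefox’s last_visit_date, stored as microseconds since the Unix epoch, into a readable timestamp. The sample database is constructed in a temporary file with only the moz_places columns the query needs.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def recent_history(db_path: str, limit: int = 10) -> list:
    """Return (url, last visit as ISO-8601 UTC) for the most recently visited
    pages in a Firefox places.sqlite. last_visit_date is PRTime, i.e.
    microseconds since the Unix epoch. The file is opened read-only so the
    profile data is never modified."""
    con = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    try:
        rows = con.execute(
            "SELECT url, last_visit_date FROM moz_places "
            "WHERE last_visit_date IS NOT NULL "
            "ORDER BY last_visit_date DESC LIMIT ?", (limit,)).fetchall()
    finally:
        con.close()
    return [(url, datetime.fromtimestamp(ts / 1_000_000, tz=timezone.utc).isoformat())
            for url, ts in rows]


def make_sample_db() -> str:
    """Build a constructed stand-in for places.sqlite (only the columns used)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
                "title TEXT, last_visit_date INTEGER)")
    con.executemany(
        "INSERT INTO moz_places (url, title, last_visit_date) VALUES (?, ?, ?)",
        [("https://example.com/a", "A", 1_700_000_000_000_000),  # 2023-11-14 22:13:20 UTC
         ("https://example.com/b", "B", 1_700_000_060_000_000),  # one minute later
         ("https://example.com/c", "C", None)])                  # never visited
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    for url, when in recent_history(make_sample_db()):
        print(when, url)
```

Firefox holds a lock on its databases while it is running, so point the function at a copy of the profile file rather than the live one.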