Archive | Technology

Technology content from Leo Nelson

The No More Ransom Project

No More Ransom is an international initiative that shows the value of public-private cooperation when taking serious action against cybercrime. This collaboration goes beyond geographical borders. The main aim of the project is to share knowledge and educate users across the world on how to prevent ransomware attacks. We believe that it will eventually lead to support for repairing the damage caused to victims all around the globe. By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment.

Source: The No More Ransom Project

SSH Server Auditing

SSH-Audit is a tool for SSH server auditing.

Features

  • SSH1 and SSH2 protocol server support;
  • Grab banner, recognize device or software and operating system, detect compression;
  • Gather key-exchange, host-key, encryption and message authentication code algorithms;
  • Output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc.);
  • Output algorithm recommendations (append or remove based on recognized software version);
  • Output security information (related issues, assigned CVE list, etc.);
  • Analyze SSH version compatibility based on algorithm information;
  • Historical information from OpenSSH, Dropbear SSH and libssh;
  • No dependencies, compatible with Python 2.6+, Python 3.x and PyPy.

Source: SSH Server Auditing
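The core of what an SSH auditor gathers is the server's SSH_MSG_KEXINIT message, which lists the key-exchange, host-key, cipher and MAC algorithms it offers. The following added example (not ssh-audit's own code) parses that message per RFC 4253 and flags algorithms from a small, illustrative blocklist; the blocklist and the sample payload are constructed for the example, not taken from ssh-audit's database.

```python
import struct

# SSH_MSG_KEXINIT layout (RFC 4253 section 7.1): byte 20, 16-byte cookie, ten
# name-lists, boolean first_kex_packet_follows, uint32 reserved.
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Assumption: a small illustrative blocklist of known weak/legacy algorithms,
# not ssh-audit's full database (1024-bit DH group 1, DSA, RC4, 3DES-CBC, MD5 MACs).
WEAK = {"diffie-hellman-group1-sha1", "ssh-dss", "arcfour", "arcfour128",
        "arcfour256", "3des-cbc", "hmac-md5", "hmac-md5-96"}

def read_namelist(buf, off):
    """Decode one SSH name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4: off + 4 + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + 4 + n

def parse_kexinit(payload):
    """Return the ten algorithm name-lists from a KEXINIT payload as a dict."""
    if payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}                       # skip the message byte and 16-byte cookie
    for name in KEXINIT_FIELDS:
        out[name], off = read_namelist(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out

def weak_algorithms(info):
    """Return (field, algorithm) pairs the server offers that are on the blocklist."""
    return [(f, a) for f in KEXINIT_FIELDS for a in info[f] if a in WEAK]

def build_kexinit(**lists):
    """Constructed sample only: encode a KEXINIT payload from name-lists."""
    body = bytes([20]) + b"\x00" * 16
    for name in KEXINIT_FIELDS:
        names = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + b"\x00\x00\x00\x00"

SAMPLE = build_kexinit(kex=["curve25519-sha256", "diffie-hellman-group1-sha1"],
                       host_key=["ssh-ed25519", "ssh-dss"],
                       enc_c2s=["aes256-ctr", "3des-cbc"], enc_s2c=["aes256-ctr"],
                       mac_c2s=["hmac-sha2-256", "hmac-md5"], mac_s2c=["hmac-sha2-256"],
                       comp_c2s=["none"], comp_s2c=["none"])

if __name__ == "__main__":
    for field, alg in weak_algorithms(parse_kexinit(SAMPLE)):
        print(f"{field}: {alg} is weak/legacy, remove it from the server config")
```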

Inspecting a PDF File

I recently had to complete some work inspecting a PDF file for malicious content. This was an interesting experience, so I thought I’d share the approach I took to review the file from a sandboxed environment:

1. Start by scanning the file with a service such as virustotal.com, scanii.com or metadefender.com.

2. Use Adobe Acrobat to browse the internal PDF structure. Launch the PreFlight Tool (Print Production > Preflight) and then under Options select Browse Internal PDF Structure.

3. Use a PDF metadata application to inspect the file. Here are some I used that were quite helpful:

peepdf.py – PeePDF is a Python based tool to explore PDF files

pdfid.py – PDFID is a Python based tool to scan the file looking for certain PDF keywords, e.g., does the file contain JavaScript or execute an action when opened?

pdf-parser.py – PDF-Parser is a Python based tool to parse a PDF document and identify the fundamental elements used in the file.
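The kind of keyword triage pdfid.py performs can be shown in a few lines. This added example (not Didier Stevens' code) counts objects and the keywords that indicate active content, first undoing the #xx hex escapes that PDF name syntax allows so that an escaped /J#61vaScript is still counted as /JavaScript; the keyword subset and the minimal PDF are constructed for the example.

```python
import re
from collections import Counter

# pdfid-style triage keywords (assumption: an illustrative subset of pdfid's list).
KEYWORDS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
            "/EmbeddedFile", "/RichMedia", "/XFA", "/ObjStm")
# Keywords that mean "something runs or fires on open": the signal to look at first.
ACTIVE = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch")

def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, so /J#61vaScript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data: bytes) -> Counter:
    """Count objects and triage keywords; a keyword must end at a non-name character
    so that /JS is not also counted inside a longer name such as /JSX."""
    data = normalize_names(data)
    counts = Counter()
    counts["obj"] = len(re.findall(rb"\d+\s+\d+\s+obj\b", data))
    for kw in KEYWORDS:
        counts[kw] = len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])", data))
    return counts

def triage(data: bytes) -> list:
    """Return the active-content keywords present, i.e. the reasons to dig deeper."""
    counts = count_keywords(data)
    return [kw for kw in ACTIVE if counts[kw] > 0]

# Constructed sample: a minimal PDF whose catalog fires a JavaScript action on open,
# with the /JavaScript name written using a hex escape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

if __name__ == "__main__":
    for name, n in sorted(count_keywords(SAMPLE_PDF).items()):
        print(f"{name:<14}{n}")
    print("inspect further:", triage(SAMPLE_PDF))
```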

Additional Reading:

  1. Checking a PDF for exploits
  2. Viewing PDF objects
  3. PDF Tools from Didier Stevens
  4. Best tool for inspecting PDF files?
  5. PDF malware analysis

Additional Tools:

  1. GhostScript
  2. GSView
  3. PDF Validator Online Tool
  4. PDFMiner

Vendor Security Assessment Questionnaires

When sharing data with a vendor, it is important to ensure that the vendor will handle your data with the same level of care and protection that your organization expects or requires.

Google has just released an interactive questionnaire application to help support these security reviews by facilitating not only the collection of information, but also the redisplay of collected data in templated form.

You can test the Google Vendor Security Assessment Questionnaire or contribute and set up your own questionnaire using the source. Specific questionnaires are available below:

Censys Search Shortcuts

Use Censys to discover which of your devices are connected to the Internet, where they are located and who is using them.

Censys supports both full-text searches and structured queries. The search Dell will find any hosts where the word Dell appears. However, you can also compose more complex queries. For example, the query ip:192.168.0.0/24 AND metadata.manufacturer:"Dell" will find any Dell devices in the specified network.

Boolean Logic
You can compose multiple statements using AND, OR, NOT, and parentheses. For example, ("Schneider Electric" OR Dell) AND ip:192.168.0.0/24. By default, all terms are optional (i.e., adjacent terms are combined as an OR statement) unless specified otherwise.

Ranges
You can search for ranges of numbers using [ and ] for inclusive ranges and { and } for exclusive ranges. For example, 80.http.get.status_code:[200 TO 300]. You can search for IP addresses using CIDR notation, e.g., ip:192.168.0.0/16. Timestamps should be queried using the following syntax: [2012-01-01 TO 2012-12-31].

Wildcards
By default, Censys will search for complete words. In other words, the search Del will not return results with the word Dell. If you want to search for words that start with Del, you would search for Del*. You can also search for D?ll.

DNS Queries
You can perform inline DNS A and MX queries using the following syntax: a:facebook.com and mx:gmail.com.

Regular Expressions
You can also search using regular expressions, e.g., metadata.manufacturer:/De[ll]/. Full syntax is available here.

Boosting
The boost operator (^) can be used to make one term more relevant than another. For example, metadata.manufacturer: Dell^2 OR Schneider Electric puts more preference on the Dell keyword.

Reserved Characters
The following characters must be escaped with a backslash: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
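To see how the boolean, range and field syntax described above fits together, here is an added example (not Censys code) of a small recursive-descent parser that turns such a query into a tuple AST. It assumes Lucene-style rules: AND binds tighter than OR, adjacent terms are OR'ed by default as the text states, and a bare NOT following a term acts as AND NOT; values are kept as raw strings, so CIDR, wildcard and boost syntax pass through untouched.

```python
import re

# Tokens: parentheses, a field:[range]/field:{range} or field:"phrase" term (both may
# contain spaces), a quoted phrase, or a bare word (field:value, CIDR, wildcard, boost).
TOKEN = re.compile(r'\(|\)|[^\s()]+:(?:[\[{][^\]}]*[\]}]|"[^"]*")|"[^"]*"|[^\s()]+')
RANGE = re.compile(r'^([\[{])(.+?) TO (.+?)([\]}])$')

class QueryParser:
    """Recursive-descent parser producing a tuple AST. Assumptions: AND binds tighter
    than OR, adjacent terms are OR'ed by default (as the text above states), and a
    bare NOT after a term prohibits it (AND NOT), as in Lucene-style syntax."""
    def __init__(self, query):
        self.toks, self.i = TOKEN.findall(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def parse_or(self):
        node = self.parse_and()
        while self.peek() not in (None, ")"):
            if self.peek() == "NOT":                    # implicit "AND NOT"
                node = ("AND", node, self.parse_not())
            else:
                if self.peek() == "OR":
                    self.take()
                node = ("OR", node, self.parse_and())   # explicit or default OR
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.parse_not())
        return node
    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.parse_not())
        return self.parse_atom()
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        field, value = tok.split(":", 1) if ":" in tok else (None, tok)
        m = RANGE.match(value)
        if m:                        # [a TO b] is inclusive, {a TO b} is exclusive
            return ("RANGE", field, m.group(2), m.group(3), m.group(1) == "[")
        return ("TERM", field, value.strip('"'))

def parse(query):
    return QueryParser(query).parse_or()
```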