Sunday, December 18, 2016

RAM File System in Python

One of the first things you are taught when studying Computer Forensic Investigation is the concept of evidence volatility. Simply put, some pieces of evidence will be available for collection for a much shorter amount of time than others. You must always collect evidence from the most to the least volatile. For a concrete example of why this practice must be applied, you can consider the bot I have developed below.

Sunday, December 4, 2016

Incident Response Reading Material

The SANS Institute has been nice enough to collect a list of checklists and procedural documentation to aid the Computer Forensic Examiner in the possible tasks they may be faced with: https://www.sans.org/score/checklists

Sunday, September 11, 2016

Escalate Plowman – Linux FW Privilege Escalated Download and Execute

The Escalate Plowman tool (https://github.com/dreilly369/EQGRP-Auction-Files/tree/master/Firewall/EXPLOITS/ESPL) is a parameterized dropper (or a privilege escalation exploit) against WatchGuard firewalls (and likely a few others) of unknown versions. It injects code via the ifconfig command. It uses FTP, TFTP, or HTTP (via wget) for the download portions. The code makes some assumptions about the environment. For instance, when using the TFTP protocol it assumes the existence of a custom tftp client at the hard-coded location /usr/rapidstream/bin/tftp. The sample also assumes that the interface is eth0.

Saturday, September 10, 2016

Extrabacon's Sploit Framework 1: Static Analysis

Sploit is the modular core that runs the EXTRABACON exploit in the (supposed) Equation Group tool dump. While everyone is focused on the news of the 0-days and the recent porting of this old exploit to newer ASA versions (http://www.securityweek.com/leaked-cisco-asa-exploit-adapted-newer-versions), I chose to look at the underlying structure. First, because there are already a number of talented researchers covering every angle of each exploit in greater detail than I could.

Saturday, August 20, 2016

RFIDler revisited: RFIDling with Proximity card UID collection

My first few projects scripting for the RFIDler were an exploratory effort. As you can see from my integration post and my first auto-capture script, there were a number of features I breezed past. The main one I want to discuss now is the RFIDler Python class.

Sunday, July 10, 2016

Cracking an OTP Cipher: Python Unit Testing by Example - Part 2 Unit Testing with Python

Now that we have defined the steps for our algorithm (if you have not read part 1, go do that first) we can begin to describe what features we want the core of our OTP reuse cracker to have. This is where unit tests fit in. They describe explicitly what the system needs to do to pass and be considered

Cracking an OTP Cipher: Python Unit Testing by Example - Part 1 Encryption Motivation

This article is special to me because it combines 3 things I love dearly in one project. Today I am going to talk about how someone (namely me) can use the Python language to automate an attack on an implementation of the One Time Pad encryption scheme that ignored the "One-Time" portion of the name. Python, unit testing, and attacking crypto...does it get any better?

Sunday, June 5, 2016

Second Order Buffer OverFlow Attacks (SOBOF): Attacking underlying components

The C programming language is still prevalent in computing today. It may be tempting to think that interpreted languages like Java and Ruby have taken over, but this belief is unfounded, or at least limited in scope. Even interpreted, type-safe (in the sense of surfacing 'undefined' behavior as exceptions) languages have had their applications ripped open by a buffer overflow. Not in a buffer they contained directly. No, these errors exist in the core of the system: in the kernel hooks and drivers that every program relying on features of the operating system uses.

Saturday, May 14, 2016

Attacker's Tool Chest: Anatomy of tools and tactics from the field on network security

When you start trying to talk to people about security topics, you may come to find that not everyone has a clear understanding of what different terminology actually means. I don't think it is really their fault. We as a culture tend to under-explain topics to outsiders. For ease of explaining something to a non-technical person, we will often overload a term (like Virus) or switch to an improper term (like Trojan) that they are more likely to know...even if they don't understand what it means.
To combat that, I think it is a good idea to keep a running list of terms I have had to explain or clarify to people. These are my own explanations, meant to capture the unique qualities of each type of tool or technique.

Sunday, April 24, 2016

Knowing the Enemy: Advanced Persistent Threat report analysis Pt. 2

I am back for part 2 of the analysis breakdown of the ICIT APT briefing. After an excellent discussion on the topic of malware evolution with someone from the Malwarebytes team, I think it is time to finish what I started several weeks ago. Here is the second half of my analysis of the APT report.

Tuesday, April 19, 2016

The Jolly Roger Flies Again: BSides Tampa

This past Saturday I had the pleasure of presenting my Rellik Project once again, this time at the Security BSides event in Tampa, FL, hosted by (ISC)2. The topic of botnets has been very popular and my audience was very involved. It was a fantastic day all around.

Sunday, April 10, 2016

Knowing the Enemy: Advanced Persistent Threat report analysis Pt. 1

Advanced Persistent Threat, or APT, has become a well-known term over the last 5 years. In terms of network security, an attack is considered

Tuesday, April 5, 2016

Be careful what you wish for: Information Leaks in Job Searches

Your company is leaking data. That is not a question. It simply is a fact. The reason is job postings. The amount of information companies give out freely about their organization, network technology, infrastructure, etc., is amazing. It is also a potential gold mine for a would-be attacker. Consider the real (but edited for privacy) job description found on a very popular classified site:

Saturday, March 19, 2016

Foretelling the future: Estimating Software Project Lifespans

In my professional career as a Technologist I have evolved through many stages. Why, it seems like just yesterday I was scanning for broken HREFs. Now I am in charge of task management for one of the most talented development teams I have ever had the privilege of coding with. Like every major paradigm shift, though, this one has come with a whole new set of challenges and skills. One of the most important is accurately estimating project timelines. As a manager, I wanted an easy way to come up with realistic project timelines. This is the result of that research.

Thursday, March 10, 2016

Pick a card: Playing Cards as Trust Tokens

While preparing for my BSides: Seattle presentation I met a guy who showed me an idea for the coolest second factor of authentication I think I have ever seen. Anyone who knows me even a little bit knows I have a love of close-up magic, sleight of hand, and anything generally dealing with card and coin magic. So when the guy pulled out a deck of cards I was instantly intrigued. When he told me it was his password, I had to see it to believe it.

Sunday, February 21, 2016

BSides Seattle

First, let me say to the organizers, supporters, participants, and my fellow presenters: thank you for having me out. I had an excellent time and I learned tons. To the guys from TOOOL and Locksport, a special thank you. You sparked a love of locks and picking in my son. He spent well over half his time learning from you, and he hasn't been able to stop since.

If you are coming here after my presentation for slides and code, they will be up by the end of this week. The code will be on my GitHub (https://github.com/dreilly369). The issue with the demo was local (and due solely to my pre-talk jitters). The code is thankfully still in good working order. I will post my examples for:

HTTPS w/ STS
DNS Tunneling
Steganographic embedding
CherryPy Server
Several Example bots to show possible uses

Thank you for your patience. I know a talk is always more fun with a live demo and I truly wish I had delivered on that front. Still, aside from the demos above not happening, I hope you enjoyed yourself and learned something about botnet architecture!

EDIT: Slides have been given to the organizers and the code has been posted to GitHub as promised. Please feel free to leave any comments below.

Friday, January 22, 2016

Another speaking date announced

I have added another presentation to my schedule of upcoming events. If you will be attending the BSides Seattle Event February 20th, 2016

Sunday, January 10, 2016

Coding the Vigenère Square Cipher

Since I was a young boy, one of my favorite things to play around with has always been ciphers. Although they have largely fallen out of use, I still enjoy studying different ciphers and trying to break them down into Python algorithms. Today I will share one such project: the Advanced Vigenère Square Cipher.

Friday, January 1, 2016

Speaking date announced

I have recently confirmed my acceptance to speak at the Security BSides: Tampa Bay event later this year. I am excited to be presenting a topic on Bot Net Architectures.