From Security Weekly Wiki

Episode Media

Episode 317


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 317 for Thursday January 24th, 2013

Many organizations use Java as a regular, if not critical, part of the IT infrastructure. Yes, this even applies to applets. Over the past few weeks there have been more than a few new 0-days for Java. Now, we have a large number of Infosec Pros calling for organizations to simply uninstall Java. Recommendations like this are dangerous. Every time we say things like "Don't use IE!! Uninstall Adobe Acrobat!! Uninstall Java!!" we get a little further down the path of total irrelevance to management and the rest of the IT community.

It is time to stop.

In this webcast John and Paul will be discussing some approaches for securing your Java programs. This webcast will be of use to any infosec pro who has to secure the insecure. It will also be of use for any penetration testers looking for ways to document mitigations for their customers beyond simply recommending patches and not using the software.

Guest Tech Segment with Alissa "Sibertor" Torres: Extracting Network Packets from Physical Memory Images with Bulk Extractor

Alissa Torres is a certified SANS Instructor and Incident Handler at Mandiant, finding evil on a daily basis. Alissa began her career in information security as a Communications Officer in the United States Marine Corps and is a graduate of the University of Virginia and the University of Maryland. She's on tonight to talk to us about Bulk Extractor.

My first investigation at Mandiant as an MCIRT incident handler was to unravel a DNS anomaly occurring on a customer's network. I was tasked with identifying why numerous workstations were hammering the internal DNS servers with version.bind requests from UDP port 53. Using the stream-based extraction tool Bulk Extractor against two memory images from a sample set of affected systems, I was able to get visibility into the anomalous traffic by carving the network packets from one of the memory images.

Bulk Extractor

As a stream-based tool, Bulk Extractor has several advantages over other forensics tools, which are limited by file system structure and boundaries to interpret data. It processes data disregarding sector boundaries, and automatically detects and expands compressed data. So, running a hard drive image or memory image through Bulk Extractor automatically unzips compound files like Office files, zipped files and Xpress compression as found in Windows hibernation files. In addition, this tool is capable of processing data segments in parallel, making it much faster than some forensics tools limited to a single processor. Bulk Extractor, written by Simson L. Garfinkel, is included in BackTrack and the SIFT, the SANS Investigative Forensic Toolkit, and is available for download.

Bulk Extractor "categorizes" data in specific folders upon processing based on the scanners specified in the job by the analyst. The default scanners look for information of interest in typical investigations (IP, hostnames, MACs, credit cards, URLs, and domains). Additional scanner features, and some of the most powerful, include AES keys, Net Scanner (carves network traffic), Wordlist (pulls strings from the data image) and Stoplists (suppresses "known goods" from appearing in the output).

Figure 1: Sample syntax for the Bulk Extractor tool


BE Viewer

For those analysts who prefer to use a GUI, Bulk Extractor does have a graphical user interface tool, BEViewer. The BEViewer reports pane displays the results of a Bulk Extractor job that can include default, wordlist, and net scanners in addition to the defaults. By using the viewer, an analyst can search through the output for specific keywords, viewing the data in hexadecimal or text view in the far right pane (shown below).


The packets.pcap file can be opened with any network packet analysis tool. Realize that since these packets are pulled from a memory image, there are no time/datestamps, nor are there both sides of the "conversation". From what I viewed, the memory images I parsed contained inbound packets with no time/datestamps.


Based on what was seen in the resultant pcap, I was able to detect an inbound packet scanning this local system for a DNS vulnerability, and provide this lead to the customer, who confirmed their pen-testing team had been active on the network.

Questions come to light based on this investigation, to include "Are there specific occasions when memory should be dumped locally, not over the network, in order to prevent trampling over network packets on the local system?" This is a consideration, especially in light of the lack of visibility into internal network traffic between hosts. Unless customers are capturing their own network traffic between subnets, the memory-bound packets may be the only evidence of anomalous activity between hosts.

More information on Bulk Extractor can be found at Simson Garfinkel's website. We also put this tool through its paces in SANS FOR508: Advanced Computer Forensic Analysis and Incident Response as we work our way through investigating an enterprise-level compromise by a sophisticated adversary. Check it out at SANS Cyber Guardian in Baltimore, MD, April 15-20, 2013.

Submitted by Alissa Torres
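The detection step from the segment above, as an added example that is not part of the original post or of Bulk Extractor itself: a Python script that walks a libpcap file such as the packets.pcap the net scanner writes and flags DNS version.bind queries in the CHAOS class on UDP 53. The pcap, addresses and packets are constructed inside the script, which assumes little-endian microsecond pcap records over Ethernet/IPv4, and a zero record timestamp is reported as no timestamp, matching the carved-packet caveat.

```python
import socket
import struct
PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian libpcap magic, microsecond timestamps

def build_dns_query(qname, qtype, qclass, txid=0x1234):  # constructed single-question query
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", qtype, qclass)

def build_udp_frame(src_ip, dst_ip, sport, dport, payload):  # constructed Ethernet/IPv4/UDP, zero checksums
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def build_pcap(frames):  # records get zero timestamps, as packets carved from memory have no time source
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def parse_qname(dns, off):  # uncompressed DNS name at dns[off]; returns (name, offset past it)
    parts = []
    while dns[off]:
        parts.append(dns[off + 1:off + 1 + dns[off]].decode(errors="replace"))
        off += 1 + dns[off]
    return ".".join(parts), off + 1
def find_version_bind(pcap):  # one dict per UDP/53 packet carrying a version.bind CHAOS query
    hits, off = [], 24  # skip the global header; assumes the little-endian format build_pcap writes
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 over Ethernet, or not UDP
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        udp = frame[14 + (frame[14] & 0x0F) * 4:]  # IHL gives the IPv4 header length
        (sport, dport), dns = struct.unpack(">HH", udp[:4]), udp[8:]
        if 53 not in (sport, dport) or len(dns) < 12 or struct.unpack(">H", dns[4:6])[0] < 1:
            continue  # not DNS-shaped, or no question section
        try:
            qname, q_end = parse_qname(dns, 12)
            qtype, qclass = struct.unpack(">HH", dns[q_end:q_end + 4])
        except (IndexError, struct.error):
            continue  # truncated or malformed question, which carved packets can be
        if qname.lower() == "version.bind" and qclass == 3:
            hits.append({"src": src, "dst": dst, "sport": sport, "dport": dport,
                         "qtype": qtype, "timestamp": ts_sec or None})  # 0 means no timestamp
    return hits

SAMPLE_PCAP = build_pcap([  # constructed: one version.bind probe sent from UDP 53, one ordinary A query
    build_udp_frame("10.0.0.5", "10.0.0.7", 53, 53, build_dns_query("version.bind", 16, 3)),
    build_udp_frame("10.0.0.9", "10.0.0.7", 40000, 53, build_dns_query("example.com", 1, 1)),
])
```

To run it against a real carve, replace SAMPLE_PCAP with the bytes of packets.pcap; each hit gives the endpoints to hand to the customer, as in the DNS lead above.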


  • Join us on our 2nd ever Google+ Hangout! Add PaulDotCom on Google+ and join us in the Google Hangout.
  • We are in the process of archiving and cataloging our technical segments. Please visit the PaulDotCom Technical Library, where we have indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter, or if you want to help in exchange for some free guidance and security training, please email me.


Paul's Stories

  1. Incentives and Decision Making - This quote just blows me away: "Dan Geer has a snappy little rule of thumb on security which says that when those that can make the changes to improve security are not those that impacted by the effect of poor security, you will basically get status quo and no security improvement."
  2. Apple's Skimpy Software Update Descriptions - I hate them, tell the people what they want to hear, the details! Attackers already have 0day on it, right?
  3. Backdoors Found in Barracuda Networks Gear - Wow, this is bad: Viehböck found that the username "product" could be used to login and gain access to the device's MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. Patrick will tell you just how bad this is on an upcoming tech segment! And Tim Tomes wrote about this as well.
  4. How LinkedIn's Hacker-In-Residence Transformed An Ordinary Job Into A Dream Job - Hacking in its true form: DropIn is like LinkedIn Tetris. It's pretty much like the traditional game of Tetris, but we substitute LinkedIn profile pictures. It's a fun way to navigate your network. I don't know how much value it adds, but this is the first hack I made that went viral through the network. Sounds like a cool job!
  5. Twitter Flaw Exposes Direct Messages To Third-Party Applications - This could be a bad day for privacy, maybe Twitter needs to hire the LinkedIn hacker.
  6. Is Dell looking to kill PCs with Project Ophelia?
  7. Canadian Student Expelled After Finding Critical Flaw in Software Used by Colleges - We just have to talk more about this one, was he wrong? Yes. Did he deserve to get expelled? Good to hear he has a job, though I would not recommend doing this to get a job.
  8. Linksys vuln: Cisco responds - They say you should just secure your wireless network and only let your "Friends" use the wired network. Unless you have friends like mine...


Larry's Stories

Jack's Stories that would make Motley Crue blush

  1. Words of wisdom from Dan Geer who says it is lonely in the middle. No, Dr. Geer doesn't need a hug, he is talking about challenges in mid-sized orgs where one skilled person can't keep up with everything, but can't afford the enterprise scale products which could ease the pain and automate many processes.
  2. Devops, complexity and anti-fragility in IT: Risk and anti-fragility - James Urquhart offers insight on DevOps and anti-fragility.
  3. He's a politician, no he's a hacker- no, he's both! From Amsterdam, the leader of the 50Plus political party will appear in court next month accused of hacking into medical records.
  4. RFC for the 7XX Range of HTTP Status codes - Developer Errors - Some of these need to be implemented. Now. Starting with 725.
  5. Security monitoring in public IaaS - A look at monitoring in the cloud, as done by the folks at RightScale.

Allison's Stuff