
Monday, November 09, 2009

The leaked Microsoft COFEE product

0 comments

So, the Microsoft COFEE (Computer Online Forensic Evidence Extractor) tool was leaked. I took a quick look at it, and – as expected – there is nothing “magical”, “secret” or “backdoorish” about it (even though I love the picture which comes with the Gizmodo article, the text itself is complete and utter BS – COFEE isn’t a tool “that helps law enforcement grab data from password protected or encrypted sources” as the article claims).

So what is Microsoft COFEE?

  • it is a collection of information-gathering tools which are either built into Windows (i.e. net, arp, ipconfig) or can be freely downloaded from the Microsoft website (i.e. pslist)
  • it contains a simple case-management software which helps users prepare a USB stick that needs to be inserted into the target computer, and manage the collected information
  • the software on the USB stick is executed either using the autorun mechanism or by manually launching it. There is no built-in functionality to bypass passwords or other protection mechanisms
  • it also contains a detailed analysis of the registry / filesystem fingerprint of each tool (this is important if the other party argues that running the tool caused modifications on the system which are pertinent to the case)
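To make the "collection of standard tools plus case management" point concrete, here is an added example (not COFEE's code, not from this post) of the minimal live-response collector that such a kit boils down to: run a fixed list of read-only inventory commands, keep each raw output, and write a manifest with the exact command line, a UTC timestamp and a SHA-256 of every output. The command list is an assumption modelled on the tools named above (net, arp, ipconfig, pslist); the runner is injectable so the manifest logic can be exercised without executing anything.

```python
"""Added example: a minimal live-response collector with an integrity manifest.

Recording the exact command, the time it ran and a hash of its output is what
lets an examiner later show which tool touched the system and that the saved
output was not altered afterwards. The command list is an assumption based on
the tools the post names; pslist is the Sysinternals tool, not a Windows built-in.
"""
import hashlib
import json
import subprocess
from datetime import datetime, timezone

# Assumed inventory commands: read-only, enumeration-style invocations only.
DEFAULT_COMMANDS = [
    ["ipconfig", "/all"],
    ["arp", "-a"],
    ["net", "user"],
    ["net", "share"],
    ["pslist"],
]


def sha256_text(text):
    """Hex SHA-256 of a text string (UTF-8 encoded)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def run_command(argv, timeout=60):
    """Default runner: execute argv and return (exit_code, combined output)."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
        return proc.returncode, proc.stdout + proc.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool is itself worth recording, not a reason to crash.
        return -1, "collector error: %s" % exc


def collect(commands=DEFAULT_COMMANDS, runner=run_command, clock=None):
    """Run every command and return a manifest: one record per tool."""
    clock = clock or (lambda: datetime.now(timezone.utc))
    records = []
    for argv in commands:
        started = clock().isoformat()
        code, output = runner(argv)
        records.append({
            "command": " ".join(argv),
            "started_utc": started,
            "exit_code": code,
            "output_sha256": sha256_text(output),
            "output": output,
        })
    return records


def verify(records):
    """Re-hash each stored output and return the commands whose output changed."""
    return [rec["command"] for rec in records
            if sha256_text(rec["output"]) != rec["output_sha256"]]


def manifest_json(records):
    """Serialise the manifest deterministically (sorted keys) for the case file."""
    return json.dumps(records, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(manifest_json(collect()))
```

The manifest deliberately stores the tool's output verbatim next to its hash; the fingerprint of what each tool itself changes on the system (the fourth bullet above) still has to be documented separately, since no collector can hash the side effects of its own execution.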

Conclusion: there is no magical pixie dust here, move along! (In fact, it is quite similar to the winenum Metasploit script.)

PS/Update: regarding the "defense" against these tools: first of all, they all seem to be user-mode tools. This means that they probably have limited capability of detecting kernel-mode rootkits. Also - from what I've seen - they are all public tools, so there is a good chance that there is malware out there which "defends" itself against this software. Again, no magic.

Now, before you conclude that this is utterly useless: if I were an IT forensicator :-p, I would prefer having this data to having no data at all. It will give you some basic idea of the system (or of the network, for that matter, if run on every PC), which may enable you to come back with a very precise target in mind.

Picture taken from raddaqii's photostream with permission.

What VirusTotal is not

1 comments

Since its inception VirusTotal has been used by people to compare different AV products (just in case you don’t know: VirusTotal is a great free service which currently scans the uploaded file with 40 AV engines and reports back the results). The AV industry has objected to this practice for a couple of reasons, some more valid than others IMHO.

Today however I want to talk about the practice of saying “(only) X% of AV detect this” and then giving a VirusTotal link. Two recent examples: here and here (to be clear: I don’t have anything against the particular blogs / companies / authors – there are many more examples of this practice, these are just two recent ones which came to my attention).

Why is this percentage meaningless and serves only to perpetuate FUD?

  • As a first argument I could mention all the discussion about AV engine configuration (this is frequently raised in discussions about detection, so I won’t dissect it further). A very thoroughly discussed argument is also that VT results represent a “point in time” rather than “now” (i.e. detections might have changed since the scan).
  • The second argument would be: VirusTotal goes for quantity, not necessarily quality. I.e. the fact that a given engine is included in the list of engines used by VirusTotal isn’t a statement about the engine’s resource use, detection rate or false positive rate. Again, this doesn’t mean that the engines used are of low quality, it just means that VirusTotal isn’t in the AV engine testing business. It doesn’t say anything about the market share of the product either.
  • This means that the affirmation “X% of the engines detect a given file on VT” isn’t equivalent to the affirmation “X% of the users using AV are protected” or “AV software is X% effective”. However, these are the thoughts which appear (by association) in a reader’s mind when seeing the initial affirmation.
  • Furthermore, some engines appear in multiple products (for example GData integrates BitDefender – amongst others) while other engines appear “split” (for example the McAfee desktop product contains both the “classical” and “cloud” engine, however on VT they appear as two separate entries, “McAfee” and “McAfee+Artemis” respectively). If these relations are not considered (and I’m almost sure that they aren’t – given that these relations are not always publicly documented and they can change over time), the results come out skewed.
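As an added illustration of the last point (example code, not anything VirusTotal publishes): the same VT-style result set counted two ways, once naively per listed engine and once after collapsing entries that share an engine or belong to one product. The result set is constructed; the only two relations in the family map are the ones mentioned above (GData bundles BitDefender, and McAfee plus McAfee+Artemis are one desktop product), and the map is an assumption that is incomplete by nature, which is the whole point.

```python
"""Added example: why "X% of engines on VT" is not a detection rate.

SAMPLE_RESULT and FAMILY are constructed for illustration. A real family map
is undocumented and changes over time, so any percentage built without one
(or with a stale one) is skewed in a direction nobody can quantify.
"""

# Constructed VT-style result: engine name -> True if the engine flagged the file.
SAMPLE_RESULT = {
    "BitDefender": True,
    "GData": True,            # bundles BitDefender, so not an independent verdict
    "McAfee": False,
    "McAfee+Artemis": True,   # cloud half of the same desktop product as "McAfee"
    "Microsoft": True,
    "Symantec": False,
    "Sophos": True,
    "Kaspersky": True,
}

# Assumed family map: VT entry -> the product/engine it really represents.
FAMILY = {
    "GData": "BitDefender",
    "McAfee+Artemis": "McAfee",
}


def naive_rate(result):
    """The number people copy-paste: (detections, engines listed, percent)."""
    detected = sum(1 for flagged in result.values() if flagged)
    return detected, len(result), 100.0 * detected / len(result)


def family_rate(result, family=FAMILY):
    """Count once per family; a family detects if any of its members did.

    A user runs the whole product, so a hit by either half of a split product
    means that product's users are protected; a bundled engine's hit must not
    be counted twice."""
    by_family = {}
    for engine, flagged in result.items():
        key = family.get(engine, engine)
        by_family[key] = by_family.get(key, False) or flagged
    detected = sum(1 for flagged in by_family.values() if flagged)
    return detected, len(by_family), 100.0 * detected / len(by_family)


def compare(result, family=FAMILY):
    """Both figures side by side; the gap between them is the unknown error bar."""
    return {"naive": naive_rate(result), "by_family": family_rate(result, family)}


if __name__ == "__main__":
    for label, (hits, total, pct) in compare(SAMPLE_RESULT).items():
        print("%-10s %d/%d = %.1f%%" % (label, hits, total, pct))
```

With this sample the naive count gives 6 of 8 and the family count 5 of 6, and neither says anything about market share or engine quality; the lesson is that the headline number moves with a mapping the reader never sees.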

Conclusion: please never, ever take the VT result page and copy-paste the percentage from it! Do provide permalinks to the result pages, and you can even make some sensible general statements (like “most of the major AV vendors detect this threat” or “this threat is not well detected by the smaller, Asian AV companies, but given its reliance on the English language for social engineering, it might not be such a big threat”). However, giving a percentage reeks of FUD and smells of negative propaganda (do we really want to be at each other’s throats, analyzing which vendor doesn’t detect what? – there would be no winners in such a discussion). Let’s concentrate on giving sensible security advice to users instead.

Picture taken from Peter Kaminski's photostream with permission.

Monday, November 02, 2009

Grooveshark VIP member

1 comments

grooveshark_ui

I’ve written about Grooveshark in the past, however I want to mention them again for a couple of reasons:

First of all, they introduced a new user interface, which works great. More than that, you can now seek in the songs! This means that Grooveshark directly addresses three out of the five methods of music use which I’ve enumerated in my original post. There are some small quirks (I don’t really like the popup-type controls, where you first have to hover over it for the useful part to appear), but those are just a matter of personal taste. They’ve also made it available as a desktop application via Adobe Air (currently available only for VIP subscribers).

Which brings me nicely to my second point: I’ve subscribed to their VIP services. I’ve been using them for a month now and I’m satisfied, so I thought I should give something back, a.k.a. “vote with my money”. So, as of today, I’m a Grooveshark subscriber. A couple of things I didn’t like about the subscription process: there is an additional tax of 15% on top of the advertised 3 USD monthly price. Also, the subscription payment is set as recurring by default. You can deactivate it later, but even so, it made me feel a little uneasy. Still, I decided to give them some of my money. Hopefully I won’t regret it.

As of now, I can only recommend Grooveshark to everybody! If something happens, I will update this blogpost.

PS. I’ve also removed the last.fm widget from my blog. Currently Grooveshark seems to be a much better deal than last.fm for approximately the same amount of money.

Disclaimer: I don’t receive anything from Grooveshark, I’m just a happy subscriber.

Friday, October 30, 2009

How to generate a stackdump with GDB

0 comments

I’m not a big GDB guy, but Google always helps:

  • Create a text file with the following content:
    set height 0
    thread apply all bt
    detach
    quit
  • Run the following command:
    gdb $EXE -pid $PID -command $TEXTFILE > $OUTPUTFILE
    where:
    • $EXE is the path to the executable
    • $PID is the PID it is running under
    • $TEXTFILE is the file where you've saved the previous commands
    • $OUTPUTFILE is the file where you would like your stackdump to be saved.
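Once you have $OUTPUTFILE, the interesting part is usually one frame per thread, not the whole dump. The following is an added example (not from the post) that parses the output of "thread apply all bt" into structured data and prints where each thread is stuck, which is handy for triaging a hang or diffing two dumps. The sample dump is constructed to mimic gdb's format (a "Thread N (...)" header followed by "#n  addr in func (args) at file:line" or "... from library" frames); gdb's exact wording varies by version and platform, so the regexes are assumptions to adjust if your dump looks different.

```python
"""Added example: parse a gdb 'thread apply all bt' dump and summarise it.

SAMPLE_STACKDUMP is constructed: a two-thread program where thread 2 is
blocked on a mutex while main waits in pthread_join.
"""
import re

SAMPLE_STACKDUMP = """\
Thread 2 (Thread 0x7ffff7fc0700 (LWP 12346)):
#0  0x00007ffff7bc3cf0 in __lll_lock_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x00007ffff7bbd0a3 in pthread_mutex_lock () from /lib/x86_64-linux-gnu/libpthread.so.0
#2  0x0000555555555189 in worker (arg=0x0) at main.c:12
#3  0x00007ffff7bba6db in start_thread (arg=0x7ffff7fc0700) at pthread_create.c:463

Thread 1 (Thread 0x7ffff7fc1740 (LWP 12345)):
#0  0x00007ffff7bbb2a5 in pthread_join () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x00005555555551d2 in main () at main.c:20
"""

# "Thread 2 (Thread 0x... (LWP 12346)):"
THREAD_RE = re.compile(r"^Thread (\d+) \((.*)\):\s*$")
# "#2  0x... in worker (arg=0x0) at main.c:12"  or  "#0  0x... in f () from /lib/x.so"
# (the address is optional: gdb omits it for frame 0 when pc is at a line start)
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:(0x[0-9a-fA-F]+) in )?([^\s(]+)\s*\((.*)\)"
    r"(?:\s+at\s+(\S+):(\d+)|\s+from\s+(\S+))?\s*$"
)


def parse_stackdump(text):
    """Return {thread_id: {"info": header text, "frames": [frame dicts]}}."""
    threads = {}
    current = None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = {"info": m.group(2), "frames": []}
            threads[int(m.group(1))] = current
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current["frames"].append({
                "level": int(m.group(1)),
                "address": m.group(2),
                "function": m.group(3),
                "args": m.group(4),
                "source": (m.group(5), int(m.group(6))) if m.group(5) else None,
                "library": m.group(7),
            })
    return threads


def top_user_frame(frames, skip_prefixes=("__", "pthread_")):
    """First frame outside the threading/locking runtime helpers: usually the
    place in the program's own code where a hung thread is really waiting."""
    for frame in frames:
        if not frame["function"].startswith(skip_prefixes):
            return frame
    return frames[-1] if frames else None


def summarize(text):
    """One line per thread, in thread-id order, for quick triage of a hang."""
    lines = []
    for tid, thread in sorted(parse_stackdump(text).items()):
        frame = top_user_frame(thread["frames"])
        if frame is None:
            where = "?"
        elif frame["source"]:
            where = "%s at %s:%d" % (frame["function"], frame["source"][0], frame["source"][1])
        else:
            where = frame["function"]
        lines.append("thread %d: %s" % (tid, where))
    return lines


if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STACKDUMP
    print("\n".join(summarize(dump)))
```

Run it with the $OUTPUTFILE from the recipe above as its argument; with no argument it summarises the built-in sample.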

The cool little crawling logo was taken from HiR, head over there for an explanation.

The importance of false positives

1 comments

An interesting paper was brought to my attention recently by this blog post: The Base Rate Fallacy and its implications for the difficulty of Intrusion Detection. The central question of this paper is: if we have a flow of N packets per day and our network IDS has a false-positive rate of X, what is the probability that we are experiencing a real attack, given that the IDS says that we are? The paper uses Bayes’ theorem (of which you can find a nice explanation here) to put some numbers in and to get horrifying results (many false alerts), and to conclude that such a rate of FPs seriously undermines the credibility of the system.
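To see the effect with explicit numbers, here is an added example (not from the paper or this post) that carries the Bayesian calculation through: given the event volume, how many events are hostile, and the detector's true- and false-positive rates, it returns the probability that an alert is real and the expected number of true and false alerts per day. All input values are assumptions chosen for illustration; the shape of the result is what matters.

```python
"""Added example: the base-rate calculation behind the IDS false-positive
argument. Every concrete number here is an assumption for illustration."""


def p_attack_given_alarm(p_attack, tpr, fpr):
    """Bayes' theorem:
    P(I | A) = P(A|I) P(I) / (P(A|I) P(I) + P(A|not I) P(not I))
    where I = intrusion event, A = alarm, tpr = P(A|I), fpr = P(A|not I)."""
    numerator = tpr * p_attack
    denominator = numerator + fpr * (1.0 - p_attack)
    return numerator / denominator if denominator else 0.0


def daily_alert_budget(events_per_day, hostile_per_day, tpr, fpr):
    """Bayesian detection rate plus the alert counts an analyst would face."""
    p_attack = hostile_per_day / events_per_day
    benign = events_per_day - hostile_per_day
    return {
        "p_attack_given_alarm": p_attack_given_alarm(p_attack, tpr, fpr),
        "expected_true_alerts": tpr * hostile_per_day,
        "expected_false_alerts": fpr * benign,
    }


def sweep(events_per_day, hostile_per_day, tpr, fprs):
    """P(I|A) for each false-positive rate, to show how fast it collapses."""
    return [(fpr, daily_alert_budget(events_per_day, hostile_per_day, tpr, fpr)
             ["p_attack_given_alarm"]) for fpr in fprs]


if __name__ == "__main__":
    # Assumed: a million events a day, 20 of them hostile, a detector that never
    # misses (tpr = 1.0), and false-positive rates from one in a million upward.
    for fpr, p in sweep(1_000_000, 20, 1.0, [1e-6, 1e-5, 1e-4, 1e-3]):
        budget = daily_alert_budget(1_000_000, 20, 1.0, fpr)
        print("fpr=%g  P(attack | alarm)=%.3f  false alerts/day=%.0f"
              % (fpr, p, budget["expected_false_alerts"]))
```

With these assumed inputs a perfect detector still needs a false-positive rate around 1e-5 to make two alerts out of three real; at 1e-3, which is still a very small fraction of the benign traffic, only about 2% of alerts are real and the analyst sees roughly a thousand false alerts a day. That is the "credibility" problem the paper is about.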

The issue of false positives is also a concern in the anti-malware industry. And while I rant quite a bit about the AV industry, you have to give this one to them: the number of false positives is really low. For example, in the AV-Comparatives test 20 false positives is considered many, even though the collection is over 1 500 000 samples (so the acceptable FP rate is below 0.0015%!). Update: David Harley was kind enough to correct me, because I was comparing apples (the number of malware samples) to oranges (the number of clean files falsely detected). So here is an updated calculation: the Bit9 Global File Registry has more than 6 billion files indexed (they index clean files). Consider whatever percentage of that is used by AV-Comparatives for FP testing (as David correctly pointed out, the cleanset size of AV-Comparatives is not public information – although I would be surprised if it was less than 1 TB). Some back-of-the-napkin calculations: let’s say that AV-Comparatives has only one tenth of one percent of the 6 billion files, which would result in 600 000 files. Even so, 20 files out of 600 000 is just 0.003%.

Now there were (and will be) a couple of big f***-ups by different companies (like detecting files from Windows), but still, consumers have a very good reason to trust them. Compare this with more “chatty” solutions like software firewalls or – why not – the UAC. Any good security solution needs to keep its FPs at least this low and have much better detection. AV companies with low FP rates – we salute you!

PS. There might be an argument to be made that different false positives should be weighted differently (for example depending on the popularity of the file) to emphasize the big problems (when out-of-control heuristics start detecting Windows components, for example). That is a valid argument which can be analyzed, but the fact remains that the FP rate of AV solutions is very low!

Picture taken from wadem's photostream with permission.

Thursday, October 29, 2009

Fun videos

0 comments

Got the links from a friend:

Why network neutrality is a big deal

0 comments

Reposted from the packetlife blog. We already pay for the bandwidth. The content providers already pay for the bandwidth. Anyone claiming anything different is either very misinformed or is straight out lying!

without_net_neutrality

Wednesday, October 28, 2009

Bohemian Bankruptcy

0 comments

Via Naked Capitalism

RequestPolicy Firefox Plugin – the ultimate NoScript

0 comments

I recently found out about the following Firefox plugin/addon: RequestPolicy (via this blogpost) – see also the Firefox addon page. Its function is to whitelist all kinds of cross-domain requests, including scripts, style-sheets, images, objects (Flash, Java, Silverlight), etc. Anything in a webpage hosted on domain A can reference other content from domain A, but if it references content from other domains, that reference must be present in the RequestPolicy whitelist. There are three types of entries which can be added to the whitelist:

  • source (i.e. pages on domain S can reference anything)
  • destination (i.e. anything can reference domain D)
  • source-to-destination (i.e. pages on domain S can reference resources on domain D)
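As an added example (not RequestPolicy's own code), here is a model of exactly that decision: same-domain references pass, everything else needs a source, destination or source-to-destination entry. It also extracts the cross-domain references from a page so a whole document can be audited against a policy. The "same domain" comparison is an assumption (last two labels of the hostname, and an entry matches a host that equals it or is a subdomain of it); the real addon has its own domain-matching rules, and the sample page and policy are constructed.

```python
"""Added example: a model of the RequestPolicy whitelist decision.

Assumptions: base_domain() is a crude registrable-domain approximation (it
is wrong for suffixes like co.uk), and whitelist entries match a host that
equals them or is a subdomain of them. Sample HTML and policy are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def base_domain(host):
    """Last two labels of a hostname: 'static.news.example' -> 'news.example'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def matches(host, entry):
    """True if host is entry itself or a subdomain of it (assumed rule)."""
    host, entry = host.lower(), entry.lower()
    return host == entry or host.endswith("." + entry)


class RequestPolicy:
    def __init__(self):
        self.sources = set()       # pages on S may reference anything
        self.destinations = set()  # anything may reference D
        self.pairs = set()         # pages on S may reference D

    def allow_source(self, s):
        self.sources.add(s)

    def allow_destination(self, d):
        self.destinations.add(d)

    def allow_pair(self, s, d):
        self.pairs.add((s, d))

    def decide(self, page_url, resource_url):
        """Return (allowed, reason) for a page referencing a resource."""
        page = urlsplit(page_url).hostname or ""
        res = urlsplit(resource_url).hostname or ""
        if base_domain(page) == base_domain(res):
            return True, "same domain"
        if any(matches(page, s) for s in self.sources):
            return True, "source whitelisted"
        if any(matches(res, d) for d in self.destinations):
            return True, "destination whitelisted"
        if any(matches(page, s) and matches(res, d) for s, d in self.pairs):
            return True, "source-to-destination whitelisted"
        return False, "cross-domain request blocked"


class ResourceCollector(HTMLParser):
    """Collect the URLs a page references through the element types the post
    lists: scripts, style-sheets, images and plugin objects."""
    TAGS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
            "object": "data", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.urls.append(value)


def audit_page(policy, page_url, html):
    """[(reference as written, allowed, reason), ...] for every resource."""
    collector = ResourceCollector()
    collector.feed(html)
    return [(u,) + policy.decide(page_url, urljoin(page_url, u)) for u in collector.urls]


# Constructed sample page: one same-site stylesheet, one CDN script, one tracker.
SAMPLE_HTML = (
    '<html><head><link rel="stylesheet" href="/site.css">'
    '<script src="https://cdn.example/lib.js"></script></head>'
    '<body><img src="https://ads.example/pixel.gif"></body></html>'
)

if __name__ == "__main__":
    policy = RequestPolicy()
    policy.allow_pair("news.example", "cdn.example")
    for ref, ok, why in audit_page(policy, "https://news.example/story", SAMPLE_HTML):
        print("%-32s %s (%s)" % (ref, "ALLOW" if ok else "BLOCK", why))
```

Note that a source entry ("pages on S may reference anything") is the coarsest of the three and is what you end up adding when a site simply refuses to work; the source-to-destination form is the one that keeps the whitelist meaningful.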

There are still some glitches to work out, but all in all it is a good tool for the security conscious. So is it worth it? It depends. If you are not a power-user who has some knowledge of HTML (i.e. how CSS, HTML, JS and plugin objects fit together to form the page), I would recommend against it (because you will have the experience of webpages “not working for no good reason”). It takes some initial training (just like NoScript), but after that it is pretty invisible (even though not as invisible as NoScript, because it blocks images / style-sheets).

RequestPolicy

Does it make you more secure? Yes, but just in the “you don’t have to outrun the bear” sense: once the attacker has enough control to insert a linked resource (script, iframe, etc.) in a page, s/he almost certainly has enough control to insert the attack script directly in the page, rather than linking to it. The current practice of linking to a centralized place is mostly because the attackers want to have centralized control (for example to add new exploits) and statistics. Were such a whitelisting solution to become widely used, they could switch with very little effort to the “insert everything into the page” model. Still, such a solution shouldn’t be underestimated, since it gives almost perfect protection under the current conditions.

Update: If leaving digital trails is something you like to avoid, take into consideration that the fact that a given site is present in the whitelist of addons such as NoScript or RequestPolicy can be considered proof that you've visited the given site (unless it is on the default list of the respective addon). Just something to consider from a privacy standpoint. Life is a series of compromises and everyone has to decide for herself how to make them.

Picture taken from Luke Hoagland's photostream with permission.

help build the mozilla developer network

0 comments

After asking you if you use Perl, now I’m asking you to help build the Mozilla Developer Network (MDC). They are running a survey to get to know their audience better. Please take it if you use the MDC and have a couple of minutes of free time.

PS. You can read some preliminary results from the Perl IDE poll here.

Monday, October 26, 2009

Taking apart the Dell Inspiron 9400

2 comments

A word of caution: taking apart your laptop will void your warranty. Do this operation at your own risk. If you are not comfortable doing this operation, I would recommend against it. Disassembling a laptop is harder than taking apart a desktop computer (mostly because of the confined space), so you shouldn’t do it if you haven’t “looked into” at least a couple of desktops already!

You can see a high resolution of the images below by clicking on them.

Step 0: what tools you need – a long Phillips (“cross”) screwdriver, preferably one with a magnetic tip (but you can manage without it).

Inspiron_9400_step0

Step 1: disconnect the antenna from the wireless card. This is important, since it is connected to the LCD panel, which we need to remove. Do this by pulling carefully upwards on the connectors (not the wire). Don’t worry about knowing which wire goes where when reassembling, since it is clearly marked (with small white / black arrows).

Inspiron_9400_step1

Step 2: tilt the screen all the way backwards (so that it is parallel with the bottom part) and remove the upper part of the cover. There is a small opening where the marking is on the image, you can start there. Carefully remove the whole cover. It has a couple of plastic “ears” which you have to be careful not to break.

Inspiron_9400_step2

Step 3: remove the battery, hard drive, optical drive and bluetooth adapter. You eject the battery by sliding the middle lever. Remove the hard disk by removing the two screws marked at the right. You can also remove the bluetooth adapter, which is near the hard disk. Sidenote: except for the screws from the hard drive, you can distinguish the screws from the lower part and the upper part by their length. The rule is: lower part – long screws, upper part – short screws. To remove the optical drive, first remove the screw marked by a lock, and then push on the metal part with the screwdriver. This should pop it out just enough that you can pull on it.

Inspiron_9400_step3 

Step 4: remove the screws holding the screen and the two screws holding the keyboard.

Inspiron_9400_step4

Step 5: disconnect the CMOS battery (this will result in you losing your BIOS settings, which you will have to reset at the first boot after assembly). Also, disconnect the keyboard. This is a tricky connector: you have to flip the upper part open to remove the cable. Also, when putting it back, you first have to make sure that you’ve properly aligned the cable with the connector, and then push down on it. If it doesn’t go in easily, don’t force it; rather take it out and try again, making sure that the alignment is correct (straight).

Inspiron_9400_step5

Step 6: disconnect the LCD panel and remove it. Unscrew the upper part, in the locations marked with “P”. Disconnect the two cables linking it to the mainboard (the ones towards the middle). Flip the base over and remove the bottom screws also. At this point you can separate the upper and lower part of the base.

Inspiron_9400_step6

Step 7: You can remove the PCMCIA adapter.

Inspiron_9400_step7

Step 8: The laptop is almost completely disassembled at this point. You can continue removing parts if you need to, however take care when working around the coolers: tightening them too much can result in the CPU/GPU cracking. Make them too loose, however, and your cooling will suffer.

Inspiron_9400_step8

Happy hacking!

Friday, October 23, 2009

Watch out for those reviews…

2 comments

Recently I was buying a notebook HDD, and after considering a Samsung SpinPoint model, I’ve looked around the net to see if there were any known issues with the model. So I stumbled upon this page and my blood ran cold. Quote:

One of the most common problems Samsung SpinPoint hard drives experience is burnt circuit board (PCB).

...

Samsung hard drives could also suffer from firmware problems.

...

Another quite common symptom Samsung drives experience is clicking/knocking sound.

...

There is one more problem that is typical for all hard drives and Samsung drives particularly: bad sectors.

Is this drive really of such poor quality? Does it really have all these problems? But then I started looking around on their site, and they seem to have the same or very similar text for every type of HDD out there. The conclusion: they (Data Cent) are just trying to spam Google, and I’m inclined to believe that most of their advice isn’t founded on facts, but rather on a randomized text generator. I for one encourage people not to take their business to such a company.

PS. All the links to them are nofollow, so I’m not giving them any Google love.

Picture taken from barnoid's photostream with permission.

And now for some upbeat news

0 comments

While I certainly like to rant, one shouldn’t forget about the more sunny side of life (unless you want to go berserk). So here are some random positive things:

Some songs which I like:

A funny image from a friend:

1940

A couple of great freeware programs for the Windows platform:

  • CDBurnerXP – does everything Nero does, for free!
  • DVD Flick – while from the technical standpoint it is “just a wrapper” over FFMpeg and similar tools, it does a great job – you can create your DVD in a couple of steps
  • foobar2000 – a great little MP3 player, especially for those of us who liked the old Winamp, before it tried to do everything. And it can also do batch transcoding!
  • IrfanView – the free image viewer / converter!
  • 7-zip – open source WinRar. Supports a lot of formats
  • Far Manager Open Source – a great native win32 file manager with a retro look
  • BB FlashBack Express – a free screen capture software which works great
  • VideoLan (or VLC as it is better known) – the simple solution to play all your media, without having to install tons of codecs. If it had a little better playlist management, I would use it as my primary media player

A great quote: “the difference between communism and capitalism is that in the first men exploit other men, and in the second it is the other way around”. Found it via this New York Times blog, written by the authors of Freakonomics (and now the sequel, Superfreakonomics). It is a great blog, worth the read. Where else do you find a rigorous analysis of the logic in newspaper comics?

So there you have it, have a great day! And maybe listen to some french striptease songs :-) (just a little SEO for a friend ;-))