UPDATE: A newer version of this script is here.
Last week, Johannes Ullrich shared a Bash script that would check for changes in NS records. This was in a blog post about the google.com.my DNS hijack. I wanted to create a version of the this script that would be usable on Windows machines. So I created the PowerShell script below that does pretty much the same thing as the Bash script. The script runs nslookup.exe instead of DIG and queries the DNS server for all NS records for a domain. This is saved in file named domain.new and compared with a previous query of the NS records stored in domain.old. If there are any differences, an email is sent and an entry is made in the Application Event Log. (more…)
Many organizations are moving to Mobile Device Management or MDM solutions to manage and control their mobile devices. The proliferation of Android and Apple devices has almost made this a necessity.
One of the primary controls with an MDM solution is to prevent mobile devices from connecting to company email unless the device is both managed and compliant with company policy. Almost every MDM vendor accomplishes this by using a gateway. In order for mobile devices to get email, they must first pass through an MDM gateway that checks to see if (1) the device is managed by the MDM solution and (2) if he device is compliant with company policy. If it fails either of those tests, it is prevented from retrieving email.
However, there is an issue. All of the gateways used by MDM vendors only monitor and control the Active Sync protocol. They do not monitor or control the Outlook Anywhere (RPC over HTTPS) or Outlook Web Access (OWA) protocols. Modern mobile devices are smart enough to try multiple protocols to connect to email if one of them fails. So, in certain email domain configurations, a device would still be able to retrieve email even though MDM was preventing an Active Sync connection. (more…)
UPDATE 2013-04-18: More variables!
I’ve been playing around with the Mobile Device Management (MDM) software from Citrix. Last year, Citrix purchased Zenprise and renamed it XenMobile. Overall, it’s a pretty sold platform for managing iOS and Android devices. However, it does have a few dark corners. One of these is the use of variables in their configurations. They are not documented very well. This can make finding the right combination of variables for email setup difficult. So I have created a list of the variables I have discovered and what they do. As I discover more I will add to this list: (more…)
I was playing Faster Than Light recently and came to a sobering conclusion. As my ship burned and my crew furiously attempted to put out fires and repair systems, I saw startling similarities between roguelike games and the jobs in Information Security.
Just another day at the office.
For those unfamiliar with roguelikes, they are games characterized by randomly generated areas, punishing difficulty, and permadeath. You will die in roguelikes. A lot. With enough persistence and skill, you can win the game. But you must be willing to learn from each death. Each failure highlights a mistake made that should never be repeated in subsequent games.
What does this have to do with Information Security? Let’s start with number one. (more…)
I’ve updated the http-screenshot-html script. You can download it at the Google Code page. The primary changes are:
- Compatibility with Lua 5.2 as used in NMAP 6.25
- Added the “imgquality” script argument to modify the image output quality of wkhtmltoimage.
See the script’s Manual for full details on using the script.
Also, it appears that there is a bug in Lua 5.2. If you use backslashes while calling a script, Lua will throw an error about an Invalid Escape Sequence. So make sure you use forward slashes when calling scripts or using script args in NMAP 6.25. This should be fixed in a future release of NMAP.
I recently attended #BSidesDFW2012 this past Saturday. A great time was had by all. There was hacking. There was a lock pick village. There was beer. There were two CTFs. This was my first BSides. But I would gladly attend another. Below are some of the highlights. (more…)
So, you have a PC on your network that you think might be infected with some malware. What do you do? Well, you could always PSExec into the computer and run a series of commands. But why not automate that process and store the results?
That was my motivation for writing this IR-Script. It is like a first response tool for investigating a possibly infected PC. You run the tool, gather a bunch of information, and store it for review. The script gathers the following information from a PC: (more…)
Subsonic is a great client/server music streaming application. You can install the server software on a machine of your choice and stream your MP3s or movies from your server to your phone or to a web browser. (more…)
I’ve downloaded the new Tony Hawk Pro Skater HD for Steam. It’s great playing those old levels again, this time in HD. School II! Yeah! However, there is no configuration for a gamepad other than an XBOX controller. If you use any other gamepad, you might want to invert the Y-Axis so that pushing UP will make you go faster. To do this, open the file below:
<steamInstall>\steamapps\common\Tony Hawk's Pro Skater HD\THHDGame\Config\DefaultInput.ini
Find the following line the in the INI file:
.Bindings=(Name="XboxTypeS_LeftY", Command="Axis aBaseY Speed=1.0 DeadZone=0.3")
Change this line to:
.Bindings=(Name="XboxTypeS_LeftY", Command="Axis aBaseY Speed=-1.0 DeadZone=0.3")
Basically, you change Speed from 1.0 to negative 1.0. Save the file, load up THPS HD, and skate.
If you read the computer security news feeds, you’ve probably heard about the recent Java 7 and IE 6-9 exploits. The problem is that these exploits are discovered before there are any patches or reasonable workarounds for them. Fortunately, there is something that can be done to provide some additional protection that doesn’t involve an anti-virus company. Earlier this year, Microsoft released the Enhanced Mitigation Experience Toolkit (or EMET) version 3. The goal of EMET is to make exploitation of Windows applications difficult or impossible using the common attack techniques we see today. It’s not a silver bullet and won’t protect against every type of attack. But it does add additional layers of protection to your system by enforcing DEP, ASLR, Heap Spray Protection and more. (more…)