They’ve finally been put online.  It’s late and it’s a weekend so I don’t really have a whole lot to say about it, but if you read this blog there’s a good chance you’re the same kind of geek that’s been waiting for them to post these videos.  

• http://www.shmoocon.org/2008/videos/

• TaoSecurity: Snort Evasion Vulnerability in Frag3
  Summary of an issue with Snort that allows fragments to be discarded without being examined. There’s a workaround that you can implement before you patch.
  (tags: snort security)
• Check Point Full Disk Encryption
  Check Point now supports full-disk encryption on Macs with pre-boot authentication. Someone needs to make the EFI equivalent of msramdmp now ;)
  (tags: security)

I just received these two pictures via email from my major professor, and thought I’d share.  They’re from a series of mock trials that were held for this past fall semester’s computer forensics class.  The students had the opportunity to take the stand and present expert witness testimony regarding the evidence that they had examined as part of a class project.  We had a real courtroom, a real judge, real attorneys, and another university’s students sitting as a jury.  I sat as the accused for a few cases, and also helped guide the defense attorneys through some of the more technical aspects of the forensics.

Thankfully, with the inexperience of the expert witnesses, and coaching my attorney a bit (he had an engineering background, which helped), I was found to be not guilty :) .

Edit: The real action’s going on down below here in the comments :) .  Be sure to catch up on them after you read the post.

Jesse Varsalone, a computer forensics expert that happens to be a reader of this site, just emailed me a link to a cool video where he demonstrates a quick and easy way of obtaining SYSTEM privileges on a Vista system, given physical access to the machine.  In the video, he uses BackTrack to replace Utilman.exe with a copy of cmd.exe .  The nice thing about replacing Utilman.exe is that you can make it run before you’re even logged-in by pressing Windows-U.  The video is available on the Offensive Security (maintainers of BackTrack) site:

• http://www.offensive-security.com/movies/vistahack/vistahack.html

If you’re into doing physical-presence penetration tests, you might want to roll your own custom CD or bootable USB drive that boots faster than BackTrack, and automatically swaps Utilman.exe out for the executable of your choice.  Perhaps something that installs a nice rootkit or Core Impact agent, and then places the real Utilman.exe back into its rightful place. 

Thanks Jesse!  Excellent choice of soundtrack as well!

• Cisco IOS Rootkit thoughts
  Mike Poor weighs in on the topic of Cisco IOS rootkits on the ISC blog
  (tags: security)
• Cisco Security Response: Rootkits on Cisco IOS Devices
  To go along with the previous link, here’s Cisco’s response to Muniz, which is thankfully light on knee-jerk legal action and heavy on good best-practices for verifying that your Cisco gear is untampered-with
  (tags: security)

• sontek ( John M. Anderson ) » Python with a modular IDE (Vim)
  Great tips for using Vim as a Python IDE. I don’t do anything nearly this fancy with mine, but I definitely want to give it a shot now.
  (tags: python vim)

I haven’t posted in a while, mostly because I’ve been busy hacking away at SCADA equipment and software, but I did spot some new conference video online in my usual rounds (Shmoocon 2008 video? knock knock :) ).  It looks to be deserving of a post.

I wasn’t aware of this conference before now, but the topics look very interesting.  There’s some SCADA, some virtualization, some reversing, and several more that I hope to sit down long enough to watch soon.  All of it’s hosted on the extraordinarily fast EasyNews mirror.  If you’re not already familiar with this mirror, poke around a directory up from the link and you’ll find a lot more conference audio/video to keep you busy.

• Troopers 2008 - Conference Website
• http://mirrors.easynews.com/defcon/troopers08/ - Videos!

• Links » Exploiting Network Cards
  Interesting thoughts on exploiting network cards. This is something I’m bookmarking to take a closer look at later.

• Drop.io: Simple Private Exchange
  Seems like a decent file dead-drop. I wouldn’t count on the privacy or anonymity of it, but it could be something you can work with, if you take appropriate steps to protect yourself. Might have to play with this a bit later.
  (tags: filesharing)
• lua-users wiki: Tutorial Directory
  If you listened to the webcast I linked yesterday, you heard Ed Skoudis talking about all the security tools that are integrating Lua scripting. Here’s a good starting point if you’re moving from other scripting languages to Lua.
  (tags: programming security)
• Multi-Page Comment System 1.1.0 Insecure Cookie Handling Vulnerability
  This is along the same lines as the vulnerabilities I see in student projects here at the university :)
  (tags: security)
• RantX 1.0 Insecure Admin Authentication Vulnerability
  Hah! this one’s pretty clever too.
  (tags: security)

• SANS Institute - SANS Special Webcast: New Computer Attack Tools and Techniques
  Ed Skoudis presents an overview of the new nmap scripting engine, various features of Cain, pass-the-hash attacks, and current research (including memory attacks :) ). Really excellent way to spend an hour or so today.
  (tags: security)
• MacBook and MacBook Pro USB Ports « Security Sumo!
  Information on which USB port on your MacBook or MacBook Pro is on a hub with internal devices, and which is on its own. I sure didn’t know that, and I hadn’t thought to look into it, but that info could definitely come in handy, especially if you’re ima
  (tags: forensics mac)