News Contact Company



May 3, 2011
Newsletter May 2011 - Special Edition

Having trouble reading this email? View it in your browser.

TrueSec

News and Geek Stuff

May 2011 - Special Edition

This is a mid-month edition of our monthly newsletter. We felt we needed to share more about security, topping many agendas these days, as well as another great article from Mike.

A quick reminder of a couple of events coming up this spring/early summer:

May 12th (yes next Wednesday) Johan Arwidmark and Mikael Nystrom are running a full day workshop in deployment in London. There are seats still available. Mid June they are back for the Deployment Geek Week, this one in London as well. And finally, don’t miss “Understand how hackers attack the Windows platform” in Amsterdam. A very important and timely training developed and run by Marcus Murray, Microsoft MVP in security and frequent top rated speaker at TechDays, TechEd and other major Microsoft events.
ConfigMgr2012 Beta2. If you want to stay ahead of the curve, we offer already in June a master class in CM2012 based on Beta 2. Kent Agerlund has developed and run this class and this is an excellent class if you are thinking of going to CM2012 in the future or already use SCCM 2007 and want to upgrade.

Look out for another 5 day class on CM2012 and MDT 2012 run by Kent and Johan Arwidmark - a Microsoft MVP combo pack. A full week covering the new versions of both products and how to use in the deployment. First occasion in August. Stay tuned for more.


Marcus Murray:

Downloading binaries......

Mikael Nystrom:

Using the Wizard to modify the Wizard

 

 

Downloading binaries can be very dangerous, even from legitimate sites!!!

 

Most IT Pros I know sometimes download tools from the web like for example sysinternals pstools to do be able to do various sysadmin stuff on servers and clients in their IT-environment.

The most common way to ensure that the tool is legit and not infected by malware is usually just to download them from a trusted site and nothing more.

Often when I do penetration testing or security assessments I find these kind of tools lying around on servers at customer sites.

The question is if you can trust your download simply because it was downloaded from a trusted web site?

The answer is NO!

At Truesec we have a tool called Nasty. The tool was created by my colleague Johannes and it is a Proof-of-concept tool that demonstrates one of the most evil ways that exists today to compromise systems.

Whenever an attacker is on a network, wireless or wired he will have the possibility to initiate a man-in-the-middle attack on the network and intercept traffic between clients and servers. With a tool like Nasty he can trojanize any computer that is downloading binaries!!!!

Nasty will simply listen to traffic and whenever Nasty finds a binary, he will inject an evil shellcode into the binary and change the execution flow of the binary so that both the shellcode and the original binary will be executed as soon as the binary is run.

New browsers like internet explorer 9 will actually warn people from executing non-signed binaries downloaded from the web. Even that security control can be circumvented by applying automatic signing of the modified binary. A code signing cert that is trusted by all common browsers is just a couple of hundred dollars and will increase the chance that a target clicks it from approximately 60% to almost 100%.

At least I got really scared the first time I ran the tool. I set up the attack, then I downloaded process monitor directly from the sysinternals site. As soon as I executed the binary I could see that my computer was hacked and my remote attack machine had complete control over my box. Scary as hell!

Lessons learned:

If you are downloading binaries from the web:

- Only download from trusted sites

- Only download over trusted networks or secure channels

- If there is a hash-value of the binary presented on the site for control, use it to control that your binary has not been tampered with.

- If it´s supposed to be signed, then check the signature

- Monitor for suspicious behavior when executing downloaded binaries.

I soon run a 3 day hacking training course in Amsterdam. I think I will demonstrate the tool in public for the first time in that class! More info: www.truesec.com

stay safe
Marcus



Using the Wizard to modify the Wizard

From time to time there are customers that need the MDT LiteTouch wizard modified, they need to have something added or modified, and most common they need to add something. The particular customer in mind needed something that could present some kind of confirmation that everything was ok, before the technician press ok and load the OS on disk. Well, there is the “ready” page in the end, but the small issue is that it will by default only show values that has been provided during the wizard itself and since this customer gets variables from external sources that information was not really complete, not even close to it.

So, I did my homework and then I gave them pretty much what they wanted, but I kept working on this since I realized that there are a bunch of settings that “we” (you and me) most likely would like to have from time to time. I decided to split it up in three different pages. Hardware Information, Deployment Environment, OS Deployment settings and it looks like this (in that order)



 

This will be published on my blog in three separate blog posts (first one is up right now - http://deploymentbunny.com ), including screen shots, scripts and the rest you need to make it work in your environment.

Happy Deployment

/mike

 

 

 

 

Where to find us......

 

Mastering ConfigMgr 2012 Beta 2

Santa Ana, CA

June 6-8

Deployment Workshop with Johan Arwidmark and Mikael Nystrom

London May 12

Deployment Geek Week with Johan Arwidmark and Mikael Nystrom

London, UK

June 6-10

Understand how hackers attack the Windows platform with Marcus Murray Amsterdam June 14-16

Deployment Geek Week with Johan Arwidmark and Mikael Nystrom

Redmond, WA

July 18-22

Full schedule at http://www.truesec.com

 

 

 

This message was intended for '%%emailaddress%%'
Unsubscribe | To contact us please email info@truesec.com

TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052


 




TrueSec Inc    |     +1(425) 285-4477     |     info[at]truesec.com    |     Infrastructure    |     Security    |     Pentesting    |     TrueSec Inc. Website Privacy Statement