Export and Import GPG Secret Keys with OpenSSL Protection

2013-03-03 14:37:50 by chort

Sometimes I need to move GPG/PGP secret keys around, but I get very nervous about having them "in flight." Of course the passphrase protects the key, but call me paranoid. I had been encrypting with OpenSSL, then decrypting right before import, then rm -P (or shred -u) the file. Wouldn't it be nice to skip the step of having the key decrypted on disk at all? Turns out gpg can read from STDIN (and so can OpenSSL), so it's very simple.

srchost$ gpg --export-secret-key -a "user@domain" \
| openssl aes-256-cbc -a -salt -out user.key.enc

dsthost$ openssl aes-256-cbc -d -a -in user.key.enc \
| gpg --allow-secret-key-import --import -

gpg:    secret keys imported: 1
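As an added example (not part of chort's original post), here is the same export-encrypt / decrypt-import pipeline wrapped in POSIX shell functions, with two things the 2013 one-liners leave out: `-pbkdf2` so OpenSSL stretches the passphrase instead of using its legacy one-pass key derivation, and a header check that confirms the file that will travel is actually salted ciphertext (an empty or plaintext file from a failed openssl run would otherwise go out looking fine). The function names, the environment-variable passphrase handling, the iteration count and the placeholder key block are assumptions of this example, not the post's. GnuPG 2 treats `--allow-secret-key-import` as an obsolete no-op, so the import side here just uses `--import`.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the export/encrypt and
# decrypt/import pipeline in functions and adds a ciphertext sanity check.
set -u

# Encrypt stdin to base64 ciphertext on stdout. The passphrase reaches openssl
# through an environment variable (pass:env) rather than an argument, so it is
# not visible in `ps`. -pbkdf2/-iter replace the legacy key derivation.
enc_stream() {
  KEYPASS="$1" openssl enc -aes-256-cbc -a -salt -pbkdf2 -iter 200000 -pass env:KEYPASS
}

# Inverse of enc_stream: base64 ciphertext on stdin, plaintext on stdout.
dec_stream() {
  KEYPASS="$1" openssl enc -d -aes-256-cbc -a -pbkdf2 -iter 200000 -pass env:KEYPASS
}

# OpenSSL salted ciphertext starts with the 8-byte magic "Salted__", which
# base64-encodes to "U2FsdGVk". Returns 0 if the file carries that header.
is_salted_ciphertext() {
  [ "$(head -n 1 "$1" | cut -c1-8)" = "U2FsdGVk" ]
}

# The post's export pipeline, wrapped (hypothetical helper name).
# $1 = key id, $2 = encrypted output file, $3 = passphrase.
# The unencrypted key exists only inside the pipe, never on disk.
export_key_encrypted() {
  gpg --export-secret-key -a "$1" | enc_stream "$3" > "$2" && is_salted_ciphertext "$2"
}

# The post's import pipeline, wrapped. $1 = encrypted file, $2 = passphrase.
import_key_encrypted() {
  dec_stream "$2" < "$1" | gpg --import -
}

# Offline demonstration: a constructed placeholder stands in for a real
# exported key block. Returns 0 if the round trip preserves the input.
roundtrip_demo() {
  sample='-----BEGIN PGP PRIVATE KEY BLOCK-----
(constructed placeholder, not a real key)
-----END PGP PRIVATE KEY BLOCK-----'
  tmp=$(mktemp) || return 1
  printf '%s\n' "$sample" | enc_stream "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
  is_salted_ciphertext "$tmp" || { rm -f "$tmp"; return 1; }
  out=$(dec_stream "$1" < "$tmp")
  rm -f "$tmp"
  [ "$out" = "$sample" ]
}
```

Usage on the real thing is `export_key_encrypted user@domain user.key.enc "$PASS"` on the source host and `import_key_encrypted user.key.enc "$PASS"` on the destination; `roundtrip_demo` exercises only the OpenSSL half so it can run without a keyring present. Keep the same `-pbkdf2 -iter` values on both ends, since a ciphertext made with PBKDF2 will not decrypt with the legacy derivation and vice versa.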

I Think Ankit Fadia Is A Fraud

2013-02-18 10:06:06 by chort

You may have heard of Ankit Fadia at some point through the mainstream media. At first glance, his story is one of those made-for-TV scripts of a child prodigy. What you probably don't know is he's widely believed in the security industry to be a charlatan. Everyone is entitled to their own opinion of course, but I invite you to read the long list of supporting evidence that has been compiled by the folks at attrition.org. Most damning, in my mind, is the list of books Ankit Fadia "wrote" that contain blatant plagiarism. At the time of this writing, all 7 of his books reviewed by attrition.org contained plagiarism.

The message here is pretty clear: Don't use Ankit Fadia as a source for anything. The only thing he should be on TV for again is explaining why he ripped off so many people's work without giving them proper credit.

On Goals, Part 2: Call to Action

2013-02-02 14:42:42 by chort

In part 1 I outlined what I believe to be some of the fundamental, strategic problems facing Western society, and in a general sense how it applies to US businesses. In this part I'm going to relate that to specific courses of action and how anyone reading this can change their behavior to shape a better future.

Read the rest of this story...

On Goals, Part 1: Statement of Values

2013-02-02 13:26:46 by chort

One of the things I don't do well, that I feel is characteristic of the InfoSec discipline as a whole, is setting goals. I'm talking about relevant, worthwhile, and attainable goals. In their absence, it's easy to busy ourselves with tactical issues.

When thinking about goals, it makes sense to first define your values, so you can choose goals that align with or advance your values. One of the values I hold dearly is building a future that my offspring have the opportunity to enjoy. That means many things, but one that I think about frequently is the global economic situation and where the Western world, particularly the United States of America fits into it. I think far too many people have allowed instant gratification to confuse tactical decisions with strategic decisions. If we're serious about giving our kids the opportunities we had, we need to make sure our nation and democratic values are strongly positioned in the global market.

If this all sounds very grand and abstract, that's because it is. Please be patient, since it's a necessary foundation for the rest of this post, which gets into very actionable and practical steps. It has everything to do with Information Security and how we live our daily lives.

Read the rest of this story...

Installing Latest Yara That Works With Automake-1.11

2013-01-25 21:16:27 by chort

If you still run Ubuntu 10.04 (or another OS that can't upgrade automake past 1.11), you'll find that Yara 1.7 (last SVN version) won't build. You'll probably get something like this:

configure.ac:3: unknown warning category `no-extra-portability'

This is a quick post to show you how to get the latest 1.6 bugfixes (i.e. updated past the 1.6 tarball release) without breaking the build.

First off, I recommend installing RE2 for better performance (allegedly, I cannot confirm). Once you've done that, follow these easy steps (don't miss -r 162, that's the critical bit!):

$ rm -rf yara-project-read-only
$ svn checkout -r 162 http://yara-project.googlecode.com/svn/trunk/ yara-project-read-only
$ cd yara-project-read-only
$ ./configure --with-re2
$ ./bootstrap.sh
$ make
$ sudo make install
$ cd yara-python
$ python setup.py build
$ sudo python setup.py install
$ sudo ldconfig

Boom, done!

SF Bay Area DFIR Meetup January 31st

2013-01-12 16:24:44 by chort

Big news, AlienVault has agreed to play host, and they'll provide pizza and beer to boot! We also have a set date now, so without further ado, here's what to put on your calendar.

Read the rest of this story...

Scripting Hopper Disassembler - WS2_32.dll Ordinals to Names

2012-12-26 22:52:58 by chort

Over the holiday break I set goals to learn Yara signature creation and start the lab exercises in Practical Malware Analysis. Learning Yara turned out to be extremely easy, the User's Manual (available here) is excellent. Attempting to do the labs from PMA with Hopper rather than IDA Pro turned out to be rather challenging. One major advantage of IDA Pro is F.L.I.R.T. as many experienced reversers have been quick to point out to me. The very first exercise I attempted required analyzing a call to gethostbyname, which I couldn't even find because Hopper hadn't resolved the import ordinal to a name. I decided it was an excellent opportunity to learn how to use the built-in scripting of Hopper to resolve the names myself.

Read the rest of this story...

SF Bay Area DFIR Meetup

2012-12-20 19:13:58 by chort

If you are in the San Francisco Bay Area and do Incident Response, please read this post and give feedback on preferred location, time, and frequency of proposed local meetups.

Read the rest of this story...

Prerequisites To DFIR

2012-12-15 21:24:08 by chort

I gave a short presentation at Baythreat this year titled My First Incident Response Team: DFIR for Beginners. Due to the time format, I wasn't able to give a lot of context around some of the concepts. A few people asked if I had suggestions of simpler things to start with prior to diving into digital forensics. I hope to address those questions in a long-form version of my presentation at conferences in 2013, but in the meantime here are a few things I consider prerequisites or jumping-off places for new incident responders.

Read the rest of this story...

How To Provide Software Downloads

2012-11-27 07:20:21 by chort

Today I tried to download some anti-virus software from the manufacturer's site. When I clicked the Download button embedded in their site, it sent me to a CNET download page, which I assume would have downloaded one of those special CNET installers. I say assume, because I didn't actually bother to download it once I realized I had been redirected to CNET.

That was an example of a wrong way to provide a software download, but what is the correct way to do it?

Read the rest of this story...