Practical audit advice you can use today.
Visit the SANS Audit Blog for Show Notes!

From Discovery through Metasploit module!
Published: 2011-11-16 (Length: 01:04:57)

This webcast is a bit off the normal track for us. This recording was made live at a conference a few months back. (Sorry that the first few minutes have the screen capture software in view. Be patient, it goes away before we get to anything really good!) In the recording, David Hoelzer walks through a demonstration of the various phases that a security researcher (or hacker) would go through to discover a vulnerability, build a proof of concept and finally create a working exploit.

A major take-away from this demonstration is how quickly this can be done. The actual demonstration takes only 60 minutes from beginning to end, and that's with all of the talking and explaining. Once the flaw has been discovered, a working POC exploit and Metasploit module could be written in about 15 minutes.

I've had people say, "Well, sure, there's a flaw, but it would be really hard to exploit it." Guess what? In many cases they're just plain wrong!

Quick and easy demo combining DNS Spoofing with WPAD for a man in the middle attack!
Published: 2011-11-09 (Length: 11:36)

How hard is it for someone to insert a proxy between you and the rest of the Internet without you knowing? Will running a Mac or Linux protect you?

In this episode we combine the concepts from Episode 20 with the WPAD style attack that was discussed back in Episode 17, resulting in a quick and easy how-to for a man in the middle attack that will work against any system that has Automatic Proxy Discovery enabled.

This feature is sometimes thought to be a Windows-specific issue, but as we demonstrate here by transparently creating a man in the middle proxy for a Mac, it really does apply everywhere. There are just a few simple pieces that you need to accomplish this attack, and there are some quick and easy things that you can do to defend yourself or that you can look for during an audit.

For more details and a link to the source code, please check the Blog article here:

http://it-audit.sans.org/blog/2011/11/09/it-security-audit-what-about-wpad/

Fixing Permissions for Visual Sniff
Published: 2011-11-08 (Length: 04:11)

This screencast was created specifically as a support video for our VisualSniff product. The default permissions that are set on the BPF adapters on OS X are a bit atypical and make it impossible for a user to start a sniffer without becoming an administrator. Using the directions in the video with the accompanying script resolves this issue so that VisualSniff will work correctly. The script referenced can be downloaded here: http://enclaveforensics.com/ClientFiles/VisualSniffPerms.sh

Quick and easy DNS spoofing for the masses!
Published: 2011-11-02 (Length: 10:54)

BIND is usually the go-to DNS solution if you're looking to set up a DNS sinkhole to contain and identify malware. While I love BIND as much as the next guy, I find that it's a real pain in the neck to get everything set up just right and the maintenance involved in adding a new authoritative zone is just more than I'm willing to do.

As a solution to this, I've revived a tool that I wrote more than a decade ago for Internet usage policy enforcement. As it turns out, it already was a DNS sinkhole; I just never called it one!

Watch the episode for a demonstration and discussion and check out the blog article for more information and the source code: http://it-audit.sans.org/blog/2011/11/02/dns-sinkhole-for-malware-defense-and-policy-enforcement/

Domain Wide File Searching
Published: 2011-10-17 (Length: 11:01)

In all of the cases that I've worked where a malware infection, suspected APT or other security breach had occurred, detectable file remnants were left behind. How can you find them? Can IT audit techniques help?

In this episode we take a look at a super easy technique that allows you to find any type of file, or any specific file, anywhere within your domain. The script can also be modified to create an inventory of any other type of file you need.

For a copy of the script and a longer discussion, please be sure to check the show notes: http://it-audit.sans.org/blog/2011/10/17/detecting-malware-apt-like-threats-domain-wide-file-finder/