Practical audit advice you can use today.

Quick and easy DNS spoofing for the masses!
Published: 2011-11-02 (Length: 10:54)

BIND is usually the go-to DNS solution if you're looking to set up a DNS sinkhole to contain and identify malware. While I love BIND as much as the next guy, I find that it's a real pain in the neck to get everything set up just right and the maintenance involved in adding a new authoritative zone is just more than I'm willing to do.

As a solution to this, I've revived a tool that I wrote more than a decade ago for Internet usage policy enforcement. As it turns out, it already was a DNS sinkhole; I just never called it one!

Watch the episode for a demonstration and discussion and check out the blog article for more information and the source code: http://it-audit.sans.org/blog/2011/11/02/dns-sinkhole-for-malware-defense-and-policy-enforcement/

Domain Wide File Searching
Published: 2011-10-17 (Length: 11:01)

In all of the cases that I've worked where a malware infection, suspected APT or other security breach had occurred, detectable file remnants were left behind. How can you find them? Can IT audit techniques help?

In this episode we take a look at a super easy technique that allows you to find any type of file, or any specific file, anywhere within your domain. The script can also be modified to let you create an inventory of any other type of file you need.

For a copy of the script and a longer discussion, please be sure to check the show notes: http://it-audit.sans.org/blog/2011/10/17/detecting-malware-apt-like-threats-domain-wide-file-finder/

Making a safer world through better baselines!
Published: 2011-10-11 (Length: 13:14)

I've been saying for years that Change Control is one of the most critical processes in our enterprise and the one that we are failing to follow most often. When you consider the 20 Critical Controls, you'll find that at least 5, and likely more, are directly related to how well you know the systems in your business. In fact, if you know your systems well, you are poised to be able to discover any 0-day infections and most any APT-like (Advanced Persistent Threat) threats. How can you know your systems well? Watch this webcast for a demonstration!

The Show Notes for this episode along with copies of the scripts demonstrated can be obtained here: http://it-audit.sans.org/blog/2011/10/11/detecting-apt-and-other-zero-day-malware-through-service-auditing/

How I learned to stop worrying and love the proxy!
Published: 2011-10-03 (Length: 10:41)

In today's networked world, the vast majority of "work" that we do is done in a web browser. As it turns out, there's a very common configuration setting that creates enormous potential for serious information leakage or compromise in those very web browsers that we trust.

In this episode we take a look at a demonstration of the WPAD (Web Proxy Auto-Discovery) service and how it can be leveraged to compromise data, particularly on Windows computers. It is important to note that the actual browser being used is not important! All modern browsers support the WPAD protocol. If a hacker finds himself on a network with even one system configured in this way, he has an immediate attack vector that allows him to start intercepting data. Of course, if he can intercept data, there's no reason he can't inject data too! This is a perfect avenue for the injection of malicious JavaScript and other exploits, though we will not explore that in the demo.

What's the answer to this problem? The answer is at the end of the episode or, if you don't want to wait, stop by the related show notes over at the SANS site for a quick explanation of what to look for:

Leveraging Built-In Information Exposures
Published: 2011-09-21 (Length: 11:05)

If I asked you for your password, no doubt you'd tell me to get lost. If I asked for your username you would be suspicious. If I asked you for your email address, you'd likely give it up.

Of course, your email address and your username are quite likely one and the same. What good is your username if I don't have your password? Well, there's not much that can be done with a single username in terms of hacking. In large numbers, however, usernames can be quite useful.

How can I get my hands on a large number of usernames? There are many techniques, some for web applications, others for internal attacks. In this episode we depart from our usual audit focus to weaponize an information disclosure that is a part of virtually every Microsoft Windows domain that you'll encounter.

Using a few easy tools, we'll extract the usernames and then use an easy technique to capture valid username/password credentials, compromising accounts!

For a longer discussion of what's happening in this presentation, please be sure to visit here: http://it-audit.sans.org/blog/2011/09/21/usernames-matter-more-than-passwords