InfoSec News

Research In Motion launched a free online service for small businesses to help them centrally manage BlackBerry smartphones in the cloud, providing protection for business content saved on the devices.
A few weeks ago I was asked to check every single workstation in the organisation for unwanted files. The types of files I was asked to look for were media files such as music and video, but also torrent files. The main objective was to identify breaches of policy and to allow removal of the unwanted files from the network. I will take you through what I did, which achieved the main objective relatively painlessly. Undoubtedly there better methods than what I'm about to describe and in fact I'm kind of counting on it, so feel free to share how you deal with the challenge. In the mean time this is what I ended up doing.

I obviously didn't really want to visit every machine in the organisation and search the hard drive. Junior has been good lately, so sending him wasn't an option either. The first challenge was to identify the machines currently on the network. Being a windows environment, I considered using dsquery to grab the machine names from AD, but that didn't really work out nicely as the company has computers in all different kinds of OUs. WMIC also had similar limitations and Powershell, well let's just say I'm no Ed, Hal or Tom. I chose the easy option and used nmap. Convenient in this environment as the workstations are quite separate from the servers on their own subnet. The following nmap command does a quick ping sweep and places the results in a grepable output file.

nmap -sP ip-range/mask -oG filename

The the grep output from nmap looks as follows :

Host: aaa.bbb.ccc.20 ( Status: Up
Host: aaa.bbb.ccc.45 ( Status: Up
Host: aaa.bbb.ccc.62 ( Status: Up
snip ...
Host: aaa.bbb.ccc.100 ( Status: Up
Host: aaa.bbb.ccc.101 ( Status: Up
Host: aaa.bbb.ccc.102 ( Status: Up
Host: aaa.bbb.ccc.115 ( Status: Up
Host: aaa.bbb.ccc.150 ( Status: Up
snip ...

From the list Iculled those devices that Iwas not interested in, e.g. the printers and the switch, before building the commands and creating the batch file.

To do the heavy lifting I used psexec from sysinternals, which allowed me to examine all the machines from one central machine. To create the command and resulting batch file I edited the output file from the nmap.

find and replace Host: with PsExec.exe

find and replace ( with -w C: cmd.exe /c dir *.mp3 *.avi *.mkv *.mov *torrent* /s /b audit-

find and replace with .txt

find and replace ) Status: Up with blank (i.e. clear it out)

What you end up with should look something like this for each of the entries in the nmap output file.

PsExec.exe aaa.bbb.ccc.45 -w C:cmd.exe /c dir *.mp3 *.avi *.mkv *.mov *torrent*
/s /b audit-machine45.txt
Save the file as a .bat file extension, make sure psexec is in the path of the user who will be running the batch file.

What will it do? The command runs PsExec on the IP address, issues the command dir for those extensions listed and outputs the info in a local file called audit-machinename.txt. Because we are using a standard dir command you can easily look for any kind of file you like, or partial file names.

Each of the output files will look something like this

C:\Documents and Settings\jdoe\

Desktop\MUSAK\The Police\Greatest Hits\11 - The Police - Spirits In The Material World - Greatest H.mp3
Desktop\MUSAK\The Police\Greatest Hits\12 - The Police - Synchronicity II - Greatest Hits_120113005.mp3
Desktop\MUSAK\The Police\Greatest Hits\13 - The Police - Every Breath You Take - Greatest Hits_1201.mp3
Desktop\MUSAK\The Police\Greatest Hits\14 - The Police - King Of Pain - Greatest Hits_1201130115.mp3
Local Settings\Temporary Internet Files\Content.IE5\HKNBKI0L\novotelrestc[1].mov
My Documents\private\vids\SouthPark DVDiv\X 809-814\813 - Cartman's Incredible
Someone will need to inspect each of the result files and check to see if the materials are permitted to remain on corporate machines or whether they should be removed. Sometimes the owner wil not be obvious and you might need to examine the machine a little bit closer to determine the owner of the files. Once unwanted files have been identified I usually send the person a policy reminder and a request to have the materials removed. Second/third/nth offences however are passed on to the appropriate area to deal with.

To give you an idea of the effort involved for a site of 400 plus machines (about 325 up when checking).

Running the nmap - 15 minutes,
Culling undesirable devices and doing the find and replace commands - 15 minutes.
Running the batch file - 2 hrs.
Checking the results - 1 hour,
Sending the emails - 30 minutes (will obviously depend on how much you find Iended up sending 15).

All in all a reasonably straight forward process and easily adapted to different file types, or file names.

There are some limitations. The user running the psexec command must have privileges in the environment and the machines being checked should be part of the domain. Although you can pass alternate userid and passwords to the command if you want to. You will leave a user profile directory behind on the machine being checked. Only those machines accessible when the batch file is run will be checked, but you could make this part of a login process and write the results file to a network location instead.

Quick and dirty I know, but does the job. How do you find files on your network, including workstations, that should probably not be there?


Mark - Shearwater (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
This radical new process was presented at the USENIX Security Symposium last Friday and according to its authors has the potential to turn the entire web into a giant proxy server. Telex is markedly different from past anticensorship systems, making it easy to distribute and very difficult to detect and block.[1]
This is still a concept rather than a full production system but so far the tests conducted with proof-of-concept software by the researchers had encouraging results. According to the Telex website, The client secretly marks the connection as a Telex request by inserting a cryptographic tag into the headers. We construct this tag using a mechanism called public-key steganography. This means anyone can tag a connection using only publicly available information, but only the Telex service (using a private key) can recognize that a connection has been tagged.[1]
In order for Telex client to reach a blacklisted site, it needs to use a ISP Telex station that holds a private key that recognize the client Telex connections, decrypt the data and divert the connection to an anti-censorship service such as proxy servers or Tor to access the blocked site. The end result is an encrypted tunnel between the Telex client and an ISP station reaching any sites on the Internet.
A paper published by computer science researchers at The University of Michigan and Waterloo is available here. For updates, source code and an online demonstration, visit their website.[2]
If Telex works as advertized, it has the potential of bypassing current technologies deployed in an organization. How can we prevent a client from accessing this friendly ISP station? Application whitelisting might work, another option might be finding and blocking friendly ISP but seems like an impractical proposition. What else do you think could be done to prevent a Telex client from leaving a corporate network to access a Telex ISP station?


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Norton Mobile Security, Symantec's new Android app, can protect your smartphone against malware, phishing, theft and spam.
FireCAT: Firefox Catalog of Auditing exTensions version 2.0 has just been released. It contains 90 addons divided in 7 categories further subdivided in 19 sub-categories. A new Protection subcategory (in Misc) has been added to protect Navigation with TrackMeNot, NoScript, cookieSafe, TrackerBlock and Adblock Plus.
The graph showing the list of extensions can be viewed here and mindmap can be downloaded here.






Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Community SANS SEC 503 coming to Ottawa Sep 2011 (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status