Rootsecure.net
The Security News Site For Systems Administrators & Hackers Saturday, 25th October 2014 @ 04:26:45 GMT
Downloads | PDF Documents
Notable papers / articles from the past few years on security and other related topics.

General Security

A Model for When Disclosure Helps Security

This Article asks the question: "When does disclosure actually help security?" The question of optimal openness has become newly important as the Internet and related technologies have made it seem inevitable that information will leak out. Sun Microsystems CEO Scott McNealy received considerable press attention a few years ago when he said: "You have zero privacy. Get over it." An equivalent statement for security would be to say: "You have zero secrecy. Get over it."
Defeating Encryption: Security is More than Just Good Crypto

Encryption is good. It helps make things more secure. However, the idea that strong cryptography is good security by itself is simply wrong. Encrypted messages eventually have to be decrypted so they are useful to the sender or receiver. If those end-points are not secured, then getting the plain-text messages is trivial. This is a demonstration of a crude process of accomplishing that.
Cache Snooping or Snooping the Cache for Fun and Profit

This research paper presents a technical overview of the technique known as DNS cache snooping. Firstly, a brief introduction to DNS is made, followed by a discussion of common misconceptions regarding DNS sub-systems. Then this relatively unknown technique is introduced, followed by a field study to assess the overall exposure of the Internet to this threat.
Securing Fiber Optic Communications against Optical Tapping Methods

Optical tapping devices placed in public and private optical networks today allow unfettered access to all communications and information transiting any fiber segment. Available legally and inexpensively from numerous manufacturers worldwide, optical taps are standard network maintenance equipment that are in use daily. When used nefariously, optical taps provide an excellent method of intercepting voice and data communications with virtually no chance of being detected. Intruders are therefore rewarded with a bounty of relevant information while subject to a very low risk of being caught.
How to 0wn the Internet in Your Spare Time

The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Once subverted, these hosts can not only be used to launch massive denial of service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways.
Encryption Flaws Present No Immediate Security Risk

A series of reported flaws in basic encryption "hash" algorithms shouldn't cause immediate concern. But they do show that vendors, cryptographers and certifying agencies should make alternatives available.
The Law Enforcement and Forensic Examiner Introduction to Linux

The purpose of this document is to provide an introduction to the GNU/Linux (Linux) operating system as a forensic tool for computer crime investigators.
Magstripe Interfacing - A Lost Art

Just like Sun Microsystems, people have been forecasting the death of magstripes for years. Yet they are still the most common form of physical authentication in the world. Their wide-spread deployment makes components for them cheap, and home-brewed applications limitless.
Ethereal User's Guide V2.00

Ethereal is one of those programs that many network managers would love to be able to use, but they are often prevented from getting what they would like from Ethereal because of the lack of documentation. This document is part of an effort by the Ethereal team to improve the usability of Ethereal.
Remembrance of Data Passed: A Study of Disk Sanitization Practices

Many discarded hard drives contain information that is both confidential and recoverable, as the authors' own experiment shows. The availability of this information is little publicized, but awareness of it will surely spread.
A Tool for Internet Chatroom Surveillance

Internet chatrooms are common means of interaction and communications, and they carry valuable information about formal or ad-hoc formation of groups with diverse objectives. This work presents a fully automated surveillance system for data collection and analysis in Internet chatrooms.
Buffer Overrun Attacks

The threat was first seen widely in 1988 and it is still an active attack methodology in 2000. A buffer overrun attack was one of the mechanisms reportedly utilized to deploy the malicious agents used on the Solaris-based servers in the recent DDoS attacks.
Remote physical device fingerprinting

We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device's known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews.
Supervised & Integrated Physical Security

This document is intended to explain the different steps that must be taken in order for a client to attain "integrated and supervised security" as we define it. Providing this level of security for people and material objects requires the use of many technical elements, including software and hardware.
Security Analysis of a Cryptographically-Enabled RFID Device

We describe our success in defeating the security of an RFID device known as a Digital Signature Transponder (DST). Manufactured by Texas Instruments, DST (and variant) devices help secure millions of SpeedPass(TM) payment transponders and automobile ignition keys.
Safecracking for the computer scientist

This paper is a general survey of safe and vault security from a computer science perspective, with emphasis on the metrics used to evaluate these systems and the weaknesses that cause them to fail.
Cheating CHAP

The Challenge Handshake Authentication Protocol (CHAP) is used to verify the identity of a peer in a 3-way handshake and is usually embedded in other protocols, commonly PPP. Several extensions (MS-CHAP) exist to allow the encryption of link layer packets via CHAP-authenticated connections. In this paper I will describe how CHAP may be attacked, gaining unauthorized access to CHAP-protected dial-ins or VPNs, and show that CHAP is not the right protocol to authenticate clients in IP networks.
Introduction to Shellcoding - How to exploit buffer overflows

Shellcode is a piece of machine-readable code, or script code, that has just one mission: to open up a command interpreter (shell) on the target system so that an "attacker" can type in commands in the same fashion as a regular authorized user or system administrator of that system can do (with a few not-so-important exceptions, of course).
Packet Sniffing on Layer 2 Switched Local Area Networks

Packet sniffing is a technique of monitoring network traffic. It is effective on both switched and non-switched networks. This paper discusses several methods that result in packet sniffing on Layer 2 switched networks. Each of the sniffing methods will be explained in detail. The purpose of the paper is to show how sniffing can be accomplished on switched networks, and to understand how it can be prevented.
Collisions for Hash Functions - MD4, MD5, HAVAL-128 and RIPEMD

MD5 is the hash function designed by Ron Rivest as a strengthened version of MD4. In 1993 Bert den Boer and Antoon Bosselaers found a pseudo-collision for MD5 which is made of the same message with two different sets of initial values. H. Dobbertin found a free-start collision which consists of two different 512-bit messages with a chosen initial value IV.
A man-in-the-middle attack using Bluetooth in a WLAN interworking environment

During the SA3-31 meeting in Munich, it was decided that the Bluetooth link between peripheral devices did not require integrity protection. This contribution indicates that a man-in-the-middle attack may be possible on the Bluetooth link in a WLAN interworking environment.
The Misuse of RC4 in Microsoft Word and Excel

In this report, we point out a serious security flaw in Microsoft Word and Excel. The stream cipher RC4 with key length up to 128 bits is used in Microsoft Word and Excel to protect the documents. But when an encrypted document gets modified and saved, the initialization vector remains the same and thus the same keystream generated from RC4 is applied to encrypt the different versions of that document. The consequence is disastrous since a lot of information in the document could be recovered easily.
Passive Information Gathering - The Analysis of Leaked Network Security Information

Most organisations are familiar with Penetration Testing (often abbreviated to "pentesting") and other ethical hacking techniques as a means to understanding the current security status of their information system assets. Consequently, much of the focus of research, discussion, and practice has traditionally been placed upon active probing and exploitation of security vulnerabilities. Since this type of active probing involves interacting with the target, it is often easily identifiable through the analysis of firewall and intrusion detection/prevention device (IDS or IPS) log files.
Good Practice Guide for Computer based Electronic Evidence

Details in this guide are designed to ensure good practice when collecting computer based electronic evidence; guidelines are not intended for use when dealing with evidence produced by witnesses from third party computer systems.
Host Discovery with nmap

As a Computer Security Engineer who regularly conducts external penetration tests, a recurring challenge seems to arise when assessing organizations with a large allocation of IP address space. What does one do when faced with multiple class B's, a few class C's, and a limited amount of time? Do you stick all of the address space in your favourite scanner and hit the Go button, wait till it's done and hope the results are accurate? How can you be sure that your scanner found all the hosts that are accessible? Do you even know the method your scanner uses to discover which hosts are alive?
Open-Source Security Testing Methodology Manual

It began with a simple idea: to make a methodology for security testing open to all. I had no interest in competing with the many hacking books and articles in existence. I knew that this would be important if it worked. I knew it had to work since much of security testing follows a methodology whether or not we sec testers really saw it as anything but a rhythm.
A Guide to Building Secure Web Applications - The Open Web Application Security Project

We all use web applications everyday whether we consciously know it or not. That is, all of us who browse the web. The ubiquity of web applications is not always apparent to the everyday web user.
PHP Security

Security is a measurement, not a characteristic. It is unfortunate that many software projects list security as a simple requirement to be met. Is it secure? This question is as subjective as asking if something is hot.
Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks

"HTTP Response Splitting" is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and an old favourite, cross-site scripting (XSS).
Attacking the DNS Protocol

DNS is a heavily used protocol on the Internet, yet it has numerous security considerations. This paper, whilst containing nothing new on DNS security, brings together in one document many strands of DNS security which have been published and reported in many separate publications before. As such, this document intends to act as a single point of reference for DNS security.
Securing Your Windows Laptop

Nowadays laptops are part of our life. We carry laptops almost everywhere for our work, connect them to different networks and store our sensitive information on them. But we hardly care about the security of our laptops, and that opens the door for an intruder to attack them or steal sensitive data from them.
Electronic Crime Scene Investigation: A Guide for Law Enforcement

The Internet, computer networks, and automated data systems present an enormous new opportunity for committing criminal activity. Computers and other electronic devices are being used increasingly to commit, enable, or support crimes perpetrated against persons, organizations, or property.
Security Through Obscurity

Steganography is the art of hiding information in ways that prevent its detection. Steganography is usually given as a synonym for cryptography but it is not normally used in that way. It is not intended to replace cryptography but supplement it. Though steganography is an ancient craft, the onset of computer technology has given it new life. Computer-based steganographic techniques introduce changes to digital covers to embed information foreign to the native covers.
Brute-Force Exploitation of Web Application Session IDs

Almost all of today's "stateful" web-based applications use session IDs to associate a group of online actions with a specific user. This has security implications because many state mechanisms that use session IDs also serve as authentication and authorization mechanisms - purposes for which they were not well designed.
An Introduction to ARP Spoofing [Slides]

This paper deals with the subject of ARP spoofing. ARP spoofing is a method of exploiting the interaction of IP and Ethernet protocols. It is only applicable to Ethernet networks running IP. The subject will be addressed such that anyone with basic networking experience can understand key points of the subject. Knowledge of the TCP/IP reference model is vital to full understanding, as is a familiarity with the operation of switched and non-switched networks.
Session Fixation Vulnerability in Web-based Applications

Many web-based applications employ some kind of session management to create a user-friendly environment. Sessions are stored on the server and associated with respective users by session identifiers (IDs).
Snort Install Manual

This document originated when a friend of mine asked me to put together this procedure for him so that he could install Snort and Acid. It is pretty basic and is for the Linux newbie, as well as the Snort newbie. This is not an ultra-secure end-all to Snort IDS deployment guide; this is a "How in the hell do I get this installed and working" guide.
Timing Analysis of Keystrokes and Timing Attacks on SSH

SSH is designed to provide a secure channel between two hosts. Despite the encryption and authentication mechanisms it uses, SSH has two weaknesses: First, the transmitted packets are padded only to an eight-byte boundary (if a block cipher is in use), which reveals the approximate size of the original data.
An Overview of Unix Rootkits

Rootkits, as we know them now, came into being sometime in the mid 1990s. At that time, Sun operating system Unix system administrators started seeing strange server behaviours: missing disk space, CPU cycles and network connections that strangely did not show up in the output of the netstat command.
Forensic Examination of Digital Evidence: A Guide for Law Enforcement

Developments in the world have shown how simple it is to acquire all sorts of information through the use of computers. This information can be used for a variety of endeavours, and criminal activity is a major one. In an effort to fight this new crime wave, law enforcement agencies, financial institutions, and investment firms are incorporating computer forensics into their infrastructure.
Simulating and optimising worm propagation algorithms

This paper describes a series of simulations run to estimate various worm growth patterns and their corresponding propagation algorithms. It also tests and verifies the impact of various improvements. Starting from a trivial simulation of worm propagation and the underlying network infrastructure and moving to more refined models, it attempts to determine the theoretical maximum propagation speed of worms and how it can be achieved.
The Anatomy of Cross Site Scripting

Cross site scripting (XSS) flaws are a relatively common issue in web application security, but they are still extremely lethal. They are unique in that, rather than attacking a server directly, they use a vulnerable server as a vector to attack a client.

Shatter Attack

Shattering By Example

'Shatter attack' is a term used to describe attacks against the Windows GUI environment that allow a user to inject code into another process through the use of windows messages. This document includes technical examples written in C and is not meant to cover the basics of these attacks.
Win32 Message Vulnerabilities Redux

About one year ago, Chris Paget, aka Foon, published a pair of papers that described fundamental flaws in the way the Windows event model is designed. Paget showed how these flaws led to a class of attacks he dubbed "Shatter attacks", and claimed that they were both widespread and unfixable.

Tempest Attacks

Optical Time-Domain Eavesdropping - Risks of CRT Displays

A new eavesdropping technique can be used to read cathode-ray tube (CRT) displays at a distance. The intensity of the light emitted by a raster-scan screen as a function of time corresponds to the video signal convolved with the impulse response of the phosphors.
Information Leakage from Optical Emanations

A previously unknown form of compromising emanations has been discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device.

Denial of Service (DOS) Attacks

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms

This paper proposes a taxonomy of distributed denial-of-service attacks and a taxonomy of the defense mechanisms that strive to counter these attacks. The attack taxonomy is illustrated using both known and potential attack mechanisms. In discussing the weaknesses of defense systems, our purpose is not to criticize but to draw attention to these problems so that they might be solved.
Surviving Distributed Denial of Service (DDoS) Attacks

Distributed denial of service (DDoS) attacks aim to disrupt the service of information systems by overwhelming the processing capacity of systems or by flooding the network bandwidth of the targeted business. Recently, these attacks have been used to deny service to commercial web sites that rely on a constant Internet presence for their business.
Denial of Service via Algorithmic Complexity Attacks

We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures. Frequently used data structures have 'average-case' expected running time that's far more efficient than the worst case.

@stake Inc Papers

GPRS Wireless Security: Not Ready For Prime Time

Mobile GPRS devices contain built-in support for Internet Protocol (IP) networks. Network operators installing next generation equipment often believe handsets are isolated from potentially more sensitive parts of the network operator's infrastructure. In @stake's experience, however, mobile equipment users are separated from critical network components by only one or two IP devices.
War Nibbling: Bluetooth Insecurity

The Bluetooth protocol, which is deployed in millions of products ranging from cellular telephones to laptops, is quickly becoming the new standard for intra-device wireless communications. This paper examines methods of assessing the security of Bluetooth devices in relation to the protocol's design and implementation flaws.
EtherLeak: Ethernet frame padding information leakage

Multiple platform Ethernet Network Interface Card (NIC) device drivers incorrectly handle frame padding, allowing an attacker to view slices of previously transmitted packets or portions of kernel memory. This vulnerability is the result of incorrect implementations of RFC requirements and poor programming practices, the combination of which results in several variations of this information leakage vulnerability.

NIST Guides

Information Security

The E-Government Act (Public Law 107-347) passed by the one hundred and seventh Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States.
Apple Mac OS X V10.3.x Panther - Security Configuration Guide

The purpose of this guide is to provide an overview of Mac OS X v10.3.x "Panther" operating system security and recommendations for configuring the security features. This guide provides recommended settings to secure systems using this operating system, and points out problems that could cause security concerns in systems using this operating system.
PDA Forensic Tools: An Overview and Analysis

Digital handheld devices, such as Personal Digital Assistants (PDAs), are becoming more affordable and commonplace in the workplace. They provide highly mobile data storage in addition to computational and networking capabilities for managing appointments and contact information, reviewing documents, communicating via electronic mail, and performing other tasks.
Security Metrics Guide for Information Technology Systems

The requirement to measure IT security performance is driven by regulatory, financial, and organizational reasons. A number of existing laws, rules, and regulations cite IT performance measurement in general, and IT security performance measurement in particular, as a requirement. These laws include the Clinger-Cohen Act, Government Performance and Results Act (GPRA), Government Paperwork Elimination Act (GPEA), and Federal Information Security Management Act (FISMA).
Security Considerations for Voice Over IP Systems

Voice over IP, the transmission of voice over packet-switched IP networks, is one of the most important emerging trends in telecommunications. As with many new technologies, VOIP introduces both security risks and opportunities.
Analysis of WEP and RC4 Algorithms

The Wired Equivalent Privacy protocol (WEP) is the standard for authentication and encryption used in the 802.11b wireless Ethernet protocol. For encryption, WEP uses the RC4 algorithm. Unfortunately, due to the poor design and implementation of WEP it cannot be considered a valid security measure for wireless networks.
Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection

Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or as a "backdoor" into a network to stage an attack.
Detecting Wireless LAN MAC Address Spoofing

An attacker wishing to disrupt a wireless network has a wide arsenal available to them. Many of these tools rely on using a faked MAC address, masquerading as an authorized wireless access point or as an authorized client.

Microsoft Posters

Protect Your Stuff: Use An Internet Firewall

A firewall can help prevent outsiders from getting to your computer through the Internet, so using a firewall isn't just smart, it's essential.
Protect Your Stuff: Get Computer Updates

Security updates do more than just protect your computer against the latest worms, viruses, hacks, and other Internet villains; they protect your privacy and productivity.
Protect Your Stuff: Use up-to-date antivirus software

An antivirus software program will help protect your computer against viruses, worms, trojan horses, and other malicious code.

Books (released freely onto the Internet by their authors)

IIS Security and Programming Countermeasures

This is a book about how to secure Microsoft Internet Information Services for administrators and programmers whose work includes a requirement for information security, a computer industry specialty field commonly referred to as infosec.
All Hell's Breaking Loose on the Chaos on the Electronic Superhighway

Dear Reader: It was about time. It was about time to take the original version of "Information Warfare," first released in Spring of 1994 and make it available for free to the Internet community.
IPv6 cookbook for routing, DNS, intra-domain multicast, inter-domain multicast, security

In many ways the issues of IPv6 routing, IPv6 DNS, IPv6 multicast and security are very similar to the corresponding tasks in IPv4, which the authors of this document assume the reader is familiar with. This deliverable rather focuses on the differences between IPv6 and IPv4 in these areas and therefore builds on the IPv4 knowledge and understanding of the reader to enable him to extend or migrate his network to IPv6.
Underground Book

Hacking, madness and obsession on the electronic frontier 'Gripping, eminently readable. Dreyfus has uncovered one of this country's best kept secrets and in doing so has created a highly intense and enjoyable read' -- Rolling Stone
Stability Comparison of Recordable Optical Discs - A Study of Error Rates in Harsh Conditions

The reliability and longevity of any storage medium is a key issue for archivists and preservationists as well as for the creators of important information. This is particularly true in the case of digital media such as DVD and CD where a sufficient number of errors may render the disc unreadable. This paper describes an initial stability study of commercially available recordable DVD and CD media using accelerated aging tests under conditions of increased temperature and humidity.
User Guide to Using the Linux Desktop

This user guide is meant as an introductory guide for a user to use a modern personal computer (PC) running the Linux operating system. The main aim is to provide a self-learning guide on how to use a modern Linux desktop system. It assumes that the user has no prior knowledge of Linux or PC usage.
Coca-Cola EVS Revision 2.2 Programming Method

The controller has two modes of operation: NORMAL and SERVICE. In normal mode, on power up display will show software installed in vender, then change to POS message or decimal point. Note: If "SET MODEL NUMBER" scrolls across the display on power up with the door open, you will need to program the vender model number in the controller. To program: with "SET MODEL NUMBER" on the display press select button 4.
The FBI's Combined DNA Index System Program

The FBI Laboratory's Combined DNA Index System (CODIS) blends forensic science and computer technology into an effective tool for solving violent crimes.
How to find hidden cameras

While it was easy to spot cameras twenty years ago due to their large size, this has become increasingly difficult during the last decade. Cameras have become much smaller and consume a fraction of the power they did ten years ago. Due to this, covert installation in nearly any imaginable place is possible. This paper will show methods frequently used for hiding cameras as well as methods to detect and locate covertly installed cameras.
Hacking Coke Machines

Coke vending machines are everywhere. They're getting more and more like regular computers with LEDs that show little "ICE COLD" messages and whatnot. Well, there's a lot more to those little built-in computers than you may think. Included in the low-level operating system that these babies run on is an actual debug menu that gives you access to all sorts of machine information and possibly gives you free cokes in older machines.
Cultural divide in IM: presence vs. communication

To most of my friends, i appear always-on. If i'm not on the computer, my IMs usually go to my Sidekick. I have a round-the-clock presence on AIM, even if frequently idle. I share this round-the-clockness with some of my buddies - people who always appear to be on, although sometimes idle. There are other buddies who pop up whenever they're on their computer (often 9-5). Then, there are those who pop up very occasionally.
United States of America v. Adrian Lamo

Complaint: Violations of 18 U.S.C
Interviewing With An Intelligence Agency

A first-person narrative of an applicant interviewing and going through the clearance process with the National Security Agency.
A discrete fourier transform based digital DTMF detection algorithm

We present a new type of digital Dual-Tone Multifrequency (DTMF) detection scheme based on the Goertzel DFT algorithm. This detection scheme is more robust and cost-effective than conventional analog detection techniques.
An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol

Skype is a peer-to-peer VoIP client developed by KaZaa in 2003. Skype claims that it can work almost seamlessly across NATs and firewalls and has better voice quality than the MSN and Yahoo IM applications. It encrypts calls end-to-end, and stores user information in a decentralized fashion. Skype also supports instant messaging and conferencing.
United States Frequency Allocations

The radio spectrum.
Email as Spectroscopy: Automated Discovery of Community Structure within Organizations

We describe a methodology for the automatic identification of communities of practice from email logs within an organization. We use a betweenness centrality algorithm that can rapidly find communities within a graph representing information flows.
The Google File System

We have designed and implemented the Google File System, a scalable distributed file system for large distributed data-intensive applications. It provides fault tolerance while running on inexpensive commodity hardware, and it delivers high aggregate performance to a large number of clients.
How Liberty Disappeared from Cyberspace: The Mystery Shopper Tests Internet Content Self-Regulation

The internet represents an immense challenge for established forms of content control, which cannot be met, by common understanding, via the traditional, by and large national, legal system.

Surveillance Nation

Part 1 - Surveillance Nation

Low-priced surveillance technologies will help millions of consumers protect their property, plan their commutes, and monitor their families. But as these informal intelligence-gathering networks overlap and invade our privacy, that very security and convenience could evaporate.
Part 2 - Surveillance Nation

In the name of convenience, efficiency, and security, we're creating a world in which our every movement, transaction, and indiscretion can be electronically tracked. But if we ensure that emerging surveillance technologies are designed in ways that deter misuse, we may not have to forfeit our privacy in the bargain.