Agustus 2012 ~ tutorial about web security computer networking

Kamis, 30 Agustus 2012

My Role in Information Warfare during the Yugoslav Wars

06.42 Air Force, information warfare No comments

This morning I read a Tweet from @AirForceAssoc reminding me that:

Today in Airpower History, August 30, 1995: NATO and U.S. aircraft began airstrikes on Serbian ground positions in Bosnia-Herzegovina to support the U.N. Operation Deliberate Force. The airstrikes, with a Bosnian-Croatian ground attack, convinced the Serbs to accept peace terms in late 1995.

I'm not particularly fond of commemorating airpower campaigns, but the Tweet did remind me of the small part I played in the Yugoslav Wars of the 1990s. Many Americans remember the 1990s, and especially the Clinton presidency, as a "quiet decade" between the first Gulf War led by President GHW Bush and the so-called "Global War on Terror" led by President GW Bush. Instead of a quiet decade, I remember a an exceptionally busy time for the Air Force, including some of the first "information operations" that combined digital and physical effects.

In fact, fifteen years ago, almost to the week I believe, I volunteered to deploy from San Antonio to Joint Analysis Center (JAC) Molesworth in the UK. They needed intelligence support in the targeting shop, so as an Air Force intel officer I fit the bill. I decided to volunteer to go to the UK over the holidays (through early January) at a time of my "choice," rather than wait for the inevitable call to deploy to the desert, where US forces were still conducting counter-Iraqi operations.

Besides other targeting duties, the most interesting aspect of the shop was a requirement we received concerning a counter-propaganda campaign. Serbian Radio Television (SRT) was broadcasting fairly vile and false information to undermine the peace process. The Stabilization Force (SFOR) commander asked the JAC for options to shut down SRT transmissions, i.e., how to conduct "offensive counterinformation" operations against the Serbs.

We did some technical analysis of the SRT communication infrastructure and determined that if a certain set of transmission towers were "out of commission," that would end the broadcast problem. Part of the shop thought 500 lb bombs would be the best answer. Others thought we should apply a nondestructive approach and simply seize the towers by surrounding them with troops and tanks.

The photo in this post, attributed to the 55th Combat Camera Company, tells you what happened the morning of 1 October, 1997. SFOR seized four towers (Hill 619 in Duga Njiva is depicted), effectively terminating the SRT propaganda campaign. SFOR didn't destroy anything, but it conducted an information warfare operation to achieve the desired objective -- control of adversary mass communication.

If you'd like to read more about the history and theory of this operation, please see Physical Attack Information Operations in Bosnia: Counterinformation in a Peace Enforcement Environment by Major Arthur N. Tulak. I haven't yet read Memory, the media and NATO: information intervention in Bosnia-Hercegovina by Monroe Price, but it also discusses the same operation.

Less Thrashing; More Queries (Part II)

15.12 No comments

These are more advanced event queries than my last post. Creating queries as psobject properties improves query speeds.More intra-message searches as calculated properties are included below.

$Elements=New-Object PSObject -Property @{
Security_515X=get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}
System=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}
Application=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}
}

if ($All_Events) {rv -ea 0 All_Events}
$global:Events= foreach ($element in $Elements) {$element}
[array]$HAElements="Security_515X","System","Application"
foreach ($element in $HAElements){$All_Events+=$Events.$element}
$a=$All_Events | Sort -desc -property TimeCreated

PS C:\> measure-command -expression {
>>
>> $Elements=New-Object PSObject -Property @{
>> Security_515X=get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}
>> System=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}
>> Application=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}
>> }
>>
>> if ($All_Events) {rv -ea 0 All_Events}
>> $global:Events= foreach ($element in $Elements) {$element}
>> [array]$HAElements="Security_515X","System","Application"
>> foreach ($element in $HAElements){$All_Events+=$Events.$element}
>> $a=$All_Events | Sort -desc -property TimeCreated
>> }
>>

Days : 0
Hours : 0
Minutes : 5
Seconds : 10
Milliseconds : 163
Ticks : 3101636859
TotalDays : 0.00358985747569444
TotalHours : 0.0861565794166667
TotalMinutes : 5.169394765
TotalSeconds : 310.1636859
TotalMilliseconds : 310163.6859

PS C:\> $All_Events.count
70000
PS C:\> $Elements | gm

TypeName: System.Management.Automation.PSCustomObject

Name MemberType Definition
---- ---------- ----------
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
Application NoteProperty System.Object[] Application=System.Object[]
Security_515X NoteProperty System.Object[] Security_515X=System.Object[]
System NoteProperty System.Object[] System=System.Object[]

PS C:\> $Elements.Application.count
10000
PS C:\> $Elements.Security_515X.count
50000
PS C:\> $Elements.System.count
10000

Parsing ports and Addresses from the message log for security events: 5156,5157,5158
(e.g.:
C:\Windows\system32>auditpol /get /subcategory:"Filtering Platform Policy Change"
System audit policy
Category/Subcategory Setting
Policy Change
Filtering Platform Policy Change Success and Failure
)

is a still a little cludgey here:

$a[0..100] | Select TimeCreated,ID,ProviderName, `
@{Name='Ext_Message';Expression={($_.Message | findstr "Address Source Port")}} `
| ft -auto -wrap

TimeCreated Id ProviderName Ext_Message
----------- -- ------------ -----------
8/25/2012 9:48:33 AM 7036 Service Control Manager
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { Source Address: 192.168.0.11, Source Port: 2672, Destination Address: 199.47.217.146, Destination
Port: 80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { Source Address: 192.168.0.11, Source Port: 2672, Destination Address: 199.47.217.146, Destination
Port: 80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { Source Address: 192.168.0.11, Source Port: 2672, Destination Address: 199.47.217.146, Destination
Port: 80}

This is more concise:

$a[0..100] | Select TimeCreated,ID,ProviderName, `
@{Name='Ext_Message';Expression={($_.Message | findstr "Address Source Port") `
-replace("Source Address:","") -replace("Destination Address:","") `
-replace("Source Port:","") -replace("Destination Port:","") }} `
| ft -auto -wrap

TimeCreated Id ProviderName Ext_Message
----------- -- ------------ -----------
8/25/2012 9:48:33 AM 7036 Service Control Manager
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:47:24 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 17500, 255.255.255.255, 17500}
8/25/2012 9:47:12 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 137, 192.168.0.255, 137}
8/25/2012 9:47:00 AM 7036 Service Control Manager
8/25/2012 9:47:00 AM 7036 Service Control Manager
8/25/2012 9:46:58 AM 5158 Microsoft-Windows-Security-Auditing { ::, 2680}
8/25/2012 9:46:58 AM 5156 Microsoft-Windows-Security-Auditing { ::1, 445, ::1, 2680}
8/25/2012 9:46:58 AM 5156 Microsoft-Windows-Security-Auditing { ::1, 2680, ::1, 445}
8/25/2012 9:46:54 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 17500, 255.255.255.255, 17500}
8/25/2012 9:46:42 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:46:42 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:46:42 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:46:24 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 17500, 255.255.255.255, 17500}
...

08/26/2012: I've updated this post with the use of 'normalize()' to remove brackets.

Here are some methods to parse through the 70K log entries looking for connections:

$a[0..100] | Select ID,ProviderName,TimeCreated, `
@{Name="Message[10]"; Expression={($_.Message)[0,1]}}, `
@{Name="SourceAddress"; Expression={(($_.Message | findstr /C:"Source Address:").replace("Source Address:","")).Normalize()}}, `
@{Name="DestinationAddress"; Expression={(($_.Message | findstr /C:"Destination Address:").replace("Destination Address:","")).Normalize()}} `
| ft -auto -wrap

This use of the for command let the users roll through log fifty events at a time:

for ($i = 0;; $i += 50) {$a[$i..($i+50)] | ft -auto ID,ProviderName,TimeCreated,Message;pause}

for ($i = 0;; $i += 50) {$a[$i..($i+50)]| `
ft -auto -wrap ID,TimeCreated,@{Name="Ext_Message"; Expression={(($_.Message | findstr "Address Source Port")).Normalize()}};
pause;
}

This last one cleans it up and separates Source and Destination into different fields:

for ($i = 0;; $i += 50) {$a[$i..($i + 50)] |
ft -auto -wrap TimeCreated,ID,ProviderName, `
@{Name="SourceAddress";Expression={(($_.Message | findstr /C:'Source Address:').replace("Source Address:","")).Normalize()}}, `
@{Name="DestinationAddress";Expression={(($_.Message | findstr /C:'Destination Address:').replace("Destination Address:","")).Normalize()}};
pause;
}

Id ProviderName TimeCreated SourceAddress DestinationAddress
-- ------------ ----------- ------------- ------------------
7036 Service Control Manager 8/25/2012 9:48:33 AM
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:37 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:37 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:37 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:24 AM 192.168.0.11 255.255.255.255
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:12 AM 192.168.0.11 192.168.0.255
7036 Service Control Manager 8/25/2012 9:47:00 AM
7036 Service Control Manager 8/25/2012 9:47:00 AM
5158 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:58 AM ::
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:58 AM ::1 ::1
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:58 AM ::1 ::1
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:54 AM 192.168.0.11 255.255.255.255
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:42 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:42 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:42 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:24 AM 192.168.0.11 255.255.255.255

...

Now we will do some quick analysis courtesy of the 'group-object' command:

$SearchResult= $a | Select ID,RecordID,TimeCreated, `
@{Name='SourceAddress';Expression={(($_.Message | findstr /C:'Source Address:').replace("Source Address:","")).Normalize()}}, `
@{Name='DestinationAddress';Expression={(($_.Message | findstr /C:'Destination Address:').replace("Destination Address:","")).Normalize()}}

$SearchResult | group -property ID -noelement | Sort -desc -property Count

Count Name
----- ----
2565 5158
2369 5156
898 1035
751 7036
66 5157
56 1
33 7042
32 7040
29 257
27 42
27 0
...

$SearchResult | Select SourceAddress,DestinationAddress | Sort -unique -desc -property SourceAddress,DestinationAddress

SourceAddress DestinationAddress
------------- ------------------
fe80::ffff:ffff:fffe ff02::2
fe80::ffff:ffff:fffe ff02::16
fe80::cddc:ceef:b717:a5ac ff02::1:3
fe80::46:eb0:3f57:fff4 ff02::2
fe80::3069:3e11:3f57:fff4 ff02::2
fe80::3069:3e11:3f57:fff4 ff02::16
fe80::1468:390c:3f57:fff4 ff02::2
fe80::1468:390c:3f57:fff4 ff02::16
255.255.255.255 0.0.0.0
239.255.255.250 127.0.0.1
224.0.0.252 192.168.0.11
224.0.0.22 192.168.0.11
199.47.216.177 192.168.0.11
192.168.0.11 98.138.49.43
192.168.0.11 98.137.49.1
192.168.0.11 98.124.156.54
192.168.0.11 96.17.239.144
192.168.0.11 96.17.237.177

$SearchResult | group -property SourceAddress,DestinationAddress -noelement | Sort -desc -property Count | ft -auto

Count Name
----- ----
2170 0.0.0.0
2000
617 192.168.0.11, 192.168.0.1
113 192.168.0.11
110 192.168.0.11, 199.47.217.146
109 ::
99 127.0.0.1
89 192.168.0.11, 255.255.255.255
81 192.168.0.11, 192.168.0.255
74 ::1
50 239.255.255.250, 127.0.0.1
48 192.168.0.11, 12.129.210.71
48 192.168.0.11, 184.73.175.201
44 192.168.0.11, 224.0.0.252
33 192.168.0.11, 224.0.0.22
28 192.168.0.11, 173.192.226.196
27 192.168.0.11, 96.17.237.177
26 255.255.255.255, 0.0.0.0
23 192.168.0.11, 64.94.107.64
....
#Note: Using Normalize() doesn't help me here...
[array[]]$Tuple=($SearchResult | group -property SourceAddress,DestinationAddress -noelement | Sort -desc -property Count | Select Name) -replace(",","") -replace(" ","")
[array[]]$Tuple=$Tuple.replace("@{Name=","") -replace("}","")

$Tuple[0..100]
0.0.0.0

192.168.0.11 192.168.0.1
192.168.0.11
192.168.0.11 199.47.217.146
::
127.0.0.1
192.168.0.11 255.255.255.255
192.168.0.11 192.168.0.255
::1
239.255.255.250 127.0.0.1
192.168.0.11 12.129.210.71
192.168.0.11 184.73.175.201
192.168.0.11 224.0.0.252
192.168.0.11 224.0.0.22
192.168.0.11 173.192.226.196
192.168.0.11 96.17.237.177
255.255.255.255 0.0.0.0
192.168.0.11 64.94.107.64
224.0.0.252 192.168.0.11
192.168.0.11 174.137.34.100
192.168.0.11 239.255.255.250
192.168.0.11 23.3.68.139
127.0.0.1 127.0.0.1
192.168.0.11 173.192.226.197
192.168.0.11 184.73.247.29
192.168.0.11 199.47.216.177
0.0.0.0 255.255.255.255

...

Thrashing memory with queries...(Part I)

12.07 No comments

These are some event log search queries. They all trash my memory in any Powershell session.
I have written them down for some reason. Probably so I can evolve more elegant solutions to such queries in the future.

foreach ($i in @("a","b","c","d","e")) {if ($i) {rv -ea 0 $i}}
$start=(get-winevent -log security -max 1).TimeCreated
$a=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)})
$c=(get-winevent -ea 0 -log System -max 10000) | Select TimeCreated,ProcessID,ThreadID,Message
$d=(get-winevent -ea 0 -log Application -max 10000) | Select TimeCreated,ProviderName,Message
$b=$a | Select TimeCreated,ProcessID,ThreadID, `
@{Name="Port";Expression={($_.Message | findstr /C:"Source Port:").replace("Source Port:"," ")}}, `
@{Name="Application";Expression={($_.Message | findstr /C:"Application Name:").replace("Application Name:"," ")}}
$e=@()
$e=($b + $c + $d) | sort -desc -property TimeCreated
$a.count;$b.count;$c.count;$d.count;$e.count
$e | ft -auto -wrap TimeCreated,Application,ProcessID,ThreadID,Port,Message

# $start=(get-winevent -log security -max 1).RecordID
# $a=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)})
# $b | where Application -match 'dropbox.exe' | ft -auto
# ($a | ? {$_.RecordID -gt $Start} | % {$_.Message | findstr /C:"Source Port"} ).count
# $b=$a | % {write "$($_.TimeCreated) : PID=$($_.ProcessID) : $($_.Message | findstr /C:"Source Port") : $($_.Message | findstr /C:"Application Name:")"}
# $b=$a | Select TimeCreated,ProcessID, @{Name="Port";Expression={($_.Message | findstr /C:"Source Port")}}, @{Name="Application";Expression={$_.Message | findstr /C:"Application Name:"}}

$s = New-PSWorkflowSession
Invoke-Command $s {
workflow Invoke-ParallelForEach
{
foreach -parallel ($i in 0)
{
InlineScript
{
"foo: $using:i"
}
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var | export-csv -path C:\ps1\application.csv
}
}
}
Invoke-Command $s { Invoke-ParallelForEach -PSComputerName localhost }

workflow getwinevent
{
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var | export-csv -path C:\ps1\application.csv
}
getwinevent

[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
gc]::gettotalmemory(0)/1MB
[gc]::collect(2)
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var | export-csv -path C:\ps1\application.csv
[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)

$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var | export-csv -path C:\ps1\application.csv

The Best Way to Bypass the Great Firewall of China (Windows and Linux)

02.18 Censorship, china, Firewall, Freegate, Great Firewall of China, Hotspotshield, Software, Tip of the Day, VPN No comments

FreeGate is the way to go to freely use the Internet in China

Update: Click here for my review of other VPNs and Proxies

If you have plans on going to China for vacation, or living there for any length of time, you will need to prepare to visit the Great Firewall of China. Visiting this tourist attraction is mandatory! As most people know, many websites are blocked in China. Mostly websites related to social interaction such as Facebook, Twitter, Google+ and most the popular blogging platforms such as Wordpress and Blogger (which means if you are reading this, you are either not in China, or you have already figured out a way to bypass the Great Firewall of China.

I have lived in China now for a year and have tried many different tools to try to use the internet freely. I have tried various VPNS, Hotspot Shield and Freegate. The best (and freest) is Freegate.

Read article »

DOJ National Security Division Pursuing Cyber Espionage

16.19 feds, law, spying No comments

I just read Justice Department trains prosecutors to combat cyber espionage by Sari Horowitz, writing for the Washington Post. The article makes several interesting points:

Confronting a growing threat to national security, the Justice Department has begun training hundreds of prosecutors to combat and prosecute cyber espionage and related crimes, according to senior department officials.

The new training is part of a major overhaul following an internal review that pinpointed gaps in the department’s ability to identify and respond to potential terrorist attacks over the Internet and to the rapidly growing crime of cyber espionage, the officials said, describing it for the first time.

In recent weeks, Justice has begun training more than 300 lawyers in Washington and nearly 100 more across the county in the legal and technical skills needed to confront the increase in cyber threats to national security...

Under the reorganization, teams of specialized lawyers within NSD in Washington will work with other agencies, the military and companies facing cyber intrusions. They will develop protocols for the intelligence community and federal agents in how to deal with private companies that are victims of cyber attacks. The issues revolve around how to build possible prosecutions within guidelines covering information sharing, privacy and civil liberties.

At least one prosecutor in each of the 94 U.S. attorney’s offices around the country has been designated and will be trained to gather evidence and prosecute cyber espionage and similar Internet-related cases.

This is very interesting if the focus is truly on cyber espionage cases. DOJ persecutes physical espionage cases routinely (albeit with difficulty due to the nature of the laws). Cyber espionage cases are almost never pursued. Working with private companies will be key to this problem, and that aspect is mentioned specifically in the article.

Let's see what happens!

tutorial about web security computer networking

Kamis, 30 Agustus 2012

My Role in Information Warfare during the Yugoslav Wars

Sabtu, 25 Agustus 2012

Less Thrashing; More Queries (Part II)

Rabu, 22 Agustus 2012

Thrashing memory with queries...(Part I)

Sabtu, 18 Agustus 2012

The Best Way to Bypass the Great Firewall of China (Windows and Linux)

Kamis, 09 Agustus 2012

DOJ National Security Division Pursuing Cyber Espionage

Label

Arsip Blog

Recent Posts