Maltego 2 and beyond - Part 1

08 09 2008

EDIT: This and the following posts are also show notes for the Season 4 premiere of Hak5

So Maltego 2 has been released and all I have to show for it are these images stolen from paterva.com

 

and a bit of an explanation also stolen from their site:

But you aren’t here for what you can find on their site. You are here to find out why Maltego is fun, useful, and something you might want to recommend that your boss/secretary/parents buy.

Maltego is hard to define because of its open nature. It is designed to be whatever the information gatherer wants it to be. But before we go into Maltego’s super powers, let’s define the differences between its two versions, Full and Community.

Full is just as it implies. Unfettered. You can make it fly. But it’s 400 bucks a year per client. (Or your organization can talk straight to Paterva about their server/client platform.)

Community Edition is free, but you are locked down quite a bit. Community Edition is bundled with Back|Track 3, which is done by the awesome guys over at Offensive Security. Here are the nags:

  • A 15-second nag screen
  • Save and Export has been disabled
  • Limited zoom levels
  • Can only run transforms on a single entity at a time
  • Cannot copy and paste text from detailed view
  • Transforms limited to 75 per day
  • Throttled client to TAS communication

However, if you do have one full-version client, you can open saved investigations (mtg files) with it and manipulate them all you want.

So that is just one of my tricks. Now that we have a baseline down (kinda like getting done with all of your base classes in college), in the following segments of this post I will be showing off some of the electrolyte-driven goodness of Maltego and some of the hacks/tricks that will make you wonder just what you can’t do with Maltego.


Google Docs Bug

07 09 2008

So, instead of doing this the right way, which is submitting a bug report to Google, I am going to do this the blogger way:

  1. Publish article to blog about problem in product
  2. Wait for traffic to rise on blog
  3. Become giddy at rise in traffic due to outstanding title
  4. Watch as traffic falls within days
  5. Become angry and write retort (in said blog, still not contacting the company) getting mad about the STILL unfixed problem

Actually, that’s a lie; here is what I reported to Google after I wrote the above statement:

This problem only happens in a specific sequence of events, but can be easily reproduced. 

  1. User 1 opens a Google Doc that is collaboratively edited.
  2. User 1 closes the browser (with the save-session feature enabled).
  3. User 2 opens the same Google Doc and makes an edit to it.
  4. User 2 saves the new edits (through AutoSave, save/close, or save).
  5. User 1, at any point after this save (User 2 doesn’t have to have the document closed), opens the saved-session browser, and it opens the old version of the doc. If User 1 then waits long enough for AutoSave to do its thing, or save/closes it, then the document is saved in its old state.

This can easily be fixed by reverting via revision history to the “newer” version, but also can easily go unnoticed. A suggestion for a fix would be a nice popup on User 1’s screen saying that there is a newer version of that document available.

If you have a fix, please leave a comment. I would really hate to find out that this is a simple preferences setting.
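The sequence above is the classic lost-update race: the restored tab writes text based on a revision the server has already moved past. The following is an added example (not Google's code and not from the post) that replays the five steps against a naive last-writer-wins store and against one that carries a revision number and refuses a save from a stale session, which is the usual fix behind the "newer version available" popup suggested above. The document, the two users and their edits are constructed here for illustration.

```python
# Added example (not Google's code, not from the post): the lost-update race in
# the five reproduction steps above, replayed against a naive last-writer-wins
# store and against a store that refuses saves based on a stale revision.
# Document, users and edits are constructed here for illustration.
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


class StaleRevision(Exception):
    """Raised when a tab tries to save on top of a revision it never loaded."""


@dataclass
class Document:
    text: str
    revision: int = 0
    history: List[Tuple[int, str]] = field(default_factory=list)

    def commit(self, text: str) -> None:
        """Record the current state in revision history, then advance."""
        self.history.append((self.revision, self.text))
        self.revision += 1
        self.text = text


@dataclass
class Session:
    """What a browser tab holds: the text it loaded and the revision it loaded."""
    user: str
    text: str
    revision: int


def open_session(doc: Document, user: str) -> Session:
    return Session(user, doc.text, doc.revision)


def has_newer_version(doc: Document, session: Session) -> bool:
    """The popup the post asks for: the server has moved past what this tab saw."""
    return doc.revision > session.revision


def naive_save(doc: Document, session: Session, new_text: str) -> None:
    """Last writer wins: the tab's stale text silently overwrites the newer one."""
    doc.commit(new_text)
    session.text, session.revision = new_text, doc.revision


def checked_save(doc: Document, session: Session, new_text: str) -> None:
    """Compare-and-set: refuse the write if the tab is behind the server."""
    if has_newer_version(doc, session):
        raise StaleRevision(
            f"{session.user} loaded r{session.revision}, server is at r{doc.revision}"
        )
    doc.commit(new_text)
    session.text, session.revision = new_text, doc.revision


def replay(save: Callable[[Document, Session, str], None]) -> Document:
    """Run the post's five steps with the given save policy and return the doc."""
    doc = Document("draft v1")
    user1 = open_session(doc, "user1")           # 1. User 1 opens the doc
    # 2. User 1 closes the browser; the restored session keeps user1 as is
    user2 = open_session(doc, "user2")           # 3. User 2 opens the doc
    save(doc, user2, "draft v2 (user2 edit)")    # 4. User 2 saves an edit
    try:                                         # 5. User 1's restored tab
        save(doc, user1, user1.text)             #    AutoSaves its old text
    except StaleRevision:
        pass                                     # the checked store rejects it
    return doc


if __name__ == "__main__":
    lost = replay(naive_save)
    print("naive store  :", lost.text, "| history:", lost.history)
    kept = replay(checked_save)
    print("checked store:", kept.text, "| history:", kept.history)
```

With the naive store the document ends up back at "draft v1" while User 2's edit survives only in the revision history, which matches the "revert via revision history" recovery described above; with the revision check, User 1's stale AutoSave is refused and the newer text stays current.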


Notepad is a virus

07 09 2008

Original Article: http://sunbeltblog.blogspot.com/2008/09/how-to-make-notepadexe-malicious-file.html

Alex Eckelberry over at Sunbelt got an itch to see which antivirus vendors were just using packer signatures instead of emulating the unpacking process and detecting the virus inside. This is a shortcut that can yield false positives, as demonstrated in Alex’s experiment, but is done, I assume, because of the overhead such an undertaking would introduce to the client software.

I bring this up here because I recently conducted a somewhat similar test, although I admittedly know very little about packers. I submitted a couple of No-CD cracks that I got from an unnamed source (GameCopyWorld.com) to VirusTotal.com to see if they had viruses, and all of them came back positive. I doubted these findings since they were mostly labeled “Trojan.Downloader” and similar generic names. I then used Sunbelt’s very own CWSandbox and a few local tools to determine whether the trojan downloaders I had were actually that. All tests came back stating no network connections, packed by UPX, and minimal DLL calls, which were all used to display Windows GUIs.
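To make concrete what a "packer signature" verdict rests on, here is an added example (not Sunbelt's test, not CWSandbox, and not from the post): a minimal walk of the PE section table plus a byte-entropy measure, the two things a cheap UPX signature typically keys on. The PE images are constructed by hand in the script so it runs offline; their section layout (UPX0/UPX1 names, a high-entropy body) mimics what UPX leaves behind, and the sample names are illustrative only. The point it shows is that the same check fires identically on any two UPX-packed files, so "packed" is all it can honestly report; what is inside stays unknown until something actually unpacks it.

```python
# Added example, not Sunbelt's test and not from the post: what a crude packer
# signature actually looks at, and why it answers "packed?" rather than
# "malicious?". The PE images are constructed by hand below (no real binary is
# read) so the script runs offline; their layout mimics what UPX leaves behind
# (UPX0/UPX1 section names and a high-entropy compressed body).
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed or encrypted data, low for plain code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Minimal PE section-table walk; returns [(name, raw_bytes), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (nsections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_signature(image: bytes) -> dict:
    """The shortcut the post describes: fire on UPX section names or on a
    near-incompressible section, without unpacking anything."""
    entropies = {name: round(shannon_entropy(raw), 2) for name, raw in pe_sections(image)}
    upx_names = any(name.startswith("UPX") for name in entropies)
    high_entropy = any(e > 7.0 for e in entropies.values())
    return {"sections": entropies, "looks_packed": upx_names or high_entropy}


def build_pe(sections) -> bytes:
    """Assemble a header-only PE32 image around (name, raw_bytes) sections.
    Constructed for this example only; the result is not loadable."""
    opt_size = 224                                       # PE32 optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)    # raw data after the table
    headers, bodies = [], []
    for idx, (name, raw) in enumerate(sections):
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode(), len(raw),
                                   0x1000 * (idx + 1), len(raw), ptr,
                                   0, 0, 0, 0, 0x60000020))
        bodies.append(raw)
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + b"".join(headers) + b"".join(bodies)


def pseudo_compressed(n: int, seed: int) -> bytes:
    """Deterministic stand-in for a compressed payload (high entropy)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: the same UPX layout around two different payloads, and an
# unpacked image with ordinary low-entropy code. No real program is involved.
PACKED_NOTEPAD = build_pe([("UPX0", b""), ("UPX1", pseudo_compressed(4096, 1)), (".rsrc", b"\0" * 256)])
PACKED_UNKNOWN = build_pe([("UPX0", b""), ("UPX1", pseudo_compressed(4096, 2)), (".rsrc", b"\0" * 256)])
UNPACKED = build_pe([(".text", bytes(range(16)) * 256), (".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, image in [("packed notepad", PACKED_NOTEPAD),
                         ("packed unknown", PACKED_UNKNOWN),
                         ("unpacked", UNPACKED)]:
        print(f"{label:15}", packer_signature(image))
```

Both packed images get the same `looks_packed` verdict although their payloads differ entirely; that is exactly the false-positive shape of Alex's experiment. A scanner that stops here is signing the packer, not the program, and the sandbox-style behavioural checks mentioned above (network connections, DLL imports) are the cheapest way to look past it.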

Alex’s article and my recent research renewed my desire to learn more about packers. Where to start? Wikipedia. Nope! Wikipedia’s article on runtime packers hasn’t been written yet. I haven’t stopped searching for a good resource on the topic, but if anyone knows one, please leave a comment and a link.

Thanks


Chrome all polished up

07 09 2008

Just like its LOVELY auto-download feature, Google Chrome slipped in a new version. I was testing out some of the latest and greatest posts of exploits for .27 and they were failing to work. Checked my version and, lo and behold, a new version number was displayed. I didn’t upgrade; it was all done automagically. (Evilgrade, anyone?)

I wonder what will pop on this new version.


LinkedIn Unavailable

07 09 2008

For some reason LinkedIn has become unavailable:

 

Earlier, when going to LinkedIn, I was greeted by a wizard saying that they would be performing upgrades tonight. I guess they didn’t go as well as planned. As a security addict, though, I always have that sinking feeling when a server is down. Especially one that has personal information about so many people.

Hope it’s nothing

Fear it’s bad

It’s nothing WINS! (We’re doing some front-end network maintenance, on the loadbalancer which hosts the Wizard page. We should be back soon.) -- via commenter