    Monday, Oct 16, 2017

    Looking for KRACK'd Intel Drivers with PowerShell

    As many people know by now, WPA2 AES was broken by Mathy Vanhoef's excellent work.  I won't go into the details of his research, as you should read it yourself at KRACK Attacks.  Many vendors have been working proactively to put out patches prior to the publication of the vulnerabilities that occurred today.  That being said, there is still a great deal of concern as to whether clients are patched from all sides.

    In response to client concerns about whether the installed versions of Intel WLAN drivers were susceptible to the caveats mentioned in Microsoft's CVE-2017-13080 guidance, I wrote this basic script to query any drivers with the string Intel in their name and return the hostname, driver name, and driver version.  Just add your text file containing a list of hostnames and set your output directory for the results.  Launch the script, tell your boss that you're on it, and come back in a few minutes for a peek at your results file.  With a quick filter in Excel, a sys admin can check all the Intel WLAN drivers on his or her network and whether they are vulnerable to KRACK.

    Apologies in advance for the lousy embedded formatting, but pasting into a text editor will clean up the wrap around mess below.

    # This script pulls back all drivers with the word "Intel" anywhere in the driver name.
    # For a targeted search of Intel Wireless drivers susceptible to KRACK, change "*Intel*" to "*Dual Band Wireless-AC*".
    # CAREFUL though, because you'll miss the AMT entries with this change.
    # See https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00101&languageid=en-fr for vulnerable Intel drivers and fixed versions.

    $Machines = Get-Content "C:\Your\List\of\Hosts.TXT"
    $results = @()

    ForEach ($machine in $Machines)
    {
        # Query the signed PnP drivers on each host and keep only the Intel entries
        $results += Get-WmiObject -ComputerName $machine -Class Win32_PnPSignedDriver |
            Select-Object PSComputerName, DeviceName, DriverVersion |
            Where-Object { $_.DeviceName -like "*Intel*" }
    }

    # -Append adds to an existing file; delete the old CSV first if you want a fresh run
    $results | Export-Csv C:\Your\Desired\Output\Directory\IntelDriverCheck.csv -NoTypeInformation -Append

    See Intel's guidance on vulnerable WLAN drivers and AMT to determine if one of your machines is using a KRACK'd driver.

    See "Does this security update fully address these vulnerabilities on Microsoft Platforms, or do I need to perform any additional steps to be fully protected?"
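    The script above stops at inventory; deciding which hosts are actually exposed still means comparing each driver version against Intel's fixed versions by hand.  The following is an added example (not the script from the post) that does that comparison in PowerShell, queries hosts with Get-CimInstance instead of Get-WmiObject, and records hosts that could not be queried rather than silently skipping them.  The function names, the sample driver records, and the thresholds in $FixedVersions are all constructed for illustration; the thresholds are placeholders to be replaced with the values listed in Intel's INTEL-SA-00101 advisory.

```powershell
# Added example, not the post's script. Compares collected Intel driver records
# against minimum fixed versions. The patterns and versions in $FixedVersions
# are PLACEHOLDERS: fill them in from Intel's INTEL-SA-00101 advisory first.

function Get-IntelDriverInventory {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$NameFilter = '*Intel*'
    )
    foreach ($machine in $ComputerName) {
        try {
            # Get-CimInstance is the current replacement for Get-WmiObject;
            # -ErrorAction Stop turns an unreachable host into a catchable error.
            Get-CimInstance -ClassName Win32_PnPSignedDriver -ComputerName $machine -ErrorAction Stop |
                Where-Object { $_.DeviceName -like $NameFilter } |
                Select-Object @{ n = 'ComputerName'; e = { $machine } }, DeviceName, DriverVersion
        }
        catch {
            # Keep a row for hosts that could not be queried, so the CSV
            # distinguishes "not vulnerable" from "never checked".
            [pscustomobject]@{
                ComputerName  = $machine
                DeviceName    = 'QUERY FAILED'
                DriverVersion = $_.Exception.Message
            }
        }
    }
}

function Test-IntelDriverFixed {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Driver,
        [Parameter(Mandatory)][hashtable]$FixedVersions
    )
    process {
        $status = 'NotInScope'   # driver name matched no pattern in the table
        foreach ($pattern in $FixedVersions.Keys) {
            if ($Driver.DeviceName -notlike $pattern) { continue }
            try {
                # [version] compares field by field, so 20.10.2.2 is greater than
                # 9.0.0.0; a plain string comparison would get that backwards.
                $installed = [version]$Driver.DriverVersion
                $required  = [version]$FixedVersions[$pattern]
                $status = if ($installed -ge $required) { 'Fixed' } else { 'Vulnerable' }
            }
            catch {
                $status = 'UnparseableVersion'
            }
            break
        }
        [pscustomobject]@{
            ComputerName  = $Driver.ComputerName
            DeviceName    = $Driver.DeviceName
            DriverVersion = $Driver.DriverVersion
            Status        = $status
        }
    }
}

# Constructed sample records standing in for Get-IntelDriverInventory output,
# so the comparison logic can be exercised without network access.
$sampleDrivers = @(
    [pscustomobject]@{ ComputerName = 'HOST01'; DeviceName = 'Intel(R) Dual Band Wireless-AC 8260'; DriverVersion = '19.50.1.1' }
    [pscustomobject]@{ ComputerName = 'HOST02'; DeviceName = 'Intel(R) Dual Band Wireless-AC 8260'; DriverVersion = '20.0.0.3' }
    [pscustomobject]@{ ComputerName = 'HOST03'; DeviceName = 'Intel(R) Management Engine Interface'; DriverVersion = '11.7.0.1045' }
)

# PLACEHOLDER thresholds, not Intel's real numbers; key = device-name pattern.
$FixedVersions = @{
    '*Dual Band Wireless-AC*' = '20.0.0.0'
}

$report = $sampleDrivers | Test-IntelDriverFixed -FixedVersions $FixedVersions
$report | Format-Table -AutoSize
# Expected with the sample data: HOST01 Vulnerable, HOST02 Fixed, HOST03 NotInScope.
# For a real run, replace $sampleDrivers with
#   Get-IntelDriverInventory -ComputerName (Get-Content 'C:\Your\List\of\Hosts.TXT')
# and pipe $report to Export-Csv as the post does.
```

    The NotInScope status is deliberate: a driver that matches no pattern (the AMT entries, for example) is reported rather than dropped, so the table of patterns can be extended from the advisory without losing rows in the meantime.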

    Thursday, Apr 6, 2017

    What SANS SEC504 Did For Me

    I’m excited to say that I’ll be teaching SANS SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling this May in Phoenix.  The class will be in the new Multi-Week format starting May 5.  It runs each Friday and Saturday for three weeks (May 5, 6, 12, 13, 19 & 20).  This new format combines instructor-led classroom training with the convenience of maintaining work-life balance and time to absorb the materials presented each week.

    After providing digital forensics services to the corporate sector for almost six years, and being one of the first 350 GCFEs in 2011, I found more and more of my engagements involving the question of “how do we stop this from happening again?”  Already being familiar with the quality of SANS courses and their active participation in the security community, I chose SEC504 as my next class.

    SANS SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling and the accompanying GCIH certification raised my skill set to be more prepared for incidents and set me on a course to easily obtain my CISSP and CISM certifications.  The deep dive into attack techniques, as well as how to prevent and detect such activity, laid the foundation for me to write an incident response script that any Windows admin could deploy easily in their environment when the time came.  The script relies on nothing but native Windows commands.  It collects a combination of current state and forensic artifacts from the host system, packages the information, and sends it to a central location of the client’s choosing.

    I recognize that there are many incident response tools out there, but using what I learned in SEC504 and my forensics background, I was able to 1) write a script that provided me with exactly what I wanted, and 2) understand the ins and outs of quickly triaging systems.  I often deploy the script across an entire environment in cases where patient zero is unknown.  The script allows us to triage the incident, quickly identify suspicious artifacts on hosts, and place those hosts on a short list for a further analysis, including full forensic collection and/or additional monitoring.  Some examples of the script’s output include irregular services like psexec, anomalous user accounts and groups, suspicious account logons, evidence of unauthorized application execution, network connections, hidden shares, running processes, executables in temp directories, and the entire user and machine registries.

    The defensive, or Blue Team, nature of SEC504’s content and the challenge of protecting networks without adversely impacting business operations is what most security teams deal with.  I apply the content I learned from SEC504 daily, and have used it as a springboard to quickly absorb the material necessary for passing other management-focused security certifications like the CISSP and CISM.  I’m still a geek at heart though, and have since gone on to take SEC560: Network Penetration Testing and Ethical Hacking, and FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques.  I plan to take additional SANS courses as the opportunities arise.

    I’m excited to say that I’ll be teaching SANS SEC504 this May in Phoenix.  The class will be in the new Multi-Week format starting May 5.  It runs each Friday and Saturday for three weeks (May 5, 6, 12, 13, 19 & 20).  For more information, visit https://www.sans.org/community/event/sec504-phoenix-48437.  Use HonorHealth10 when registering for a 10% discount.

    Tuesday, Apr 1, 2014

    LTN Cybersecurity Edition Features Vertigrate’s President

    Michael Lombardi, Vertigrate’s President, was featured in two Law Technology News articles, “Feeling Insecure?  Threats to Client Confidentiality Lurk Inside and Outside Your Firm” and “Big Law Reveals the Budgets and Tech Needed to Safeguard Confidential Data”.  The interviews focused on the state of cybersecurity within large law firms and what those firms can do to protect their clients’ data.  Mr. Lombardi focuses on a layered approach to security built on a foundation of well-trained security practitioners. 

    “There is no substitute for grey matter. People, equipped with solid security training, can help firms create a holistic view of how to protect client data,” he says. “By contrast, building a defense around one (or a handful of) security products can lull firms into a false sense of security, or crush them with an avalanche of log data.”

    Visit Vertigrate’s Cybersecurity section for more information on our cybersecurity services.

    Sunday, Sep 1, 2013

    Vertigrate’s Founder Presents Alongside FBI on Topic of Cybersecurity

    Vertigrate’s President, Michael Lombardi, presented alongside the FBI and KPMG to a standing room only crowd on the state of cybersecurity and what law firms can do to protect themselves at the International Legal Technology Association’s Annual Conference.  Mr. Lombardi’s presentation provided specific methodologies to review and harden systems, along with scripts that any technology administrator can use to begin a security assessment of his or her network.

    Visit Vertigrate’s Cybersecurity section for more information on our cybersecurity services.

    Thursday, Aug 1, 2013

    Presidential Aircraft Found to be Target of Fraud

    Vertigrate’s Client Wins Multi-Million Dollar Judgment After Five Week Jury Trial

    When the plaintiff’s Boeing 707-100 series aircraft went in for its C-check, the plaintiffs thought they were being proactive and diligent in maintaining this one-of-a-kind aircraft for their nation’s president.  Only a small number of this classic 1959 aircraft are still in operational condition.  Owners of this rare jet are avid aviators and include the likes of John Travolta.  Unfortunately for our plaintiff, what should have been a two-month process took almost two years of runaway costs and resulted in an aircraft in worse shape than when it arrived.

    Vertigrate’s trial presentation services played an integral role in the award of a multi-million dollar judgment and recovery of attorney’s fees in this five-week jury trial.  With over 1,400 exhibits comprised of 30,000+ documents, photographs, and videos, Vertigrate employed its battle-tested approach to build its standardized, yet highly flexible, trial database in TrialDirector.  Using TrialDirector’s advanced display capabilities, we quickly and easily displayed to the jury up to four documents simultaneously to demonstrate the heart of our case: the fraudulent nature of the defendants’ invoicing scheme.  Vertigrate’s adept use of this four-panel display allowed the trial team to quickly and successively knock the defendants’ witnesses on their heels as they tried to explain away contradictory invoice amounts, including both duplicative and phantom charges.

    Defendants’ counsel, on the other hand, struggled with its presentation of exhibits via an iPad trial presentation app.  Opposing counsel was plagued with display issues, application crashes, and missing exhibits throughout the trial.  iPad apps can serve a useful role in cases, but are often better suited for smaller exhibit sets and straightforward presentations.  We often help attorneys use them for smaller cases, and in larger cases will leverage TrialDirector for iPad to deliver up-to-the-minute exhibit outlines or closing slides to attorneys in the war room, at home, or in the courtroom.  For a case with as much material as this one, though, the tablet-based presentation often caused the jury to focus more on the defendants’ technical difficulties than on any merits their case may have had.

    As a matter of best practice, Vertigrate stays within the bounds of its technology and tools.  We build solid databases that you can rely on in court.  We perform ongoing quality checks of those databases daily leading up to and during trial.  All of our databases are built on standard numbering formats, incorporate existing Bates numbers for any productions, contain the exhibit list description for every potential exhibit, track admitted date, party and witness, and include full text for every available page.  As is often the case, Vertigrate is brought in at the last minute, just before the case goes to trial.  Our approach to building a TrialDirector database allows us to get up to speed on the various hot docs, while utilizing standard conventions for retrieving even the most obscure document based upon a single full-text query or Bates number reference.

    For more information about our services, please visit our Trial Preparation or Trial Presentation pages, or download our white paper on cross-referencing Bates numbers, "Trial Linguistics: Bates Numbers Bridge the Communication Gap".