Sunday, April 25, 2010

Raeted R Reincarnation!

Before reincarnating this blog, some explanations are due. I have been meaning to make a comeback to this blog, but travel for work and personal life kept me busy. I am a changed man from 2005 when I started this blog. I am engaged (much wiser - wink wink) and have lots of things to share especially after conducting forensic investigations for many different kinds of companies.

So why the comeback? I met some really interesting folks at the security cons last year (DEFCON and SecTor) and just last weekend at Thotcon in Chicago. I am inspired by the work of so many folks in this field and I feel a strong urge of sharing and discussing security with them, hence a comeback to twitter and blog. I still don't plan to post very regularly, but I would like to write when twitter's 140 words aren't enough for my thoughts and when I am done with all the Fiancé wedding planning duties for the week :)

What started in year 2005 was a dream... a dream of working and contributing in the field of Information Security. It was September 5, 2005 when I started this blog and it was mainly to share the security write-ups and tools found via daily surfing.

Little did I know that I will eventually land a job in Information Security working with the very people I used to read about and better yet, get to work in the field of Digital Forensics investigating financial fraud. It all started when Nicholas (Nick) Percoco was recruiting for Security Operation Center (SOC) Engineer in January 2006. I was one of the lucky candidates chosen by Titan Recruiting to have an interview opportunity with Nick. I don't quite remember what I said or displayed in the interview that Nick decided to hire me , perhaps it was the desire and passion for security that reflected somewhere in the interview (Thanks Nick)

I started working for AmbironTrustWave (ATW, now Trustwave) on February 6, 2006 as a Security Engineer. The job was to help design and maintain firewalls and intrusion detection systems for our fortune 500 clients. It was a great learning experience under the guidance of Stewart Williams (da Checkpoint Guru) and Zachary Lammers (The Attack). ATW was growing by the day so the company decided to hold lots of cross training sessions to meet the high demand. Rob Havelt's Penetrating Testing training was one that I learned the most from and developed interest in offensive security.

In summer of 2007, there was an opening for Forensics Consultant at ATW. Out of all the positions ATW, I always wanted to get into Forensics, perhaps because that department always kept their doors locked and my curiosity led to a greater interested in Forensics. Anyhow, I saw an internal email about the Forensics position, I jumped on it and one of my really long emails to Mark Shelhart (Practice Manager of Forensics at ATW at the time) got me an interview and the rest as they say is history. Thank you Mark.

Forensics was tough but my very patient colleagues, Chris Johnson and Colin Sheppard were always there when I got stuck on a case. In 2008, I discovered a new form of attack for Point of Sale devices in one of the high profile cases. Colin who became the Practice Manager of Forensics then, encouraged me to write a whitepaper on it. Thanks to him, that paper took me places and encouraged me to do even better. First it got published by Visa in Oct 2008, then the talks at DEFCON and SecTor with Nick in our Malware Freakshow Preso.

In 2009, Chris Pogue joined our team. This is when Colin, Chris and I along with other big players in Forensics started being loud about the methodology shift required in Forensics as highlighted in Chris' Blog post. The acceptance of Chris' Sniper Forensics talk at various conferences proves that our initiative is not going in vain.

The biggest credit to at least my development and learning in the field of incident response/forensics goes to this one blog, Windows Incident Response by Harlan Carvey. I visit many blogs but this is one blog that is constantly updated and can always be counted for original content. He is also the author of Windows Forensics Analysis book.

So this was pretty much the explanation behind the absence from the blog. This field keeps getting fascinating with every new case. The bad guys are getting better but to be honest, the white hats are closing the gap. As they say, "You scan my ports, I sniff your packets". Just like bad guys need one hole to break in, the good guys need just one mistake to catch the trail. Game ON!

Labels: ,

Thursday, March 05, 2009

New attack vector

In the past, I have highlighted top tools and write-ups resulting from my surfing on message boards and security sites. I am extremely pleased to share my own finding with you. This finding was published by my company and also by Visa as a security alert for their merchants.

The executive summary of the finding is that attackers are stealing credit card data from Point of Sale environments by going to RAM. They are using open source process dumpers on the executable files which process credit card data e.g. if they know that the payment application in use is named "poscreditcards.exe" or "cctransactions.exe" then they would dump that process and save the data in a dump file. As a followup, they are running custom made credit card data parsers to get just credit cards in an output file from those dump files. Its a pretty neat technique to remain safe from antivirus software since this is something not malicious in nature and with the custom code from credit card parsers, this attack vector could remain hidden from antivirus and even the eye of Security Administrators for a long time.

Here are the two links for more info:

1. Visa Data Security Alert - Memory Parsing

2. Emerging Threat: Parsing Track Datafrom RAM


Jibran Ilyas

Labels: ,

Friday, May 30, 2008

Six Top Sec Tools

MetaSploit, Splunk, Google, KeePass, Helix and Netwox.

Read more here

My fav: Netwox cuz it can do all of the following:
  • Sniff packets
  • Grab files via HTTP
  • Attempt a brute force crack on an FTP server
  • Use Netwox as a back door on an system
  • Spoof packets
  • Even compute cryptographic hash of a file

Thursday, February 28, 2008

I woke up today and said to myself ...

... I will do SQL injection today. Its an intimidating term looking from far out, but as you get closer its more of a 'duh' than a 'nah'

So you do countless readings on SQL injection, yet you are unsure?? Well, you are on the right planet ... people here make these cool videos to explain these concepts.

Pictures are worth a thousand words, hence videos are worth ... ? think about frames per second :) Here is a video of an SQL Injection hacking challenge:

What's a forum: The open air urban space(s) in ancient Roman cities, generally rectangular in shape, defined by the porticoes and civic buildings at its perimiter, and used for marketplace and public interaction, particularly 'civic discussion'


Wednesday, January 16, 2008

My router protects me ... think again!!!

So all your inbound connections are blocked by the router by default right? Yes ... Is UPnP turned on by default? Yes (90%)

So, if you have UPnP enabled, you are susceptible to funny attacks ... lets say your router's DNS servers could be changed so that when you go to, it will take you to or it can create port forwarding rules ... in other words, the attack can 0wn your network.

Fix: Simply turn off UPnP on your router.

More info:,141399/printable.html


Wednesday, November 28, 2007

sec apps

some nice security tools there...

Thursday, October 04, 2007

Dig Deeper for malware

I am not sure about you, but i have always been skeptical of these antivirus software cuz they haven't raised their level when the blackhats just keep getting better. Here is a collection of tools to detect hidden processes, doing file integrity and other stuff that your AV won't do.

Enjoy ; it has got source codes too !

edit: add helios to the list