Hmm smells fishy. Remember that my wife’s yahoo account was hacked after someone from her friend’s hacked YM asked her to check out the pictures on his flicker. In just a minute, her username and password was harvested by the hacker and we have to call Yahoo just to retrieve the credentials.

You wont notice that this is a bogus page.

http://picasaphotos21.t35.com/photoalbum.htm

hmmm, ok. Not your usual Google URL and looks like a subdomain of t35.com

Let’s check out www.t35.com

Boom!!! t35.com is a free website service. So the hacker uses a free web service to host his fake Google Picasa page. The minute you entered your Google Account username and password it will be harvested.

How will you identify if the page is bogus or not? Here are some of the basic steps that you can use:

1. Google always use webpage SSL certificates. You will notice that the URL starts with https://…. instead of http://… on its page authentication.

2. Update your internet browsers. New browsers are intelligent enough if the SSL certificates is fake or not.

3. Always check the URL of the page. Most of the hackers uses free web service hosting to host their bogus site.

Internet security awareness will always save your butt and your hard earned ADS payments.

So how the hacker did it???? It was just a simple page that collects username and password. But he is skilled on “social engineering”. At first you will not notice anything because the flow of conversation is friendly.

The yahoo mail phishing webpage was so simple. Last night i debug the page by using fiddler2, a free web debugging tool. So after the victim entered the username and password and clicked the fake Sign On button, the account information will be then be saved in a clear text file that the hacker then can retrieve and used to logon unto the victim’s account. After that he will change your password and 0wn your account.

Debugging yahoo mail phishing page using Fiddler2

Saves username and password on clear text

So if you are a victim of such incident, call Yahoo Customer Service, email them and never forget all information that you used during the creation of your account, alternate email, pet’s name, birthday, etc. War against cyber crime is true so always be on guard.

http://ymphotos.my3gb.com/yahoo.html

The page looks like a yahoo mail login page. She then mistakenly entered her username and password.. and boom, her account was hacked.

The hacker then used my gf’s yahoo account and chat her friends in yahoo messenger asking again for a load. After a series of conversation on one of her friends. A former officemate in Manila called her and asked if she were in the Philippines and if she is online on YM. They were puzzled why would she then asked for a cellphone load. Rachel notified me to check her Yahoo  but no avail, the hacker already changed the password.

I tried to reset the password but she forgot her alternate email. We called yahoo’s customer service but they are already closed for the day.

We spent the night changing all of our account’s password and calling friends not to chat her YM ID just to avert further damage.

Fee: Php56,000.00 (Inclusive of 12%VAT, Training Materials, Certificate and AM/PM Snack and Lunch)

Venue: 25^th Flr. Unit 2502b West Tower, Philippine Stock Exchange, Ortigas Center Pasig City

CPE credits: 32 | Level: Introductory | Prerequisites: Basic computer skills. Advance preparation for this course is not required.

This hands-on course involves practical exercises and real-life simulations. The class provides participants with an understanding of the proper handling of digital evidence from the initial seizure of the computer/media to acquisition, and then progresses to the analysis of the data. It concludes with archiving and validating the data. Delivery method: Group-Live.

Students attending this course will learn the following:

• What constitutes digital evidence and how computers work
• An overview of the EnCase Computer Forensic Methodology
• Basic structures of the FAT and NTFS file systems
• How to create a case and how to preview/acquire media
• How to conduct basic keyword searches
• How to analyze file signatures and view files
• How to restore evidence
• How to archive files and data created through the analysis process
• How to prepare evidence for presentation in court
• How to verify the evidence file

WHO SHOULD ATTEND

This course is intended for IT security professionals, litigation support and forensic investigators Participants may have minimal computer skills and may be new to the field of computer forensics.

DAY 1 OUTLINE	DAY 2 OUTLINE
Ø EnCase Concepts · Case File · Evidence File · Case File Backup · Configuration Files Ø What constitutes Digital Evidence · Computers as an instrumentality of the crime · Computers as a repository of evidence · Examples of mediums of storing digital evidence Ø How Computer Works · Power Sequence o BIOS o POST o Etc. · Bits/Bytes/Hex/Binary Ø Encase Navigation Ø Diskette Preview / Acquisition · Create Case · Options Day one provides an understanding of the proper handling of digital evidence from seizure to acquisition. Students receive a basic overview of how computers function, as well as the constitutes digital evidence	Ø NTFS/FAT File Systems · How these file systems track data · What happens when a file is created · What happens when a file is deleted Ø Creating a Boot Disk · Why a forensically sound boot disk is needed · Components of a forensically sound boot disk Ø Hard Drive Preview and Acquisitions · Physical disk versus logical drive · Fastbloc · DOS based via disk to disk · DOS based via crossover cable Ø Creation of Keywords and Searching · Global versus Case Specific · Selecting Keywords · Selecting where/what to search · Viewing results Ø Bookmarking/Preserving Findings · Highlighting sections of data · Pointing to file(s) Day two begins with a discussion of the FAT file systems as well as an overview of the NT file system. Hard disk acquisition is covered, using both a forensically sound boot diskette, as well as a hardware write blocking device. Attendees will learn how to properly preview a computer system prior to acquisition, as well as explore keyword searching and bookmarking of relevant data.
DAY 3	DAY 4
Ø File Types · Icons/Description column Ø Bookmarking Techniques · Pointing to file(s) · Comments · Organizing Report Ø Signature Analysis · Search Button · All or Selected · Compares Extension to Header · Interpreting results Ø Installing External Viewers · Link Application to EnCase · Can link file extensions to Application Ø Copy/Unerase Options Ø Restoring Evidence Ø Reacquiring an Evidence File · Don’t need original hardware to change options · Quick Reacquisition Day three includes more complex bookmarking of data, and examination of file signatures to accurately identify file types. Attendees will install external viewers within EnCase and learn how to copy data from within an evidence file. Students learn how to restore an evidence file back to physical media and reacquire an evidence file with different options.	Ø Archiving/Reopening an Archived Case · What to archive · Specify path to EnCase of Evidence file to reopen case Ø Verification of Evidence File · Change 1 bit; EnCase detects change · Manually re-verify at any time Ø Timeline · Define four Date/Time stamps Ø Windows Artifacts · User Accounts · Recently Accessed Files · Internet Cache · Desktop/My Documents Ø Searching Unallocated Space · Use file header for image · Display image Day four explores how to archive a completed case, as well as how to reopen this case if needed in the future. Attendees will observe how EnCase can detect and identify any changes to the content of an evidence file, as well as take a detailed look at the Timeline view within EnCase. Pertinent areas of interest within the Windows operating system and user accounts are explored as well as locating data in unallocated space.

EnCase® v6 Computer Forensics II on June 16-19, 2008

Fee: Php56,000.00 (Inclusive of 12%VAT, Training Materials, Certificate and AM/PM Snack and Lunch)
Venue: 25^th Flr. Unit 2502b West Tower, Philippine Stock Exchange, Ortigas Center Pasig City
CPE credits: 32 | Level: Intermediate | Prerequisites: EnCase® Computer Forensics I. Advance preparation for this course is not required.

This hands-on course is designed for investigators with strong computer skills, prior computer forensics training, and experience using the EnCase forensic software. This course builds upon the skills covered in the EnCase Computer Forensics I course and enhances the examiner’s ability to work efficiently through the use of the unique features of EnCase.
*Students must understand evidence handling; the structure of the evidence file; creating and using case files; data acquisition methods including DOS based, hardware write protected, crossover cable and disk to disk; recovering deleted files and folders in a FAT environment; keyword searches across logical and physical media; creating and using EnCase bookmarks; file signatures and signature analysis; and locating and understanding Windows® artifacts. Delivery method: Group-Live.

Focusing on investigations common to the private sector, students will learn about the following:

• How to create and use of logical evidence files
• How to locate and recover deleted partitions and folders
• How to conduct keyword searches and advanced searches using GREP
• Students will gain an understanding of the EnCase Virtual File System (VFS) and Physical Disk Emulator (PDE)
• Students will learn about the Windows® Registry
• Students will learn how to deal with compound file types
• How to export files, directories and entire volumes
• How to identify files using hash values and building hash libraries
• How to identify Windows XP operating system artifacts such as link files, recycle bin, and user folders
• How to prepare reports and evidence for presentation in court
• How to recover artifacts such as swap files, file slack, and spooler files
• How to recover printed and faxed pages

WHO SHOULD ATTEND

This course is intended for IT security professionals, litigation support and forensic investigators. Participants should have attended the EnCase Computer Forensics I.

DAY 1	DAY 2
Ø How the EnCase Evidence File is Stored and Verified Ø Encase Forensic Edition Overview · Data flow · Navigating EnCase Ø Logical Evidence Files · What are they? · Why would I use them? · How to create them Ø Single Evidence Files · What are they? · Why would I use them? · How to create them Ø Software Write Protection · Fast Bloc SE Ø Introduction to NTFS · Understanding the Windows® New Technology File System Ø Handling Formatted or Repartitioned Media Ø Partition recovery · Folder Recovery Day one provides an understanding of EnCase concepts. Students will learn how an evidence file is acquired, verified, added to a case, and stored. They will learn how to create and use logical evidence files and single evidence files. Students will receive hands-on imaging training using FastBloc SE.	Ø Hash Analysis · Using file hashes to improve accuracy and efficiency Ø Compound files · An overview of compound files · Mounting compound files · Searching compound file types Ø - Windows Registry · Appropriate keywords · How EnCase searches the evidence file Ø VFS / PDE · Using Virtual File System · Using Physical Disk Emulator Ø Using GREP to focus searches. GREP allows the examiner to create concise keywords using control characters, reducing false positives and increasing efficiency. Day two introduces the students to the process of analyzing the evidence. The hashing of files both as a means of identification and as a tool to speed up the searching process is covered. Students also take a first look into the Windows Registry and learn how, why and when to use VFS and PDE. We continue to build on the students’ skill sets, moving from general keyword searches and file type analysis to advanced keyword searches using GREP.
DAY 3	DAY 4
Ø Quickly locating file system artifacts unique to the NTFS file system Ø De-constructing link files to reveal artifacts that indicate the who, what, when and where of file manipulation. Ø E-mail recovery and examinations including Microsoft Outlook, Outlook Express and Ø web based e-mail. Ø Recovering and analyzing e-mail attachments Ø Internet history concepts and analysis using Internet Explorer Ø Understanding and recovering documents that have been printed Ø Recycle Bin analysis to reveal important information about deleted files Day three moves to specific analysis of common artifacts that cannot normally be locatedthrough keyword searches. This analysis can often provide vital information to investigations by revealing data that can provide a clear indication of a user’s activities. We look at how EnCase handles common e-mail files and Internet history.	Ø Handling and acquiring Flash Memory and artifacts Ø Reporting · How and what to report after the investigation is completed · Using bookmarks we created to prepare a written report within the EnCase interface · Exporting the report in an HTML or other format On day four students learn how to utilize all of the techniques from the previous days to create a readable, coherent report using EnCase.

ENROLL NOW!

GLOBALKNOWLEDGE PHILIPPINES, INC.
2502B West Tower, PSE Bldg. Exchange Road, Ortigas Center, Pasig City, Philippines 1600
Tel. Nos. (632) 683-0969; 637-3657; 0920-709-8298
Email: Sandra@globalknowledgeph.com YM: Sandra_medalla@yahoo.com

Install tcsh. Perl needs the csh shell to execute SARA
#wget http://mirror.muntinternet.net/pub/slackware/slackware_source/a/tcsh/tcsh-6.15.00.tar.bz2
#bunzip2 tcsh-6.15.00.tar.bz2
#tar xvf tcsh-6.15.00.tar
#cd tcsh-6.15.00
#./configure
#make
#make install
#ln -sf /usr/local/bin/tcsh /bin/csh

Download and install SARA
#wget http://www-arc.com/sara/downloads/sara-7.5.2.tgz
#tar xvzf sara-7.5.2.tgz
#cd sara-7.5.2
#./configure
#make
#make install

Add sara user
./add_user

Scan a host
./sara -a4 <ip.address>

Run SARA in daemon mode
./sara -D

Now browse to http://localhost:666

im starting to like PostgreSql…

My Toshiba Satellite M50 laptop now runs Backtrack v3 Linux!!!! The installation manual was straightforward although i have to mess around with lilo bootloader and the computer’s mbr. Copying the livecd’s xorg.conf to my HD installed xorg.conf fixed the LCDs resolution

Download and install Nessus rpm package from the Nessus download page

[root@nessus chris]# rpm -ivh Nessus-3.0.6-es5.i386.rpm
Preparing… ########################################### [100%]
1:Nessus ########################################### [100%]
nessusd (Nessus) 3.0.6. for Linux
(C) 1998 – 2007 Tenable Network Security, Inc.
Processing the Nessus plugins…
[##################################################]
All plugins loaded
- Please run /opt/nessus//sbin/nessus-add-first-user to add an admin user
- Register your Nessus scanner at http://www.nessus.org/register/ to obtain
all the newest plugins
- You can start nessusd by typing /sbin/service nessusd start

[root@nessus chris]#

Add the first Nessus user, it will be the admin account

[root@nessus chris]# /opt/nessus/sbin/nessus-add-first-user
Using /var/tmp as a temporary file holder
Add a new nessusd user
———————-

Login : admin
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules

———-

nessusd has a rules system which allows you to restrict the hosts
that admin has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser(8) man page for the rules syntax
Enter the rules for this user, and hit ctrl-D once you are done :

(the user can have an empty rules set)

Login : admin
Password : ***********
DN :
Rules :
Is that ok ? (y/n) [y] y
user added.

Thank you. You can now start Nessus by typing :

/opt/nessus//sbin/nessusd -D

Start Nessus service daemon

[root@nessus chris]# /opt/nessus/sbin/nessusd -D &
[2] 1454
[root@nessus chris]# nessusd (Nessus) 3.0.6. for Linux
(C) 1998 – 2007 Tenable Network Security, Inc.

Processing the Nessus plugins…
[##################################################]
All plugins loaded
[2]- Done /opt/nessus/sbin/nessusd -D

[root@nessus chris]#

Obtain your Nessus registration code in the Nessus website and register your nessus installation.

[root@nessus chris]# /opt/nessus/bin/nessus-fetch –register putyourregcodehere
Your activation code has been registered properly – thank you.
Now fetching the newest plugin set from plugins.nessus.org…
Your Nessus installation is now up-to-date.
If auto_update is set to ‘yes’ in nessusd.conf, Nessus will
update the plugins by itself.

[root@nessus chris]#

If you want a Windows-based Nessus admin console. Download and install Nessconnect