DNR's Suggested Readings

No explicit questions like "how do I hack xxx.com" please!
DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Law Enforcement Guide to Linux - Nice Linux tutorial - 51pgs 131kb
http://digitalnomad.suck-o.net/DNR/red/ ... ro-LEO.pdf
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.


Post by DNR »


PLAYING WITH SHADOWS – EXPOSING THE BLACK MARKET FOR ONLINE GAME PASSWORD THEFT
http://digitalnomad.suck-o.net/DNR/red/feng2008.pdf

A Method for Detecting Windows Rootkits
http://digitalnomad.suck-o.net/DNR/red/ ... ootkit.pdf

Rootkits for JavaScript Environments
http://digitalnomad.suck-o.net/DNR/red/rootkitjava.pdf

hookfinder: identifying and understanding malware hooking
http://digitalnomad.suck-o.net/DNR/red/hookfinder.pdf

Post by DNR »

Smart Grid Cyber Security Strategy and Requirements, September 2009 - 236 pgs 1.4mb
• Media is usually narrowband, limiting the volume of traffic and impacting the types of security measures that are feasible.
• Intelligent Electronic Devices (IEDs) can be limited in compute power, but that is becoming less of an issue as newer, more capable devices become available. However, the large legacy of devices in the field will need to be addressed through mitigating technologies and methods.
• IEDs can be on pole tops and other insecure locations.
• Wireless media is often less expensive than wired media, which means that wireless vulnerabilities exist and will require security controls (either physical or cryptographic) appropriate for wireless.
• None of the communication protocols currently used (primarily Distributed Network Protocol (DNP3) and sometimes International Electrotechnical Commission (IEC) 61850) are typically implemented with security measures, although IEC 62351 (which are the security standards for these protocols) is now available but implementation adoption and feasibility is not yet clear.
• Many of the SCADA Masters may have no way to add security without complete replacement.
• Many devices have no notion of a user or a role, making security management a challenge.
• Often no security event information available from these systems.
• No standard for security events or logging.

..

• IEDs and embedded sensors have limited computing power to authenticate each other.
• If any cryptography can exist in the nodes, it usually consists of a shared key between all devices due to key management constraints.
• Rogue nodes can be added by attackers. These rogue nodes might have much more computing power than the real nodes.
..

• Meters are used for utility revenue, and therefore, revenue protection is a very important issue for utilities.
• Remote connect/disconnect control could be vulnerable to malicious use.

..
See Diagram 3.4 on page 33

..

See diagram 3.6 on page 39
Remember 'HAN' is Home Area Network - DNR

--
The HAN is not controlled or owned by the utility, and should be treated as a hostile network by the AMI meter. Because of this, we recommend that AMI components should not request or accept information from HAN components. We recommend that AMI components should only push traffic to the home area network.

--

Mobile code should not be used in the configuration for management interfaces for components on the AMI system. Example: HTTP Web interface for AMI network aggregator.

--

In general, do not use domain name system (DNS) services on an AMI system. Host-based name resolution solutions are the recommended practice. However, if DNS services are implemented, it is recommended to deploy at least two authoritative DNS servers. The DNS configuration on the host will reference one DNS server as the primary source and the other as the secondary source. Additionally, locate the two DNS servers on different network subnets and separate geographically. If AMI system resources are accessible from external networks, establish authoritative DNS servers with separate address space views (internal and external) to the AMI system resources. The DNS server with the internal view provides name/address resolution services within the AMI system boundary. The DNS server with the external view only provides name/address resolution information pertaining to AMI system resources accessible from external resources. The list of clients who can access the authoritative DNS server with a particular view must also be specified.

--

Host-based name resolution solutions are best practice. This requirement enables remote clients to obtain origin authentication and integrity verification assurances for the name/address resolution information obtained through the service.

--

Appropriate components or programming must be included within the AMI networks to identify potentially malicious address-resolution behavior (e.g., ARP spoofing/cache poisoning). Such behavior should be identified, tracked, and the appropriate incident handling team members alerted.

--

Incident related information must be available, as appropriate, from all components of the AMI system. This information will include activity logs, network logs, and integrity checks.
--

From a system perspective, malicious code protection mechanisms must be deployed in such a manner as to limit the impact of the attack to a small geographical area prior to detection and eradication. These include critical entry and exit points between Wide Area Networks (WAN), Neighborhood Area Networks (NAN), and in-premise networks.

--

For the AMI meters in particular, the Home Area Network (HAN) interface represents an entry point not only into the device but into the utility’s Neighborhood Area Network (NAN) as well. The AMI meter must ensure that no malicious code can pass from the consumer’s HAN to the utility’s NAN. The AMI meter must also protect the consumer’s HAN equipment from any attack which attempts to propagate malicious code utilizing the utility’s NAN.
Field tools represent a potentially higher risk due to their portability and likelihood of being connected to numerous networks. If not properly secured and controlled, they can be a mechanism to bypass security controls and allow malicious code to be transported from one security zone to another.

--

2. All signature files and definitions for malicious code detection mechanisms used within the AMI system shall be updated automatically from a centralized managed trusted source.
3. Centralized configuration management and change control shall be employed for all AMI system assets.
4. Periodic and automatic auditing/verification of configuration (programming parameters, firmware and revision level, etc.) shall be performed for all AMI system assets.
5. All detection of and actions taken within the AMI system to respond to malicious code shall be logged to a centralized repository.

--

6. Intrusion Detection System (IDS) capability shall be installed within each Neighborhood Area Network (NAN) network segment to monitor incoming and outgoing network traffic, including anti-virus, anti-spyware and signature and anomaly-based traffic monitors.
7. Access Control Lists (ACL) shall be employed at all points which bridge Neighborhood Area Network (NAN) segments to Wide Area Networks (WAN) to limit incoming and outgoing connections to only those necessary to support the AMI system.
8. Dynamic packet filtering shall be employed at all points which bridge Neighborhood Area Network (NAN) segments and Wide Area Networks (WAN).
9. The transfer of executable files through the perimeters of the Neighborhood Area Network (NAN) and the Wide Area Network (WAN) shall be restricted.
10. All components of the AMI system or any device connected to the AMI network shall employ host hardening, including patch application and security-minded configurations of the operating system (OS), browsers, and other network-aware software. All components of the AMI system or any device connected to the AMI network shall employ integrity checking mechanisms for firmware/software.

--
15. The AMI meter or gateway device shall not allow uploading of any executable code from the consumer’s HAN.
--

All AMI system components shall be capable of periodically performing automated self-test of the security functions at predefined intervals.
1. Any failure of the component self-test shall result in a security event being logged and reported to the appropriate logging system (for further details, see requirement "2.14.4 System Monitoring Tools and Techniques").
2. Any failure of the component self-test shall result in the component transitioning to a safe state including:
   1. Inhibiting all control capabilities of the component.
   2. Inhibiting all communications initiated within the HAN to the NAN.
   3. Inhibiting all relaying/repeating functionality of the component.
http://digitalnomad.suck-o.net/DNR/red/ ... ergrid.pdf

SCADA networks, HAN networks are upcoming technologies to study for. This has a higher chance of being implemented as 'green' tech.

DNR

Post by DNR »

Exploiting 802.11 Wireless Driver Vulnerabilities on Windows - 40pgs - 2006
http://digitalnomad.suck-o.net/DNR/red/ ... wswifi.pdf
This chapter describes the tools and strategies used by the authors to identify 802.11 wireless device driver vulnerabilities. Section 3.1 provides a basic description of the 802.11 protocol in order to provide the reader with information necessary to understand the attack surface that is exposed by 802.11 device drivers. Section 3.2 describes the basic interface exposed by the 3.0 version of the Metasploit Framework that makes it possible to craft arbitrary 802.11 packets. Finally, section 3.3 describes a basic approach to fuzzing certain aspects of the way a device driver handles certain 802.11 protocol functions.
..
Although Ethernet devices (and their drivers) have been around forever, the simplicity of what the driver has to handle has greatly limited the attack surface. Wireless drivers are required to handle a wider range of requests and are also required to expose this functionality to anyone within range of the wireless device.
Good read on wifi connectivity.

DNR

Post by DNR »

Killer night, can of red bull and some tunes (Red Hot Chili Peppers, U2, Cheap Trick)

Sensor Networks, vuln
http://digitalnomad.suck-o.net/DNR/red/sensoraccess.pdf

Kernel Mode payloads on Windows 34pgs 2006
http://digitalnomad.suck-o.net/DNR/red/ ... indows.pdf

Proactive Attacker Localization in Wireless LAN
http://digitalnomad.suck-o.net/DNR/red/ ... driver.pdf

Analyzing Network Traffic To Detect Self-Decrypting Exploit Code
http://digitalnomad.suck-o.net/DNR/red/ ... detect.pdf

De-anonymizing the Internet Using Unreliable IDs
http://digitalnomad.suck-o.net/DNR/red/ ... mizing.pdf

Internet Access to Home Area Networks
http://digitalnomad.suck-o.net/DNR/red/ ... etwork.pdf

Attacking SMM Memory via Intel® CPU Cache Poisoning
http://digitalnomad.suck-o.net/DNR/red/ ... he_fun.pdf

Post by DNR »

going to be a long night..

Your Botnet is My Botnet: Analysis of a Botnet Takeover - 13pgs 1.8mb
http://digitalnomad.suck-o.net/DNR/red/torpig.pdf

Post by DNR »

Last edited by DNR on 05 Oct 2009, 20:42, edited 1 time in total.

Post by DNR »

Structured Peer-to-Peer Overlay Networks: Ideal Botnets Command and Control Infrastructures?
http://digitalnomad.suck-o.net/DNR/red/ ... botnet.pdf

Post by DNR »

Combatives, tactics - 233pgs 5.4mb
http://digitalnomad.suck-o.net/DNR/red/combatives.pdf
lots of illustrations - thanks to Gogeta

Optimal Spatial Reuse in Mobile Ad Hoc Networks 122pgs
http://digitalnomad.suck-o.net/DNR/red/ ... otocol.pdf
Last edited by DNR on 07 Oct 2009, 23:00, edited 1 time in total.

Post by DNR »

Sensor Technology and UGV Operations – Lessons Learned from the Urban Challenge
http://digitalnomad.suck-o.net/DNR/red/ ... echugv.pdf

Switched UAV-UGV Cooperation Scheme for Target Detection
http://digitalnomad.suck-o.net/DNR/red/ ... uavugv.pdf

Reconnaissance, Surveillance, and Target Acquisition in the UGV/Demo II Program
http://digitalnomad.suck-o.net/DNR/red/ugvsurveil.pdf

Experiments of trajectory generation and obstacle avoidance for a UGV
http://digitalnomad.suck-o.net/DNR/red/obs_ugv.pdf

Connectivity Constrained Multi-UGV Surveillance
http://digitalnomad.suck-o.net/DNR/red/multiugv.pdf

Concurrent Performance of Gunner’s and Robotic Operator’s Tasks in a Simulated Mounted Combat System Environment
http://digitalnomad.suck-o.net/DNR/red/gunnerugv.pdf

UGV Roundup 2008
http://digitalnomad.suck-o.net/DNR/red/08_ugv.pdf

Intimate Control for UAV and UGV Rendezvous and Docking
http://digitalnomad.suck-o.net/DNR/red/dockugv.pdf

Assessing the Impact of Bi-directional Information Flow in UGV Operation: A Pilot Study
http://digitalnomad.suck-o.net/DNR/red/ ... ionugv.pdf

Post by DNR »

The Networked Soldier

Every Soldier is a sensor
http://digitalnomad.suck-o.net/DNR/red/ ... r08_04.pdf

Future Soldier 2030 Initiative
http://digitalnomad.suck-o.net/DNR/red/ ... oldier.pdf

Force XXI Battle Command Brigade and Below (FBCB2)
http://digitalnomad.suck-o.net/DNR/red/ ... _FBCB2.PDF

FBCB2 brochure
http://digitalnomad.suck-o.net/DNR/red/ ... _sales.pdf

How FBCB2 Fits Into the Digitized Battlefield
http://digitalnomad.suck-o.net/DNR/red/ ... ower00.pdf

Communications and Electronics Support in the Digitized Division
http://digitalnomad.suck-o.net/DNR/red/fbcb2/abcs.pdf

LynxOS Support U.S. Army Communications
http://digitalnomad.suck-o.net/DNR/red/fbcb2/lynux.pdf

One Semi Automated Forces - overview
http://digitalnomad.suck-o.net/DNR/red/ ... eSAF04.pdf

Jamming is no longer enough - Development Testing for Army C4I Systems
http://digitalnomad.suck-o.net/DNR/red/ ... amming.pdf

SINCGARS Radio Based Situation Awareness (RBSA)
http://digitalnomad.suck-o.net/DNR/red/fbcb2/RBSA.pdf

SINCGARS - brochure
http://digitalnomad.suck-o.net/DNR/red/ ... GARS01.pdf

SINCGARS - manual
http://digitalnomad.suck-o.net/DNR/red/fbcb2/sincar.pdf

Suggested SOP for SINCGARS
http://digitalnomad.suck-o.net/DNR/red/ ... nc_sop.pdf

Simulated SINCGARS Panel User Guide
http://digitalnomad.suck-o.net/DNR/red/ ... inc_10.pdf

KGV-72 Encryption Device
http://digitalnomad.suck-o.net/DNR/red/fbcb2/KGV-72.pdf

EPLRS Technical Description and Characteristics - Enhanced Position Location Reporting System (EPLRS)
http://digitalnomad.suck-o.net/DNR/red/fbcb2/EPLRS.pdf

EPLRS User Systems
http://digitalnomad.suck-o.net/DNR/red/ ... S_user.pdf

FM24-41.zip Tactics, Techniques, and Procedures for the Enhanced Position Location Reporting System (EPLRS)
http://digitalnomad.suck-o.net/DNR/red/ ... M24-41.zip

Post by DNR »

Tactical Local Area Network (LAN) Management 4.5mb 5 chapters
http://digitalnomad.suck-o.net/DNR/red/tacLAN.zip

Tactical Tactics, Techniques, and Procedures for the Tactical Internet 2.26mb - 11 chapters
http://digitalnomad.suck-o.net/DNR/red/tacINTERNET.zip

FM24-12 Tactical Comms 565kb 8 chapters
http://digitalnomad.suck-o.net/DNR/red/FM24-12.zip

DEPLOYABLE COMMUNICATIONS STANDARDS-PACAF INITIAL COMMUNICATIONS PACKAGE (PICP) 19pgs
http://digitalnomad.suck-o.net/DNR/red/ ... ommset.pdf

TACTICAL GENERATOR OPERATION 177pgs
http://digitalnomad.suck-o.net/DNR/red/ ... ndbook.pdf

AN/UGC-144 COMMUNICATIONS TERMINAL 216pgs
http://digitalnomad.suck-o.net/DNR/red/ugc-144.pdf

AN/URC-119(V) HF COMMUNICATIONS SYSTEM 130pgs
http://digitalnomad.suck-o.net/DNR/red/pacer-bounce.pdf

TERMINAL, COMMUNICATIONS AN/UGC-74A(V)3 226pgs
http://digitalnomad.suck-o.net/DNR/red/ ... -guide.pdf

Combat safety guidelines 41pgs
http://digitalnomad.suck-o.net/DNR/red/ ... earned.pdf

SHELTER SYSTEM, COLLECTIVE PROTECTION, CHEMICAL-BIOLOGICAL: INFLATABLE, TRAILER-TRANSPORTED, M51 298pgs
http://digitalnomad.suck-o.net/DNR/red/ ... manual.pdf

AIR FORCE NATIONAL SECURITY EMERGENCY PREPAREDNESS PROGRAM (AFNSEP) 185 pgs
http://digitalnomad.suck-o.net/DNR/red/ ... hdbook.pdf

STATIONARY BATTERY BANKS 104pgs
http://digitalnomad.suck-o.net/DNR/red/batt-banks.pdf

ELECTROMAGNETIC INTERFERENCE
http://digitalnomad.suck-o.net/DNR/red/usmc-EMI.pdf

Radio Set AN/PRC-127 128pgs
http://digitalnomad.suck-o.net/DNR/red/ ... manual.pdf

High Altitude Electromagnetic Pulse (HEMP) Hardening in Facilities 50pgs
http://digitalnomad.suck-o.net/DNR/red/ ... dening.pdf

Infantry Leader Battle book 197pgs
http://digitalnomad.suck-o.net/DNR/red/battlebook.pdf

Safety Standards, Electrical
http://digitalnomad.suck-o.net/DNR/red/ ... safety.pdf

RADIO SETS: AN/VRC-12+ tech manual 637pgs
http://digitalnomad.suck-o.net/DNR/red/ ... echman.pdf

AN/TSC-107 COMMUNICATIONS CENTRAL 74pgs
http://digitalnomad.suck-o.net/DNR/red/tsc-107.pdf

Air Force SatComm 228pgs
http://digitalnomad.suck-o.net/DNR/red/afsatcomm.pdf

E-Mail over HF Radio 6pgs
http://digitalnomad.suck-o.net/DNR/red/ncs-hfemail.pdf

USAF GLOBAL HIGH FREQUENCY (HF) SYSTEM -645 pgs
http://digitalnomad.suck-o.net/DNR/red/GHFS.pdf

Metropolitan Medical Strike Team (MMST) 272pgs
http://digitalnomad.suck-o.net/DNR/red/ ... -guide.pdf

Urban Search and Rescue (US&R) Incident Support Team (IST) 242 pgs
http://digitalnomad.suck-o.net/DNR/red/ ... istops.pdf

COMMUNICATIONS-ELECTRONICS (C-E) MANAGER’S HANDBOOK 179 pgs
http://digitalnomad.suck-o.net/DNR/red/ ... ndbook.pdf

Emergency Employment of Army, Mil Support to Civil Authorities 23pgs
http://digitalnomad.suck-o.net/DNR/red/ARNG-MSCA.pdf

THE MEDICAL NBC BATTLEBOOK 303 pgs
http://digitalnomad.suck-o.net/DNR/red/ ... lebook.pdf

MEDICAL MANAGEMENT OF RADIOLOGICAL CASUALTIES 152pgs
http://digitalnomad.suck-o.net/DNR/red/ ... ogical.pdf

MEDICAL MANAGEMENT OF CHEMICAL CASUALTIES 162 pgs
http://digitalnomad.suck-o.net/DNR/red/ ... emical.pdf

MEDICAL MANAGEMENT OF BIOLOGICAL CASUALTIES 135pgs
http://digitalnomad.suck-o.net/DNR/red/ ... ogical.pdf

Post by DNR »

Introducing Stealth Malware Taxonomy
http://digitalnomad.suck-o.net/DNR/red/ ... xonomy.pdf

Detection of an HVM rootkit (aka BluePill-like)
http://digitalnomad.suck-o.net/DNR/red/detectHVM.pdf

Wireless Security What Works and What Doesn't
http://digitalnomad.suck-o.net/DNR/red/ ... -final.pdf

Intrusion Prevention from the Inside Out
http://digitalnomad.suck-o.net/DNR/red/insideout.pdf
(lots of links)

A Testing Methodology for Rootkit Removal Effectiveness
http://digitalnomad.suck-o.net/DNR/red/ ... itmeth.pdf

Rootkit-Resistant Disks
http://digitalnomad.suck-o.net/DNR/red/rootresist.pdf