
Release of Spider

14 Posts
6 Users
0 Likes
970 Views
hogfly
(@hogfly)
Posts: 287
Reputable Member
Topic starter
 

http://www.cit.cornell.edu/computer/security/tools/

A colleague of mine wrote a tool called Spider. I mentioned it here about a year ago. The tool has been released to the public in a few different flavors.

Right now it runs on Linux (full source available) and Windows (source code coming soon). OS X is under active development.

How do we use this tool?

1) Under NY law, businesses and other institutions have to notify the public if there is a reasonable belief that there is sensitive data on a machine and it was accessed by unauthorized individuals. The tool *by default* searches for SSN and CC# - two of the major items that are commonly found on computers. You can add your own regular expressions for more searching.
We use it extensively in security incidents involving intrusions.

2) Pre-emptive sensitive data removal. Run the tool against your machine *before* you get compromised to remove the unnecessary sensitive data (think of all of the stolen laptops out there).

 
Posted : 09/10/2006 7:11 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

hogfly,

Very cool. I can't tell you how many times I could have used something like this.

Is this for live systems? I'm assuming so, as I haven't read completely through the docs, but I don't see anything that specifically says "dd image" or points to interfacing with EnCase or ProDiscover.

Either way, it looks interesting. If it's for live systems, I'd think that it would be most useful to IT admins and the like, rather than first responders. After all, you don't want to be mucking with the last access times on all the files on the system prior to imaging (if that's what you're going to do).

I'll definitely be interested in the source…

 
Posted : 09/10/2006 7:40 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
Topic starter
 

Harlan,
hmm a best practices doc is in order methinks.

Can it be used live? Yes, but I sure as heck wouldn't in an incident since it stomps on access times.

We use it after the disk image has been created in order to search for sensitive materials so you are right, it isn't generally used by first responders.

It can be used on a loopback mounted dd image in linux. I wouldn't use it in windows unless you're using a write blocker or unless you are using it under the second scenario I listed.

We stick to dd images as our standard so I don't think any thought was given to programs like EnCase :)

 
Posted : 09/10/2006 7:54 pm
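A minimal illustration of what the two hogfly posts above describe (default SSN and credit-card regexes, your own patterns added alongside, the scan run over a loop-mounted dd image instead of a live machine), as an added example that is not Spider's code and was not written by anyone in this thread. It assumes the image has already been mounted read-only, e.g. `mount -o ro,loop,noatime,offset=<partition byte offset> image.dd /mnt/evidence`, so the scan cannot disturb access times; the exact regexes, the Luhn filter on card candidates and the sample file contents are my own constructions, not the tool's defaults.

```python
"""Added example (not Spider's code): scan a directory tree for SSN and
credit-card patterns, Luhn-check the card candidates, accept extra regexes.

Intended use, assumed invocation (run on the mount point, never a live box):
    mount -o ro,loop,noatime,offset=<bytes> image.dd /mnt/evidence
    python3 scan.py /mnt/evidence
Opening files read-only still updates atime on a read-write mount, which is
why the thread warns against running a scan like this before imaging.
"""
import os
import re
import sys
import tempfile
from typing import Dict, List, Pattern, Tuple

# Default patterns in the spirit of the tool's SSN and CC# defaults (forms assumed).
DEFAULT_PATTERNS: Dict[str, Pattern[bytes]] = {
    # AAA-GG-SSSS, excluding area/group/serial values that are never issued
    "ssn": re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13 to 16 digits with an optional single space or dash between digits
    "cc": re.compile(rb"\b(?:\d[ -]?){12,15}\d\b"),
}

Hit = Tuple[str, int, str]  # (pattern name, byte offset, matched text)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_bytes(data: bytes, patterns: Dict[str, Pattern[bytes]] = DEFAULT_PATTERNS) -> List[Hit]:
    """Apply every pattern to one buffer; card candidates must also pass Luhn."""
    hits: List[Hit] = []
    for name, rx in patterns.items():
        for m in rx.finditer(data):
            text = m.group(0).decode("ascii", "replace")
            if name == "cc" and not luhn_ok(re.sub(r"[ -]", "", text)):
                continue  # right shape, wrong check digit: almost certainly not a PAN
            hits.append((name, m.start(), text))
    return hits


def scan_tree(root: str, patterns: Dict[str, Pattern[bytes]] = DEFAULT_PATTERNS) -> Dict[str, List[Hit]]:
    """Walk root and return {path: hits}. Files are opened read-only; unreadable
    ones are reported on stderr and skipped rather than aborting the run."""
    findings: Dict[str, List[Hit]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError as exc:
                print(f"skip {path}: {exc}", file=sys.stderr)
                continue
            hits = scan_bytes(data, patterns)
            if hits:
                findings[path] = hits
    return findings


# Constructed sample content; the card number is the well-known Visa test PAN.
SAMPLE = (
    b"Name: Jane Doe\n"
    b"SSN: 123-45-6789\n"
    b"Card: 4111 1111 1111 1111\n"   # Luhn-valid -> reported
    b"Order: 1234 5678 9012 3456\n"  # 16 digits but fails Luhn -> dropped
    b"Ref: 000-12-3456\n"            # SSN shape with invalid area -> dropped
)


def demo() -> Dict[str, List[str]]:
    """Write the sample into a scratch tree and return {filename: [pattern names]}."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "export.csv"), "wb") as fh:
            fh.write(SAMPLE)
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"nothing sensitive here\n")
        findings = scan_tree(root)
        return {os.path.basename(p): [h[0] for h in hits] for p, hits in findings.items()}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
    else:
        for path, hits in scan_tree(sys.argv[1]).items():
            for kind, off, text in hits:
                print(f"{path}\t{kind}\t@{off}\t{text}")
```

To add your own search, pass a copy of `DEFAULT_PATTERNS` with extra compiled byte regexes to `scan_tree`; only the `cc` entry gets the Luhn filter, so a custom pattern that needs its own validation wants a matching check in `scan_bytes`. Because the scanner reads whole files into memory and does not look inside archives or application databases, it is a demonstration of the regex approach, not a substitute for the tool.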
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I think I'd recommend something like this for use by IT admins…many times, I get the question of "was there sensitive data on the system?", and in the back of my mind, I think, "what…you don't know?"

I'm going to try it against an image file that I have…

 
Posted : 09/10/2006 8:24 pm
schlecht
(@schlecht)
Posts: 46
Eminent Member
 

This is a great idea. While it might not be optimal for live response - I can see using it after the imaging and also as part of configuration reviews. Look at the overall security of a machine to score its risk in light of technical vulnerabilities, but also capturing whether sensitive material is on the machine in question (not just taking somebody's word for it).

I do a lot of pen testing, so this is useful in other ways also.

 
Posted : 09/10/2006 8:37 pm
deckard
(@deckard)
Posts: 77
Trusted Member
 

Looks like a very useful tool. I d/l'd the Linux version and ran it against a small test image; works as advertised.

Look forward to some test lab time with it later in week. Good share

Bill

 
Posted : 09/10/2006 8:37 pm
(@kpryor)
Posts: 68
Trusted Member
 

Just downloaded and tried it. Very good tool for sure. I plan to work some more with it later on. Thanks for the heads up on this.
KP

 
Posted : 09/10/2006 11:20 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I downloaded and installed the Windows version…and saw that it requires .NET. Eesh! What a pain!

 
Posted : 09/10/2006 11:30 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Okay, what I meant by that was this…

Let's say I image a system, and then want to run Spider. I have to install .Net on the system.

Or, if I have LiveView and an image, I still have to install .Net, if the system doesn't already have it…which is many times the case.

So besides changing MAC times, you also have to deal with a 23.1MB download, and an installation.

In the big scheme of things, this is manageable, particularly if the answer is absolutely necessary. However, there has *got* to be an easier way…like having a command line version that you can install on Helix, or run from a CD, that doesn't require .Net…

 
Posted : 10/10/2006 12:59 am
hogfly
(@hogfly)
Posts: 287
Reputable Member
Topic starter
 

Harlan,
Indeed and the linux version meets that need.

 
Posted : 10/10/2006 1:01 am
Page 1 / 2