Post Process

Everything to do with E-discovery & ESI

Archive for the ‘Computer Security’ Category

Science Daily: New Approach to Generating Truly Random Numbers May Improve Internet Security, Weather Forecasts

Posted by rjbiii on February 22, 2010

You read correctly: weather forecasts. The article says this with respect to the importance of randomness:

According to Bernhard Fechner of the University of Hagen, and Andre Osterloh of BTC AG, in Germany, the “quality” of a random number is a measure of how truly random the number is. This quality affects significantly any security or simulation in which it is used. If a so-called random number is not truly random, then someone could predict a security key and crack the Internet encryption on bank accounts, e-commerce sites or secure government websites, for instance. Similarly, if the random numbers used in scientific models of the weather, climate, or the spread of disease and economic boom and bust are predictable, then systematic errors will creep into the models and make the predictions unreliable.
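The quoted paragraph's point, that a key drawn from a predictable generator can simply be recovered, is easy to show in a few lines. The example below is added here and is not from the Science Daily article or the researchers' work: it draws a 128-bit "key" from Python's general-purpose Mersenne Twister seeded with a clock value, then recovers the seed (and so the key) by replaying every second in a plausible window, and it contrasts that with a key from the operating system's CSPRNG via the `secrets` module. The crude monobit check at the end passes for both, which is exactly the distinction the article is drawing: statistical quality and unpredictability are not the same thing. The one-second clock resolution and the one-hour search window are assumptions of the illustration.

```python
import random
import secrets
import time


def weak_token(seed: int) -> int:
    """128-bit 'key' from Python's general-purpose PRNG (Mersenne Twister).
    Its output is statistically excellent but entirely determined by the
    seed, so the key is exactly as unpredictable as the seed and no more."""
    return random.Random(seed).getrandbits(128)


def weak_key_now() -> tuple:
    """The classic mistake: seeding with a second-resolution clock (assumed
    here for illustration). Returns (seed, key) so the demo can check itself."""
    seed = int(time.time())
    return seed, weak_token(seed)


def recover_seed(token: int, seed_lo: int, seed_hi: int):
    """Attacker who knows roughly when the key was made replays every
    candidate seed in [seed_lo, seed_hi) until the output matches."""
    for seed in range(seed_lo, seed_hi):
        if weak_token(seed) == token:
            return seed
    return None


def strong_key() -> int:
    """128-bit key from the OS CSPRNG, which is what key generation should use.
    There is no seed to guess, so the search above cannot even be written."""
    return secrets.randbits(128)


def monobit_ok(value: int, nbits: int = 128, tolerance: float = 0.2) -> bool:
    """Crude statistical check: fraction of one-bits close to 1/2. Both the
    weak and the strong key pass it, which is the point: statistical quality
    is necessary but says nothing about predictability."""
    ones = bin(value).count("1")
    return abs(ones / nbits - 0.5) <= tolerance


if __name__ == "__main__":
    seed, key = weak_key_now()
    found = recover_seed(key, seed - 3600, seed + 1)   # one-hour window
    print(f"weak key recovered: seed={found}, matches={found == seed}")
    print(f"monobit ok: weak={monobit_ok(key)}, strong={monobit_ok(strong_key())}")
```

Replaying 3,600 candidate seeds takes a fraction of a second; a key whose only entropy is "sometime in the last hour" has about 12 bits of security regardless of how random its bits look.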

Posted in Articles, Computer Security, Technology

DIY Cybercrime Kits Cause Surge in Phishing Attacks

Posted by rjbiii on January 20, 2010

USA Today reports that an increase in phishing attacks has been driven by cheap, easy-to-use cybercrime kits:

DIY kits have been a staple in the cyberunderground for some time. But now they’ve dropped in price and become more user-friendly.

“If you know how to download music or a movie you have the necessary experience to begin using one of these kits,” says Gunter Ollman, senior researcher at security firm Damballa.

Indeed, newbie cybercrooks and veterans alike are using DIY kits to carry out phishing campaigns at an accelerated rate, security researchers say. They’ve been blasting out fake e-mail messages crafted to look like official notices from UPS (UPS), FedEx (FDX) or the IRS; or account updates from Vonage, Facebook or Microsoft Outlook (MSFT); or medical alerts about the H1N1 flu virus.

Posted in Articles, Computer Security, Technology, Trends

DECAF for your COFFEE? New tool fights forensics application’s attempt to get your data

Posted by rjbiii on December 16, 2009

Ars Technica posts an article describing the battle that might occur inside your PC:

In response to Microsoft’s Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources, two developers have created “Detect and Eliminate Computer Assisted Forensics” (DECAF), a counter intelligence tool designed to thwart the Microsoft forensic toolkit. DECAF monitors the computer it’s running on for any signs that COFEE is operating on the machine and does everything it can to stop it.

More specifically, the program deletes COFEE’s temporary files, kills its processes, erases all COFEE logs, disables USB drives, and even contaminates or spoofs a variety of MAC addresses to muddy forensic tracks. It can be told to disable almost every piece of hardware on a machine and delete pre-defined files in the background. The 181KB DECAF program even has a ‘Spill the cofee’ mode in which it simulates COFEE’s presence to give the user an opportunity to test his or her configuration before actually using it. Source code for DECAF has not been made available, since the authors fear it will be reverse engineered, making it unclear what else the tool might be doing and whether or not it is completely safe to use.

Posted in Articles, Computer Forensics, Computer Security

Florida Programmer hacks clients’ web cams to collect photos

Posted by rjbiii on August 7, 2008


Marisel Garcia is one of eight or nine women in Gainesville, Florida, who were victims of a webcam voyeurism scheme orchestrated by Craig Feigin using a program called Webcam Spy Hacker.

Craig Feigin, a computer programmer, was hired to fix Marisel Garcia’s laptop. When she got her machine back from Feigin, it had a slew of new problems, so she brought it to another area repairman. One of the new problems was that the computer’s built-in camera light came on every time she was near the machine.

When Marisel Garcia got her computer back, she learned that Craig Feigin had installed a program called Webcam Spy Hacker that was using her computer’s camera to take pictures of her and send them to a Web server. Apparently Feigin had 20,000 photos of Garcia and her friends, in some of which Garcia was not fully clothed.

I guess people think they’re never going to get caught doing things like this. Truly astonishing.

Posted in Articles, Computer Security, Technology, Tools

More details on PI Licensing and Forensics Technicians

Posted by rjbiii on July 1, 2008

An update on the licensing issues discussed here, here, and here, with a couple of helpful links.

First, Kessler International, a company that engages in forensics accounting, computer forensics and corporate investigations, has posted the results of a survey concerning state licensing laws with respect to forensics accounting and computer forensics companies and employees. The results are posted in map form. Click on the state that interests you, and that state’s response pops up in pdf format.

Now, with respect specifically to Texas, you may click here [PDF] to find a series of opinions made by the Private Security Bureau with respect to licensing issues and technical tasks associated with computers. Scroll down and look at those opinions from August 21 to October 18.

Some relevant excerpts (keeping in mind that these are the board’s opinions, and not judicial rulings):

Computer Forensics August 21, 2007
The computer forensics industry has requested clarification of the Private Security Bureau’s position regarding whether the services commonly associated with computer forensics constitute those of an “investigations company” and are therefore services regulated under the Private Security Act (Chapter 1702 of the Occupations Code). It is hoped that the following will be of assistance.
First, the distinction between “computer forensics” and “data acquisition” is significant. We understand the term “computer forensics” to refer to the analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons. We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.
For example, when the service provider is charged with reviewing the client’s computer-based data for evidence of employee malfeasance, and a report is produced that describes the computer-related activities of an employee, it has conducted an investigation and has therefore provided a regulated service. On the other hand, if the company simply collects and processes electronic data (whether in the form of hidden, deleted, encrypted files, or otherwise), and provides it to the client in a form that can then be reviewed and analyzed for content by others (such as by an attorney or an investigator), then no regulated service has been provided.
The Private Security Act construes an investigator as one who obtains information related to the “identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person; the location, disposition, or recovery of lost or stolen property; the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property; or for the purpose of securing evidence for use in court.” Tex. Occ. Code §1702.104. Consequently, we would conclude that the provider of computer forensic services must be licensed as an investigator, insofar as the service involves the analysis of the data for the purposes described above.
With respect to the statutory reference to “securing evidence for use in court,” we would suggest that the mere accumulation of data, or even the organization and cataloging of data for discovery purposes, is not a regulated service. Rather, in this context, the Bureau would interpret the reference to “evidence” as referring to the report of the computer forensic examiner, not the data itself. The acquisition of the data, for evidentiary purposes, precedes the analysis by the computer forensic examiner, insofar as it is raw and unanalyzed. FN1 The mere collection and organization of the evidence into a form that can be reviewed and analyzed by others is not the “securing of evidence” contemplated by the statute.
This analysis is consistent with the language of HB 2833 (Tex. Leg. 80th Session), which amends Section 1702.104. The amendment confirms that the “information” referred to in the statute “includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.”

FN1 It may well be that the hardware on which the data exists is itself the product of an investigation, but that is a separate question.

Computer Network Vulnerability Testing Firms — AMENDED January 15, 2008
This opinion amends the previous opinion issued in June of 2007. The question posed was whether network vulnerability testing firms must be licensed under the Private Security Act, Chapter 1702 of the Texas Occupations Code (“the Act”). Such companies typically conduct:
(1) Scans of computer networks to determine whether there is internet vulnerability or other external risk to the internal network;
(2) Sequential “dial ups” of internal phone numbers to assess potential access;
(3) Risk assessment and analysis on all desktop computers connected to the network;
(4) Notification of any new security threats and required action.
Section 1702.226 of the Occupations Code provides in relevant part, that “[a]n individual acts as a private security consultant for purposes of this chapter if the individual consults, advises, trains, or specifies or recommends products, services, methods, or procedures in the security loss prevention industry.” TEX. OCC. CODE §1702.226 (1).
However, while the Bureau regulates consultants in the “security industry or loss prevention industry,” this latter phrase is not explicitly defined in the statute. It is therefore necessary to look to the rest of the statute in order to understand to which services the private security consultant’s licensure requirement applies.
It is reasonable to consider those industries otherwise regulated by the Private Security Act as reflecting the scope of the phrase “security industry or loss prevention industry.” In other words, the definitions are implied by those services that are regulated by the statute, viz., security guards, locksmiths, alarm system installers and monitors, and private investigators, and not software designers, installers or suppliers.
Thus, the industries that are directly regulated are the same industries about which one cannot consult without a license. Because the Private Security Bureau does not regulate software designers, installers, or suppliers, it also does not regulate those who provide consulting services related to computer network security.
Computer Repair & Technical Assistance Services October 18, 2007
Computer repair or support services should be aware that if they offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators. The review of computer data for the purpose of investigating potential criminal or civil matters is a regulated activity under Chapter 1702 of the Texas Occupations Code, as is offering to perform such services. Section 1702.102 provides as follows:
§1702.104. Investigations Company
(a) A person acts as an investigations company for the purposes of this chapter if the person:
(1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:

(A) crime or wrongs done or threatened against a state or the United States;
(B) the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;
(C) the location, disposition, or recovery of lost or stolen property; or
(D) the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property;
(2) engages in the business of securing, or accepts employment to secure, evidence for use before a court, board, officer, or investigating committee;
(3) engages in the business of securing, or accepts employment to secure, the electronic tracking of the location of an individual or motor vehicle other than for criminal justice purposes by or on behalf of a governmental entity; or
(4) engages in the business of protecting, or accepts employment to protect, an individual from bodily harm through the use of a personal protection officer.
(b) For purposes of subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.
Please be aware that providing or offering to provide a regulated service without a license is a criminal offense. TEX. OCC. CODE §§1702.101, 1702.388. Employment of an unlicensed individual who is required to be licensed is also a criminal offense. TEX. OCC. CODE §1702.386.

Posted in Computer Forensics, Computer Security, Laws, Legislation | 2 Comments

Quantum Encryption: Cutting edge but far from Perfect

Posted by rjbiii on June 16, 2008

An interesting post on quantum encryption is found at arXiv. The post explains why quantum encryption is not bullet-proof:

Here’s one loophole. The security of quantum encryption schemes depends on our inability to make a copy of a quantum state. If that were possible, [the eavesdropper] could make a copy of the message and pass on the original without anybody being the wiser. But in the quantum world, copying anything destroys the original, so the sender and receiver can always tell if they’ve been overheard by examining the error rates in their message. If it rises above a certain limit, the line is not secure.
That would be pretty convincing were it not for our ability to make imperfect copies of quantum states without destroying the original. That’s a loophole that an eavesdropper can exploit to extract information from a quantum message without the sender or receiver knowing. It should work as long as Eve is careful to keep the error rate below the critical limit.

He then points to an outline of a quantum eavesdropper.
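To make the error-rate argument concrete, here is an added simulation (my example, not part of the arXiv post or the paper it links to) of BB84 key exchange with an intercept-resend eavesdropper who touches only a fraction of the qubits. Intercept-resend is a cruder attack than the imperfect-cloning approach the post describes, but it shows the same trade-off: intercepting every qubit drives the quantum bit error rate (QBER) to about 25% and is caught, while intercepting a small fraction keeps the QBER under the abort threshold and still leaks part of the sifted key. The 11% abort threshold is the commonly cited bound for BB84 with standard one-way post-processing; the qubit count and random seed are arbitrary.

```python
import random

BASES = ("+", "x")   # rectilinear / diagonal


def measure(state, basis, rng):
    """Measure a qubit prepared as (bit, basis). Same basis: the bit is read
    out exactly. Different basis: the outcome is a coin flip and the qubit
    collapses into the measurer's basis, which is what Bob later detects."""
    bit, prep_basis = state
    if basis == prep_basis:
        return bit, (bit, basis)
    outcome = rng.randrange(2)
    return outcome, (outcome, basis)


def bb84(n_qubits, eve_fraction=0.0, seed=1):
    """Simulate BB84 with an intercept-resend Eve who measures and re-sends
    only a fraction of the qubits (0.0 = no eavesdropper, 1.0 = all of them).
    Returns sifted-key size, QBER, and the share of sifted bits Eve holds
    correctly (expected 0.75 * eve_fraction: right basis half the time,
    lucky guess half the rest)."""
    rng = random.Random(seed)
    sifted_alice, sifted_bob, eve_correct = [], [], 0
    for _ in range(n_qubits):
        a_bit, a_basis = rng.randrange(2), rng.choice(BASES)
        state = (a_bit, a_basis)
        eve_bit = None
        if rng.random() < eve_fraction:
            eve_bit, state = measure(state, rng.choice(BASES), rng)
        b_basis = rng.choice(BASES)
        b_bit, _ = measure(state, b_basis, rng)
        if a_basis == b_basis:            # sifting: bases compared publicly
            sifted_alice.append(a_bit)
            sifted_bob.append(b_bit)
            if eve_bit == a_bit:
                eve_correct += 1
    n = len(sifted_alice)
    errors = sum(a != b for a, b in zip(sifted_alice, sifted_bob))
    return {
        "sifted_bits": n,
        "qber": errors / n,
        "eve_correct_fraction": eve_correct / n,
    }


QBER_ABORT_THRESHOLD = 0.11   # commonly cited abort bound for BB84


def eavesdropper_detected(result) -> bool:
    """Alice and Bob compare a sample of sifted bits; above the bound they abort."""
    return result["qber"] > QBER_ABORT_THRESHOLD


if __name__ == "__main__":
    for f in (0.0, 0.2, 1.0):
        r = bb84(20000, eve_fraction=f)
        print(f"eve_fraction={f:.1f} qber={r['qber']:.3f} "
              f"eve_knows={r['eve_correct_fraction']:.3f} "
              f"detected={eavesdropper_detected(r)}")
```

At 20% interception the QBER lands near 5%, comfortably below the abort bound, while Eve holds roughly 15% of the sifted bits. That residue is why real protocols follow sifting with error correction and privacy amplification, shrinking the key to squeeze out whatever an eavesdropper could have learned under the observed error rate.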

Posted in Articles, Computer Security, Encryption, Privacy

Companies are taking Forensics in-house

Posted by rjbiii on October 16, 2007

According to an article posted by Dark Reading (annoying ad warning), IT departments are themselves doing more of the intrusion investigations and other tasks traditionally outsourced to experts.

If you think finding out who did what with your data always means calling in high-priced spooks armed with arcane software, think again. The trend is toward placing the power to handle investigations in the hands of enterprises themselves. Why? With security incidents, e-discovery and litigation on the rise across all industries and organizations of all sizes, having tools in-house allows IT to mobilize quickly and address situations before there’s significant impact.

The forensics software landscape has also gotten more inclusive, with enterprise-class investigative tools in the pipeline along with log-analysis software, network monitors, and systems that can aid in investigations and e-discovery involving e-mail. Many of these do double duty, making them easier sells come budget time.

The article also discloses that Guidance Software, producer of EnCase, will soon get a little more competition:

In the forensics space, at least two upstarts are set to rival the enterprise edition of Guidance Software’s Encase, the granddaddy of investigative toolsets. By year’s end, security services provider Mandiant will step into the enterprise incident response arena with its Intelligent Response appliance, and AccessData is also prepping an offering, due in the first half of next year, that will encompass forensics, incident response and e-discovery.

I’m not sure what a product that encompasses “forensics, incident response and e-discovery” will look like (seems like it might be taking too big a bite of the cookie), but I’m willing to reserve judgment for now.

Posted in Articles, Computer Forensics, Computer Security, Discovery

The problem with passwords

Posted by rjbiii on September 25, 2007

I’m sure none of us has ever noticed this before:

Paying bills and buying merchandise online may be convenient but carries a well-known side effect: Too many passwords.

Virtually every secure Web site involved in transacting financial information requires a username and password. Your credit cards. Your mortgage. Your auto loan. Your phone. Your cell phone. Your bank account. Your 401(k) account. Your brokerage account. Your health insurance account. Your prescription drug provider. Shopping sites. Hotel reservation sites. Airline reservation sites. You get the idea.
Over the years, estate attorneys have discovered a lesser-known side-effect: Some people go to their graves preserving their passwords, leaving relatives and representatives of their estates with no knowledge of how to access the various accounts – or even which accounts exist.

(emphasis added)

I’m pretty good about remembering passwords, yet I’ve had to call certain vendors to re-set on a number of occasions. While processing evidence, we often come upon password protected files. While there are a number of apps that take advantage of back-door routes, often the only answer is brute force. At some point, I’ll look at password protected files in the context of the legal standard of “reasonably accessible.”

Posted in Computer Security, Password Protection

Want to crack a password fast?

Posted by rjbiii on September 10, 2007

To all those EDD operators who run up against password protection, and can’t get past it, try Ophcrack.

The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. The Geekwisdom password strength meter rates it “mediocre”.

New toys…and new fears. [HT: Slashdot]
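Ophcrack gets its speed from precomputed rainbow tables, a time/memory trade-off that pays off against unsalted hashes such as the Windows LM and NTLM hashes it targets. The block below is an added toy version, not code from Ophcrack or from the post quoted above: it builds a table over a four-digit PIN space with SHA-1 standing in for the password hash, inverts hashes with it, measures how much of the keyspace the table covers, and shows that a per-user salt makes the table useless. Keyspace, chain length and chain count are chosen so the whole thing runs in a second or two.

```python
import hashlib
import random

KEYSPACE = 10_000      # toy keyspace: the four-digit PINs "0000".."9999"
CHAIN_LEN = 60         # hashes per chain (the "time" side of the trade-off)
NUM_CHAINS = 800       # chains stored (the "memory" side)


def toy_hash(pw: str) -> str:
    """Stand-in for an unsalted password hash such as LM or NTLM."""
    return hashlib.sha1(pw.encode()).hexdigest()


def reduce_to_key(h: str, column: int) -> str:
    """Column-dependent reduction function: maps a hash back into the
    keyspace. Using a different function per column is what makes this a
    rainbow table (fewer chain merges) rather than a plain Hellman table."""
    return f"{(int(h[:12], 16) + column) % KEYSPACE:04d}"


def build_table(seed: int = 7) -> dict:
    """Precompute NUM_CHAINS chains of alternating hash/reduce steps and
    store only endpoint -> [start passwords]. Done once, offline."""
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = pw = f"{rng.randrange(KEYSPACE):04d}"
        for column in range(CHAIN_LEN):
            pw = reduce_to_key(toy_hash(pw), column)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target_hash: str):
    """Invert target_hash using the table; None if the table does not cover it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: the password sits in this column. Walk to the chain end.
        pw = reduce_to_key(target_hash, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_to_key(toy_hash(pw), later)
        for start in table.get(pw, ()):
            # Endpoint matched. Regenerate the chain from its start and test
            # each password on it; merges make false alarms possible.
            cand = start
            for col in range(CHAIN_LEN):
                if toy_hash(cand) == target_hash:
                    return cand
                cand = reduce_to_key(toy_hash(cand), col)
    return None


def success_rate(table: dict, samples: int = 200, seed: int = 3) -> float:
    """Fraction of random PINs the table recovers from their hash alone."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pin = f"{rng.randrange(KEYSPACE):04d}"
        hits += lookup(table, toy_hash(pin)) == pin
    return hits / samples


def salted_hash(pw: str, salt: str) -> str:
    """A per-user salt defeats the precomputation: the attacker would need a
    separate table for every salt value, so the table above never matches."""
    return toy_hash(f"{salt}${pw}")


if __name__ == "__main__":
    table = build_table()
    print(f"{NUM_CHAINS} chains x {CHAIN_LEN} steps cover "
          f"{success_rate(table):.0%} of {KEYSPACE} PINs")
    print("cracked 4711 ->", lookup(table, toy_hash("4711")))
    print("salted 4711  ->", lookup(table, salted_hash("4711", "u7")))
```

The table stores 800 entries yet recovers roughly nine out of ten PINs, because each stored endpoint stands for sixty passwords. LM hashes are worse than this toy in every respect: no salt, uppercased input, and the password split into two independent seven-character halves, which is why a "strong" fourteen-character password falls in minutes.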

Posted in Computer Security, Password Protection

Forensically Sound?

Posted by rjbiii on July 28, 2007

According to ISec Partners, Inc., forensic software (specifically, EnCase and The Sleuth Kit) that many forensics teams use is not as secure as it ought to be. From a post on D’Technology Weblog:

The San Francisco security company has spent the past six months investigating two forensic investigation programs, Guidance Software Inc.’s EnCase, and an open-source product called The Sleuth kit. They have discovered about a dozen bugs that could be used to crash the programs or possibly even install unauthorized software on an investigator’s machine, according to Alex Stamos, a researcher and founding partner with Isec Partners.

Researchers have been hacking forensics tools for years, but have traditionally focused on techniques that intruders could use to cover their tracks and thwart forensic investigations. The Isec team has taken a different tack, however, creating hacking tools that can be used to pound the software with data, looking for flaws.

ISec has yet to divulge the exact nature of the flaws, but will reveal some details at the upcoming Black Hat convention in Las Vegas. The Black Hat website says that the Isec discussion will make these points:

  • Forensic software vendors are not paranoid enough. Vendors must operate under the assumption that their software is under concerted attack.
  • Vendors do not take advantage of the protections for native code that platforms provide, such as stack overflow protection, memory page protection, safe exception handling, etc.
  • Forensic software customers use insufficient acceptance criteria when evaluating software packages. Criteria typically address only functional correctness during evidence acquisition when no attacker is present, yet forensic investigations are adversarial.
  • Methods for testing the quality of forensic software are not meaningful, public, or generally adopted. Our intention is to expose the security community to the techniques and importance of testing forensics software, and to push for a greater cooperation between the customers of forensics software to raise the security standard to which such software is held.

Along with this information is the announcement that:

We will release several new file and file system fuzzing tools that were created in support of this research, as well as demonstrate how to use the tools to create your own malicious hard drives and files.

Some of you may have seen an earlier article concerning anti-forensic tools that are already widely used. From that article:

The investigator (who could only speak anonymously) wonders aloud what other networks are right now being controlled by criminal enterprises whose presence is entirely concealed. Computer crime has shifted from a game of disruption to one of access. The hacker’s focus has shifted too, from developing destructive payloads to circumventing detection. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

An InfoWorld article mentions that The Sleuth Kit has already patched the flaws, so those bugs will be revealed. How much detail is given on the deficiencies found in EnCase depends much upon what actions Guidance has taken by the time of the conference.

Guidance Software, in the person of Larry Gill, has now publicly responded to these concerns:

As a result of this extensive testing regimen, they were able to identify six test scenarios, out of “tens of thousands” of test scenarios run, that apparently revealed minor bugs, in some cases for which there are straightforward workarounds, in our EnCase® Forensic Edition software. All of the testing involved intentionally corrupted target data that highlighted a few relatively minor bugs. The issues raised do not identify errors affecting the integrity of the evidence collection or authentication process, or the EnCase Enterprise process (i.e., the operation of the servlet code or the operation of the SAFE server). Moreover, the issues raised have nothing to do with the security of the product. Therefore, we strongly dispute any media reports or commentary that imply that there are any “vulnerabilities” or “denials of service” exposed by this report.

One additional point of interest in Mr. Gill’s response, as noted in a Slashdot post, may cause those concerned with legal issues to pause. Here is Mr. Gill’s 5th point:

5. EnCase Had Difficulty Reading Intentionally Corrupted NTFS File System Directory.

Response: This issue involves the authors intentionally corrupting an NTFS file system to create a “loop” by “replacing a directory entry for a file with a reference to the directory’s parent directory.” Experienced forensic examiners are trained to identify such instances of data cloaking. The purposeful hiding of data by the subject of an investigation is in itself important evidence and there are many scenarios where intentional data cloaking provides incriminating evidence, even if the perpetrator is successful in cloaking the data itself. The chances of this specific scenario occurring in the field are extremely remote, but Guidance Software will test and, if verified, place this anomaly in its development queue to be addressed in the future.

I think it obvious that the “masking” or “cloaking” of data is not always evidence of wrongdoing. The slashdot post takes issue with such an argument in this manner:

That begs the question: if one cloaks data by encrypting it, exactly what incriminating evidence does that provide? And how important is that evidence compared to the absence of anything else found that was incriminating? Are we no longer allowed to have any secrets, even on our own systems?

As Michael Caloyannides wrote in his book, Computer Forensics and Privacy, “[t]he right to privacy is not a ‘cover for crimes,’ as some law enforcers would assert.”

As a final thought, I would emphasize that flaws in software are likely the least important item in any basic civil discovery process. An element of trust is imbued within the whole concept of civil discovery, and while strict forensic methodologies and tools are sometimes required, they are not typically necessary. What any discovery team should be focused on is the reasonable nature of the total process, from data collection to data processing to document review. The processes used should reasonably be expected to find relevant documents, and initial assumptions (such as data custodians and search criteria) should undergo a verification process to ensure their effectiveness. But this is a discussion for another post.
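Returning to the technical core of the dispute, here is an added example (mine, not iSEC’s fuzzing tools or Guidance’s code) of the directory loop in Mr. Gill’s fifth point, and of why fuzzing a file system turns up this kind of bug. A toy in-memory “image” stands in for an NTFS volume: record 5 is the root directory, as on real NTFS, and the corruption replaces one file’s directory entry under /docs with a reference back to the root. A walker that trusts the on-disk structure never terminates on its own; a walker written for hostile input treats an entry that points back at a record already on the current path as an anomaly, logs it (that log line is the evidence Mr. Gill is talking about), and carries on with the rest of the volume. Record numbers and file names are constructed.

```python
class WalkLoopError(Exception):
    """Raised by the trusting walker once it is clearly going in circles."""


# Constructed toy "image": MFT-style record number -> record. Record 5 is the
# root directory, as on a real NTFS volume. Directory entries are (name, record).
CLEAN_IMAGE = {
    5: {"kind": "dir", "entries": [("docs", 6), ("notes.txt", 7)]},
    6: {"kind": "dir", "entries": [("report.docx", 8), ("ledger.xlsx", 9)]},
    7: {"kind": "file", "entries": []},
    8: {"kind": "file", "entries": []},
    9: {"kind": "file", "entries": []},
}


def corrupt_with_parent_loop(image: dict) -> dict:
    """Reproduce the reported test case: the entry for a file in /docs is
    replaced with a reference to the directory's parent (the root, record 5)."""
    img = {k: {"kind": v["kind"], "entries": list(v["entries"])} for k, v in image.items()}
    img[6]["entries"][1] = ("ledger.xlsx", 5)
    return img


def naive_walk(image: dict, rid: int = 5, path: str = "", depth: int = 0, limit: int = 100) -> list:
    """Trusts the on-disk structure. On the looped image it would recurse
    until the stack blew; the depth limit exists only so the demo terminates."""
    if depth > limit:
        raise WalkLoopError(f"still descending after {limit} levels at {path}/")
    files = []
    for name, child in image[rid]["entries"]:
        p = f"{path}/{name}"
        if image[child]["kind"] == "dir":
            files.extend(naive_walk(image, child, p, depth + 1, limit))
        else:
            files.append(p)
    return files


def naive_walk_terminates(image: dict) -> bool:
    """True if the trusting walker finishes, False if it gives up in a loop."""
    try:
        naive_walk(image)
        return True
    except WalkLoopError:
        return False


def safe_walk(image: dict, rid: int = 5):
    """Treats the image as hostile input. An entry that references a record
    already on the current path, or a record that does not exist, is logged as
    an anomaly (which is itself evidence) and not followed.
    Returns (sorted file paths, anomaly messages)."""
    files, anomalies = [], []
    stack = [(rid, "", frozenset([rid]))]
    while stack:
        cur, path, ancestors = stack.pop()
        for name, child in image[cur]["entries"]:
            p = f"{path}/{name}"
            rec = image.get(child)
            if rec is None:
                anomalies.append(f"{p}: dangling reference to record {child}")
            elif child in ancestors:
                anomalies.append(f"{p}: entry references ancestor record {child} (directory loop)")
            elif rec["kind"] == "dir":
                stack.append((child, p, ancestors | {child}))
            else:
                files.append(p)
    return sorted(files), anomalies


if __name__ == "__main__":
    bad = corrupt_with_parent_loop(CLEAN_IMAGE)
    print("naive walker terminates on looped image:", naive_walk_terminates(bad))
    files, anomalies = safe_walk(bad)
    print("files:", files)
    print("anomalies:", anomalies)
```

A fuzzer does nothing more sophisticated than `corrupt_with_parent_loop` does by hand, only thousands of times with different fields: the point of the iSEC work is that the parser, not the examiner’s training, has to be the thing that survives a volume built by someone who wants the examination to fail.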

Posted in Computer Security, Data Management, EnCase, Forensics, Guidance Software, Privacy, The Sleuth Kit | 1 Comment