December 2009 Archives

Naked elves steal login credentials

Sophos shed some light on a new Trojan 'Troj/Lneage-A' that takes advantage of the cliche that all MMORPG'ers are lonely males, popping up naked elves on the screens of drooling nerds while their game login information is stolen.

I'm waiting for the female version!

EnCase usage questioned in court

Susan Brenner discussed the interesting case of State v. Dingman, 149 Wash.App. 648, 202 P.3d 388 (Washington Court of Appeals 2009), in which the defense received evidence files in the proprietary EnCase format and asked for the evidence in a different format, as it did not have access to the EnCase software. Interestingly, the court decided in the end that a different format should be provided if asked for.

COFEE vs DECAF

A counter-intelligence tool 'DECAF' has been released to defeat the use of Microsoft's COFEE suite intended for computer forensic investigations. DECAF has the following features (from their website):
  • Contaminate MAC Addresses: Spoof MAC addresses of network adapters
  • Kill Processes: Quick shutdown of running processes
  • Shutdown Computer: On the fly machine power down
  • Disable network adapters
  • Disable USB ports
  • Disable Floppy drive
  • Disable CD-ROM
  • Disable Serial/Printer Ports
  • Erase Data: Quick file/folder removal (Basic Windows delete)
  • Clear Event Viewer: Remove logs from the Event Viewer
  • Remove Torrent Clients: Removes Azureus and BitTorrent clients
  • Clear Cache: Remove cookies, cache, and history

It reminds me a bit of Netbus from all those years ago. It makes the job more difficult, but I admit it is clever at the same time.

Update: Apparently DECAF was only a media stunt to increase security awareness and to attract attention to the need for better forensics tools.

More metadata

Apparently metadata is not only of great importance in criminal cases. As seen in a recent case against the City of Phoenix, a new Supreme Court decision overruled the Court of Appeals, holding that metadata is part of public records and should be provided if requested under the freedom of information act.

The importance of metadata in forensics

Susan Brenner discussed the case of U.S. v. Haymond, 2009 WL 3029592 (U.S. District Court for the Northern District of Oklahoma 2009), and the story is quite interesting in how it discusses the use and importance of metadata, and how a case can stand or fall with this information.

New fingerprints, new identity

More and more organisations are beginning to implement biometric systems for identification purposes in access control, and one of those uses is tracking people by their fingerprints when entering a country. But what happens if someone's fingerprints are changed? Doesn't seem reasonable? Think again. A Chinese woman was able to have her fingerprints changed through plastic surgery, and she was able to enter Japan even though she had previously been deported for an expired visa and was listed in Japan under her 'old' fingerprints.

Source: http://thecybersleuth.blogspot.com/2009/12/plastic-surgery-changes-identity-by.html

WPA cracking for dummies

Ethical hacker Moxie Marlinspike launched an online service for cracking WPA passwords in 20 minutes. For $34, his 'users' get access to a 400-node cluster specifically designed for cracking WPA passwords. Marlinspike's intention is to have this service available for ethical hackers and Wi-Fi auditors, but I wonder how long it will take before it is abused by others.

Data mining police databases

Ever since I took the Information Technology, Investigation & Evidence module in my new master's course I've been fascinated by link analysis and criminal profiling (I admit Criminal Minds might have something to do with it too). So I was surprised to see that a study was carried out in the Netherlands to find new links in the police databases through data mining. Some unexpected and previously unknown links were discovered:

* women in the database are significantly more often addicted to drugs than men
* people suspected of manslaughter are relatively often already convicted for racism
* joyriders often don't follow employment and alcohol regulations
* theft with violence is often linked with possession of weapons
* African origin and convictions for public security/safety
* criminals in the low lands also often don't follow traffic regulations

This sounds like a fun exercise to do in Belgium too!

Sources:
http://weblogs.nrc.nl/media/2009/12/07/datamining-politiedatabank-toont-onbehaaglijke-verbanden/
http://webwereld.nl/nieuws/64515/politie-test-datamining-criminelendatabank.html

More infosec skills

It looks like more people are beginning to think about the skills an information security professional should have. David Lacey listed his top 7 here.

SANS course on Information Reconnaissance

I hadn't heard of this one before, but it seems quite interesting indeed: SANS Security 550 - Information Reconnaissance: Competitive Intelligence and Online Privacy

Information is power! Don't think so? Follow the course or read my paper.

PayPal phishes own users

PayPal recently sent out a legitimate email to its users including a link to its login page, which to Randy Abrams looked suspiciously like a phishing attempt. He forwarded it to PayPal support, and they answered "You're right – it was a phishing attempt". Apparently PayPal support can't even tell a legitimate email from one phishing for information.

Security skill requirements

Drazen Drazic posted today asking what the new "core skills" are that we should all be developing. Well, I'd say there is no "core skill" in information security. The field is beginning to become so broad that one can't possibly possess all skills... even though that is what a lot of companies ask if you look at job advertisements. They all want someone that can administer servers, configure the firewall, maintain the network, program custom scripts and applications, update the website, know everything about risk management, be a penetration tester, know forensics, be a disaster recovery specialist, do audits, etcetera. Many of these are such large subjects in themselves that multiple people with specific specializations in one or more of these subjects are usually needed. But I can't think of someone that can do all of the above, and more, and still keep up with new versions of software, hardware, standards, legislation and stay abreast of new trends and technologies.

The smart, the stupid and the... complete moron?

I'm not always Anton Chuvakin's biggest fan, but this time he hit the nail on the head with his comparison of "smart" and "stupid" security. I completely agree with his statement that "things are actually a bit worse, even “TYPICAL” security from the right column is more than some smaller organizations have". And honestly, I wouldn't even say 'smaller' organizations. I've seen enough larger organizations that are just as bad.

Sarbanes-Oxley against the US Constitution?

Lawyers from Jones Day are arguing that the oversight arm for the enforcement of SOX is unconstitutional, as it was established free of both congressional and presidential oversight, while the constitution requires this for government and regulatory enforcement agencies. More details here.

BitLocker encryption cracked

BitLocker has been a nightmare for some forensic examiners, but those days (or nights) are now over. The newest version of the Passware Kit Forensic[1] can now crack Windows BitLocker encryption by extracting the encryption keys from a memory image.

[1] http://www.lostpassword.com/kit-forensic.htm

Back again

I started studying again, and now that the first semester is over I have more time to turn back to blogging!
