watching you watching us . .

Author Archive

Full Disk Encryption – Breaking Hard Disk Encryption

Good article and, more importantly, a great discussion in the comments! The article is centred on the topic of hard disk encryption, prompted by a less significant announcement that a “new..” ElcomSoft Forensic Disk Decryptor can decrypt BitLocker, PGP, and TrueCrypt.

“If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.”

“most (if not all) encryption software hashes your password immediately, yielding a hex based result which is still easily searched by looking for strings.”

“You are not missing anything. Its a non issue for most. Just don’t use sleep.”

“OpenBSD’s malloc fills junk bytes into allocated and freed chunks via the J option. By default OpenBSD encrypts the swap (where hibernation state is kept), and has done so for many years.”

“DMA is just one such way of manipulating the memory beneath the CPU level; there is also the Memory Management Unit and the I/O mechanisms that rule the roost via the interrupt mechanisms that run at what you might consider Ring -1. And these are what you might consider the upper layers of this gulf of insecurity. There are other tricks such as the actual CPU microcode or equivalent in all the other state machines.”

“Breaking Hard-Disk Encryption”
Bruce Schneier, 27 December 2012
http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html – last access 24 January 2013 – ( Article )
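As an added example (not from the article or its comment thread), the script below is one way to verify the “keys can be retrieved from the hibernation file” claim on a machine you control: it scans a memory image for an expanded AES-128 key schedule, the artefact a mounted volume leaves in RAM and that forensic tools look for, so you can confirm that dismounting before hibernation actually removed it. The memory image, the key offset and the dismount are constructed in the script; the S-box construction and key expansion follow FIPS-197 and the key is the FIPS-197 Appendix A.1 test key.

```python
import random


def _rotl8(x, k):
    return ((x << k) | (x >> (8 - k))) & 0xFF


def _build_sbox():
    """AES S-box computed from the GF(2^8) inverse and the FIPS-197 affine
    map, so no 256-entry table has to be typed in by hand."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF                                                  # q /= 3, so q == p^-1
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: a 16-byte key becomes the 176-byte schedule of
    eleven round keys that an AES implementation keeps in memory."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]           # RotWord then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x11B) & 0xFF if rcon & 0x80 else rcon << 1
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(sum(w, []))


def find_aes128_schedules(image):
    """Offsets in `image` at which a self-consistent AES-128 key schedule
    starts. Every 16-byte window is a candidate key; the first expanded word
    is checked cheaply before the full 176-byte comparison is made."""
    hits = []
    for off in range(len(image) - 176 + 1):
        key = image[off:off + 16]
        t = [SBOX[b] for b in key[13:16] + key[12:13]]     # SubWord(RotWord(w[3]))
        t[0] ^= 0x01                                       # rcon for round 1
        w4 = bytes(a ^ b for a, b in zip(key[0:4], t))
        if w4 != image[off + 16:off + 20]:
            continue
        if expand_key_128(key) == image[off:off + 176]:
            hits.append(off)
    return hits


def make_test_image(key, offset, size=4096, seed=1):
    """Constructed stand-in for a hibernation file: pseudo-random filler with
    the schedule of `key` written at `offset`, as a mounted volume leaves it."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key_128(key)
    return bytes(buf)


def wipe_schedule(image, offset):
    """What a dismount before hibernation should achieve: the schedule is gone."""
    buf = bytearray(image)
    buf[offset:offset + 176] = bytes(176)
    return bytes(buf)


if __name__ == "__main__":
    KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
    img = make_test_image(KEY, offset=1000)
    print("schedule found at offsets:", find_aes128_schedules(img))              # [1000]
    print("after dismount:", find_aes128_schedules(wipe_schedule(img, 1000)))   # []
```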

/cobramark3


Reverse Engineering Android Applications

Interesting article by Carl Benedict, introducing and discussing Android applications, their development and dissection, using some tools for reverse engineering. Good focus on the Android permission-based system, how it allows access to resources, and where to alter these controls.

“Under the Hood: Reversing Android Applications”
Carl Benedict, 20 January 2012
Infosec Institute Resources
http://resources.infosecinstitute.com/reversing-android-applications/ – last access 23 January 2012 – ( Full Article )

Tools:

apktool – a tool used for manipulating .apk files, http://code.google.com/p/android-apktool/

jad – a Java decompiler (Windows only), http://www.varaneckas.com/jad

JD-Core + JD-GUI – another Java decompiler, supporting newer Java versions and features, http://java.decompiler.free.fr

dex2jar – a tool for converting .dex files to .class files, http://code.google.com/p/dex2jar/downloads/list (dex2jar)
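As an added example that is not part of the article, the script below reviews a decoded AndroidManifest.xml (the form apktool writes out) for the permissions an app requests and the components it exposes to other apps. The manifest, the package name and the SENSITIVE watch-list are constructed for the example; the android XML namespace and the exported-by-default rule for components with an intent-filter are real platform behaviour of the time (Android 12 later made the attribute mandatory).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"   # the real android: namespace
A = "{%s}" % ANDROID_NS                                      # ElementTree's qualified-attribute prefix

# Watch-list of permissions that reach contacts, SMS, location, microphone and
# telephony state. Assumed for this example; extend to taste.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest in the decoded form apktool produces (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notepad">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Notepad">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>
"""


def review_manifest(xml_text):
    """Summarise what an app asks for and what it exposes: requested
    permissions, those on the watch-list, and components other apps can reach."""
    root = ET.fromstring(xml_text)
    perms = sorted(e.get(A + "name") for e in root.iter("uses-permission"))
    exported = []
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            flag = comp.get(A + "exported")
            has_filter = comp.find("intent-filter") is not None
            # Platform default of the time: exported when the attribute says so,
            # or when it is absent and the component declares an intent-filter.
            if flag == "true" or (flag is None and has_filter):
                exported.append((tag, comp.get(A + "name")))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "sensitive": sorted(p for p in perms if p in SENSITIVE),
        "exported_components": exported,
    }


if __name__ == "__main__":
    report = review_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

A notepad that requests READ_CONTACTS and SEND_SMS, and exposes an SMS receiver, is exactly the mismatch between stated purpose and granted access the article says to look for.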

/cobramark3


Solid State Disks, Update, Forensic Implications ?

Solid State Drive adoption in computers, tablets and other devices is presenting new challenges to the CF community. Good article by Mike Sheward explaining in some depth the current forensic concerns and issues with SSDs, with interesting testing and hash results using FTK Imager and a write blocker.

“Rock Solid: Will Digital Forensics Crack SSD’s?”
Mike Sheward, 5 January 2012
http://resources.infosecinstitute.com/ssd-forensics/ – last access 23 January 2012 – ( Full Article )


Police E-Crime Unit Suspend 2000+ Counterfeit and Fraudulent E-Commerce Websites

The origins of the suspended e-commerce sites are unclear; presumably they were all or mostly based in the UK, but unfortunately this information is not given for analysis.

The press release states that the Metropolitan Police E-Crime Unit suspended more than 2,000 e-commerce websites deemed to be selling fake or non-existent goods. The websites were offering low-priced goods from manufacturers such as GHD, Ugg, Tiffany and Nike. The goods were either counterfeit or never arrived, and some sites also harvested credit card, bank details and personal information given by customers.

It is also unclear whether the sites were suspended, seized (pending further investigation and prosecution) or shut down.

If many gangs registered sites in bulk, how many actual gangs or criminals are under investigation and facing possible prosecution ? Would more information be beneficial in helping the consumer/potential victim be better prepared, beyond the usual advice to update AV.. use a dedicated credit card for e-shopping.. etc ? Would releasing more details hinder current or further investigation, or help consumers to avoid similar illegal sites ?

“.. Police officers worked with domain registrars to identify the rogue traders and then used Nominet’s powers to seize and shut down the offending domains .. the E-Crime Unit said many gangs registered sites in bulk solely to dupe customers. He said the campaign to close the criminal sites would continue in the run-up to Christmas .. consumers should check a website’s credentials to ensure it was approved and reputable .. also consider using a credit card for payments over £100 and perhaps reserve one card for online shopping ..”

“The E-Crime Unit took similar action in 2010 when it shut down about 1,800 sites.”

So happy shopping with the usual rules, ie. you don’t get something for nothing, and if you pay peanuts you get monkeys.

Police crackdown on fake shopping sites
BBC News, created 21 November 2011.
http://www.bbc.co.uk/news/technology-15820758 – (Full Article) – last access 23 November 2011

E-Crime Unit take down fraudulent websites
Metropolitan Police, created 18 November 2011.
http://content.met.police.uk/News/ECrime-Unit-take-down-fraudulent-websites/1400004634037/1257246745756 – (Full Article) – last access 23 November 2011

/cobramark3


Zetas gang beheads 4th internet blogger, anonymous outcry or Anonymous stepping in ?

Mexican gangsters have beheaded a 4th internet blogger, known as Rascatripas (or Belly Scratcher), who was involved in moderating a blog called En Vivo, which posted news of the criminal activities of the Zetas, a Mexican narcotics and extortion gang.

Recently a person said to be a member of Anonymous posted a video on YouTube claiming that the Zetas had kidnapped another Anonymous member.. threatening the Zetas to return the victim unharmed or Anonymous would publish the identities of Zetas members and details of their protectors in government and business.

Rumours that it may be a hoax have run in parallel with Anonymous publicly announcing it would drop the threat, due to the danger it posed to innocent lives.. although with comments like “wait and see” and more recently “expect us”, the jury is out.

Also, police arrested two people in southern Veracruz state in September for posting rumours on Twitter about impending gangster attacks on schools. Following this, Veracruz’s governor introduced a bill that would have outlawed such postings for “disturbing the public tranquility.” The bill was later dropped and the Twitter users released.

Gang sends message with blogger beheading
By Dudley Althaus, Houston Chronicle, 10 November 2011
http://www.chron.com/news/houston-texas/article/Blogger-murdered-and-beheaded-in-Nuevo-Laredo-2260814.php – (Full Article) – last access 12 November 2011

Anonymous – Operation Zetas Hunt
TheAnonMessage, Youtube, posted 7 November 2011
http://www.youtube.com/watch?v=0lpJJgVfJD8 – (Video) – last access 12 November 2011

‘Hackers’ threaten Mexican drug cartel in YouTube film
BBC News Technology, 31 October 2011
http://www.bbc.co.uk/news/technology-15520912 – (Full Article) – last access 12 November 2011

Anonymous Veracruz message to ZETA – English Mirror
lesleyblooddotcom, Youtube, posted 29 October 2011.
http://www.youtube.com/watch?v=bJORGO1Q2VY – (English Translated Video) – last access 12 November 2011

/cobramark3


Measuring the black web

A current article in The Economist discusses a published paper (previously mentioned on CFL): Click Trajectories: End-to-End Analysis of the Spam Value Chain (PDF)

Snippets of the Economist article “.. well-worn assertion is that cybercrime revenues exceed those from the global trade in illegal drugs..

In the absence of figures from the practitioners, experts tend to fall back on surveys of victims, often compiled by firms that sell security software..

Few cybercrime surveys cite the methodology they used..

Stefan Savage, Mr Kanich’s PhD supervisor, says that the security industry sometimes plays “fast and loose” with the numbers, because it has an interest in “telling people that the sky is falling”..

in the grand scheme of criminal threats, hacker kingpins do not appear to be on a par with Colombian drug lords..”

Measuring the black web
Cybercrime, The Economist, 15 October 2011 (Print Article)
http://www.economist.com/node/21532263 – (Full Online Article) – last access 14 October 2011

I beg the question, a definition of the “Black web” ?

/cobramark3


Securing Freedom, What Tactics Should and Currently are Being Used to Combat Criminal Exploitation of the Internet, and is it Legal or Proportionate ?

A few recent broadcasts not to be missed..

Stephen Grey investigates the use of computer hacking by the police and security agencies to combat criminal exploitation of the internet and asks if it is legal.

“.. RIPA .. range of surveillance powers.. unspecified hardware/software, keyloggers..

software installed on suspect computers could be considered breaking section 3 of Computer Misuse Act, by altering data..

lack of clarity from authorities, Article 8 Human Rights Act, scope of states power must be disclosed and made clear what authorities will or won’t use ..

William Hague, who speaks for the government on computer security issues, said: “Any export of goods that could be used for internal repression is something we would want to stop” .. He also admitted the law governing software exports was a grey area ..”

UK firm denies ‘cyber-spy’ deal with Egypt
Stephen Grey, File on 4, BBC Radio 4, 20 September 2011
http://www.bbc.co.uk/news/technology-14981672 – (Full Broadcast) – last access 23 September 2011

~

Excellently delivered by Eliza, offering public insight into reasons behind securing freedom and perceived hypocrisy.

In her second Reith Lecture of 2011, the former director-general of the British Security Service (MI5), Eliza Manningham-Buller, discusses policy priorities since 9/11. She reflects on the Arab Spring, and argues that the West’s support of authoritarian regimes did, to some extent, fuel the growth of al-Qaeda.

The Reith Lectures – Securing Freedom: 2011 : Freedom
Eliza Manningham-Buller, BBC Radio 4, 20 September 2011
http://www.bbc.co.uk/iplayer/episode/p00k4053/The_Reith_Lectures_Eliza_ManninghamBuller_Lecture_3_Freedom/ – (Full Broadcast) – last access 23 September 2011

Her first and the previous Reith Lecture:

The Reith Lectures – Securing Freedom: 2011 : Security
Eliza Manningham-Buller, BBC Radio 4, 13 September 2011
http://www.bbc.co.uk/iplayer/episode/b014fcyw/The_Reith_Lectures_Securing_Freedom_2011_Eliza_ManninghamBuller_Security/ – (Full Broadcast) – last access 23 September 2011

/cobramark3


New CESG initiative builds on IISP Skills Framework in drive for greater professionalism in Information Assurance

“.. As part of the UK Government’s investment in cyber security, a consortium comprising the IISP (Institute of Information Security Professionals), CREST (Council for Registered Ethical Security Testers) and Royal Holloway’s Information Security Group (ISG) has been appointed by CESG to provide certification for UK Government Information Assurance (IA) professionals. The consortium has been awarded a licence to issue the CESG Certified Professional Mark based on the IISP Skills Framework, as part of a certification scheme driven by CESG, the IA arm of GCHQ ..

step forward in professionalising key Information Assurance roles needed by the public sector. It is also an important development along the path of securing the UK against cyber attack and protecting government and individuals’ data. CESG looks forward to continuing close co-operation with the IISP, CREST and Royal Holloway in delivering this IA Certification Service ..”

New CESG initiative builds on IISP Skills Framework in drive for greater professionalism in Information Assurance
PR-Inside, 22 September 2011
http://www.pr-inside.com/new-cesg-initiative-builds-on-iisp-r2823053.htm – last access 23 September 2011 – (Full article)

New CESG initiative builds on IISP Skills Framework
Forensic Focus, 22 September 2011
http://www.forensicfocus.com/index.php?name=News&file=article&sid=1730 – last access 23 September 2011 – (Full article)

/cobramark3


Some Current Law addressing the Distribution and Creation of Malware and Viruses

“.. In the UK, the introduction of malware is covered by section 3 of the Computer Misuse Act [2]. The Act states that a crime is committed if a person “does any act which causes an unauthorized modification of the contents of any computer” and the perpetrator intends to “cause a modification of the contents of any computer” which may “impair the operation of any computer”, “prevent or hinder access to any program or data held in any computer” or “impair the operation of any such program or the reliability of any such data” ..

Malware is generally distributed unintentionally subsequent to its initial creation. Thus an ICP or an ISP would not be found criminally liable under either the Computer Fraud and Abuse Act or the Computer Misuse Act for most cases of dissemination ..”

What the Law Says about Distributing a Virus or Malware
Craig S Wright, InfoSec Island, 20 September 2011
https://www.infosecisland.com/blogview/16567-What-the-Law-Says-about-Distributing-a-Virus-or-Malware.html – last access 22 September 2011 – (Full article)

~

“.. The Japanese parliament has quietly passed legislation to make the creation or distribution of a virus or similar malware a criminal offense ..

the distribution of a virus created, for example, in the US, in Japan by a Japanese citizen, would come within the scope of the criminal law ..

what happens if the malware distribution takes place without the knowledge of the user of the computer, such as when a botnet is involved..

Legislators in Japan are less concerned about the semantics, however, as they say this is the country’s response to support the International Convention on Cybercrime, a treaty ratified by more than 30 countries and which mandates international co-operation in investigating crimes in cyberspace ..”

Creating or distributing malware in Japan is now a crime
InfoSecurity Magazine, 20 June 2011
http://www.infosecurity-magazine.com/view/18782/creating-or-distributing-malware-in-japan-is-now-a-crime/ – last access 22 September 2011 – (Full article)

/cobramark3


Phishing Web-Based Email Services with HTML 5

Just came across a research paper from May 2011, thanks to Joe Sylve for the work.

“.. overview of a new technique that could be used for phishing web-based email services such as Google’s Gmail and Yahoo’s Mail ..”

Phishing Web-Based Email Services with HTML 5
Joe Sylve
Department of Computer Science, University of New Orleans, 11 May 2011
http://dl.dropbox.com/u/17627038/papers/html5phishing.pdf – last access 22 September 2011 – (Full article)

/cobramark3


Hacked Dutch security firm DigiNotar has filed for voluntary bankruptcy, and the SSL certificate debacle

Hacked Dutch security firm DigiNotar has filed for voluntary bankruptcy..

“Hacked security firm closes its doors”
BBC News UK, 20 September 2011
http://www.bbc.co.uk/news/technology-14989334 – last access 21 September 2011 – ( Full Article )

Related:
“SSL certificate debacle includes CIA, MI6, Mossad and Tor”
Chester Wisniewski, NakedSecurity, 5 September 2011
http://nakedsecurity.sophos.com/2011/09/05/ssl-certificate-debacle-includes-cia-mi6-mossad-and-tor/ – last access 21 September 2011 – ( Full Article )

/cobramark3


Skype for iPhone and iPod Touch: iOS Vulnerability allows compromising the device address book on receiving a text message, just add JavaScript

An exploit in Skype on an iPhone or iPod touch allows compromise of your device’s address book simply by the attacker sending you a chat message. When the exploit code in the message is run, the victim’s iPhone automatically makes a new connection to a server, grabs a larger payload, executes it and uploads the iPhone’s entire address book file to the server.

“.. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you’ll have a fully-searchable copy of the victim’s address book.

.. failure by Skype to sanitize potentially dangerous JavaScript commands from the text that gets sent in chat messages ..

It’s already been 48 hours since this vulnerability was first documented, and the vulnerable app is still available in the iTunes Store. It will be interesting to see how long it takes Apple and Skype to close the gaping hole ..”

“Skype for iPhone makes stealing address books a snap”
Dan Goodin, Malware, The Register UK, 20 September 2011
http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/ – last access 21 September 2011 – ( Full Article )

/cobramark3


Review of Disclosure in Criminal Proceedings (Judiciary of England and Wales)

“This is a review (“the review”) conducted at the request of and for the Lord Chief Justice, prompted by concerns as to the operation of the disclosure regime contained in the Criminal Procedure and Investigations Act 1996, as amended (“the CPIA”).”

Review of Disclosure in Criminal Proceedings (Judiciary of England and Wales)
The Rt Hon. Lord Justice Gross
September 2011

Full Report: http://www.judiciary.gov.uk/Resources/JCO/Documents/Reports/disclosure-review-september-2011.pdf

/cobramark3


The UK Forensic Science Society: Launch of the Digital Forensic Component Standards

The Society has announced the extension of its accreditation scheme to include two new Component Standards to address digital forensics:

  • Computer Network Evidence Recovery and Analysis
  • Digital Evidence Analysis Recovery and Preservation

These two new Standards plus the Core Standard of Interpretation, Evaluation and Presentation of Evidence (IEPE) make up the new Digital Component Standards.

http://www.forensic-science-society.org.uk/Accreditation/Launchofdigitalstandards

Launch event in the afternoon on 19th October 2011:
http://www.forensicsciencesociety.co.uk/Events/2011/Digital%20Launch

/cobramark3


Digital Forensics – ISO 27001, ISO 17025, ISO 17020 – Compliance, Accreditation and Best Practice

The United Kingdom Accreditation Service (UKAS) accredits against ISO 17025 and ISO 17020 and this is seen as an integral part of the quality framework and an expectation for those supplying forensic science services.

ISO 17025 can be applied to accredit any general laboratory, and is used by ASCLD-LAB for special-purpose forensic laboratories.

Digital forensics is also key in implementing and maintaining an effective information security management system (ISMS) as specified by ISO 27001.

Control A.13.2.3 of the ISO 27001 Standard requires that, in the event of a security incident, any evidence presented in a criminal or civil action against an individual or company fully conforms to all relevant legislation. While this requirement is fairly obvious, it is crucial to the success of the legal process that the digital evidence is collected as accurately and reliably as possible.

The best practice as defined in clause 13.2.3 of the ISO 27002 Code of Practice (not a management standard, only best practice, cannot be accredited) recommends the preparation of an investigation procedure which includes the forensic collection of digital evidence together with the originals of all documents and witness details.

All such plans are major contributors to ensuring conformance to Clause 7.3 of the ISO 27001 Standard on preventative action, which is of course essential to the continual process improvement of the ISMS.

/cobramark3


Forging memory, a new development in Malware Rootkits

Apart from rootkits modifying and hiding files, registry entries, processes.. from detection software, some also modify memory. Anti-rootkit tools inspect memory areas in an attempt to identify such modifications and flag them.

This particular rootkit goes a step further and forges the memory that detection software reads, so the tools never see the actual memory or the hooks it has placed on the disk driver. The technique is not new; however, this is the first instance found in the wild and being adopted by malware authors.

“.. a new rootkit appeared that at first glance seemed more similar to initial variants of TDL3 than to the updated TDL4 variants we have seen this year. Like TDL3, it also parasitically infected a driver by inserting code in the resource directory of the PE file. In this case the name of the file it infected was hard-coded to volsnap.sys. Also similar to the early variants of TDL3, this rootkit also hooked some pointers in the dispatch table (IRP hook) of the driver below disk on the device stack of the hard disk.

But it was very interesting to see some of the anti-rootkit tools not showing the dispatch table hooks that are usually pretty straightforward to identify. Also this malware would not allow an external debugger (WinDbg) to break.

The reason for hooks not being reported was that the memory being read by the tools was not the actual memory ..”

“Memory Forging Attempt by a Rootkit”
Rachit Mathur, McAfee Blog Center, 21 April 2011
http://blogs.mcafee.com/mcafee-labs/memory-forging-attempt-by-a-rootkit – last access 8 June 2011 – ( Full Article )

/cobramark3


Going After the Money, Tracing Spammers with an End to End Analysis of the Spam Value Chain

Interesting publication of a paper at the IEEE Symposium on Security and Privacy 2011 (California). The research (involving 15 authors) investigated purchasing spam products and amongst other things, focused on tracing the payments.

“.. The paper performs holistic analysis that quantifies the full set of resources employed to monetize spam email—including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. We relate these resources to the organizations who administer them and then use this data to characterize the relative prospects for defensive interventions at each link in the spam value chain. In particular, we provide the first strong evidence of payment bottlenecks in the spam value chain; 95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks ..

the so-called “spam value chain” involves botnets, domain registration, name server provisioning, hosting services, and proxy services ..

spammers must also process orders, which requires “payment processing, merchant bank accounts, customer service, and fulfillment.” ..

95% of spam-advertised pharmaceutical, replica, and software products are monetized using merchant services from just a handful of banks ..

13 banks handling 95% of the 76 orders for which they received transaction information .. just three banks handled the majority of transactions: Azerigazbank in Azerbaijan, DnB NOR in Latvia (although the bank is headquartered in Norway), and St. Kitts-Nevis-Anguilla National Bank in the Caribbean ..

all software orders and 85% of pharmaceutical orders used the correct Visa “Merchant Category Code,” which identifies what’s been sold. “A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered ‘laundering’ high-risk goods,” ..

orders were fulfilled from 13 suppliers in four countries: the United States–Massachusetts, Utah, and Washington, all for herbal purchases, as well as West Virginia for pharmaceuticals–plus India, China, and New Zealand. Most pharmaceuticals came from India, while most herbal products came from the United States, likely due to weak regulations ..”

“3 Banks Service Majority Of Spam-Driven Sales”
Mathew J. Schwartz, InformationWeek, 25 May 2011
http://www.informationweek.com/news/security/client/229625599 – last access 8 June 2011 – ( Full Article )

“Click Trajectories: End-to-End Analysis of the Spam Value Chain”
Kirill Levchenko et al., IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011
http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf – last access 8 June 2011 – ( Full Journal )

/cobramark3


Who’s Keeping an Eye on Strauss-Kahn, “Prevent Flight” Forensic Services ?

Interesting article in Time regarding IMF chief Dominique Strauss-Kahn who is currently on Bail in New York. Is this to be a new development in Digital Forensic services ?

“..IMF chief Dominique Strauss-Kahn on bail was moved from temporary lodgings on lower Broadway to a large townhouse in Tribeca. Keeping watch over him will be multiple “armed monitors” courtesy of security firm Stroz Friedberg.

– snip –

terms of Strauss-Kahn’s bail order, filed with the New York State Supreme Court on May 20, DSK is “confined to home detention 24 hours per day at an address in Manhattan.” He is permitted to leave the home only for court appearances, medical and legal appointments and religious observances, and the court must have six hours notice.

The people responsible for ensuring Strauss-Kahn’s compliance work for Stroz Friedberg LLC, a cyber security and computer forensics firm. According to “in-home detention protocols” prepared by the company, Stroz Friedberg employees will monitor Strauss-Kahn 24 hours a day, maintain a log of all visitors, search all visitors for weapons and have sole discretion to limit the type and number of visitors to DSK’s residence, along with any other measures that “may be required to prevent flight.”

– snip –

Stroz Friedberg previously kept watch over Bernard Madoff (2009). Ed Stroz made sure to emphasize this is not the firm’s “core expertise,” but rather a sideline business that coincidentally presented itself.

– snip –

Although the Strauss-Kahn case has kept them in the news, Stroz sees digital and cyber security as the most important growth area for the firm in the coming years.

– snip –

Stroz says, “but we’re kind of evolving into the firm you have to have if you’re a serious industry out there. Who isn’t at risk for litigation, regulatory scrutiny, trade secret theft, insider problems? And when that happens, that is not a normal business issue. And you don’t get good at this unless you’re kind of a jungle cat out there seeing things.”

..”

“Who’s Keeping an Eye on Strauss-Kahn?”
Nate Rawlings, TIME, 26 May 2011
http://www.time.com/time/nation/article/0,8599,2074075,00.html – last access 27 May 2011 – ( Full Article )

/cobramark3


Covert hard drive fragmentation – Steganography Ad-dress

Snippets of a recent article in New Scientist..

“.. hide data on a hard drive without using encryption. Instead of using a cipher to scramble text, the method involves manipulating the location of data fragments.

– snip –

..possible to encode a 20-megabyte message on a 160-gigabyte portable hard drive. It hides data so well that its existence would be “unreasonably complex” to detect

– snip –

Encryption .. shows someone might have something to hide..

– snip –

steganography, hiding data in plain sight.. But these techniques are well known and easily detected, says Khan. So, with colleagues at the National University of Science and Technology in Islamabad, Pakistan, he has developed an alternative.

Their technique exploits the way hard drives store file data in numerous small chunks, called clusters. The operating system stores these clusters all over the disc, wherever there is free space between fragments of other files.

Khan and his colleagues have written software that ensures clusters of a file, rather than being positioned at the whim of the disc drive controller chip, as is usually the case, are positioned according to a code. All the person at the other end needs to know is which file’s cluster positions have been encoded.

The code depends on whether sequential clusters in a file are situated adjacent to each other on the hard disc or not. If they are adjacent, this corresponds to a binary 1 in the secret message. If sequential clusters are stored in different places on the disc, this encodes a binary 0 (Computers and Security, DOI: 10.1016/j.cose.2010.10.005). The recipient then uses the same software to tell them the file’s cluster positions, and hence the message. The researchers intend to make their software open source.

“An investigator can’t tell the cluster fragmentation pattern is intentional – it looks like what you’d get after addition and deletion of files over time,” says Khan. Tests show the technique works, as long as none of the files on the hard disc are modified before handover.

“The real strength of this technique is that even a completely full drive can still have secret data added to it – simply by rearranging the clusters,” adds Khan.

Others are impressed with the technique but see limitations.

“This type of steganography could be used by spies, police or informants – but the risk is that it requires direct contact to physically exchange the USB device containing the secret data,” says Wojciech Mazurczyk, a steganographer at Warsaw University of Technology in Poland. “So it lacks the flexibility of internet steganography. Once you embed the secret data on the disk it is not easy to modify it.”

– snip –

“It’s how security vulnerability disclosure works,” says Khan. “We have identified that this is possible. Now security agencies can devise techniques to detect it.” He adds that his team have had no issues with either US or Pakistani security agencies over their development of this secret medium – despite current political tensions between the two nations.

“The use of steganographic techniques like this is likely to increase,” says Fred Piper, director of information security at Royal Holloway, University of London. “Eavesdroppers can learn much from the fact that somebody is encrypting a message.”

..”

“Covert hard drive fragmentation embeds a spy’s secrets”
Paul Marks, New Scientist.com, 21 April 2011
http://www.newscientist.com/article/mg21028095.200-covert-hard-drive-fragmentation-embeds-a-spys-secrets.html – last access 29 April 2011 – ( Full Article )

/cobramark3


Operation Ore suspect Jeremy Clifford awarded damages after 8 years of battle

“.. A man wrongly accused in Britain’s largest ever child pornography investigation has won damages in the High Court after an eight-year legal battle.

Jeremy Clifford, 51, from Watford, was arrested and falsely charged in 2003 as part of Operation Ore. His credit card details had been found among those of thousands of British people on a list maintained by Landslide, a commercial provider of illegal pornography based in the US.

Hertfordshire Constabulary seized a computer that had belonged to Mr Clifford and discovered 10 illegal thumbnail images in its temporary internet files folder.

However, a senior High Court judge found on Friday that the arresting officer had been told by a computer forensics expert that the images were not sufficient evidence to charge.

“The images could have been received unsolicited by and even without the knowledge of the operator of the computer, for example as ‘pop-ups’,” said Mr Justice Mackay.

Despite this, the officer, Detective Constable Brian Hopkins, pressed three charges of possession of indecent images of children. Mr Justice Mackay said he cut a “rather pathetic figure” in the witness box, having initially claimed he could not give evidence because of a psychiatric condition.

– snip –

The finding was based on evidence the court heard from an internal investigation launched after Mr Clifford was formally cleared of all the allegations before trial. It found that Hertfordshire Constabulary’s forensics expert, George Fouhey, had advised against pressing charges ..”

“Judge hits police with massive bill over false Operation Ore charges”
Court correspondent, Policing, The Register UK, 4 April 2011
http://www.theregister.co.uk/2011/04/04/operation_ore_suspect_wins_damages/ – last access 5 April 2011 – ( Full Article )

/cobramark3


Solid-State Disk Behavior Underlying Digital Forensics

“.. SSDs are different. Writing a virgin cell merely requires a write cycle. Rewriting a cell requires two cycles: an erase cycle and a write cycle. The erase cycle is governed by the physics, and takes time. Performance is improved by “pre-clearing” no longer needed cells (e.g., free space on the disk) during otherwise unused device cycles.

– snip –

A recent paper from Graeme Bell and Richard Boddington of Murdoch University in Perth, Solid State Drives: The Beginning of the End for Current Practices of Digital Forensic Recovery, documented several consequences of this implementation approach with respect to standard best practices for digital forensic acquisitions. In short, the autonomous pre-clearing function rendered free space unrecoverable on short order from the time that the drive was powered-on.

– snip –

As noted by Bell and Boddington, the automatic nature of the resetting function on space determined by the controller to be unallocated has several implications for standard forensics procedures:

data in unallocated space will quickly disappear on such a device (Quick format will actually cause the drive contents to be erased on short order)
the data recorded by a forensic acquisition with a write-blocker will be inconsistent with a subsequent acquisition until the reset process has completed. The cryptographic checksums (e.g., MD-5, SHA-1) generated on successive acquisitions will thus be inconsistent ..”

“Solid-State Disk Behavior Underlying Digital Forensics”
Robert Gezelter, InfoSecIsland.com , 7 March 2011
https://www.infosecisland.com/blogview/12375-Solid-State-Disk-Behavior-Underlying-Digital-Forensics.html – last access 1 April 2011 – ( Full Article )

“Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?”
Graeme B. Bell and Richard Boddington, 2010
Journal of Digital Forensics, Security and Law, Vol. 5(3)
http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf

/cobramark3
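As an added illustration of the behaviour Bell and Boddington describe (not code from the article or the paper), the following Python models a drive whose controller pre-clears released blocks on its own; the block size, block count, erase rate and sample contents are constructed values. Successive write-blocked images hash differently until the reset completes, while a hash over the allocated blocks alone stays stable across passes.

```python
import hashlib
import random

BLOCK_SIZE = 16                  # bytes per simulated flash block (constructed)
BLOCK_COUNT = 64
ERASED = b"\xff" * BLOCK_SIZE    # NAND erase state is all ones

class SimulatedSSD:
    """Drive whose controller wipes unallocated blocks during idle cycles."""

    def __init__(self, seed: int = 1) -> None:
        rng = random.Random(seed)
        # Every block still holds old content (remnants of deleted files).
        self.blocks = [bytes(rng.randrange(256) for _ in range(BLOCK_SIZE))
                       for _ in range(BLOCK_COUNT)]
        # Only the first quarter is allocated; the rest was released by the
        # filesystem (e.g. TRIM / quick format) but not yet overwritten.
        self.allocated = list(range(BLOCK_COUNT // 4))
        self.pending = list(range(BLOCK_COUNT // 4, BLOCK_COUNT))

    def idle_cycle(self, n: int = 8) -> None:
        """Pre-clear up to n free blocks. A write-blocker sits on the bus
        and cannot prevent this: it happens inside the drive."""
        for _ in range(min(n, len(self.pending))):
            self.blocks[self.pending.pop(0)] = ERASED

    def acquire(self) -> bytes:
        """Read-only full-disk acquisition, as an imager sees it."""
        return b"".join(self.blocks)

    def acquire_allocated(self) -> bytes:
        """Only the blocks the filesystem still references."""
        return b"".join(self.blocks[b] for b in self.allocated)


def successive_acquisitions(ssd: SimulatedSSD, rounds: int) -> list[tuple[str, str]]:
    """Image the drive `rounds` times, idling between passes. Returns the
    SHA-256 of the full image and of the allocated blocks for each pass."""
    out = []
    for _ in range(rounds):
        out.append((hashlib.sha256(ssd.acquire()).hexdigest(),
                    hashlib.sha256(ssd.acquire_allocated()).hexdigest()))
        ssd.idle_cycle()
    return out


if __name__ == "__main__":
    for i, (full, alloc) in enumerate(successive_acquisitions(SimulatedSSD(), 8)):
        print(f"pass {i}: full={full[:12]}  allocated={alloc[:12]}")
```

With 48 free blocks and 8 cleared per idle cycle, the full-image hash changes on each of the first seven passes and only then settles, which is the "inconsistent until the reset process has completed" effect quoted above.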


StarLogger Keylogger Found on New Samsung Laptops

Keylogger software discovered by Mohamed Hassan on two new Samsung laptops…

“.. Samsung installed a commercial keylogger on brand-new laptops to monitor customer usage, the company admitted after a user exposed the practice in a security newsletter.

– snip –

While setting up a new Samsung R525 laptop in early February, Hassan ran a full-system scan using an unnamed “licensed commercial security software” before installing anything else. The scan found two instances of a commercial keylogger, called StarLogger, installed within the Windows directory..

– snip –

A support supervisor then confirmed that Samsung knowingly put this software on the laptop to “monitor the performance of the machine and to find out how it is being used,”

..”

“Samsung installs keylogger on its laptop computers”
M. E. Kabay and Mohamed Hassan, Network World – Security Strategies Alert, 30 March 2011
http://www.networkworld.com/newsletters/sec/2011/032811sec2.html – last access 31 March 2011 – ( Full Article )

“Samsung responds to installation of keylogger on its laptop computers”
M. E. Kabay and Mohamed Hassan, Network World – Security Strategies Alert, 30 March 2011
http://www.networkworld.com/newsletters/sec/2011/040411sec1.html – last access 31 March 2011 – ( Full Article )

“Samsung Installs Stealthy KeyLogger on Brand-New Laptops”
Fahmida Y. Rashid, eWeek, 30 March 2011
http://www.eweek.com/c/a/Security/Samsung-Installs-Stealthy-KeyLogger-on-Brand-New-Laptops-265944 – last access 31 March 2011 – ( Full Article )

/cobramark3


Dell takes digital forensics mobile

“.. Dell on Thursday launched another installment of its digital forensics bundle so law enforcement can collect data faster from crime scenes.

The company took its digital forensic bundle—Spektor Forensic Intelligence software from Evidence Talks and rugged hardware—and extended it to mobile devices. The goal: Examine data at a crime scene and collect data on the fly from various storage devices ..”

Larry Dignan, ZD Net, 24 March 2011
http://www.zdnet.com/blog/btl/dell-takes-digital-forensics-mobile/46450 – last access 25 March 2011 – ( Full Article )

/cobramark3


Ways to circumvent shutdown of normal communications

“.. With a tin can, some copper wire and a few dollars’ worth of nuts, bolts and other hardware, a do-it-yourselfer can build a makeshift directional antenna. A mobile phone, souped-up with such an antenna, can talk to a network tower that is dozens of kilometres beyond its normal range (about 5km, or 3 miles).

– snip –

their existence has recently been valuable to the operation of several groups of revolutionaries in Egypt, Libya and elsewhere. To get round government shutdowns of internet and mobile-phone networks, resourceful dissidents have used such makeshift antennae to link their computers and handsets to more orthodox transmission equipment in neighbouring countries.

– snip –

Creative ideas for circumventing cyber-attacks even extend to the redesign of apparently innocent domestic equipment. Kenneth Geers, an American naval-intelligence analyst at a NATO cyberwar unit in Tallinn, Estonia, describes a curious microwave oven. Though still able to cook food, its microwaves (essentially, short radiowaves) are modulated to encode information as though it were a normal radio transmitter. Thus, things turn full circle, for the original microwave oven was based on the magnetron from a military radar. From conflict to domesticity to conflict, then, in a mere six decades ..”

“Unorthodox links to the internet”
Science and Technology, The Guardian UK, 17 March 2011
http://www.economist.com/node/18386151 – last access 23 March 2011 – ( Full Article )

/cobramark3