watching you watching us . .

Software

Securing Freedom, What Tactics Should and Currently are Being Used to Combat Criminal Exploitation of the Internet, and is it Legal or Proportionate ?

A few recent broadcasts not too be missed..

Stephen Grey investigates the use of computer hacking by the police and security agencies to combat criminal exploitation of the internet and asks if it is legal.

“.. RIPA .. range of surveillance powers.. unspecified hardware/software, keyloggers..

software installed on suspect computers could be considered breaking section 3 of Computer Misuse Act, by altering data..

lack of clarity from authorities, Article 8 Human Rights Act, scope of states power must be disclosed and made clear what authorities will or won’t use ..

William Hague, who speaks for the government on computer security issues, said: “Any export of goods that could be used for internal repression is something we would want to stop” .. He also admitted the law governing software exports was a grey area ..”

UK firm denies ‘cyber-spy’ deal with Egypt
Stephen Grey, File on 4, BBC Radio 4, 20 September 2011
http://www.bbc.co.uk/news/technology-14981672 – (Full Broadcast) – last access 23 September 2011

~

Excellently delivered by Eliza, offering public insight into reasons behind securing freedom and perceived hypocrisy.

Her second Reith lecture of 2011, the former director-general of the British Security Service (MI5), Eliza Manningham-Buller, discusses policy priorities since 9/11. She reflects on the Arab Spring, and argues that the West’s support of authoritarian regimes did, to some extent, fuel the growth of al-Qaeda.

The Reith Lectures – Securing Freedom: 2011 : Freedom
Eliza Manningham-Buller, BBC Radio 4, 20 September 2011
http://www.bbc.co.uk/iplayer/episode/p00k4053/The_Reith_Lectures_Eliza_ManninghamBuller_Lecture_3_Freedom/ – (Full Broadcast) – last access 23 September 2011

Her first and the previous Reith Lecture:

The Reith Lectures – Securing Freedom: 2011 : Security
Eliza Manningham-Buller, BBC Radio 4, 13 September 2011
http://www.bbc.co.uk/iplayer/episode/b014fcyw/The_Reith_Lectures_Securing_Freedom_2011_Eliza_ManninghamBuller_Security/ – (Full Broadcast) – last access 23 September 2011

/cobramark3

Advertisements

StarLogger Keylogger Found on New Samsung Laptops

Keylogger software discovered by Mohamed Hassan on two new Samsung laptops…

“.. Samsung installed a commercial keylogger on brand-new laptops to monitor customer usage, the company admitted after a user exposed the practice in a security newsletter.

– snip –

While setting up a new Samsung R525 laptop in early February, Hassan ran a full-system scan using an unnamed “licensed commercial security software” before installing anything else. The scan found two instances of a commercial keylogger, called StarLogger, installed within the Windows directory..

– snip –

A support supervisor then confirmed that Samsung knowingly put this software on the laptop to “monitor the performance of the machine and to find out how it is being used,”

..”

“Samsung installs keylogger on its laptop computers”
M. E. Kabay and Mohamed Hassan Mohamed Hassan, Network World – Security Strategies Alert, 30 March 2011
http://www.networkworld.com/newsletters/sec/2011/032811sec2.html – last access 31 March 2011 – ( Full Article )

“Samsung responds to installation of keylogger on its laptop computers”
M. E. Kabay and Mohamed Hassan Mohamed Hassan, Network World – Security Strategies Alert, 30 March 2011
http://www.networkworld.com/newsletters/sec/2011/040411sec1.html – last access 31 March 2011 – ( Full Article )

“Samsung Installs Stealthy KeyLogger on Brand-New Laptops”
Fahmida Y. Rashid, eWeek, 30 March 2011
http://www.eweek.com/c/a/Security/Samsung-Installs-Stealthy-KeyLogger-on-Brand-New-Laptops-265944 – last access 31 March 2011 – ( Full Article )

/cobramark3


Dell takes digital forensics mobile

“.. Dell on Thursday launched another installment of its digital forensics bundle so law enforcement can collect data faster from crime scenes.

The company took its digital forensic bundle—Spektor Forensic Intelligence software from Evidence Talks and rugged hardware—and extended it to mobile devices. The goal: Examine data at a crime scene and collect data on the fly from various storage devices ..”

Larry Dignan, ZD Net, 24 March 2011
http://www.zdnet.com/blog/btl/dell-takes-digital-forensics-mobile/46450 – last access 25 March 2011 – ( Full Article )

\cobramark3


The Sleuth Kit v3.2.1

New version of Brian Carrier’s TSK released (version 3.2.1), 27 February 2011
http://www.sleuthkit.org/

“.. The Sleuth Kit and Autopsy Browser. Both are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows and Unix systems (such as Linux, OS X, Cygwin, FreeBSD, OpenBSD, and Solaris). They can be used to analyze NTFS, FAT, HFS+, Ext2, Ext3, UFS1, and UFS2 file systems and several volume system types.

The Sleuth Kit (TSK) is a C library and a collection of command line tools. Autopsy is a graphical interface to TSK. TSK can be integrated into automated forensics systems in many ways, including as a C library and by using the SQLite database that it can can create ..”

Brain Carrier, The Sleuth Kit, 27 February 2011
http://www.sleuthkit.org/ – last access 5 March 2011 – ( More Info / Download )

\cobramark3


Stuxnet worm’s true origins ?

Interesting article on the possibile origins of Stuxnet… ?

“.. The worm, Stuxnet, is a Trojan horse said to have disabled Iran’s nuclear weapons program. The New York Times said late last year, “Meanwhile, the search for other clues in the Stuxnet program continues — and so do the theories about its origins.” The Times updated their take on January 15, 2011 calling Stuxnet, “the most sophisticated cyberweapon ever deployed…experts who have picked apart the computer worm describe it as far more complex — and ingenious — than anything they had imagined when it began circulating around the world, unexplained, in mid-2009 ..

– snip –

No one is looking back to a time in the mid-70s, when an obscure program called Promis first reared its head. Promis, according to sources, is at the root of Stuxnet. Promis was a computer program that promised to help US prosecutors track criminals and legal maneuverings through the system, “Prosecutor’s Management Information System.” The people-tracking software was later marketed by a firm named Inslaw, under the auspices of William Hamilton, a former NSA officer who still markets a version of the product today.

– snip –

By the late 1980s, Promis programs had been sold to Britain, Australia, South Korea and Canada. Allies harmless enough, right? But then up next was the KGB. There are multiple claims as to who sold Promis to the Russians. Several, including a source of mine, said it was newspaper mogul Robert Maxwell in assistance to Israel. Another acquaintance, former double agent David Dastych (Polish intell working for the CIA during the Cold War) said that an American intelligence officer admitted to him, “Yes, we gave Promis to the Russians and Chinese to back door their intell. Worked like a charm.” Both claims may overlap. In fact, the KGB is said to have used Promis for over 15 years. At first, there was nothing to suspect since malicious malware had not really been coined. Few back then understood the power of the computer, and so the Trojan horse entered the realms of international espionage, the microscopic spy ..”

Stuxnet worm’s true origins are exposed
PJ Wilcox, worldsecuritynetwork.com / greatreporter.com, 22 February 2011
http://greatreporter.com/mambo/content/view/2014/1/ – last access 3 March 2011 – ( Full Article )

~

Further to this article:

“.. So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed — mission accomplished. That’s easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems ..

this is a directed attack. It’s completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program that it’s trying to infect is actually running on that target. And if not, Stuxnet does nothing ..

And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It’s way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about — round about 15,000 lines of code. Looks pretty much like old-style assembly language ..

The big digital warhead — we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can’t overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, it was a match ..

And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure ..

This attack is generic. It doesn’t have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don’t have — as an attacker — you don’t have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That’s the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They’re in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments ..

My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that’s the United States — fortunately, fortunately. Because otherwise, our problems would even be bigger ..”

Cracking Stuxnet, a 21st-century cyber weapon
Ralph Langner, TED2011, March 2011
http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html – Full Talk

\cobramark3


EnCase EnScript to export MFT slack

Useful EnCase EnScript for extracting contents of Slack space in the MFT from Lance Mueller.

“.. MFT slack, that is, the data that may exist between the end of a logical MFT record and the end of the physical MFT record. A typical MFT record can be anywhere between 400 to 700 bytes in length, but the MFT allocates 1024 bytes for each record. This can cause data to be left from previous records, the same way data remains in file slack at the end of a cluster.

– snip –

The EnScript will process every MFT found in the case. The EnScript only exports data in the MFT record slack area with an ASCII value between 0x20 (space) and 0x7E (tilde). A folder is created in the case default export folder named “MFT Slack” and a file with a record number is created for every MFT record that contains slack. The reason this method was used, was so if you review the exported data and find something of interest, you can quickly map it back to the exact MFT record where it came from. If a MFT record has no data in slack, then no export file is created for that record. ..”

Lance Mueller, ForensicKB, 21 February 2011
http://www.forensickb.com/2011/02/encase-enscript-to-export-mft-slack.html – last access 27 February 2011 – ( Full Article and to download the EnScript )

\cobramark3


Time Stamps on NTFS, examination of the MFT

Interesting article on examining Time Stamps (defeating Timestomp? Filetime ?), in terms of highlighting differences between SI and FN attributes. In this article a Perl script is refered to (previously written by Harlan Carvey) to output results…

“.. Chronological data about the files on a Windows system are stored in something called the Master File Table or $MFT ..

– snip –

there are two places in the MFT that store this chronological data. One is the $Standard_Information ($S_I) attribute, and the other is the $File_Name ($F_N) attribute ..”

Cepogue, The Digital Standard, 23 February 2011
http://thedigitalstandard.blogspot.com/2011_02_01_archive.html – last access 26 February 2011 – ( Full Article )

\cobramark3


Fun and games with Windows FILETIME and how to efficiently detect timestamp alterations

Interesting article by Lance Mueller on Filestamps (NTFS and FAT).

” .. an examiner should be familiar how the time values are stored on NTFS volumes AND the need to examine these dates manually, since many of the common forensic tools do not display the dates with any precision beyond one second, when there is any suspicion of tampering .. ”

Lance Mueller, ForensicKB, 21 January 2011
http://www.forensickb.com/2011/01/fun-and-games-with-windows-filetime-and.html – last access 23 January 2011 – ( Full Article )


DEFT Linux 6 ready for download

DEFT 6 is based on Lubuntu with Kernel 2.6.35 (Light Ubuntu Linux) and DEFT Extra 3.0 (Windows).

deftlinux.net, 11 January 2011
http://www.deftlinux.net/2011/01/11/deft-linux-6-ready-for-download/ – ( More Info )
http://na.mirror.garr.it/mirrors/deft/deft_6.iso – Download ISO

DEFT 6 computer and network forensic packages list:

* sleuthkit 3.2.0, collection of UNIX-based command line tools that allow you to investigate a computer
* autopsy 2.24, graphical interface to the command line digital investigation tools in The Sleuth Kit
* DFF 0.8
* dhash 2.0.1, multi hash tool
* aff lib 3.6.4, advanced forensic format
* disk utility 2.30.1, a partition manager tool
* guymager 0.5.7, a fast and most user friendly forensic imager
* dd rescue 1.14, copy data from one file or block device to another
* dcfldd 1.3.4.1, copy data from one file or block device to another with more functions
* dc3dd 7, patched version of GNU dd to include a number of features useful for computer forensics
* Xmount 0.4.4, convert on-the-fly between multiple input and output hard disk image types
* foremost 1.5.6, console program to recover files based on their headers, footers, and internal data structures
* photorec 6.11, easy carving tool
* mount manager 0.2.6, advanced and user friendly mount manager
* scalpel 1.60, carving tool
* wipe 0.21
* hex dump, combined hex and ascii dump of any file
* outguess 0.2 , a steganography tool
* ophcrack 3.3.0, Windows password recovery
* Xplico 0.6.1 DEFT edition, advanced network analyzer
* Wireshark 1.2.11, network sniffer
* ettercap 0.7.3, network sniffer
* nmap 5.21, the best network scanner
* dmraid, discover software RAID devices
* testdisk 6.11, tool to recover damaged partitions
* ghex, light gtk hex editor
* vinetto 0.6, tool to examine Thumbs.db files
* trID 2.02 DEFT edition, tool to identify file types from their binary signatures
* readpst 0.6.41, a tools to read ms-Outlook pst files
* chkrootkit, Checks for signs of rootkits on the local system
* rkhunter 1.3.4, rootkit, backdoor, sniffer and exploit scanner
* john 1.7.2, john the ripper password cracker
* catfish, file search
* galletta 1.0
* pasco 1.0
* md5sum, sha1sum, sha224sum, sha256sum, sha512sum
* md5deep, sha1deep, sha256deep
* skype log view, skype chat conversation viewer
* Xnview, viewer graphics, picture and photo files
* IE, Mozilla, Opera and Chrome cache viewer
* IE, Mozilla, Opera and Chrome history viewer
* Index.dat file analyzer
* pdfcrack, cracking tool
* fcrackzip, cracking tool
* clam, antivirus 4.15
* mc, UNIX file manager

DEFT extra 3.0: http://www.deftlinux.net/2011/01/11/deft-linux-6-ready-for-download/ – ( More Info )

\cobramark3


Android Forensics Application

“While security on Android phone is pretty decent, applications can (and do) share data.  We take advantage of this sharing (via ContentProviders) and extract the data for forensic purposes.”

Andrew Hoog
Open Source Android Digital Forensics Application, 1st March 2010
http://computer-forensics.sans.org/blog/2010/03/01/open-source-android-digital-forensics-application/

\solarfreek


Independent Research and Reviews of iPhone Forensic Tools

“.. This white paper is intended for forensic analysts, corporations and consumers who want to understand what personal information is stored on the iPhone and how to recover it. The research reveals the vast amount of personal information stored on Apple’s iPhone and reviews techniques and software for retrieving this information. For questions about our research or our services, please contact us.

Note: viaForensics is independent and is not compensated in any way by the makers of the software reviewed in this white paper.

1. About this white paper
2. iPhone Forensics Overview and Techniques
3. Cellebrite UFED
4. FTS iXAM
5. Oxygen Forensic Suite 2010 PRO
6. Micro Systemation XRY
7. Lantern
8. MacLock Pick
9. Black Bag Technology Mobilyze
10. Zdziarski Technique
11. Paraben Device Seizure
12. Mobile Sync Browser
13. CellDEK
14. EnCase Neutrino
15. iPhone Analyzer
16. Overall Rankings
17. Report Conclusions ..”

Andrew Hoog and Katie Strzempka, viaforensics, November 2010
http://viaforensics.com/education/white-papers/iphone-forensics/ – last access 26 November 2010 (Full Article )

\cobramark3


Forensics: Recovering a 12-year old floppy disk with DD

“.. True story. Earlier this year I was handed a 12-year old floppy disk loaded with bad sectors and unmountable due to a missing/corrupted partition table. A lost cause? Nope. DD can still image the raw media, skipping unreadable sectors and padding the output file with zeros to keep file structures intact wherever possible.

I booted up a Helix Live CD and ran:
dcfldd if=/dev/fd0 of=floppy.img bs=4k conv=noerror,sync

After much grinding and hissing, DD finished with a fully intact 1.4MB floppy disk image. Almost made me want to scour through my old floppy collection. Almost ..”

Grep8000.blogspot.com, 9 September 2009
http://grep8000.blogspot.com/2009/09/forensic-recovering-12-year-old-floppy.html – last access 30 September 2010 (Full Article )

\cobramark3