Solid State Drive adoption in computers, tablets and other devices is presenting new challenges to the CF community. A good article by Mike Sheward explains in some depth some of the current forensic concerns and issues with SSDs, with interesting testing and hash results using FTK Imager and a write blocker.
“Rock Solid: Will Digital Forensics Crack SSD’s?”
Mike Sheward, 5 January 2012
http://resources.infosecinstitute.com/ssd-forensics/ – last access 23 January 2012 – ( Full Article )
A current article in The Economist discusses a paper published (and previously mentioned on CFL): Click Trajectories: End-to-End Analysis of the Spam Value Chain (PDF).
Snippets of the Economist article “.. well-worn assertion is that cybercrime revenues exceed those from the global trade in illegal drugs..
In the absence of figures from the practitioners, experts tend to fall back on surveys of victims, often compiled by firms that sell security software..
Few cybercrime surveys cite the methodology they used..
Stefan Savage, Mr Kanich’s PhD supervisor, says that the security industry sometimes plays “fast and loose” with the numbers, because it has an interest in “telling people that the sky is falling”..
in the grand scheme of criminal threats, hacker kingpins do not appear to be on a par with Colombian drug lords..”
Measuring the black web
Cybercrime, The Economist, 15 October 2011 (Print Article)
http://www.economist.com/node/21532263 – (Full Online Article) – last access 14 October 2011
I beg the question: a definition of the “Black web”?
New CESG initiative builds on IISP Skills Framework in drive for greater professionalism in Information Assurance
“.. As part of the UK Government’s investment in cyber security, a consortium comprising the IISP (Institute of Information Security Professionals), CREST (Council for Registered Ethical Security Testers) and Royal Holloway’s Information Security Group (ISG) has been appointed by CESG to provide certification for UK Government Information Assurance (IA) professionals. The consortium has been awarded a licence to issue the CESG Certified Professional Mark based on the IISP Skills Framework, as part of a certification scheme driven by CESG, the IA arm of GCHQ ..
step forward in professionalising key Information Assurance roles needed by the public sector. It is also an important development along the path of securing the UK against cyber attack and protecting government and individuals’ data. CESG looks forward to continuing close co-operation with the IISP, CREST and Royal Holloway in delivering this IA Certification Service ..”
New CESG initiative builds on IISP Skills Framework in drive for greater professionalism in Information Assurance
PR-Inside, 22 September 2011
http://www.pr-inside.com/new-cesg-initiative-builds-on-iisp-r2823053.htm – last access 23 September 2011 – (Full article)
New CESG initiative builds on IISP Skills Framework
Forensic Focus, 22 September 2011
http://www.forensicfocus.com/index.php?name=News&file=article&sid=1730 – last access 23 September 2011 – (Full article)
“.. In the UK, the introduction of malware is covered by section 3 of the Computer Misuse Act . The Act states that a crime is committed if a person “does any act which causes an unauthorized modification of the contents of any computer” and the perpetrator intends to “cause a modification of the contents of any computer” which may “impair the operation of any computer”, “prevent or hinder access to any program or data held in any computer” or “impair the operation of any such program or the reliability of any such data” ..
Malware is generally distributed unintentionally subsequent to its initial creation. Thus an ICP or an ISP would not be found criminally liable under either the Computer Fraud and Abuse Act or the Computer Misuse Act for most cases of dissemination ..”
What the Law Says about Distributing a Virus or Malware
Craig S Wright, InfoSec Island, 20 September 2011
https://www.infosecisland.com/blogview/16567-What-the-Law-Says-about-Distributing-a-Virus-or-Malware.html – last access 22 September 2011 – (Full article)
“.. The Japanese parliament has quietly passed legislation to make the creation or distribution of a virus or similar malware a criminal offense ..
the distribution of a virus created, for example, in the US, in Japan by a Japanese citizen, would come within the scope of the criminal law ..
what happens if the malware distribution takes place without the knowledge of the user of the computer, such as when a botnet is involved..
Legislators in Japan are less concerned about the semantics, however, as they say this is the country’s response to support the International Convention on Cybercrime, a treaty ratified by more than 30 countries and which mandates international co-operation in investigating crimes in cyberspace ..”
Creating or distributing malware in Japan is now a crime
InfoSecurity Magazine, 20 June 2011
http://www.infosecurity-magazine.com/view/18782/creating-or-distributing-malware-in-japan-is-now-a-crime/ – last access 22 September 2011 – (Full article)
“This is a review (“the review”) conducted at the request of and for the Lord Chief Justice, prompted by concerns as to the operation of the disclosure regime contained in the Criminal Procedure and Investigations Act 1996, as amended (“the CPIA”).”
Review of Disclosure in Criminal Proceedings (Judiciary of England and Wales)
The Rt Hon. Lord Justice Gross
The Society has announced the extension of its accreditation scheme to include two new Component Standards to address digital forensics:
- Computer Network Evidence Recovery and Analysis
- Digital Evidence Analysis Recovery and Preservation
These two new Standards plus the Core Standard of Interpretation, Evaluation and Presentation of Evidence (IEPE) make up the new Digital Component Standards.
Launch event in the afternoon on 19th October 2011:
Apart from modifying and hiding files, registry entries, processes and so on from detection software, rootkits often also modify memory. Anti-rootkit tools inspect memory areas in an attempt to identify such modifications and flag them.
This particular rootkit also modifies memory so that detection software does not get access to the actual contents. The technique is not new; however, this is the first instance found in the wild and being adopted by malware authors.
“.. a new rootkit appeared that at first glance seemed more similar to initial variants of TDL3 than to the updated TDL4 variants we have seen this year. Like TDL3, it also parasitically infected a driver by inserting code in the resource directory of the PE file. In this case the name of the file it infected was hard-coded to volsnap.sys. Also similar to the early variants of TDL3, this rootkit also hooked some pointers in the dispatch table (IRP hook) of the driver below disk on the device stack of the hard disk.
But it was very interesting to see some of the anti-rootkit tools not showing the dispatch table hooks that are usually pretty straightforward to identify. Also this malware would not allow an external debugger (WinDbg) to break.
The reason for hooks not being reported was that the memory being read by the tools was not the actual memory ..”
“Memory Forging Attempt by a Rootkit”
Rachit Mathur, McAfee Blog Center, 21 April 2011
http://blogs.mcafee.com/mcafee-labs/memory-forging-attempt-by-a-rootkit – last access 8 June 2011 – ( Full Article )
Interesting publication of a paper at the IEEE Symposium on Security and Privacy 2011 (California). The research (involving 15 authors) investigated purchasing spam-advertised products and, amongst other things, focused on tracing the payments.
“.. The paper performs holistic analysis that quantifies the full set of resources employed to monetize spam email—including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. We relate these resources to the organizations who administer them and then use this data to characterize the relative prospects for defensive interventions at each link in the spam value chain. In particular, we provide the first strong evidence of payment bottlenecks in the spam value chain; 95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks ..
the so-called “spam value chain” involves botnets, domain registration, name server provisioning, hosting services, and proxy services ..
spammers must also process orders, which requires “payment processing, merchant bank accounts, customer service, and fulfillment.” ..
95% of spam-advertised pharmaceutical, replica, and software products are monetized using merchant services from just a handful of banks ..
13 banks handling 95% of the 76 orders for which they received transaction information .. just three banks handled the majority of transactions: Azerigazbank in Azerbaijan, DnB NOR in Latvia (although the bank is headquartered in Norway), and St. Kitts-Nevis-Anguilla National Bank in the Caribbean ..
all software orders and 85% of pharmaceutical orders used the correct Visa “Merchant Category Code,” which identifies what’s been sold. “A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered ‘laundering’ high-risk goods,” ..
orders were fulfilled from 13 suppliers in four countries: the United States–Massachusetts, Utah, and Washington, all for herbal purchases, as well as West Virginia for pharmaceuticals–plus India, China, and New Zealand. Most pharmaceuticals came from India, while most herbal products came from the United States, likely due to weak regulations ..”
“3 Banks Service Majority Of Spam-Driven Sales”
Mathew J. Schwartz, InformationWeek 25 May 2011
http://www.informationweek.com/news/security/client/229625599 – last access 8 June 2011 – ( Full Article )
“Click Trajectories: End-to-End Analysis of the Spam Value Chain”
Kirill Levchenko et al., IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011
http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf – last access 8 June 2011 – ( Full Journal )
Interesting article in Time regarding IMF chief Dominique Strauss-Kahn, who is currently on bail in New York. Is this to be a new development in digital forensic services?
“..IMF chief Dominique Strauss-Kahn on bail was moved from temporary lodgings on lower Broadway to a large townhouse in Tribeca. Keeping watch over him will be multiple “armed monitors” courtesy of security firm Stroz Friedberg.
– snip –
terms of Strauss-Kahn’s bail order, filed with the New York State Supreme Court on May 20, DSK is “confined to home detention 24 hours per day at an address in Manhattan.” He is permitted to leave the home only for court appearances, medical and legal appointments and religious observances, and the court must have six hours notice.
The people responsible for ensuring Strauss-Kahn’s compliance work for Stroz Friedberg LLC, a cyber security and computer forensics firm. According to “in-home detention protocols” prepared by the company, Stroz Friedberg employees will monitor Strauss-Kahn 24 hours a day, maintain a log of all visitors, search all visitors for weapon and have sole discretion to limit the type and number of visitors to DSK’s residence, along with any other measures that “may be required to prevent flight.”
– snip –
Stroz Friedberg previously kept watch over Bernard Madoff (2009). Ed Stroz made sure to emphasize this is not the firm’s “core expertise,” but rather a sideline business that coincidentally presented itself.
– snip –
Although the Strauss-Kahn case has kept them in the news, Stroz sees digital and cyber security as the most important growth area for the firm in the coming years.
– snip –
Stroz says, “but we’re kind of evolving into the firm you have to have if you’re a serious industry out there. Who isn’t at risk for litigation, regulatory scrutiny, trade secret theft, insider problems? And when that happens, that is not a normal business issue. And you don’t get good at this unless you’re kind of a jungle cat out there seeing things.”
“Who’s Keeping an Eye on Strauss-Kahn?”
Nate Rawlings, TIME, 26 May 2011
http://www.time.com/time/nation/article/0,8599,2074075,00.html – last access 27 May 2011 – ( Full Article )
Snippets of a recent article in the New Scientist..
“.. hide data on a hard drive without using encryption. Instead of using a cipher to scramble text, the method involves manipulating the location of data fragments.
– snip –
..possible to encode a 20-megabyte message on a 160-gigabyte portable hard drive. It hides data so well that its existence would be “unreasonably complex” to detect
– snip –
Encryption .. shows someone might have something to hide..
– snip –
steganography, hiding data in plain sight.. But these techniques are well known and easily detected, says Khan. So, with colleagues at the National University of Science and Technology in Islamabad, Pakistan, he has developed an alternative.
Their technique exploits the way hard drives store file data in numerous small chunks, called clusters. The operating system stores these clusters all over the disc, wherever there is free space between fragments of other files.
Khan and his colleagues have written software that ensures clusters of a file, rather than being positioned at the whim of the disc drive controller chip, as is usually the case, are positioned according to a code. All the person at the other end needs to know is which file’s cluster positions have been encoded.
The code depends on whether sequential clusters in a file are situated adjacent to each other on the hard disc or not. If they are adjacent, this corresponds to a binary 1 in the secret message. If sequential clusters are stored in different places on the disc, this encodes a binary 0 (Computers and Security, DOI: 10.1016/j.cose.2010.10.005). The recipient then uses the same software to tell them the file’s cluster positions, and hence the message. The researchers intend to make their software open source.
“An investigator can’t tell the cluster fragmentation pattern is intentional- it looks like what you’d get after addition and deletion of files over time,” says Khan. Tests show the technique works, as long as none of the files on the hard disc are modified before handover.
“The real strength of this technique is that even a completely full drive can still have secret data added to it – simply by rearranging the clusters,” adds Khan.
Others are impressed with the technique but see limitations.
“This type of steganography could be used by spies, police or informants – but the risk is that it requires direct contact to physically exchange the USB device containing the secret data,” says Wojciech Mazurczyk, a steganographer at Warsaw University of Technology in Poland. “So it lacks the flexibility of internet steganography. Once you embed the secret data on the disk it is not easy to modify it.”
– snip –
“It’s how security vulnerability disclosure works,” says Khan. “We have identified that this is possible. Now security agencies can devise techniques to detect it.” He adds that his team have had no issues with either US or Pakistani security agencies over their development of this secret medium – despite current political tensions between the two nations.
“The use of steganographic techniques like this is likely to increase,” says Fred Piper, director of information security at Royal Holloway, University of London. “Eavesdroppers can learn much from the fact that somebody is encrypting a message.”
“Covert hard drive fragmentation embeds a spy’s secrets”
Paul Marks, New Scientist.com, 21 April 2011
http://www.newscientist.com/article/mg21028095.200-covert-hard-drive-fragmentation-embeds-a-spys-secrets.html – last access 29 April 2011 – ( Full Article )
“.. A man wrongly accused in Britain’s largest ever child pornography investigation has won damages in the High Court after an eight-year legal battle.
Jeremy Clifford, 51, from Watford, was arrested and falsely charged in 2003 as part of Operation Ore. His credit card details had been found among those of thousands of British people on a list maintained by Landslide, a commercial provider of illegal pornography based in the US.
Hertfordshire Constabulary seized a computer that had belonged to Mr Clifford and discovered 10 illegal thumbnail images in its temporary internet files folder.
However, a senior High Court judge found on Friday that the arresting officer had been told by a computer forensics expert that the images were not sufficient evidence to charge.
“The images could have been received unsolicited by and even without the knowledge of the operator of the computer, for example as ‘pop-ups’,” said Mr Justice Mackay.
Despite this, the officer, Detective Constable Brian Hopkins, pressed three charges of possession of indecent images of children. Mr Justice Mackay said he cut a “rather pathetic figure” in the witness box, having initially claimed he could not give evidence because of a psychiatric condition.
– snip –
The finding was based on evidence the court heard from an internal investigation launched after Mr Clifford was formally cleared of all the allegations before trial. It found that Hertfordshire Constabulary’s forensics expert, George Fouhey, had advised against pressing charges ..”
“Judge hits police with massive bill over false Operation Ore charges”
Court correspondent, Policing, The Register UK, 4 April 2011
http://www.theregister.co.uk/2011/04/04/operation_ore_suspect_wins_damages/ – last access 5 April 2011 – ( Full Article )
“.. SSDs are different. Writing a virgin cell merely requires a write cycle. Rewriting a cell requires two cycles: an erase cycle and a write cycle. The erase cycle is governed by the physics, and takes time. Performance is improved by “pre-clearing” no longer needed cells (e.g., free space on the disk) during otherwise unused device cycles.
– snip –
A recent paper from Graeme Bell and Richard Boddington of Murdoch University in Perth, Solid State Drives: The Beginning of the End for Current Practices of Digital Forensic Recovery, documented several consequences of this implementation approach with respect to standard best practices for digital forensic acquisitions. In short, the autonomous pre-clearing function rendered free space unrecoverable on short order from the time that the drive was powered-on.
– snip –
As noted by Bell and Boddington, the automatic nature of the resetting function on space determined by the controller to be unallocated has several implications for standard forensics procedures:
- data in unallocated space will quickly disappear on such a device (Quick format will actually cause the drive contents to be erased on short order)
- the data recorded by a forensic acquisition with a write-blocker will be inconsistent with a subsequent acquisition until the reset process has completed. The cryptographic checksums (e.g., MD-5, SHA-1) generated on successive acquisitions will thus be inconsistent ..”
“Solid-State Disk Behavior Underlying Digital Forensics”
Robert Gezelter, InfoSecIsland.com , 7 March 2011
https://www.infosecisland.com/blogview/12375-Solid-State-Disk-Behavior-Underlying-Digital-Forensics.html – last access 1 April 2011 – ( Full Article )
“Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?”
Graeme B. Bell and Richard Boddington, 2010
Journal of Digital Forensics, Security and Law, Vol. 5(3)
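The hash inconsistency described above (and in the Sheward article at the top of the page) is easier to reason about when the two acquisitions are compared block by block rather than by whole-image hash. This added example, not from any of the cited articles, localises the differing blocks and separates those that became all-zero (consistent with the controller pre-clearing unallocated space) from those whose content was rewritten to something else, which pre-clearing does not explain. The sample images, block size and block numbers are constructed assumptions.

```python
"""Block-level comparison of two successive acquisitions of one drive.
Added illustration.  The images are built in memory; on real evidence
they would be image files read in BLOCK_SIZE chunks."""

import hashlib

BLOCK_SIZE = 512  # comparison granularity (assumed sector size)


def image_hash(image, algo="sha1"):
    """Whole-image digest, as an imaging tool would report."""
    return hashlib.new(algo, image).hexdigest()


def region_hash(image, first_block, nblocks, algo="sha1"):
    """Digest of a block range, so stable allocated regions can still be
    verified between acquisitions even when the whole-image hash moves."""
    start = first_block * BLOCK_SIZE
    return hashlib.new(algo, image[start:start + nblocks * BLOCK_SIZE]).hexdigest()


def changed_blocks(first, second):
    """Yield (block_index, before, after) for every differing block.  A
    write-blocked acquisition of the same device must not change size."""
    if len(first) != len(second):
        raise ValueError("acquisitions differ in size")
    for off in range(0, len(first), BLOCK_SIZE):
        a, b = first[off:off + BLOCK_SIZE], second[off:off + BLOCK_SIZE]
        if a != b:
            yield off // BLOCK_SIZE, a, b


def classify_changes(first, second):
    """Split differing blocks into those that became all-zero (what
    pre-clearing of unallocated space looks like) and those rewritten
    with other content (not explained by pre-clearing; examine these)."""
    zeroed, rewritten = [], []
    for idx, _before, after in changed_blocks(first, second):
        (zeroed if after == bytes(BLOCK_SIZE) else rewritten).append(idx)
    return {"zeroed": zeroed, "rewritten": rewritten}


def build_sample_images():
    """Constructed sample: a 16-block 'drive'.  In the second acquisition
    blocks 5-7 (deleted file data) have been zeroed by the controller and
    block 12 holds different content."""
    blocks = [bytes([i + 1]) * BLOCK_SIZE for i in range(16)]
    first = b"".join(blocks)
    later = list(blocks)
    for i in (5, 6, 7):
        later[i] = bytes(BLOCK_SIZE)
    later[12] = b"\xAA" * BLOCK_SIZE
    return first, b"".join(later)


if __name__ == "__main__":
    img1, img2 = build_sample_images()
    print("image hashes equal:", image_hash(img1) == image_hash(img2))
    print("blocks 0-4 equal:", region_hash(img1, 0, 5) == region_hash(img2, 0, 5))
    print(classify_changes(img1, img2))
```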
Keylogger software discovered by Mohamed Hassan on two new Samsung laptops…
“.. Samsung installed a commercial keylogger on brand-new laptops to monitor customer usage, the company admitted after a user exposed the practice in a security newsletter.
– snip –
While setting up a new Samsung R525 laptop in early February, Hassan ran a full-system scan using an unnamed “licensed commercial security software” before installing anything else. The scan found two instances of a commercial keylogger, called StarLogger, installed within the Windows directory..
– snip –
A support supervisor then confirmed that Samsung knowingly put this software on the laptop to “monitor the performance of the machine and to find out how it is being used,”
“Samsung installs keylogger on its laptop computers”
M. E. Kabay and Mohamed Hassan, Network World – Security Strategies Alert, 30 March 2011
http://www.networkworld.com/newsletters/sec/2011/032811sec2.html – last access 31 March 2011 – ( Full Article )
“Samsung responds to installation of keylogger on its laptop computers”
M. E. Kabay and Mohamed Hassan, Network World – Security Strategies Alert, 30 March 2011
http://www.networkworld.com/newsletters/sec/2011/040411sec1.html – last access 31 March 2011 – ( Full Article )
“Samsung Installs Stealthy KeyLogger on Brand-New Laptops”
Fahmida Y. Rashid, eWeek, 30 March 2011
http://www.eweek.com/c/a/Security/Samsung-Installs-Stealthy-KeyLogger-on-Brand-New-Laptops-265944 – last access 31 March 2011 – ( Full Article )
“.. Dell on Thursday launched another installment of its digital forensics bundle so law enforcement can collect data faster from crime scenes.
The company took its digital forensic bundle—Spektor Forensic Intelligence software from Evidence Talks and rugged hardware—and extended it to mobile devices. The goal: Examine data at a crime scene and collect data on the fly from various storage devices ..”
Larry Dignan, ZD Net, 24 March 2011
http://www.zdnet.com/blog/btl/dell-takes-digital-forensics-mobile/46450 – last access 25 March 2011 – ( Full Article )
New version of Brian Carrier’s TSK released (version 3.2.1), 27 February 2011
“.. The Sleuth Kit and Autopsy Browser. Both are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows and Unix systems (such as Linux, OS X, Cygwin, FreeBSD, OpenBSD, and Solaris). They can be used to analyze NTFS, FAT, HFS+, Ext2, Ext3, UFS1, and UFS2 file systems and several volume system types.
The Sleuth Kit (TSK) is a C library and a collection of command line tools. Autopsy is a graphical interface to TSK. TSK can be integrated into automated forensics systems in many ways, including as a C library and by using the SQLite database that it can create ..”
Brian Carrier, The Sleuth Kit, 27 February 2011
http://www.sleuthkit.org/ – last access 5 March 2011 – ( More Info / Download )
Interesting article on the possible origins of Stuxnet…?
“.. The worm, Stuxnet, is a Trojan horse said to have disabled Iran’s nuclear weapons program. The New York Times said late last year, “Meanwhile, the search for other clues in the Stuxnet program continues — and so do the theories about its origins.” The Times updated their take on January 15, 2011 calling Stuxnet, “the most sophisticated cyberweapon ever deployed…experts who have picked apart the computer worm describe it as far more complex — and ingenious — than anything they had imagined when it began circulating around the world, unexplained, in mid-2009 ..
– snip –
No one is looking back to a time in the mid-70s, when an obscure program called Promis first reared its head. Promis, according to sources, is at the root of Stuxnet. Promis was a computer program that promised to help US prosecutors track criminals and legal maneuverings through the system, “Prosecutor’s Management Information System.” The people-tracking software was later marketed by a firm named Inslaw, under the auspices of William Hamilton, a former NSA officer who still markets a version of the product today.
– snip –
By the late 1980s, Promis programs had been sold to Britain, Australia, South Korea and Canada. Allies harmless enough, right? But then up next was the KGB. There are multiple claims as to who sold Promis to the Russians. Several, including a source of mine, said it was newspaper mogul Robert Maxwell in assistance to Israel. Another acquaintance, former double agent David Dastych (Polish intell working for the CIA during the Cold War) said that an American intelligence officer admitted to him, “Yes, we gave Promis to the Russians and Chinese to back door their intell. Worked like a charm.” Both claims may overlap. In fact, the KGB is said to have used Promis for over 15 years. At first, there was nothing to suspect since malicious malware had not really been coined. Few back then understood the power of the computer, and so the Trojan horse entered the realms of international espionage, the microscopic spy ..”
Stuxnet worm’s true origins are exposed
PJ Wilcox, worldsecuritynetwork.com / greatreporter.com, 22 February 2011
http://greatreporter.com/mambo/content/view/2014/1/ – last access 3 March 2011 – ( Full Article )
Further to this article:
“.. So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed — mission accomplished. That’s easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems ..
this is a directed attack. It’s completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program that it’s trying to infect is actually running on that target. And if not, Stuxnet does nothing ..
And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It’s way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about — round about 15,000 lines of code. Looks pretty much like old-style assembly language ..
The big digital warhead — we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can’t overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, it was a match ..
And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure ..
This attack is generic. It doesn’t have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don’t have — as an attacker — you don’t have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That’s the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They’re in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments ..
My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that’s the United States — fortunately, fortunately. Because otherwise, our problems would even be bigger ..”
Cracking Stuxnet, a 21st-century cyber weapon
Ralph Langner, TED2011, March 2011
http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html – Full Talk
Useful EnCase EnScript from Lance Mueller for extracting the contents of slack space in the MFT.
“.. MFT slack, that is, the data that may exist between the end of a logical MFT record and the end of the physical MFT record. A typical MFT record can be anywhere between 400 to 700 bytes in length, but the MFT allocates 1024 bytes for each record. This can cause data to be left from previous records, the same way data remains in file slack at the end of a cluster.
– snip –
The EnScript will process every MFT found in the case. The EnScript only exports data in the MFT record slack area with an ASCII value between 0x20 (space) and 0x7E (tilde). A folder is created in the case default export folder named “MFT Slack” and a file with a record number is created for every MFT record that contains slack. The reason this method was used was so that if you review the exported data and find something of interest, you can quickly map it back to the exact MFT record where it came from. If an MFT record has no data in slack, then no export file is created for that record. ..”
Lance Mueller, ForensicKB, 21 February 2011
http://www.forensickb.com/2011/02/encase-enscript-to-export-mft-slack.html – last access 27 February 2011 – ( Full Article and to download the EnScript )
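The same idea as the EnScript, re-implemented as an added Python example (not Lance Mueller's code): walk a raw $MFT in 1024-byte FILE records, take the bytes between each record's "used size" and "allocated size" header fields, keep only ASCII 0x20 to 0x7E, and key the result by record number so a hit maps back to its record. The $MFT content, the record layout helper and the 1024-byte record size are constructed assumptions.

```python
"""Extract printable MFT record slack from a raw $MFT.  Added illustration.
Assumes 1024-byte FILE records (RECORD_SIZE would be 4096 on a volume
formatted with 4 KiB records).  Update sequence fixups are not applied,
which only affects the last two bytes of each 512-byte sector."""

import struct

RECORD_SIZE = 1024


def record_slack(record):
    """Slack bytes of one FILE record, or b'' if it is not a usable FILE
    record.  Header fields used: 'FILE' signature at 0x00, used size of
    record (uint32 LE) at 0x18, allocated size of record at 0x1C."""
    if len(record) < 0x20 or record[:4] != b"FILE":
        return b""
    used, allocated = struct.unpack_from("<II", record, 0x18)
    if used > allocated or allocated > len(record):
        return b""  # corrupt header: do not trust the sizes
    return record[used:allocated]


def printable_ascii(data):
    """Keep only 0x20 (space) .. 0x7E (tilde), as the EnScript does."""
    return bytes(b for b in data if 0x20 <= b <= 0x7E).decode("ascii")


def export_mft_slack(mft_bytes):
    """Map MFT record number -> printable slack text.  Records with no
    printable slack are omitted, mirroring the EnScript's per-record
    export files."""
    hits = {}
    for n in range(len(mft_bytes) // RECORD_SIZE):
        rec = mft_bytes[n * RECORD_SIZE:(n + 1) * RECORD_SIZE]
        text = printable_ascii(record_slack(rec))
        if text:
            hits[n] = text
    return hits


def make_record(used_size, slack_payload=b""):
    """Constructed FILE record: plausible header, zero-filled body up to
    used_size, then slack_payload in the slack area (test data only)."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)          # fixup offset, count
    struct.pack_into("<HH", rec, 0x14, 0x38, 1)          # first attr, in-use
    struct.pack_into("<II", rec, 0x18, used_size, RECORD_SIZE)
    rec[used_size:used_size + len(slack_payload)] = slack_payload
    return bytes(rec)


# Constructed $MFT: record 0 has clean slack, record 1 carries remnants
# of an earlier record, record 2 is an unused (non-FILE) record.
SAMPLE_MFT = b"".join([
    make_record(0x1A8),
    make_record(0x1F0, b"old\x00name.txt\x00\x01\x02C:\\Users\\x"),
    bytes(RECORD_SIZE),
])


if __name__ == "__main__":
    for num, text in export_mft_slack(SAMPLE_MFT).items():
        print(f"MFT record {num}: {text!r}")
```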
Interesting article in The Atlantic from the perspective of a Chinese student…
“.. Stuxnet is a computer worm that gained notoriety in 2010 as it took down about one fifth of Iran’s nuclear centrifuges. The New York Times describes it as may be “the most sophisticated cyberweapon ever deployed”. Many experts believe that it was developed by either the United States or Israel. And the official Chinese media asserted that Stuxnet is a joint U.S.-Israel project. (Interestingly, to lend itself credibility, one news report from the leading Chinese news agency is entitled “New York Times Confirms U.S.-Israel Development of Computer Worm Targeted at Iran”.)
Does the United States’ (possible) active use of cyber weapons legitimize their use by other countries? And more pertinent to my concern, is China’s insistence on the United States’ involvement in Stuxnet a sign of Beijing’s intention to capitalize on the legitimacy conferred by Stuxnet?
– snip –
Cyber attacks from China have been going on for more than a decade. The high-profile Titan Rain and Operation Aurora made it clear that networks belonging to the U.S. government, the defense industry, and other companies have suffered large-scale, sustained and highly sophisticated cyber attacks from computers located in China, though Beijing has denied any involvement. As with Stuxnet, the nature of cyber attacks makes it hard to trace to their origin, and even if an origin is found, there is no international legal authority that could hold the state responsible for the cyber activities of its individuals. The states can plead “plausible deniability” which is what makes it possible for many cyber attackers to operate with impunity, as seen in the case of Russian attacks on Estonia.
Regarding the China threat, many American security experts worry that in a dispute over Taiwan, China would disable and exploit U.S. computer networks. But some, like James Mulvenon, Deputy Director of Defense Group and a specialist on the Chinese military, go further to say that he observed a potential expansion of the People’s Liberation Army’s (PLA) intrusion set. He argues that the list of targets for both computer network exploitation and attack activities would encompass a wide range of countries and regions, including the East and South China Seas.
Moreover, experts point to China’s systematic training of its cyber warriors and its recruitment strategy. The cyber warriors are firstly trained in military institutions such as the PLA National University of Defense Technology, which built the “Tianhe 1A” supercomputer that surpassed U.S.’ Cray XT5 Jaguar as the world’s fastest computer by a large margin at the end of last year. Second, the PLA has included computer network operations (CNOs) in its military exercises since 2005 and aims at disabling target networks with its first attacks, according to Dr. Zheng Dacheng, a Taiwanese expert on the Chinese military.
In addition to trained cyber warriors, China can fully utilize the talents of its civilians who require the kind of security clearance for which only about 20% of U.S. population would qualify if the same cyber missions were carried out by United States, according to Kevin G. Coleman, security technology expert at Technolytics Institute.
– snip –
China’s efforts in cyber space have mainly been internally rather than externally focused. This would support the regime’s main concern of domestic stability, rather than an intensified confrontation with a foreign entity.
Chinese citizens’ limited access to foreign websites is often seen as one of the defenses China has in a future cyber war scenario. Aside from the infamous Great Firewall, China has only nine ports through which the Chinese Internet is connected to the foreign Internet (as last reported in 2008, after which all information on this has been withheld). Therefore, it is conceivable that China could cut itself off from the Internet and operate a de facto intranet. However, it also means that in the case of a large-scale outbreak of domestic instability, the government can cut its people off from the outside world (as happened in Egypt).
If the first use is the main purpose of China’s cyber setup, then the defense effort would be severely undermined because the government and big state-owned-enterprises are whitelisted to have full and unrestricted access to foreign networks, and many big private firms use satellite or microwave connections which do not go through the state’s control mechanism, thus they will not be effectively immune from a cyber attack.
The domestically-focused use of this cyber structure actually occurred in Xinjiang after the July 2009 riots, when the Internet was shut down for 10 months. In fact, the National Defense Mobilization Law, enacted in July 2010, stipulates that the state has broad authority in times of national defense mobilization and can, according to Article 63(1), take control of the telecommunication industry, the media, the information networks, and the energy and water supply systems, among other things.
– snip –
Perhaps most importantly, however, the United States is not vulnerable because of threats from China, but because it has done a poor job of building cyber-defenses. Recall the embarrassment when the Pentagon revealed last December that live video feeds from its $4.5 million Predator drones were hijacked using $26 software downloaded from the Internet. Regardless of what China does or intends to do, if the United States does not take appropriate measures to defend itself, then it would continue to be exposed to threats from various state and non-state actors.
Currently, with Cyber Command protecting the military networks and DHS protecting the rest of the government, everyone else is left on their own, and America’s critical infrastructures are not getting the best security technology this country has to offer. In China, however, cyber security has increasingly become a huge business. It has now contracted out the network security of the government and other crucial state-owned enterprises to (semi-)private security firms: Venus Tech is responsible for the network security of the Ministry of Finance, National Grid, Civil Aviation Administration, etc.; NSFOCUS secures China Telecom, National People’s Congress, etc.; Feitian is responsible for securing Bank of China, the State Secrets Bureau, Ministry of Commerce, Sinopec, etc.; and Zhonghangjiaxin develops security systems for part of the People’s Liberation Army’s General Staff Department and the Headquarters of the Armed Police ..”
Ella Chou, The Atlantic, 8 February 2011
http://www.theatlantic.com/technology/archive/2011/02/us-china-cyber-war-scenario-in-the-eyes-of-a-chinese-student/70855/ – last access 9 February 2011 – ( Full Article )
FBI serves 40 search warrants in Anonymous crackdown – coincided with the arrests of five UK youths accused of participating in the DDoS spree
“.. FBI agents executed more than 40 search warrants on Thursday as part of an investigation into coordinated web attacks carried out by the hacking collective known as Anonymous. The search warrants coincided with the early morning arrests of five UK youths accused of participating in the DDoS spree.
Word of the crackdown first surfaced in the US four weeks ago. Metropolitan Police in the UK confirmed their investigation in mid December.
“The FBI also is reminding the public that facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability,” the agency said in a press release.
Thursday’s arrests were part of an international police probe carried out by law enforcement agencies throughout Europe and the US. A French official told the Associated Press that a 15-year-old suspected of masterminding the attacks was arrested in December. The unidentified teen has since been released, but his computer was confiscated.
That same month, a 16-year-old boy in the Netherlands was arrested for allegedly carrying out attacks on Visa and MasterCard after the credit card companies stopped processing payments to WikiLeaks.
Researchers have said members of Anonymous modified a piece of open-source software to create what they call the Low Orbit Ion Cannon. The tool allows large groups of online protestors to simultaneously unleash torrents of data on websites they want to bring down ..”
Dan Goodin, The Register UK, 28 January 2011
http://www.theregister.co.uk/2011/01/28/fbi_crackdown_on_anonymous/ – last access 2 February 2011 – ( Full Article )
Reports of the London Stock Exchange investigating cyber attacks. It is not clear whether these are isolated or related incidents, nor whether it was an inside job or simply a bug..
” .. The British and United States stock exchanges have reportedly enlisted the help of the security services after finding out they were the victims of cyber attacks.
According to media reports, the London Stock Exchange (LSE) is investigating a terrorist cyber attack on its headquarters last year, while US officials have traced an attack on one of its exchanges to Russia.
A report from The Times said that it had been told by ‘well-placed intelligence sources’ that the London Stock Exchange was trying to find the source of the attack, while a cyber security expert is reported as saying that the threat is ‘advanced and persistent’.
The Associated Press said that officials suspect the attacks were designed to spread panic among markets and destabilise western financial institutions .. ”
SCmagazine UK, Dan Raywood, 1 February 2011
http://www.scmagazineuk.com/stock-exchanges-in-the-uk-and-us-come-under-advanced-and-persistent-attack/article/195398/ – last access 2 February 2011 – ( Full Article )
– snip –
” .. GCHQ director Iain Lobban said last year that worms have already been designed to cause significant disruption to government systems, while former White House security advisor Richard Clarke told the RSA Conference Europe that the US and UK are woefully underprepared for an attack on critical infrastructure.
Uri Rivner, head of new technologies at RSA Security speculated that the attack may have been an inside job .. ”
Phil Muncaster, V3.co.uk, 31 January 2011
http://www.v3.co.uk/v3/news/2274505/london-stock-exchange-cyber#ixzz1CpKtEy18 – last access 2 February 2011 – ( Full Article )
Another fine article picked out by Bruce Schneier in the last issue of Crypto-Gram.
An interesting story on Brandon Mayfield, in particular what happened to him. Mayfield being a lawyer, had the Algerian not come to light it might have proved a very interesting case. Some snippets and a link to the full article below:
” .. If the Shoe Print Fits
– snip –
On 6 May 2004, a Portland, Oregon, lawyer named Brandon Mayfield was arrested for his alleged involvement in the terrorist bombings of four commuter trains in Madrid. The attacks killed 191 people and injured 2000 others. But Mayfield had never been to Spain, and his passport at the time was expired. The sole evidence against him was a partial fingerprint found on a plastic bag in a van used by the bombers. The FBI’s Integrated Automated Fingerprint Identification System had identified Mayfield as a possible match, and three FBI fingerprint experts as well as an outside analyst confirmed the identification.
– snip –
The analysts knew that Mayfield had converted to Islam, was married to an Egyptian woman, and had once represented a man in a child custody case who later turned out to be part of a jihadist group. That information swayed the FBI inquiry in Mayfield’s direction.
– snip –
Spanish authorities, however, argued that the fingerprint belonged not to Mayfield but to an Algerian with a criminal record, Spanish residency, and terrorist links. They were right. It took almost three weeks from his arrest, but Mayfield was cleared of the charges and released from federal custody. The U.S. government eventually agreed to pay him US $2 million for the mistake and issued a formal apology.
– snip –
Nike Air Force 1 [sneaker] is the most often encountered at U.S. crime scenes, turning up in about 17 percent of cases.
– snip –
Pattern recognition and other computational methods can reduce the bias inherent in traditional criminal forensics
– snip –
What computational forensics—or any forensics method, really—cannot do is determine whether a suspect did or did not commit the offense. That’s a matter for a judge and jury to decide. At trial, the role of a forensics expert is to testify whether the profile drawn from the evidence matches that of the suspect or of an unrelated person.
– snip –
Among all the classical forensics methods, the committee concluded, only DNA analysis has been shown to be scientifically rigorous .. ”
Sargur N. Srihari, Spectrum.ieee.org, December 2010
http://spectrum.ieee.org/computing/software/beyond-csi-the-rise-of-computational-forensics/0 – last access 19 January 2011 – ( Full Article )
DEFT 6 is based on Lubuntu (Light Ubuntu Linux) with kernel 2.6.35, and is paired with DEFT Extra 3.0 (Windows).
deftlinux.net, 11 January 2011
http://www.deftlinux.net/2011/01/11/deft-linux-6-ready-for-download/ – ( More Info )
http://na.mirror.garr.it/mirrors/deft/deft_6.iso – Download ISO
DEFT 6 computer and network forensics package list:
* sleuthkit 3.2.0, collection of UNIX-based command line tools that allow you to investigate a computer
* autopsy 2.24, graphical interface to the command line digital investigation tools in The Sleuth Kit
* DFF 0.8
* dhash 2.0.1, multi hash tool
* afflib 3.6.4, Advanced Forensic Format library
* disk utility 2.30.1, a partition manager tool
* guymager 0.5.7, a fast and user-friendly forensic imager
* ddrescue 1.14, copy data from one file or block device to another
* dcfldd, copy data from one file or block device to another with more functions (on-the-fly hashing, status output, split output)
* dc3dd 7, patched version of GNU dd to include a number of features useful for computer forensics
* Xmount 0.4.4, convert on-the-fly between multiple input and output hard disk image types
* foremost 1.5.6, console program to recover files based on their headers, footers, and internal data structures
* photorec 6.11, easy carving tool
* mount manager 0.2.6, advanced and user friendly mount manager
* scalpel 1.60, carving tool
* wipe 0.21
* hexdump, combined hex and ASCII dump of any file
* outguess 0.2 , a steganography tool
* ophcrack 3.3.0, Windows password recovery
* Xplico 0.6.1 DEFT edition, advanced network analyzer
* Wireshark 1.2.11, network sniffer
* ettercap 0.7.3, network sniffer
* nmap 5.21, the best network scanner
* dmraid, discover software RAID devices
* testdisk 6.11, tool to recover damaged partitions
* ghex, light gtk hex editor
* vinetto 0.6, tool to examine Thumbs.db files
* trID 2.02 DEFT edition, tool to identify file types from their binary signatures
* readpst 0.6.41, a tool to read MS Outlook .pst files
* chkrootkit, Checks for signs of rootkits on the local system
* rkhunter 1.3.4, rootkit, backdoor, sniffer and exploit scanner
* john 1.7.2, john the ripper password cracker
* catfish, file search
* galleta 1.0, Internet Explorer cookie file parser
* pasco 1.0, Internet Explorer index.dat history parser
* md5sum, sha1sum, sha224sum, sha256sum, sha512sum
* md5deep, sha1deep, sha256deep
* skype log view, skype chat conversation viewer
* Xnview, viewer graphics, picture and photo files
* IE, Mozilla, Opera and Chrome cache viewer
* IE, Mozilla, Opera and Chrome history viewer
* Index.dat file analyzer
* pdfcrack, cracking tool
* fcrackzip, cracking tool
* clam antivirus 4.15
* mc, UNIX file manager
DEFT extra 3.0: http://www.deftlinux.net/2011/01/11/deft-linux-6-ready-for-download/ – ( More Info )
“While security on Android phone is pretty decent, applications can (and do) share data. We take advantage of this sharing (via ContentProviders) and extract the data for forensic purposes.”
Open Source Android Digital Forensics Application, 1st March 2010
” Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer, and a variety of open source software. ”
Bruce Schneier, Schneier on Security, 5 January 2011
http://www.schneier.com/blog/archives/2011/01/eavesdropping_o_5.html – ( Full Article )
“.. The Forensic Science Service is to be wound up, the Government said today.
Crime Prevention Minister James Brokenshire said action needed to be taken as the service was making operational losses of £2 million per month and was likely to run out of money by January. The aim is that there will be “no continuing state interest in a forensics provider by March 2012”, Mr Brokenshire told MPs.
Mr Brokenshire said: “The current challenging forensics market has put the FSS back into serious financial difficulty.
“FSS is currently making operating losses of around £2 million per month. Its cash is due to run out as early as January next year. It is vital we take clear and decisive action to sort this out.”
In a written statement to MPs, he went on: “The police have advised us that their spend on external forensic suppliers will continue to fall over the next few years as forces seek to maximise efficiencies in this area. HMIC (Her Majesty’s Inspectorate of Constabulary) concur with this assessment ..”
Wesley Johnson, The Independent, 14 December 2010
http://www.independent.co.uk/news/uk/home-news/forensic-science-service-to-be-wound-up-2160098.html – last access 15 December 2010 (Full Article )
“.. This white paper is intended for forensic analysts, corporations and consumers who want to understand what personal information is stored on the iPhone and how to recover it. The research reveals the vast amount of personal information stored on Apple’s iPhone and reviews techniques and software for retrieving this information. For questions about our research or our services, please contact us.
Note: viaForensics is independent and is not compensated in any way by the makers of the software reviewed in this white paper.
1. About this white paper
2. iPhone Forensics Overview and Techniques
3. Cellebrite UFED
4. FTS iXAM
5. Oxygen Forensic Suite 2010 PRO
6. Micro Systemation XRY
8. MacLock Pick
9. Black Bag Technology Mobilyze
10. Zdziarski Technique
11. Paraben Device Seizure
12. Mobile Sync Browser
14. EnCase Neutrino
15. iPhone Analyzer
16. Overall Rankings
17. Report Conclusions ..”
Andrew Hoog and Katie Strzempka, viaforensics, November 2010
http://viaforensics.com/education/white-papers/iphone-forensics/ – last access 26 November 2010 (Full Article )
“.. True story. Earlier this year I was handed a 12-year old floppy disk loaded with bad sectors and unmountable due to a missing/corrupted partition table. A lost cause? Nope. DD can still image the raw media, skipping unreadable sectors and padding the output file with zeros to keep file structures intact wherever possible.
I booted up a Helix Live CD and ran:
dcfldd if=/dev/fd0 of=floppy.img bs=4k conv=noerror,sync
After much grinding and hissing, DD finished with a fully intact 1.4MB floppy disk image. Almost made me want to scour through my old floppy collection. Almost ..”
Grep8000.blogspot.com, 9 September 2009
http://grep8000.blogspot.com/2009/09/forensic-recovering-12-year-old-floppy.html – last access 30 September 2010 (Full Article )
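The quoted dcfldd run leans on two options whose semantics are worth seeing concretely: conv=noerror keeps reading past a failed block instead of aborting (plain dd without it stops at the first I/O error), and conv=sync pads every short or failed read with NULs to a full block, so everything after a bad sector keeps its original offset and the image ends up a multiple of the block size (a 1.44 MB floppy is exactly 360 blocks of 4 KB, which is why the run above produced an intact 1.4 MB image). The flip side is that with bs=4k a single bad 512-byte sector costs you the whole 4 KB block. The following is an added example, not code from the quoted post or from the dcfldd project: a pure-Python model of that read/pad/hash loop, run against a constructed in-memory "device" that raises EIO on chosen sectors in place of /dev/fd0. The class and function names (FlakyDevice, image_device, verify_image, make_sample_floppy) are my own, hypothetical ones.

```python
"""Model of `dd conv=noerror,sync` plus dcfldd-style hash-on-acquisition.

Added example; not the quoted blog's or dcfldd's code. The FlakyDevice
stand-in and the byte pattern it serves are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass

SECTOR = 512
FLOPPY_BYTES = 1_474_560          # 1.44 MB HD floppy: 2880 sectors of 512 bytes


class FlakyDevice:
    """Constructed stand-in for a block device (hypothetical): any read that
    touches a sector listed in `bad_sectors` fails with EIO, like a floppy
    or disk with unreadable sectors."""

    def __init__(self, data: bytes, bad_sectors: set):
        self._data = data
        self._bad = bad_sectors
        self._pos = 0

    def seek(self, offset: int) -> None:
        self._pos = offset

    def read(self, n: int) -> bytes:
        first = self._pos // SECTOR
        last = (self._pos + n - 1) // SECTOR
        if any(s in self._bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


@dataclass
class ImageResult:
    image: bytes
    bad_blocks: list          # block numbers that failed and were zero-filled
    md5: str
    sha256: str


def image_device(dev, size: int, bs: int = 4096) -> ImageResult:
    """Read `size` bytes from `dev` in `bs`-sized blocks.

    conv=noerror: a block whose read fails is logged and skipped, not fatal.
    conv=sync:    every block is padded with NULs to a full `bs`, so later
                  offsets are preserved and the image length is a multiple
                  of `bs` (a whole block is lost for one bad sector).
    Digests are updated with exactly the bytes written, as dcfldd's
    hash= option does during acquisition.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    out = bytearray()
    bad_blocks = []
    nblocks = (size + bs - 1) // bs
    for blk in range(nblocks):
        dev.seek(blk * bs)
        want = min(bs, size - blk * bs)
        try:
            chunk = dev.read(want)
        except OSError:
            bad_blocks.append(blk)
            chunk = b""
        chunk = chunk.ljust(bs, b"\x00")      # conv=sync padding
        out += chunk
        md5.update(chunk)
        sha256.update(chunk)
    return ImageResult(bytes(out), bad_blocks, md5.hexdigest(), sha256.hexdigest())


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Post-acquisition check: re-hash the stored image and compare it with
    the digest recorded when the image was taken."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def make_sample_floppy() -> bytes:
    """Constructed sample media contents: a deterministic, non-zero pattern."""
    return bytes((i * 31 + (i >> 9)) & 0xFF for i in range(FLOPPY_BYTES))


if __name__ == "__main__":
    media = make_sample_floppy()
    # sectors 0 and 1 share 4 KB block 0; sector 1000 is in block 125; 2879 in block 359
    dev = FlakyDevice(media, bad_sectors={0, 1, 1000, 2879})
    res = image_device(dev, FLOPPY_BYTES, bs=4096)
    print(f"image: {len(res.image)} bytes, zero-filled 4k blocks: {res.bad_blocks}")
    print(f"md5 {res.md5}\nsha256 {res.sha256}")
    print("verify:", verify_image(res.image, res.sha256))
```

Running it shows three zero-filled blocks for four bad sectors, an image of exactly 1,474,560 bytes, and a successful verify; a real acquisition would additionally record the bad-block list and both digests in the case notes, since the hash of a padded image is the hash of what was recoverable, not of the original media.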