Anonymity, Antisocial Behavior, Integrity, and Cybercrime

March 6, 2011

Anonymity, Antisocial Behavior, Integrity, and Cybercrime.

The negative impacts of cybercrime continue to escalate.  Globally-integrated financial services organizations are virtually, if not totally, dependent on effective Internet communications.  That requires a broad spectrum of Internet-facing interfaces.  About the only characteristic those interfaces must share is effective resistance to the totality of hostile agents using the Internet as part of their supply-chain.  Fulfilling the infrastructure, operations, and information security role keeps getting tougher.  As we develop risk management strategies and plan our investments, insider-related cybercrime must also be on many of our top priority lists – as some hostile agents directly or indirectly work for us.

A little more than a year ago on this blog I tossed out a recommendation that you should “Integrate employee background checking and monitoring into HR processes” as a component of your strategy to resist credential-enabled cyber-crime.  I made the recommendation without clearly explaining its potential connectivity with the broader story about widely-deployed bot networks that was the focus of that post.  Insiders can play a key role in enabling many types of cybercrime.  They are one source of bulk identity information – a key raw material for organized Internet crime.  And they are an important source of targeted, high-value intellectual property as well.

In one form or another, we are all involved in re-architecting and optimizing our organizations to better address the challenges of the global financial services marketplace.  As our organizations search for top talent and demand lower operating costs, we are increasingly required to support a workforce that is broadly-dispersed and interacts with corporate resources via one or more remote interaction channels.  As the workforce is more thinly dispersed across the globe, and as workers are treated more openly (or simply think or “feel” they are being treated) as commodities, an increasing fraction of those individuals will likely feel alienated or disassociated from the corporation.  Conventional wisdom has supported the idea that there is a relationship between each worker’s sense of membership and satisfaction with their employer, and their willingness to engage in insider crime.  Similarly, many have accepted the notion that increasing anonymity enabled by remote Internet interactions tends to increase cybercrime.  It is, though, important to periodically question conventional wisdom.

In that context, earlier today I read a Purdue University Dissertation by Ibrahim M. Baggili entitled, “Effects of Anonymity, Pre-Employment Integrity And Antisocial Behavior On Self-Reported Cyber Crime Engagement: An Exploratory Study.”  If you have even a passing interest in better understanding the relationships between anonymity, antisocial behaviors, integrity, and cybercrime, I strongly recommend this dissertation as a starting point for your research.  Dr. Baggili reviews the literature on these topics.  The literature posits that anonymity may trigger individuals to engage in antisocial behaviors characterized by low levels of integrity or simply dishonesty.  To understand the effect of anonymity on cyber criminals, Dr. Baggili first examines how anonymity is related to cybercrime.  He measures “the cybercrime engagement of people, their antisocial behavioral tendencies and their integrity, while manipulating their anonymity.”  (“Effects of Anonymity…,” page 46)

The dissertation is an enjoyable read.  Here, grossly over-simplified, are some of his conclusions:

  • Self-reported antisocial behaviors and integrity were significantly correlated with self-reported cybercrime engagement.
  • Anonymity also had significant effects on self-reported cybercrime engagement.
  • Of the variables considered in his research, pre-employment integrity testing appeared to have the strongest predictive power of cybercrime engagement.

(“Effects of Anonymity…,” page 94)

So what?

Dr. Baggili’s excellent research and analysis seems rational enough to be actionable as is.  Consider working with your HR or employee recruiters to ensure that effective pre-employment integrity testing is integrated into their processes — at least for roles that have access to bulk sensitive information or to valuable intellectual property.  Use Dr. Baggili’s work, as well as the literature he references, as a foundation for that work.

-References-

“Effects of Anonymity, Pre-Employment Integrity And Antisocial Behavior On Self-Reported Cyber Crime Engagement: An Exploratory Study.” by Ibrahim M. Baggili https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2009-31.pdf
and videos of a presentation on this topic “CERIAS TALK – Channel 5 — Anonymity and how it affects Cyber Crime” by Ibrahim M. Baggili at: http://baggili.weebly.com/tv.html

“WSJ-WP-NYT Re-Tell ZeuS Infection for The Masses.” Completosec Channel, by Matt McCright  http://completosec.wordpress.com/2010/02/18/wsj-and-wp-re-tell-zeus-infection-for-the-masses/

“Anonymity of users is key issue in cyber crime: Kaspersky.” By Avantikumar, MIS Asia, October 22, 2009 (http://www.networkworld.com/news/2009/102209-anonymity-of-users-is-key.html)


“Night Dragon” — The New ‘More of the Same’?

February 27, 2011

“Night Dragon” — The New ‘More of the Same’?

A Wall Street Journal story reported earlier this month that attackers from China have been conducting sustained, coordinated, covert intellectual property and sensitive financial information thefts against energy corporations, in some cases for years.  They relayed that these “cyberattacks successfully took gigabytes of highly sensitive internal documents.”

The WSJ piece includes a “cyber warfare” spin on this activity.  Exploring Google Trends, and informal monitoring of the security and technical press suggests that hyping issues with references to “Cyber warfare” or “Cyber war” has been on the rise in some channels.  There seem to be many motivations for that hype.  In financial services, it is more productive to focus on the specific families of Internet-enabled criminal activity that are targeting global business (financial services, in my case), than to link communications about that activity with the broader, multi-purpose, “cyber warfare” moniker.

McAfee named these attacks “Night Dragon” in a recently-published report.

McAfee announced that they have “identified a string of attacks designed to steal sensitive data from targeted organizations” by perpetrators that “appear to be sophisticated, highly organized, and motivated in their pursuits.”  McAfee emphasized that these were not opportunists, preying on some shared industry weakness…  They say that the attacks could have been running for the last four years, but started no later than November 2009 and that individual company losses were in the many millions of dollars. (pages 3 & 7)

In that report they argued that these attacks were part of a broader trend where “adversaries are rapidly leveraging productized malware toolkits that let them develop more malware than in all prior years combined, and they have matured from the prior decade to release the most insidious and persistent cyberthreats ever known.” (page 3)

McAfee outlined the stages of “Night Dragon” attacks as:

  • Compromised extranet webservers via SQL injection and remote command execution, as well as targeted spear-phishing.
  • Uploaded hacker tools to these more “trusted” servers to attack each company’s intranet, desktops, and servers.
  • Gained access to sensitive non-public information from internal desktops and servers.
  • Accessed additional usernames and passwords to broaden their access to sensitive information.
  • Used compromised perimeter web servers as command and control platforms for the company-internal desktops and servers.  They later enabled direct communication from infected internal machines to external command and control infrastructure on the Internet.
  • Used remote administration tools to explore other internal hosts, targeting executives.
  • Exfiltrated gigabytes of email archives and other sensitive documents from executives’ compromised computers.
    (page 4)

McAfee points out that in global corporations, the attacker’s hunt for internal points of “weakness” is also global.  In this case, “Night Dragon” attackers persisted until finding a critical mass of their targeted information.  Proprietary and highly confidential information was stolen from individuals and executives in Kazakhstan, Taiwan, Greece, as well as the United States. (page 4)

McAfee concludes that “While Night Dragon attacks focused specifically on the energy sector, the tools and techniques of this kind can be highly successful when targeting any industry.”  Those of us in financial services should not assume that these attackers only care about oil…

The report is a good read, and if you have not had the opportunity to review it, you should.

The report also spurred some interesting follow-on reporting:

McAfee said that the Night-Dragon attackers stole proprietary information from the networks of Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc.  Michael Riley wrote for Bloomberg that sources told him Marathon Oil, ConocoPhillips and Baker Hughes were successfully targeted as well.  He highlighted opinions supporting the notion that the Chinese government is involved in this activity as part of their efforts to support a “massive economic leap forward.”  He went on to argue that “The thefts might trigger legal liability for companies that chose not to disclose them to investors.”  In the United States, investors expect that “material” corporate facts will be disclosed in a timely manner.  They also expect that corporations will implement adequate technology and procedures to protect their “crown jewels.”

Phil Muncaster outlined the McAfee report for V3, restating that “The attacks used methodical but far from sophisticated hacking techniques, including SQL injection, password hacking and remote access Trojans.”  He advised that “Companies suspecting that they may have been targeted are urged to look through anti-virus and network traffic logs” — the McAfee report offers some assistance concerning what to look for.  Unless your infrastructure is designed to retain, maybe even normalize, these logs, a multi-year historical investigation of host and network activity might not be a practical matter…

Fraser Howard of SophosLabs highlighted that the McAfee report “emphasizes the persistent and coordinated attacks of organized groups against specific organizations, with the goal of extracting sensitive data.”  He argues that risk management professionals, as well as all corporate leaders, need to understand that “Night Dragon” was not special; rather, it is only an illustration of the Internet-enabled criminal menace that all organizations face today.

Fraser Howard’s argument about the new normal might be the most important message we can take from the McAfee report.  What do you think?

- References -

“Oil Firms Hit by Hackers From China, Report Says.” By Nathan Hodge & Adam Entous, 02-10-2011
http://online.wsj.com/article/SB10001424052748703716904576134661111518864.html?mod=WSJ_WSJ_US_News_5

“Global Energy Cyberattacks: ‘Night Dragon’” By McAfee® Foundstone® Professional Services and McAfee Labs™, February 10, 2011.
http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf And “Night Dragon.” http://www.mcafee.com/mx/about/night-dragon.aspx

“Exxon, Shell, BP Said to Have Been Hacked Through Chinese Internet Servers.” By Michael Riley – Feb 24, 2011
http://www.bloomberg.com/news/2011-02-24/exxon-shell-bp-said-to-have-been-hacked-through-chinese-internet-servers.html

“Hackers Breach Tech Systems of Oil Companies.” By John Markoff, 02-10-2011.
http://www.nytimes.com/2011/02/10/business/global/10hack.html?_r=2&hp

“Night Dragon hackers targeted Shell, BP and Exxon — IT security at global petrochemical firms called into question.” By Phil Muncaster, 02-24-2011
http://www.v3.co.uk/v3/news/2274971/shell-bp-exxon-mobil

“Night Dragon attacks: myth or reality?” by Fraser Howard, 02-11-2011
http://nakedsecurity.sophos.com/2011/02/11/night-dragon-attacks-myth-or-reality/

“Schwartz On Security: Unraveling Night Dragon Attacks.” By Mathew J. Schwartz, 02-17-2011.
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=229218811&cid=RSSfeed_IWK_All

Google Trends.
http://www.google.com/trends?q=cyber+warfare&ctab=0&geo=all&date=all&sort=0
According to a Google Trends search performed on Feb 27, 2011, material amounts of searches for “cyber warfare” began mid-2009.  There had been a small amount of noise in the news starting in 2001.  Pakistan generated more than twice the number of searches for “cyber warfare” than any of Singapore, India, or the United States, the next three highest, in that order.  That said, Washington, DC, USA, is the city that has generated the largest number of searches for “cyber warfare.”
Google searches and news references to “cyber war” follow a curve similar to that of “cyber warfare,” except that Pakistan no longer leads in searches, Singapore taking over that spot.

“Cyberwarfare Called Fifth Domain of Battle by Pentagon.” By Paul Wagenseil, Feb 16, 2011
http://www.securitynewsdaily.com/cyberwarfare-called-fifth-domain-of-battle-by-pentagon-0531/


Are You Better Prepared than Nasdaq?

February 5, 2011

Are You Prepared to Explain Why Your Enterprise Is Better Prepared than Nasdaq?

The value of any financial services corporation’s brand depends, in part, upon individual, investor, marketer, other intermediary, analyst, and regulator faith that the corporation is effectively protecting sensitive information and financial assets from abuse.

When the Wall Street Journal publishes “big” stories about successful hacking of major financial services institutions — like Nasdaq in this case — it seems reasonable to assume some of your customers, partners, investors, analysts, Board members, and more will have concerns about your capabilities to resist the same types of attacks.

This WSJ story is getting reflected throughout the press and beyond.  Additional facts about the situation are also being published — Reuters reported that an Internet-facing application vulnerability may have played a role, and the NYT reported that it was Nasdaq’s Director’s Desk, which is used by corporations, including their boards of directors, to store and share information.  After the original reports, Nasdaq revealed that the problem involved malware found in Director’s Desk, which had 5000 users…  It seems prudent for you to take the time to glance through these articles, think about your current situation and your plans, and then use some of the article content to prepare targeted communications about this issue in the context of your operations.

One key target population will likely be decision-makers throughout each line of business in your enterprise.  Unless your corporation is dramatically above the norm, you need to invest in exploiting opportunities like these.  It is time again to craft and deliver resources aimed at helping support better-informed decision-making about risk-appropriate investments in measures to protect information and financial assets, and supporting operations.

Updated 02-05-2011, 22:33, adding information about Director’s Desk.

-References-

“Hackers Penetrate Nasdaq Computers.” Feb. 5, 2011, by Devlin Barrett
http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html

“Nasdaq Acknowledges Security Breach.” Feb. 5, 2011, by Devlin Barrett http://online.wsj.com/article/SB10001424052748704843304576126370179332758.html

“Nasdaq finds ‘suspicious files’ in hacker probe” Feb. 5, 2011, by Jonathan Spicer http://www.reuters.com/article/2011/02/05/nasdaq-hackers-idUSWEN712420110205

“Hackers Gained Access to Nasdaq Systems, but Not Trades.” Feb. 5, 2011, by Graham Bowley http://www.nytimes.com/2011/02/06/business/06nasdaq.html?partner=rss&emc=rss


WEF Risk Report Outlines Linkages and Risks to Watch

January 28, 2011

World Economic Foundation Global Risk Reports 2011 Outline Linkages and Risks to Watch.

The World Economic Foundation just released a collection of resources to support understanding, thinking, and decision-making about risk.  The Global Risks Report 2011 is available as an interactive web site, or a 60 page PDF.

For context, WEF staff outline some of the resources used to produce the 2011 report:

  • “The starting point for Global Risks 2011 was a risk perception survey of 580 leaders and decision-makers across the world.”
  • “The survey was supported by 18 workshops and over 50 expert consultations to assist the (World Economic) Forum’s in-house risk analysis.”
  • “Survey respondents assessed the potential impact, likelihood, and interconnections of a range of 37 global risks, looking forward over a ten year period.”

The report does not stop at the traditional likelihood-impact graph, but delivers another view of the situation by outlining the interconnections between each of the global risks, and by organizing the risks into logical groups.  Their discussion of the web of interconnections between the risks and groups of risks may be the most important output of the 2011 report.  There is a lot of content in this report and supporting materials.  Risk management professionals involved in financial services should be able to make use of this rich resource in a variety of contexts.

After a quick scan of the materials, a few things stood out as useful for me.  Most immediately, the analysis of linkages between information security and other global risks will support my work attempting to help others make decisions about risks involved in global financial services.

This report includes a discussion of what the authors called the “illegal economy nexus” within the Risk Interconnection Map.  At its core, were three broad risks: illicit trade, corruption, and organized crime.  The authors argue that “emerging economies suffer under chronic threats to development as well as acute threats to stability,” while the advanced economies drive “the demand for the illegal economy nexus, face regional and global instability, as well as the pressure to participate in corrupt practices.”  [see: http://riskreport.weforum.org/#/2/7 and http://riskreport.weforum.org/#/?re_layout=0&re_IDs=28]

In the World Economic Forum Risk Report, links between online data and information security extend into the illegal economy nexus through organized crime and corruption, and also have direct linkage to regulatory failures, critical information infrastructure breakdown, infrastructure fragility, threats from new technologies, and terrorism.

For a slightly more extended discussion of these linkages see: “The global risks barometer,” also by the World Economic Forum.

On page 37 of the “Barometer,” it defines “Online data and information security” as “The accidental loss of data or fraud online triggers a loss of confidence in data sharing, negatively affecting e-commerce and communication,” and then identifies a set of key risk drivers and indicators:

These drivers increase this risk:

  • Lack of transparency on meta collection of data and algorithms
  • Difficulty of tracing altered data and infiltrator activity and the lack of agreement on how to intervene when erroneous data is created or misallocated
  • Incompatibility of new and old systems, carrying risks of destabilizing the network
  • Increased reliance on cloud services for data storage and analytics

This driver can either increase or decrease risk:

  • Extent to which policy and regulatory frameworks can keep up, given the lag between innovation cycles and government decision-making cycles

These drivers reduce this risk:

  • Deterrent effect of clear legal framework to penalize offenders
  • Information sharing among governments and private firms regarding loss events
  • Improved education and personal awareness on ethical and moral responsibilities of online activities, including a false sense of security from encryption
  • Development of best practices for data security

The report then outlines a number of “Global Impacts:”

  • Disruption of global e-commerce and network communication as security concerns make users retreat from online services
  • Paralysis of business and governance as trust decreases in data collection, storage, distribution systems and organizations processing mass data
  • Increased degree of tolerance to breaches of privacy
  • Negative blow to the open source society affecting data and process sharing which hampers innovation and trust
  • Unexpected second- and third-order effects through the interconnectedness of systems and data which are generally poorly understood

In their polling and research, the authors of the “Risk Report” found that “cyber thieves experience a substantially lower feeling of guilt than is apparent in other criminal activities.” [page 66]  This idea or finding has been around for quite some time, sometimes a slice of it is abbreviated into a discussion about how individuals behave differently “at work” than they do when they work from home — which some personnel leaders discount.  But delivering this message to participants at the World Economic Forum Annual Meeting in Davos might help factor it into senior decision-making circles.

I have only touched on an extremely small subset of the content in this rich set of resources.  I strongly recommend it as a serious read for all security professionals in financial services.

-References-

“Global Risks 2011, Sixth Edition – An initiative of the Risk Response Network.”
http://riskreport.weforum.org/ or in PDF format at http://riskreport.weforum.org/global-risks-2011.pdf
World Economic Forum (January 2011) in collaboration with Marsh & McLennan Companies, Swiss Reinsurance Company, Wharton Center for Risk Management, University of Pennsylvania, Zurich Financial Services, with Co-editors: Kristel Van der Elst and Nicholas Davis.

“The global risks barometer.” by the World Economic Forum, at http://riskreport.weforum.org/barometers-2011.pdf


WSJ-WP-NYT Re-Tell ZeuS Infection for The Masses

February 18, 2010

WSJ, WP, and NYT Re-Tell ZeuS Infection for The Masses.

In a trio of stories today, the Wall Street Journal, the Washington Post, and the New York Times may have created some traction where corporate security staff have been struggling.  I am certain that many information security leaders in the financial services industry have fallen short in attempts to effectively describe the complexity of the attacks against our organization.  These three versions of the same story may have broken through…

Sure, from the perspective of an IT or information security professional they were a little off on some of the facts, and didn’t include some of what might seem like the most telling technical details, but they just might have gotten through.  For that they deserve some attention.  If you have not done so already, I strongly recommend passing the stories along to leaders in your organizations.  Or better — write your own summary of the source material from NetWitness and ship it as the cover letter to introduce the links.

The botnet discovered by NetWitness is not unique.  Cisco Systems documented the state of Zeus botnets in their 2009 Annual Security Report — mentioning that the Zeus Trojan infected 3.6 million computers worldwide by October 2009.

So what else will you find in the NetWitness report?

The Zeus code was delivered by obfuscated executables.  NetWitness wrote that “this particular malicious executable had less than a 10 percent detection rate among all antivirus products and the botnet communication was not identified by existing intrusion detection systems.” (page 3)

The overwhelming majority of compromised PCs were running Windows XP Professional SP2; together with Windows XP Professional SP3, Windows XP Home Edition SP3, and Windows XP Home Edition SP2, these accounted for more than 95% of all infected PCs. (page 5)

“The data we analyzed contain over 68,000 stolen credentials during a 4-week period.” (page 5)  The data included 75GB representing only a one-month snapshot from an attack that has lasted more than a year.

Not only were 68K username/password pairs stolen, NetWitness wrote that “the ZeuS Trojan allows for the theft of any file that is resident on an infected system, and a common target for this capability are encryption certificates used for access to banking, corporate VPN and other sensitive systems.  There were 1972 unique certificates files in the data set.” (page 6)  So, in nearly 2000 cases, the combination of a login credential and a certificate that identified the corresponding user’s PC were stolen.  Given the “something you know plus something you have” requirement of entry-level strong authentication, this was a material loss for some number of targeted organizations.

They reported that the most recent activity seemed to have been directed at stealing credentials used with financial services organizations…  “The infected machines were simply scraping information when users communicated…” with the sites listed.  Web sites for most of the major global financial services organizations are listed as being specifically targeted by this attack, including, but not limited to: Citibank, HSBC, Suntrust, Bank of America, Wells Fargo, e-gold, US Bank, TD Canada Trust, National City, Citizens Bank, S3, WaMu, Wachovia, Chase, Barclays, Lloyds, Paypal, and many more.  (see pages 6-7 for the list)

“The attacks are continuing and corporate losses are still being compiled, said Tim Belcher, chief technology officer at Herndon, Virginia-based NetWitness Corp. ” (Jeff Bliss, Business Week)

A range of reporting supports the conclusion that login credentials have material monetary value in the criminal underground, and, using this story as an example, criminals are using sophisticated techniques to steal users’ security phrases and corresponding answers as well.

This attack was based on a foundation of luring unsuspecting employees at targeted firms into downloading malicious applications from sites that are either controlled by the hackers or legitimate sites that have been compromised, or by coaxing the users into opening e-mail containing malicious attachments or links to the same (see my discussion of this topic earlier this month).

What can we do?  The usual measures…

  1. Set up users with least privilege on all platforms.
  2. Employ up-to-date AV with heuristics enabled on PCs and on email choke points, and on web proxies.
  3. Ensure that multiple layers of controls are enabled on network-edge web proxies.
  4. Confirm that application security considerations are baked into the full software development life-cycle.
  5. Write and enforce the use of
    1. Minimum security (configuration) standards,
    2. Aggressive vulnerability assessments,
    3. Ongoing configuration monitoring and
    4. Fine-grained configuration management.
  6. Configure enough event logging, and then
    1. Maintain effective event correlation & analysis,
    2. Alarming, and
    3. Multi-level reporting and
    4. Trending.
    5. May also need new categories of monitoring, correlation, alarming, and reporting — for example, excessive login attempts (failed and successful).
  7. Comprehensively protect “internal” identities (user name/password pairs, digital certificates, and anything else used to identify your user base).
  8. Resist the use of internal identities in uncontrolled environments where they are much more likely to be stolen.  This may take some planning and organized roll-out if you have this issue already.
  9. Integrate employee background checking and monitoring into HR processes.
  10. Consider investing in DLP technology.
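One way to implement the extra monitoring called for in item 6 (excessive login attempts, failed and successful) plus the credential-theft signal this post is about (a stolen password replayed from a second machine while the legitimate user is still active), as an added Python example that is not from the post or the NetWitness report; the log line format, the thresholds and the sample lines are constructed assumptions:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the NetWitness report or the post).
# Assumed line format: "<ISO timestamp> auth user=<name> src=<ip> result=<SUCCESS|FAIL>"
SAMPLE_LOG = """\
2010-02-18T08:30:00 auth user=alice src=10.1.1.5 result=SUCCESS
2010-02-18T09:00:01 auth user=alice src=10.1.1.5 result=SUCCESS
2010-02-18T09:00:05 auth user=bob src=10.1.1.9 result=FAIL
2010-02-18T09:00:10 auth user=bob src=10.1.1.9 result=FAIL
this line is malformed and must be skipped by the parser
2010-02-18T09:00:15 auth user=bob src=10.1.1.9 result=FAIL
2010-02-18T09:00:20 auth user=bob src=10.1.1.9 result=FAIL
2010-02-18T09:00:25 auth user=bob src=10.1.1.9 result=FAIL
2010-02-18T09:00:30 auth user=bob src=10.1.1.9 result=SUCCESS
2010-02-18T09:02:00 auth user=alice src=203.0.113.7 result=SUCCESS
2010-02-18T09:05:00 auth user=carol src=10.1.1.20 result=FAIL
2010-02-18T09:05:02 auth user=carol src=10.1.1.20 result=FAIL
2010-02-18T09:05:04 auth user=carol src=10.1.1.20 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def _evict(queue, now, window):
    """Drop entries (first tuple element is the timestamp) that fell out of the window."""
    while queue and now - queue[0][0] > window:
        queue.popleft()


def detect(lines, window=timedelta(minutes=5), fail_threshold=5, source_threshold=2):
    """Scan log lines in time order and return a list of alert dicts.

    Two rules, each evaluated per user over a sliding time window:
      * EXCESSIVE_FAILED_LOGINS: fail_threshold or more FAIL results.
      * SUCCESS_FROM_MULTIPLE_SOURCES: SUCCESS results from source_threshold or
        more distinct source addresses (a stolen credential replayed from a
        second machine while the legitimate user is still logging in).
    Each rule fires once per rising crossing of its threshold, so a long
    burst of failures produces one alert rather than one per event.
    """
    fails = defaultdict(deque)      # user -> deque of (ts,)
    successes = defaultdict(deque)  # user -> deque of (ts, src)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                  # malformed line: skip, never raise
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if ev["result"] == "FAIL":
            q = fails[user]
            _evict(q, ts, window)
            q.append((ts,))
            if len(q) == fail_threshold:
                alerts.append({"type": "EXCESSIVE_FAILED_LOGINS", "user": user,
                               "src": src, "count": len(q), "at": ts})
        else:
            q = successes[user]
            _evict(q, ts, window)
            seen_before = {s for _, s in q}   # sources already active in the window
            q.append((ts, src))
            distinct = seen_before | {src}
            if src not in seen_before and len(distinct) >= source_threshold:
                alerts.append({"type": "SUCCESS_FROM_MULTIPLE_SOURCES", "user": user,
                               "sources": sorted(distinct), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above the run yields two alerts: bob’s fifth failure within five minutes, and alice’s successful login from a second address two minutes after her first.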

What did you think was the most important message of the NetWitness-based reporting?

–References–

“Broad New Hacking Attack Detected — Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running.” By Siobhan Gorman, Feb 18, 2010, http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html?mod=WSJ_hpp_LEFTTopStories
and then an excellent supporting illustration at:
http://online.wsj.com/media/wsj_HACKb100217.gif

“More than 75,000 computer systems hacked in one of largest cyber attacks, security firm says.” http://www.washingtonpost.com/wp-dyn/content/article/2010/02/17/AR2010021705816.html, By Ellen Nakashima, Feb 18, 2010

“Malicious Software Infects Computers.” http://www.nytimes.com/2010/02/19/technology/19cyber.html, By John Markoff, Feb 18, 2010

The source report — “The ‘Kneber’ BotNet — A ZeuS Discovery and Analysis.” http://www.netwitness.com/nwwp10/20100216-febnw/NetWitness_wp_tkbn021610.pdf, Feb 17, 2010

“Cisco 2009 Annual Security Report.” http://cisco.com/en/US/prod/vpndevc/annual_security_report.html and the full report at: http://cisco.com/en/US/prod/collateral/vpndevc/cisco_2009_asr.pdf

“Newly Discovered Zeus Spinoff Botnet has Wide Impact.” http://www.scmagazineus.com/newly-discovered-zeus-spinoff-botnet-has-wide-impact/article/164059/, by Angela Moscaritolo, Feb 18, 2010

“Over 75,000 systems compromised in cyberattack.” http://www.computerworld.com.au/article/336726/over_75_000_systems_compromised_cyberattack/, By Jaikumar Vijayan, Feb 18, 2010

“Global Hackers Breached 2,400 Companies, Security Firm Says.” http://www.businessweek.com/news/2010-02-18/global-hackers-breached-2-400-companies-security-firm-says.html, By Jeff Bliss, Feb 18, 2010


HTML 5 – Persistent Offline Storage As A Risk Management Challenge

February 7, 2010

HTML 5 – Persistent Offline Storage As A Risk Management Challenge

I just watched an excellent Shmoocon presentation by Michael Sutton called, “Pulling The Plug — Security Risks in Next Generation Offline Web Apps.”

His main theme is that the HTTP Cookies and Flash Local Shared Objects that developers use today are going to be relatively rapidly overtaken by HTML5’s persistent offline storage (with Gears to continue as a transitional technology).  WebKit browsers already handle offline data storage today (Safari on Mac OS & iPhone, and Google Chrome).

We have all been associated with cookies as indicators of authentication as well as a “live” session.  And most of us have been much nearer than we would wish to Flash and its “cookies” (LSOs).  Mr. Sutton argues that is the past.

Increasing pressure to make web applications mobile friendly and/or off-line friendly has been rapidly raising the importance of “local” storage, and will continue to for an extended period.  HTML5 has many new features, but persistent offline storage may have the greatest impact on financial services risk management (it may also have dramatic impacts in the health, retail, and transportation industries as well, but those are the topics of other blogs).   As more and more data persists on mobile devices, attacks against those data stores will increase.

HTML5 uses SQLite as its relational data store.  Mr. Sutton highlights a key risk issue for this approach by reminding us how many applications today are vulnerable to XSS attacks, and then outlining enumeration logic for an SQLite attack:

(1) Identify tables
SELECT name FROM sqlite_master WHERE type='table'
(2) Identify table structure
SELECT sql FROM sqlite_master WHERE name='table_name'
(3) Access and use the data (Gears database API, as used in the talk)
db.open('local_database_name');
var data = '';                                          // accumulate rows as text
var rs = db.execute('SELECT * FROM __DOJO_STORAGE');
while (rs.isValidRow()) {
  data = data + (rs.field(0) + '#' + rs.field(1));      // first two columns of the row
  data = data + '\n';
  rs.next();
}
rs.close();
alert(data);

Criminals will necessarily find something much more interesting for the data than our “alert”…
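The flip side of the enumeration above is that an application team can run the very same sqlite_master queries against a copy of its own offline store and see what any script executing in that origin (an XSS payload included) would be able to read. The following is an added example, not code from Mr. Sutton’s talk or from this post; the sample store, its tables, and the list of sensitive-looking column-name fragments are all constructed for the example.

```python
"""Inventory what an application's offline SQLite store persists.

Added example, not from the Shmoocon talk or this post: the same two
sqlite_master queries the talk uses for enumeration, run by an application's
own team against a copy of its offline database so they can see, before
shipping, what any script running in that origin would be able to read.
The sample store, its tables and the sensitive-fragment list are constructed.
"""
import sqlite3

# Assumption: fragments that usually mark data which should not persist
# client-side. Tune to your own schema and data classification.
SENSITIVE_FRAGMENTS = ("password", "passwd", "secret", "token", "session",
                       "ssn", "account", "card", "cvv", "balance")


def build_sample_store():
    """Constructed in-memory stand-in for an app's offline store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE __DOJO_STORAGE ("key" TEXT, "value" TEXT);
        CREATE TABLE preferences (user_id INTEGER, theme TEXT);
        CREATE TABLE cached_accounts (account_number TEXT, balance REAL,
                                      session_token TEXT);
        INSERT INTO __DOJO_STORAGE VALUES ('lastLogin', '2010-02-06');
        INSERT INTO preferences VALUES (1, 'dark');
        INSERT INTO cached_accounts VALUES ('000-CONSTRUCTED', 1234.56,
                                            'tok-CONSTRUCTED');
    """)
    return conn


def quote_ident(name):
    """Double-quote an SQL identifier taken from sqlite_master."""
    return '"' + name.replace('"', '""') + '"'


def list_tables(conn):
    """Step (1) from the talk: user table names from sqlite_master."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def table_ddl(conn, table):
    """Step (2) from the talk: the stored CREATE statement for one table."""
    (ddl,) = conn.execute(
        "SELECT sql FROM sqlite_master WHERE name=?", (table,)).fetchone()
    return ddl


def table_columns(conn, table):
    """Column names; PRAGMA is more robust than parsing the DDL by hand."""
    return [row[1] for row in conn.execute(
        "PRAGMA table_info(%s)" % quote_ident(table))]


def row_count(conn, table):
    """How many rows would be exposed if this table were read out."""
    return conn.execute(
        "SELECT COUNT(*) FROM %s" % quote_ident(table)).fetchone()[0]


def audit_store(conn):
    """{table: [sensitive-looking columns]} for tables worth a second look."""
    findings = {}
    for table in list_tables(conn):
        flagged = [c for c in table_columns(conn, table)
                   if any(frag in c.lower() for frag in SENSITIVE_FRAGMENTS)]
        if flagged:
            findings[table] = flagged
    return findings


if __name__ == "__main__":
    db = build_sample_store()
    for t in list_tables(db):
        print(t, row_count(db, t), "rows:", table_ddl(db, t))
    print("review before shipping:", audit_store(db))
```

Run against a copy of the real store rather than the in-memory sample and the output is a plain list of tables and columns the application leaves on the device; anything in the “review” list is data that a single XSS in that origin would hand to an attacker, which is the decision point for not persisting it, or for persisting it only in a form that is useless without a server-held key.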

I strongly recommend this presentation to all security professionals.  He describes a world where writing risk-appropriate applications is going to keep getting harder — much harder.  And HTML5’s persistent offline storage will challenge our software architects, application designers, risk managers, marketing executives, and risk management professionals.  What do you think?

-Reference-
http://www.ustream.tv/recorded/4537736

The Shmoocon 2010 Schedule and Presentations: http://www.shmoocon.org/presentations.html


APWG Reports Criminals Focusing on Financial Services and Succeeding

February 1, 2010

APWG Reports Criminals Focusing on Financial Services and Succeeding

“These criminals are rapidly figuring out how the financial industry works, where there is big money and large transfers, so they can basically do large wires out of these accounts without setting off fraud alerts.” Linda McGlasson, Managing Editor, Bank Info Security, quoting Dave Jevans, Chairman of the APWG.

The Anti-Phishing Working Group (APWG) has published phishing activity trend reports for years.  They recently released their report for Q3 2009.  It is the result of their scanning more than 22 million unique PCs during the three month period — which seems like a useful sample size.  More than 11 million of those PCs were infected with malicious software, and almost 16% (1.87 million) of those were infected with banking trojans or password stealers.  Financial services security and risk management professionals need to keep this information front-of-mind as we deal with problem-solving across a broad spectrum of issues and situations.

I strongly recommend that you invest, or continue to invest, creativity and sustained energy in ensuring that your security staff, as well as your entire workforce, understand that “phishing” is (as APWG described it) a complicated “criminal mechanism employing both social engineering and technical subterfuge to steal” sensitive and valuable information.  It is a “big deal” because it continues to be successful on a scale that delivers attractive profits to criminals at what continues to be minimal risk.

In its “3rd Quarter ‘09 Phishing Activity Trends Summary” the report included:

  • Financial Services rose back to the top of the most targeted industry sectors in Q3 after a brief displacement by Payment Services in Q1 & Q2 of 2009.  54% of all phishing targeted financial services during Q3, 2009. [Page 7]
  • Over the quarter, the proportion of crimeware‐specific malware (malicious code designed specifically against financial institutions’ customers) remained consistent, while data‐stealing malware rose. [See page 8]
  • The number of rogueware variants fell as gangs turned to ransomware to extort money from users. [See page 9]
  • The total number of infected computers in Q3 represented more than 48.35 percent of the total sample of scanned computers. [See page 10]

Overall, the criminal activity they describe in this report is composed of two high level components:

Social Engineering Component: Personal identity data and account credentials are prominent examples of their targets.  Criminals are increasingly sophisticated in their social-engineering efforts using spoofed email that appears to come from legitimate businesses and agencies to direct financial services employees, as well as customers to counterfeit websites designed to trick the recipient into divulging identity (starting with user name-password pairs) and financial information.
Technical Component: Criminals plant malicious software (malware) onto PCs to steal credentials directly.  This is often carried out using a combination of software and remote command-and-control systems to intercept users’ identity information — usually their login account name(s) and password(s).  They use a variety of technical means to corrupt “local navigational infrastructures” — hosts files, DNS, or look-alike or obfuscated target server names — to misdirect users to carefully-crafted counterfeit websites.  Another approach to credential and other identity information is to employ phisher‐controlled or phisher-rented proxies used to monitor and intercept users’ keystrokes [See page 2 for more detail].  Because of the diversity of potent methods of employing malicious software, the APWG used to include monthly counts of ‘password‐stealing malicious code URLs’ and ‘password stealing malicious code unique applications’ in their reports.  Their researchers have determined that this has “proven systematically unreliable.”  In its place, they now report on “Detected Crimeware,” which they believe provides a “more precisely descriptive measure of malevolent code trends” [See page 8].

They define “crimeware attacks” as:

“…designed with the intent of collecting information on the end‐user in order to steal those users’ credentials. Unlike most generic keyloggers, phishing‐based keyloggers have tracking components which attempt to monitor specific actions (and specific organizations, most importantly financial institutions, online retailers, and e‐commerce merchants) in order to target specific information. The most common types of information are: access to financial‐based websites, ecommerce sites, and web‐based mail sites.”

They define “Malevolent Software” as:

  • Crimeware (data-stealing malicious code designed specifically to be used to victimize financial institutions’ customers and to co-opt those institutions’ identities);
  • Data Stealing/Generic Trojans (code designed to send information from the infected machine, control it, and open backdoors on it);
  • Other Malware (the remainder of malicious code commonly encountered in the field such as auto-replicating worms, dialers for telephone charge-back scams, etc.)” [Page 8]

Only if users understand that serious phishing has many facets can we expect them to resist criminals’ efforts on this front.  User awareness and training is a sub-optimal solution to resisting criminal phishing attacks.  It seems, though, to be an essential component of our risk-management plans on this front.  Phish-resisting vendor technology and services are maturing, but they are still only a fraction — maybe even a small fraction — of what I believe would be a risk-appropriate level of due diligence in the financial services industry today.

The report also states that:

  • More than 300 brands per month were hijacked by phishing campaigns. [Page 3]
  • More than 60% of malicious phishing web sites include some form of the user’s intended target web site name in their URLs. [Page 3]
  • 98.7% of malicious phishing web sites use a hostname instead of just an IP address. [Page 3]
  • 99.94% of malicious phishing web sites are accessed using HTTP via TCP port 80 (which needs to be “open” to support your Internet-enabled business activities). [Page 3]
  • Criminals employ around 150 unique URLs to attack each targeted brand. [Page 5]
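Two of the figures above translate directly into log-triage heuristics a security operations team can run over URLs seen in mail or proxy logs: a protected brand name appearing in a hostname that is not one of the brand’s own domains, and an IP-literal hostname (rare for phish, per the report, and never legitimate for a bank login). The following is an added example, not from the APWG report or from this post; the brand table and the sample URLs are constructed (the .example.net/.org hosts stand in for phishing hosts), and the scoring weights are my assumption.

```python
"""Triage URLs for the phishing traits the APWG Q3 2009 summary quantifies.

Added example (not from the APWG report or the post). Scores a brand name
used outside the brand's own domains (the "target name in the URL" figure)
and an IP-literal hostname. Plain HTTP on port 80 is recorded but not
scored, because it describes most legitimate sites too. Brand table,
sample URLs and weights are constructed assumptions.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed: brand keyword -> domains that may legitimately carry it.
PROTECTED_BRANDS = {
    "examplebank": ("examplebank.com",),
    "paysample": ("paysample.com",),
}

# Constructed sample input, as it might come from a proxy or mail log.
SAMPLE_URLS = [
    "https://login.examplebank.com/",
    "http://www.examplebank.com/login",
    "http://examplebank.com.secure-login.example.net/verify",
    "http://192.0.2.10/examplebank/login",
    "http://paysample-update.example.org/",
]


def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def is_own_domain(host, domains):
    """True when host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_url(url):
    """Return {'url', 'score', 'findings'}; higher score means more phish-like."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    score, findings = 0, []
    if is_ip_literal(host):
        score += 1                      # weight: assumption
        findings.append("ip-literal hostname")
    haystack = host + parts.path.lower()
    for brand, domains in PROTECTED_BRANDS.items():
        if brand in haystack and not is_own_domain(host, domains):
            score += 2                  # weight: assumption; the strong signal
            findings.append(f"brand '{brand}' used outside its own domains")
    if parts.scheme == "http" and parts.port in (None, 80):
        findings.append("plain http on port 80 (noted, not scored)")
    return {"url": url, "score": score, "findings": findings}


def triage(urls, threshold=2):
    """URLs whose score reaches the threshold, in input order."""
    return [a for a in (assess_url(u) for u in urls) if a["score"] >= threshold]


if __name__ == "__main__":
    for hit in triage(SAMPLE_URLS):
        print(hit["score"], hit["url"], "; ".join(hit["findings"]))
```

The brand check is the discriminating one; a real deployment loads the institution’s own brand and domain list, and the output is a queue for an analyst or for a takedown request, not an automatic block.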

So, what should we make of all this?  One way to view this is that it helps to explain what the FDIC was reporting about increasing thefts via electronic funds transfers (EFT) last year.  In 2009, the Federal Deposit Insurance Corporation (FDIC) reported that it had detected an increase in the number of unauthorized electronic funds transfers (EFT) as well as an increase in the resulting direct financial losses.  These EFTs were placed through automated clearing houses (ACH) and wire transfers.  The FDIC also reported that in most of these cases, the fraudulent transfers were made using stolen credentials.

Credential theft is a big criminal business.  It plays out in many ways.  One way is a direct assault on financial services enterprises — because that is where so much money is concentrated.  I believe that we need to continue increasing and fine-tuning our efforts to ensure that our leadership and our workforce understand what they are up against.  In order to meet our threshold due diligence obligations, we are going to be making additional financial and human investments to resist these types of attacks.  What do you think?

-References-

“Phishing Trends: Numbers up, Corporate Accounts Targeted Analyst: ‘I Think We’re in for a Challenging Year.’” January 27, 2010. By Linda McGlasson, Managing Editor, Bank Info Security.
http://www.bankinfosecurity.com/articles.php?art_id=2119

“3rd Quarter ‘09 Phishing Activity Trends Summary.” By the Anti-Phishing Working Group.
http://www.antiphishing.org/reports/apwg_report_Q3_2009.pdf

“FDIC: Alert About Fraudulent Electronic Funds Transfers (EFTs).” August 26, 2009.
http://www.bankinfosecurity.com/regulations.php?reg_id=1666


Odd Lincoln National Breach Disclosure

January 15, 2010

Lincoln National Breach Disclosure: Breach Of 1.2 Million Customers.

There are many legacy behaviors that result in sharing of user name/password pairs.  Some of the most difficult examples to deal with involve the use of “shared” administrative credentials.  The articles today about Lincoln National’s credential-sharing incident present a challenge to all of us in financial services businesses.  I have been involved in a number of merger/acquisition efforts and was never surprised to find the use of shared passwords throughout the technology and operations ranks.  It seems to be a legacy assumption expressed by software architects, engineers, and developers.  Too many of those responsible for database administration seem to assume that credential sharing is an integral part of what they do.  Lincoln says that they are going to carefully research operations across their organizations and eliminate the use of shared credentials.  If they can achieve this goal, much of the rest of this industry will be on the defensive.

Here is my outline of what I have seen released today:

  1. User credential sharing at Lincoln was initially reported to the Financial Services Regulatory Agency (FINRA) by an “unidentified source.”
  2. Lincoln’s response said that the credential was used only at two of their investments-related subsidiaries.
  3. The credential provided administrative access to a customer portfolio information system that consolidates detailed customer account data from “hundreds of disparate sources” including transaction-level activity from what appears to be all lines of their business.
  4. The portfolio information system contained records for 1.2 million customers.
  5. Shared user credentials are forbidden by Lincoln policies.
  6. Lincoln hired outside counsel.
  7. The outside counsel then hired a specialty forensic investigation organization to assess what happened.
  8. Lincoln subsequently found a total of 6 shared user name/password pairs associated with the portfolio information system in question.
  9. The user name/password pairs were “created and distributed by the system administration team to certain home office and support staff to perform administrative functions, respond to registered representative inquiries and review client account activity.”
  10. In a carefully-worded conclusion, Lincoln wrote that they are “unaware of any reported instance of identity theft or fraud related to this vulnerability” and that they have “determined that this incident does not constitute a breach of security as defined under New Hampshire law.”
  11. Nevertheless, Lincoln wrote to the New Hampshire Attorney General that “All shared usernames and passwords have been discontinued.”
  12. And that Lincoln has “heightened their enforcement of the existing (Lincoln) policy that prohibits shared usernames and passwords.”
  13. Lincoln also said that “Individuals whose personal information was exposed to this vulnerability will receive voluntary notification, and the offer of free credit monitoring.”
  14. The company also committed to conduct a “comprehensive review of their client information systems for similar vulnerabilities.”
  15. Lincoln will be notifying their customers in at least 13 states.
  16. This will necessarily result in non-trivial expense and (possibly) some amount of damage to Lincoln’s reputation.

I am curious about how this will play out with retail and institutional customers.  Will they press for more evidence of policy-compliant behaviors, will the institutional crowd include this in negotiations for a better deal, will anyone bolt?

This was an expensive exercise, and Lincoln is not finished investing in the “cleanup.”

To some extent Lincoln’s public behavior sets a precedent for other financial services corporations.  Lincoln’s behavior when confronted with this incident, and their follow-on commitment to hunt down (and, they imply, eliminate) the use of shared credentials throughout their infrastructure and operations, establish a high bar.

Regardless of its applicability in U.S. courts, this is something that more than a few financial services organizations will need to deal with.

For those in the financial services business, shared user credentials are also prohibited by our security policies.  This is just one of the entry-level security requirements for all corporations in our business.  Those who are unable or unwilling to ensure that a risk-reasonable proportion of their workforce align their behaviors with that commitment are now on notice.
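Lincoln needed an outside forensic firm to find its six shared user name/password pairs; an operations team can look for the same pattern itself in its own authentication logs. An account that authenticates successfully from several distinct source hosts inside a short window, or from many hosts over the review period, is a candidate for a shared credential. The following is an added example, not from the Lincoln filings or from this post; the log format, the sample lines and the thresholds are constructed.

```python
"""Spot accounts that look like shared credentials in authentication logs.

Added example, not from the Lincoln disclosure or the post. One account
seen from several distinct source hosts within a short window, or from many
hosts across the review period, is reported as a candidate for review.
The log format, sample lines and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, result, user, source host.
SAMPLE_LOG = """\
2010-01-12T08:02:11 LOGIN_OK user=dbadmin src=10.10.1.15
2010-01-12T08:03:40 LOGIN_OK user=dbadmin src=10.10.7.22
2010-01-12T08:04:05 LOGIN_OK user=dbadmin src=10.10.9.80
2010-01-12T08:05:00 LOGIN_OK user=jsmith src=10.10.1.15
2010-01-12T09:30:00 LOGIN_OK user=jsmith src=10.10.1.15
2010-01-12T10:15:30 LOGIN_FAIL user=dbadmin src=10.10.3.3
2010-01-13T08:01:00 LOGIN_OK user=dbadmin src=10.10.2.40
2010-01-13T08:02:00 LOGIN_OK user=dbadmin src=10.10.5.51
"""


def parse_log(text):
    """Yield (timestamp, result, user, source) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result,
                       user.split("=", 1)[1], src.split("=", 1)[1]))
    return events


def shared_credential_candidates(events, window=timedelta(minutes=10),
                                 min_hosts_in_window=2, min_hosts_total=3):
    """{user: details} for accounts whose successful logins come from
    >= min_hosts_in_window hosts inside `window`, or >= min_hosts_total
    hosts overall. Thresholds are assumptions; tune to your environment."""
    by_user = defaultdict(list)
    for ts, result, user, src in events:
        if result == "LOGIN_OK":        # failures are a different signal
            by_user[user].append((ts, src))
    report = {}
    for user, logins in by_user.items():
        logins.sort()
        total_hosts = {src for _, src in logins}
        burst = 0                       # most distinct hosts in any one window
        for i, (ts, _) in enumerate(logins):
            hosts = {s for t, s in logins[i:] if t - ts <= window}
            burst = max(burst, len(hosts))
        if burst >= min_hosts_in_window or len(total_hosts) >= min_hosts_total:
            report[user] = {"distinct_hosts": sorted(total_hosts),
                            "max_hosts_in_window": burst}
    return report


def review_sample():
    """Run the check over the constructed log."""
    return shared_credential_candidates(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, info in review_sample().items():
        print(user, info)
```

NAT pools, VPN concentrators and jump hosts all produce false positives, so the output is a review list rather than a finding; the remediation is the one Lincoln committed to, individual accounts with the shared ones discontinued, after which the same check doubles as a control that the policy is holding.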

– References –

“Lincoln National Discloses Breach Of 1.2 Million Customers.”
http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034 and http://doj.nh.gov/consumer/pdf/lincoln_financial.pdf


One Promise of Social Media

December 23, 2009

One Promise of Social Media.

“Social media users believe there is protection in being part of a community of people they know. Criminals are happy to prove this notion wrong.” ["Cisco 2009 Annual Security Report." page 6]

Cisco security is not the first organization to deliver this message.  They do, though, present the case well, within a much broader 2009 study.

The authors highlight how criminals take advantage of the way social media users tend to trust a person or a resource because someone they know did so.  The problem here is that it has been relatively easy for criminals to:

  • Create large numbers of on-line identities,
  • Inject themselves into social media sites most appropriate for any given set of identities,
  • Succeed at making a critical mass of associations (friends or connections), for each of them, harvest the list of everyone they know, and then
  • Based on your relationship(s) with people they know, begin to coax them all to “click” on your invitation to share in something of value…

At that point, a criminal can use established techniques and technologies to deliver a trojan downloader to the PC of everyone who “clicks.”  Remember, the key message is that Cisco research in 2009 suggests that criminals are increasingly successful at exploiting social media users’ belief that there is effective “protection in being part of a community of people they know…”

There is vast potential for crime here.  Facebook reported 350 million users at the end of 2009, and Twitter had 23.5 million users in the U.S. alone and more than twice that many worldwide (Quantcast: http://www.quantcast.com/twitter.com#demographics; TechCrunch: http://www.techcrunch.com/2009/08/03/twitter-reaches-445-million-people-worldwide-in-june-comscore/).  When a criminal gets a virtual “foothold” in any given network of “friends” the power of “trust between users” kicks in — and the “success” rate or, in business terms, the return on investment, is vastly higher than in a more random, mass-mailing approach to hooking unsophisticated Internet users.

So, why should you care?

In financial services, many leaders and infrastructure service owners seem to be nearly intoxicated with an urge to exploit the power of “free” social networking for profit.  They want corporate staff to work this new territory from within the enterprise, as well as from where ever they are.

Play it forward:  This could result in tighter integration of business operations and infrastructure with many types of social networking sites.  Staff would be motivated to inject themselves into existing webs of individuals as well as to build new ones in order to deliver targeted information, offers, opportunities, etc.

Based on what we know about criminal activity and techniques in this environment, how long would it be before your infrastructure was polluted with credential-stealing malware, and your new “friends” were feeling digitally assaulted by their interactions with your brand?

At the same time, corporate staff will become the targets of top tier attempts to heist enterprise-internal credentials, with special attention to those who have access to bulk customer data — think database and server administrators — and those who have access to corporate accounts and wire transfer systems — likely in finance and investment divisions.

Either scenario — customer abuse, or credential theft from corporate insiders — presents serious risk issues in the financial services industry.

Criminals are expert at delivering high-quality malware to PCs for the purposes of extracting value — stealing credentials and other sensitive information is a key capability because they are a liquid commodity in the global criminal marketplace, as is holding control of PCs in order to extract a ransom from their owners.  Both lines of illicit business seem to deliver attractive profits.  Internet-enabled crime has established itself as a potent and nimble force.  It continues to demonstrate tremendous sensitivity and creativity, and a capacity to quickly evolve as needed.

So, what can we do?

This is a tough one.  The first move appears to be executive education.  Senior leaders need to understand that the social media marketplace is at least as rich with risk as it might be with revenue and profit potential.  I believe that the risks of moving into the social media arena without careful risk management plans grossly outweigh the potential benefits.  That said, I believe that the potential for finding value in technology-assisted social networking is real-enough to warrant our serious attention and some of our best human resources.

Maybe some combination of a vendor-provided scrubbing of all corporate interactions with targeted social networks — think highly customized filtering web proxies that include reputation services — along with authorization to participate provided only on a strictly-managed “need-for-my-role” basis, and clearly communicated and simply documented “rules of engagement” for all staff involved.  All the standard anti-malware measures, network monitoring, event correlation, alerting, alarming, reporting, incident management processes, and more need to be in place as well…

Again, this is a tough one.  What do you think?

-Update on 01-24-2010-

The BBC published a story today about a football powerhouse attempting to protect their brand by attempting to “pull out” of social media all together.

“Manchester United Warns About Social Networking.”
Manchester United Football Club has posted a message on its website explaining that its players do not belong to online social networks.
It advises users to treat any profiles in the names of its players with “extreme scepticism”.
The club says this is because of the high numbers of people impersonating team members online.

http://news.bbc.co.uk/2/hi/technology/8470735.stm

-Resources-

“Cisco 2009 Annual Security Report.” (the report covers a lot more material that I refer to above)
http://cisco.com/en/US/prod/collateral/vpndevc/cisco_2009_asr.pdf



Ready For Employee Theft and Sabotage

November 21, 2009

Are You Ready For Employee Theft and Sabotage?

For many in the financial services industry, the global economic catastrophe has increased the frequency of employee theft and sabotage (broadly-defined).  While some of these incidents are little more than inconvenient reminders that “people are our weakest link…” others will require an immediate and comprehensive response, along with the creation of court-ready evidence (identification, copying, preservation, and documentation of the incident-relevant digital evidence).  We all need to ensure that we are effectively resisting these behaviors, but those efforts will necessarily be imperfect.

This is not a new obligation.  Career criminals continue to expand their use of technology in the course of their illegal activities.  One component (there are many others) of the reasonable processes required for dealing with this situation is “computer forensics.”  This is also a key component of our tooling and processes dealing with new insider crime linked to the toxic economic environment.  Increasingly, “computer” includes a broad range of mobile devices, but I will defer that discussion for another post.

If you have not yet prepared for this situation, you (or your surrogate) might go to http://www.sleuthkit.org/, read up on The Sleuth Kit and Autopsy, download a current copy of BackTrack (or one of the many other forensic toolkit bootable CDs) and start training — the important issue is starting somewhere.  Or, alternatively, get in touch with your favorite risk management consulting house and get their advice about becoming better prepared.  They might just point you to one or more of the specialty forensic consulting practices — and you could do a lot worse than to get one of them on retainer.  The time to start getting ready for a criminal incident at your business is not the moment you get the call from your boss, or one of your corporate lawyers, compliance officers, or accountants — even worse, a reporter from the Wall Street Journal.

There are a number of good books on this topic (search Google or Amazon).

There is a broad spectrum of activities that are included under the label of “computer forensics.”  In order to give you a hint at this range and complexity, a sampling of what they include (but are not limited to) appears below:

  • Respond to live incidents (The attack is ongoing).
  • Respond to recent incidents (hours or days old).
  • Respond to historical incidents (months old or longer).
  • Determine whether an attack/theft/sabotage/etc has actually occurred.
  • Assemble and maintain a toolkit you can employ at the scene of a computer-related crime.
  • Analyze volatile data and nonvolatile data.
  • Safely perform and document forensic duplications.
    Create a bitstream image of the evidence.
    Prepare for subsequent verification of the evidence using one-way hash functions.
    Understand hash and signature analysis.
  • Collect and analyze network-based evidence.
  • Identify and analyze print spool data.
  • Identify and analyze files of unknown origin.
  • Identify and document all start-up and shutdown activity.
  • Identify and document authentication and authorization activity.
  • Identify and document system and data access.
  • Reconstruct web browsing behaviors.
    Including recovery and analysis of cookies.
  • Document all e-mail activity.
  • Identify & document domain name ownership and the “real” source/destination of e-mails.
  • Identify and analyze system and application changes – invest special effort in privilege changes.
    This includes the Windows registry and event logs, as well as application residual files.
  • Identify and analyze data changes – with special attention to creation and destruction activities.
    Includes analysis of slack and unallocated space, and recovery of deleted files.
  • Identify and analyze errors and faults.
  • Perform keyword and email searches.
  • Build time-lines of user and application behaviors.
  • and lots, lots, more…
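Two items in that list, “create a bitstream image of the evidence” and “prepare for subsequent verification of the evidence using one-way hash functions,” are the ones a team can rehearse without any special equipment. The following is an added example, not from this post or from The Sleuth Kit: it copies a source byte-for-byte, hashes the source while reading and the image after writing, records both digests and the operator in a small custody note, and shows the later verification catching a one-byte alteration. The evidence file and operator name are constructed.

```python
"""Bitstream copy with hash verification and a custody note.

Added example, not from the post or from The Sleuth Kit. Reads the source
in blocks, writes an identical image, hashes source and image, and records
the digests, size, operator and time in a JSON custody note beside the
image. The evidence file and operator name are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1024 * 1024   # read/write unit; real imagers also log unreadable blocks


def hash_file(path, algorithm="sha256"):
    """Digest of a whole file, read in blocks so large images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_file(source, image, operator, algorithm="sha256"):
    """Copy source byte-for-byte to image; return the custody record."""
    h_src = hashlib.new(algorithm)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            h_src.update(chunk)          # hash what was read ...
            dst.write(chunk)             # ... and write exactly that
        dst.flush()
        os.fsync(dst.fileno())           # make sure it reached the media
    record = {
        "source": source, "image": image, "operator": operator,
        "algorithm": algorithm,
        "source_digest": h_src.hexdigest(),
        "image_digest": hash_file(image, algorithm),   # re-read from disk
        "size_bytes": os.path.getsize(image),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    record["verified"] = record["source_digest"] == record["image_digest"]
    with open(image + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image, expected_digest, algorithm="sha256"):
    """Later check: does the image still match the digest recorded at acquisition?"""
    return hash_file(image, algorithm) == expected_digest


def demo():
    """Constructed evidence in a temp dir; returns (record, ok_before, ok_after_tamper)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.bin")
    with open(src, "wb") as f:
        f.write(b"constructed sample evidence\n" * 4096)
    rec = image_file(src, os.path.join(tmp, "evidence.dd"),
                     operator="analyst-CONSTRUCTED")
    ok_before = verify_image(rec["image"], rec["source_digest"])
    with open(rec["image"], "r+b") as f:     # simulate a one-byte alteration
        f.seek(0)
        f.write(b"X")
    ok_after = verify_image(rec["image"], rec["source_digest"])
    return rec, ok_before, ok_after


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("verifies before tamper:", before, "| after tamper:", after)
```

In practice the source is a block device opened read-only through a write blocker, the custody note is signed or stored out of band, and a second digest algorithm is recorded alongside the first; the point the example makes is that the digests have to be taken at acquisition time and kept where the image cannot change them.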

If computer forensics are not something that you or your staff are well prepared to execute, I strongly recommend that you consider moving on an immediate plan to develop a minimum competency in this area starting today.

-Resources-

U.S. Secret Service’s “Best Practices For Seizing Electronic Evidence.” Version 3. http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf

“Searching and Seizing Computers and Obtaining Electronic Evidence Manual — Chapter 5 — Evidence”
http://www.cybercrime.gov/ssmanual/05ssma.html, and more broadly http://www.cybercrime.gov/ssmanual/index.html and the Federal Rules of Evidence: http://www.law.cornell.edu/rules/fre/overview.html, and finally,
http://www.cybercrime.gov/cclaws.html.

The Sleuth Kit and Autopsy Browser are open source digital investigation tools (a.k.a. digital forensic tools).  They run on Windows and Unix/linux systems.  They can be used to analyze NTFS, FAT, HFS+, Ext2, Ext3, UFS1, and UFS2 file systems and several volume system types.  The Sleuth Kit (TSK) is a C library and a collection of command line tools. Autopsy is a graphical interface to TSK.  http://www.sleuthkit.org/

The Sleuth Kit: http://sourceforge.net/projects/sleuthkit/
Autopsy: http://sourceforge.net/projects/autopsy/
BackTrack: http://www.backtrack-linux.org/

A list of bootable CDs with The Sleuth Kit & Autopsy, as well as large collections of additional utilities designed to assist you in your forensic work: http://wiki.sleuthkit.org/index.php?title=Tools_Using_TSK_or_Autopsy

“Computer Forensics Procedures and Methods.” By Dr. J. Philip Craiger, Assistant Director for Digital Evidence, National Center for Forensic Science & Department of Engineering Technology, University of Central Florida
http://ncfs.ucf.edu/craiger.forensics.methods.procedures.final.pdf

“Windows Forensic Analysis DVD Toolkit.” (Second Edition)  By Harlan A. Carvey. Syngress, June 11, 2009.
http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224/ref=dp_ob_title_bk

“File System Forensic Analysis.”  By Brian Carrier.  Addison-Wesley Professional, March 27, 2005.
http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/ref=pd_sim_b_1

“Real Digital Forensics: Computer Security and Incident Response.”  By Keith J. Jones, Richard Bejtlich, and Curtis W. Rose. Addison-Wesley Professional, October 3, 2005.
http://www.amazon.com/Real-Digital-Forensics-Computer-Security/dp/0321240693/ref=pd_rhf_shvl_4

And a 2008 list of web resources on forensics: http://geschonneck.com/security/forensics/

For many in the financial services industry, the global economic catastrophe has increased the frequency of employee theft and sabotage (broadly defined).  While some of these incidents are little more than inconvenient reminders that “people are our weakest link…”, others will require an immediate and comprehensive response, along with the creation of court-ready evidence (identification, copying, preservation, and documentation of the incident-relevant digital evidence).  We all need to ensure that we are effectively resisting these behaviors, but those efforts will necessarily be imperfect.

This is not a new obligation.  Career criminals continue to expand their use of technology in the course of their illegal activities.  One component of the reasonable processes required for dealing with this situation is “computer forensics.”  It is also a key component of our tooling and processes for dealing with the new insider crime driven by need in the toxic economic environment.  Increasingly, “computer” includes a broad range of mobile devices, but I will defer that discussion for another post.

If you have not yet prepared for this situation, you (or your surrogate) might go to http://www.sleuthkit.org/, read up on The Sleuth Kit (http://sourceforge.net/projects/sleuthkit/) and Autopsy (http://sourceforge.net/projects/autopsy/), download a current copy of BackTrack (http://www.backtrack-linux.org/) (or one of the many other forensic toolkit bootable CDs) and start training (the important issue is starting somewhere).  Or, alternatively, get in touch with your favorite risk management consulting house and get their advice about becoming better prepared.  They might just point you to one or more of the specialty forensic consulting practices — and you could do a lot worse than to get one of them on retainer.  The time to start getting ready for a criminal incident at your business is not the moment you get the call from your boss, or one of your corporate lawyers, compliance officers, or accountants — or, even worse, a reporter from the Wall Street Journal.

There are a number of good books on this topic (search Google or Amazon).

There is a broad spectrum of activities included under the label of “computer forensics.”  To give you a hint of this range and complexity, a sampling of what they include (but are not limited to) appears below:

Respond to live incidents (the attack is ongoing).
Respond to recent incidents (hours or days old).
Respond to historical incidents (months old or longer).
Determine whether an attack/theft/sabotage/etc. has actually occurred.
Assemble and maintain a toolkit you can employ at the scene of a computer-related crime.
Analyze volatile data and nonvolatile data.
Safely perform and document forensic duplications.
Create a bitstream image of the evidence.
Prepare for subsequent verification of the evidence using one-way hash functions.
Understand hash and signature analysis.
Collect and analyze network-based evidence.
Identify and analyze print spool data.
Identify and analyze files of unknown origin.
Identify and document all startup and shutdown activity.
Identify and document authentication and authorization activity.
Identify and document system and data access.
Reconstruct web browsing behaviors.
  Including recovery and analysis of cookies.
Document all e-mail activity.
Identify & document domain name ownership and the “real” source/destination of e-mails.
Identify and analyze system and application changes – invest special effort in privilege changes.
  This includes the Windows registry and event logs, as well as application residual files.
Identify and analyze data changes – with special attention to creation and destruction activities.
  Includes analysis of slack and unallocated space, and recovery of deleted files.
Identify and analyze errors and faults.
Perform keyword and e-mail searches.
Build timelines of user and application behaviors.
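The “forensic duplication”, “bitstream image” and “one-way hash” items above fit together into one small acquisition routine.  The script below is an added example, not part of the original post and not a Sleuth Kit tool: it uses dd and sha256sum from coreutils, and SOURCE, IMAGE and LOG are placeholder paths supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post or The Sleuth Kit: a bit-for-bit
# copy with dd, hashed before and after with sha256sum so the image can be
# re-verified later. SOURCE, IMAGE and LOG are placeholders chosen by the caller.

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE and appends both SHA-256 values to LOG.
# Returns 0 only when the image hashes the same as the source.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # conv=noerror keeps reading past bad blocks; conv=sync zero-fills them so
    # later offsets still match the original media.  Padding is only correct
    # when the source is a whole number of 512-byte sectors (true for block
    # devices); an odd-sized regular file would otherwise hash differently.
    size=$(wc -c < "$src")
    if [ $((size % 512)) -eq 0 ]; then conv=noerror,sync; else conv=noerror; fi
    dd if="$src" of="$img" bs=512 conv="$conv" 2>/dev/null || return 2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        printf 'acquired_at=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source=%s\nsource_sha256=%s\n' "$src" "$src_hash"
        printf 'image=%s\nimage_sha256=%s\n' "$img" "$img_hash"
    } >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the last image_sha256 recorded in LOG.
# Run this before analysis and whenever custody of the image changes.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep '^image_sha256=' "$log" | tail -n 1 | cut -d= -f2)
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}
```

For real media, attach the source through a hardware write blocker so the acquisition itself cannot alter the evidence; the log file is the start of the documentation trail, not a substitute for it.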

-Resources-

U.S. Secret Service’s “Best Practices For Seizing Electronic Evidence.” Version 3.

http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf

“Searching and Seizing Computers and Obtaining Electronic Evidence Manual — Chapter 5 — Evidence”
http://www.cybercrime.gov/ssmanual/05ssma.html, and more broadly http://www.cybercrime.gov/ssmanual/index.html and the Federal Rules of Evidence: http://www.law.cornell.edu/rules/fre/overview.html.

http://www.cybercrime.gov/cclaws.html
