Hacking a hacker?

While doing some recent reading on Digital Foerensics I came across a particularly interesting older case where a Russian hacker was caught by the FBI and charged with computer intrusion and fraud. While this doesn't sound like anything too out of the ordinary what caught my attention was some of the details.

The FBI alleged that Ivanov and other international hackers gained unauthorized access into computers at CTS Network Services (an ISP) and used them to attack other e-commerce companies, including two credit card processors, where he stole customer financial information and used this information in the usual fraud schemes. Nothing too out of the ordinary so far.

Once the FBI had identified their culprit, in order to make the arrest they lured him and an accomplice to the US on the premise of offering a job as an IT security consultant. When the pair arrived, the FBI had them remotely connect to their machines back in Russia as a demonstration of their skills for the new prospective employer. But not all was as it seemed, as the FBI were keylogging the machines the Russians used in the US and used these captured credentials to connect to the Russian computers and extract the evidence they needed (without a search warrant) to prosecute Ivanov and his accomplice.

Do the ends justify the means? The Russian Federal Security Service, or FSB, didn't think so, started criminal proceedings against the FBI Agents for unauthorized access to computer information. Meanwhile back in the States, the Agents involved were awarded the director’s award for excellence as the case was the first in bureau’s history to “utilize the technique of extra-territorial seizure.”

The assistant US District attorney commented that he "wouldn't call it hacking" when discussing the Agent's actions and a federal judge agreed, rejecting motions filed that sought to suppress the evidence obtained from the computers with Ivanov eventually being sentenced to three years in prison.

Do, in this case, the ends justify the means? Or is it simply the beginning of a slipperly slope allowing state-sanctioned hacking in the name of justice?

This case is wan older one and was 'pre-9/11', so I wonder what effect the PATRIOT act has had in the intervening years...

Secure Search

Google have released a beta of their SSL-enabled search page. An interesting concept in that while it protects the end user while performing searches, any ssl protection is lost when the searcher clicks on a link and goes directly to the desired page.

An important point is: "...Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn’t reduce the data sent to Google — it only hides that data from third parties who seek it."

Personally i'd prefer a version of their search engine that didn't maintain my search data, but given some of Google's other recent actions and CEO Eric Schmidt's views on privacy, I'm guessing it isn't coming soon....

On the other hand they are making the recent awesome interactive 'pac man' google logo a permanent feature! (although not everyone thinks it was a good idea...)

Last Accessed Timestamps

I was speaking with Microsoft Tech Support recently about some disk performance issues and an interesting point came up. On large NTFS volumes, the Enhanced Write Filter performance can be sped up by making a registry change to disable the last access date/time stamps. This disables the last access information written to each file as it is accessed, resulting in faster disk read-access:

In the Registry, create HKLM\System\CurrentControlSet\Control\FileSystem\Disablelastaccess and set to 1.

(you can also run an fsutil command in Windows 7/2008: fsutil behavior set disablelastaccess 1)

Microsoft like this idea so much, that the default setting in Windows 7 and Windows Server 2008 is to have the last access disabled (something I have verified on my Windows 7 laptop and in a Windows Server 2008 Standard VM).

This has interesting repercussions for security and computer forensics personnel. If nothing else, if left with the default settings, it removes a tool from the investigation arsenal.

Windows Computer Investigation Guide

During my current Digital Forensics study I recently stumbled across a guide from Microsoft entitled the “Fundamental Computer Investigation Guide for Windows" which is a download containing the basic Microsoft guide, a sample Internal Investigation Report, a sample Chain of Custody document and a sample Impact Analysis document.

Although at 55 pages the guide isn't going to make you a Forensics guru, as a free starters guide it hits all the main points we've learnt so far - initially assessing the situation, obtaining authorization, reviewing any policies or legal restrictions, bieng thourough and methodical in the assessment, acquisition of data, analysis of the data and reporting on the findings. It also contains an applied scenario to tie together all the points previously discussed (set at the Woodgrove Bank - an organization, along with Tailspin Toys and Contoso, that will be all too familar to those who've done a few Microsoft exams).

The tools referenced in the guide are generally all included in the OS or free sysinternals tools, such as filemon, portmon, process explorer, etc, although EnCase and FTK are mentioned for performing a bit-wise acquisition.

While Microsoft do get bashed about alot of things (and security in particular), I am always surprised about the sheer amount of material they generate and freely distribute. If you deal with Windows and aren't familiar with the sysinternals tools, I recommend checking them out.

IBM Distributes Malware

Probably not the best place to go distributing malware.

(hmmm... these posts seem to be getting shorter... maybe tomorrow...)

Facebook Privacy

Alot has been said about Facebook privacy (or lack thereof). A friend passed along this fascinating link that graphically illustrates the evolution of privacy on facebook (or should that be devolution?)

Social networking contains all kind of dangers, from the typical social engineering and scamming to getting fired for 'chucking a sickie' and things far, far worse.

Of course, facebook, myspace or linkedin aren't responsible for the crimes that may be committed by users of their service, but sites like facebook they aren't helping matters by proclaiming 'privacy is dead' and purposely making more information public.

It has been said before, but bears repeating: don't put anything on the internet that you wouldn't want everyone to know. While I don't agree with mark Zuckerburg that 'privacy is dead', I do agree that for all intensive purposes, 'privacy is dead on the internet'.

And finally if you are a facebook user, here are 10 Privacy Settings Every Facebook User Should Know, or if you're tired of the whole social netowrking thing, how to delete your facebook profile in 5 minutes (and by the way, apparently you're not alone).

vSphere Hardening Guide

VMWare have recently released their vSphere Hardening guide. The blog post about it is here, and the guide can be downloaded directly from here [pdf].

From an inital runthrough, it seems quite comprehensive.

InfoSec Legal Risks II

Back in Feb I mentioned a Book I'd come across: Information Security: Managing the Legal Risks by Nick Gifford.

Recently Nick gave a great presentation at the AISA Risk Management Special Interest Group (RMSIG) in Sydney.

Some of the points that came out of his presentation** that I found rather interesting follow:

  • Most InfoSec-related cases are brought under the tort of negligence
  • Damages cannot be recovered under negligence for pure economic loss
  • No cases have yet been tried in Australia for under the tort of Negligence for InfoSec breaches ~ although cases have been settled before going to court
  • The highest privacy breach payout in Australia is around $8000 ~ leaving privacy breaches more damaging to reputation than financially (barring lost revenue from reputational damage of course!)
  • The Trade Practices Act Section 52 is the key area to pay attention to for Australian InfoSec professionals when verifying legal liability ~ it has less hurdles that proving negligence and can be 'creatively' applied by the courts.
  • The ALRC has recommended a new tort of "serious invasion of privacy" and recommended compulsory disclosure laws in Australia.
Nick also referenced an intersting quote from the FTC paper on Identity Theft [pdf]:
The Rule specifies that what is “reasonable” will depend on the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information at issue. This standard recognizes that there cannot be “perfect” security, and that data breaches can occur despite the maintenance of reasonable precautions to prevent them
The formal acknowledgement that "perfect" security cannot exist from someone outside of IT is interesting to see.

Nick gave a great talk, and I do recommend his book.

**Any errors or omission of information in this post are my fault and not Nick's. I am no lawyer! So go seek your legal advice from someone who is!

Security the Amex way

While there are arguments against the effectiveness of PCI-DSS (Payment Card industry Data Security Standards) compliance, it's going nowhere soon.

With that in mind, a recent article caught my eye about how one of the big credit card companies handles it's own Information Security.

Some gems from the Amex response:

I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack.
This is one I've encountered before where transport-layer security is confused with authentication security. Their website could have 128,000 bit encryption, it won't help them when I guess your password is 123456.
We discourage the use of special characters because hacking softwares can recognize them very easily.
More easily than non-special characters? Wow.

The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.

Would that not mean a single character password was even more secure?
Scary. Although a friend did comment "Well at least they have a password policy!"

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme