Twitter Trouble

While playing with my new iPad, I came across an interesting article on The Last Watchdog about the US Federal Trade Commission's complaint against Twitter.

I'd read about Twitter's security breach in April last year where an employee's personal email account was hacked and provided admin passwords to the social networking site, but had somehow missed the earlier breach where apparently nothing more complicated than a brute force attack revealed the site's weak, lower case, common dictionary word administrative password!

According to the article, some of the major points in the FTC's complaint are that Twitter failed to take reasonable steps such as:
  • Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
  • Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
  • Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
  • Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
  • Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
  • Restricting access to administrative controls to employees whose jobs required it
  • Imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses
Additionally, Twitter is "barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years".
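Several of the controls in the FTC's list (rejecting dictionary-word passwords, locking an account after repeated failures, restricting administrative access to specified IP addresses, and expiring passwords after 90 days) are mechanical enough to show in code. The following is an added example written for this post, not Twitter's or the FTC's code; the `COMMON_WORDS` set, the CIDR ranges, the lockout window and the `AdminGate` class are all assumptions made up for the illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import time

# Constructed stand-in for a real dictionary wordlist (assumption: a deployment
# would load a full list rather than these five entries).
COMMON_WORDS = {"happiness", "password", "twitter", "admin", "letmein"}
MAX_FAILED_ATTEMPTS = 5            # lock the account after this many failures
LOCKOUT_SECONDS = 15 * 60          # how long a locked admin account stays locked
MAX_PASSWORD_AGE = 90 * 24 * 3600  # the 90-day expiry named in the complaint
PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = b"\x00" * 16         # used so unknown users cost the same time as known ones


def password_acceptable(password: str) -> bool:
    """Reject the kind of password the complaint describes: short, all
    lower-case, or a plain dictionary word. Requires three character classes."""
    if len(password) < 12 or password.lower() in COMMON_WORDS:
        return False
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return classes >= 3


class AdminGate:
    """Login gate for an administrative interface: source-IP allow-list,
    lockout after repeated failures, and password-age enforcement."""

    def __init__(self, allowed_cidrs, clock=time.time):
        self.allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.clock = clock            # injectable so tests can move time forward
        self.accounts = {}            # user -> (salt, pbkdf2 digest, set_at)
        self.failures = {}            # user -> consecutive failed attempts
        self.locked_until = {}        # user -> unix time at which the lock expires

    def set_password(self, user: str, password: str) -> None:
        """Store only a salted PBKDF2 hash, never the plain-text password."""
        if not password_acceptable(password):
            raise ValueError("password does not meet the administrative policy")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[user] = (salt, digest, self.clock())
        self.failures[user] = 0

    def attempt(self, user: str, password: str, src_ip: str) -> str:
        """Evaluate one login attempt; returns 'ok' or 'denied:<reason>'."""
        now = self.clock()
        if not any(ipaddress.ip_address(src_ip) in net for net in self.allowed):
            return "denied:ip_not_allowed"     # checked before touching any account state
        if self.locked_until.get(user, 0) > now:
            return "denied:locked"
        record = self.accounts.get(user)
        if record is None:
            # Unknown user: burn the same hashing cost and count it as a failure.
            hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, PBKDF2_ROUNDS)
            return self._record_failure(user, now)
        salt, digest, set_at = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return self._record_failure(user, now)
        if now - set_at > MAX_PASSWORD_AGE:
            return "denied:password_expired"
        self.failures[user] = 0
        return "ok"

    def _record_failure(self, user: str, now: float) -> str:
        count = self.failures.get(user, 0) + 1
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return "denied:locked"
        self.failures[user] = count
        return "denied:bad_credentials"


if __name__ == "__main__":
    gate = AdminGate(["10.0.0.0/8"])
    gate.set_password("admin", "Corr3ct-Horse-Battery!")
    print(gate.attempt("admin", "Corr3ct-Horse-Battery!", "203.0.113.9"))  # outside the allow-list
    print(gate.attempt("admin", "Corr3ct-Horse-Battery!", "10.1.2.3"))     # ok
```

The IP check runs before the credential check so that a request from outside the allowed ranges never reaches the password comparison at all, and unknown usernames pay the same hashing cost as real ones so the login page does not reveal which administrative accounts exist.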

Hackers, Fraudsters and Politicians.

The House Standing Committee on Communications have released the results of their findings into Cybercrime in a report entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.

I haven't had a chance to digest the near 300-page document yet, but news.com.au has reported some interesting excerpts from it:

Among its final 34 recommendations were:

— The creation of an around-the-clock cyber crime helpline.

— Changes to the law to make unauthorised installation of software illegal.

— Companies who release IT products with security vulnerabilities should be open to claims for compensation by consumers.

That last point seems to be the most potentially controversial and problematic, but I'll hold judgement until I've had a chance to read the entire report...

BYO Forensic Lab

After recently reading and learning about the requirements for setting up a forensic laboratory, I did a little more research into the subject and came across a fairly recent article on csoonline.com entitled "How to Build Your Own Digital Forensics Lab - for Cheap". While the article is fairly brief and doesn't go into issues such as chain of custody or the capture of volatile data, the author does provide some cool tips on making a USB device read only and points to some free tools for imaging a suspect's disk.

The article also has a link to the handy little "Secret Service's Best Practices For Seizing Electronic Evidence, Pocket Guide for First Responders" [pdf] which has tips such as photographing the screen before powering off a suspect machine and performing the power-down by yanking the power cord (and where appropriate removing the battery). For servers in a business it recommends not yanking out the power cord, but calling a pro and restricting access to avoid damaging the system, disrupting legitimate business and (of course!) reducing the potential for officer and department liability.

It's a cool little guide and an interesting insight into law enforcement procedures.

Top 10 Hollywood Stupid Hackers

News.com.au has a fun little gallery on the "Top 10 Hollywood Stupid Hackers" covering films from 'the Net' and 'Firewall' to 'Tron' and 'Jurassic Park'.

They did miss 'Swordfish', which showed that hacking was all about how quickly you can mash the keyboard...

Best quote of the lot: "I shouldn't have written all of those tank programs" by Kevin Flynn (Jeff Bridges) in TRON.

Wii Forensics

A recent article on Networkworld.com mentions how difficult it can be to recover information from smartphones and game consoles.

I can imagine smartphones are particularly difficult, given the constantly changing nature of the hardware in use and the proliferation of mobile operating systems such as Windows Mobile 7, Android, iPhone OS, WebOS and BlackBerry OS. The modified or custom file systems can also be challenging as I've read that the Xbox 360 uses FATX and that the PS3 uses a proprietary version of ext2.

However, a particular quote from the article that caught my eye was "You can take a Wii onto the Internet and it doesn't save sites or browser history... If you type in a Web address and surf, 10 minutes later there's no record of it." Intrigued by this comment, a bit more digging came up with this paper [pdf] on Wii Forensics.

Dr Turnbull highlights the lack of internal storage (excluding the 256MB flash memory) and proprietary file system as being some of the difficulties in Wii Forensic analysis. The paper makes for interesting reading.

Shout outs

A couple of plugs for blogs of friends:

Fellow AISA member Steven Atcheson has recently started his own Information Security related blog called 'Keeping it Simple'.

Another friend, Tim Davoren of ENSTOR also has a blog largely based around storage, backup and disaster recovery called Dav's Disorder.

CSIRT

ENISA (the European Network and Information Security Agency) have freely released a lot of materials on setting up a CSIRT or CERT.

The step-by-step guide [pdf] seems like a great starting point and they even include exercise materials.

They also have a section on CSIRT-related tools which lists useful tools for every stage of an investigation.

National Cyber Security Awareness Week

It's National Cyber Security Awareness Week this week (6–11 June).

From the website:
National Cyber Security Awareness Week is an annual initiative of the Australian Government held in partnership with industry, community and consumer groups and state and territory governments.

It is designed to raise awareness among Australians of cyber security risks and simple steps they can take to protect their personal and financial information online.

National Cyber Security Awareness Week 2010 is from 6 to 11 June. It will promote six easy tips for better online security:

1. Install security software and update it regularly.
2. Turn on automatic updates so that all your software receives the latest fixes.
3. Get a stronger password and change it at least twice a year.
4. Stop and think before you click on links or attachments.
5. Stop and think before you share any personal or financial information about yourself or your friends and family.
6. Know what your children are doing online. Make sure they know to stay safe and encourage them to report anything suspicious.

Forensics & Virtual Machines

I'm a big fan of virtualization, and have seen first-hand how much of a 'game changer' it has been when it comes to infrastructure. With my recent studies of Digital Forensics I wondered: how does virtualization 'change the game' when it comes to forensics?

In my so-far brief researching, there seems to have been a bit written about the use of virtualization in forensic analysis. The paper entitled 'Virtual Forensics' [pdf] from ForensicsFocus.com is an interesting start, discussing VMs as a target and the use of VMs to make analysis easier. This presentation from 2005 is boldly titled "Virtual Machines: The Ultimate Tool for Computer Forensics" while this paper [pdf] claimed that "the environment created by VMWare differs considerably from the original computer system, and because of that VMWare by itself is very unlikely to produce court admissible evidence" and suggests that a hybrid approach of using a standard forensic image along with a VM for analysis is the best approach.

There also seem to be plenty of ready to run virtual machine images or appliances to assist the forensics practitioner, but what happens when the target machine is a VM?

This article from cio.com mentions that one of the potential problems is that VMFS (VMware's file system used to store the 'guest' virtual machine images) is not well understood. A virtual machine is simply files on a disk, but when you want to capture a forensic image of a VM do you simply capture the 'disk files' (e.g. the VMDK file, the NVRAM file, etc.) or do you need the underlying host storage volume (the VMFS partition) to capture metadata (such as the last accessed time)?

The sheer size of the VMFS partition may also cause problems (think multi-terabyte LUNs), along with the fact that VMFS partitions may be shared amongst many guest VMs, which may cause problems if a forensic investigator is only authorized to investigate a single machine.

With continuing explosive growth of server virtualization and now the increase in interest in desktop virtualization it will be interesting to see what changes (if any) will be required for digital forensic investigators in the near future.

Crooks & Crypto

"Criminals are a superstitious cowardly lot" said none other than the caped crusader, Batman. But it seems they're a lazy lot too. The Register has an article on how 'belief that they won't get caught' and laziness has meant that the feared widespread use of cryptography by criminals has not come about.

It was this fear that has led governments (most notably the US) to float the idea of criminalizing the use of encryption software or requiring that the government hold a key in escrow (such as with the Clipper chip).

A few years ago the UK passed a law ("RIPA section 49") requiring suspects to hand over encryption keys when requested or face fines and up to two years' jail. They have since charged suspects under it.

A great piece on the controversy of whether encryption is harmful or not is also available here.

Cryptography is a tool and can be used for good or for ill. Personally I don't believe in a system where the Government holds keys in escrow without unprecedented transparency around who is accessing keys (and why!) and don't believe such a system would ever be workable. Make Cryptography illegal? Well the 'bad guys' are already breaking the law and only law-abiding citizens would be disadvantaged.

Oh, and I'm more than happy for criminals to remain a lazy, overconfident and superstitious cowardly lot!

HDD decryption

Forensics Focus had an article about some software that "Decrypts TrueCrypt Hard Disks in Minutes". A pretty impressive & scary claim! Wondering how it works? I was too, so a quick visit to the manufacturer's website gives some details on how the software works for HDD decryption:

Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked), extracts all the encryption keys, and decrypts the given volume. Such memory images can be acquired using Passware FireWire Memory Imager (included in Passware Kit Forensic), or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.

Overall Steps

* Acquire a memory image of the seized computer
* Create an encrypted disk image (required for BitLocker only)
* Run Passware Kit to recover the encryption keys and decrypt the hard disk

So there is no gaping hole in the full disk encryption of BitLocker or TrueCrypt; the software extracts the keys from the forensically captured physical memory while the encrypted volume is mounted. This just further highlights the importance of being able to perform a live acquisition of the physical memory when the use of encryption is suspected...
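The reason keys can be pulled out of a memory image at all is that a mounted volume's cipher keeps its expanded key schedule in RAM, and that schedule has an internal structure an investigator can recognise without knowing the key in advance: for AES-128, each 16-byte round key is derived from the one before it by the FIPS-197 key expansion, so a 176-byte run of memory that is consistent with that expansion is almost certainly a key. The example below is added for this post and is not Passware's code; it implements the AES-128 expansion itself, plants two schedules in a constructed pseudo-random buffer standing in for a RAM capture, and scans for them. The sample keys, the buffer size and the function names are all assumptions for the illustration.

```python
import random


def _build_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map, so
    no 256-entry table has to be typed in (and mistyped)."""
    sbox = [0] * 256
    p = q = 1
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63          # zero has no inverse; affine map alone gives 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176        # 11 round keys of 16 bytes for AES-128


def _g(word: bytes, rcon: int) -> bytes:
    """Key-schedule core: RotWord, SubWord, then XOR the round constant."""
    subbed = bytes(SBOX[b] for b in word[1:] + word[:1])
    return bytes([subbed[0] ^ rcon]) + subbed[1:]


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 16-byte AES-128 key; returns 176 bytes."""
    words = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = words[i - 1]
        if i % 4 == 0:
            temp = _g(temp, RCON[i // 4 - 1])
        words.append(bytes(a ^ b for a, b in zip(words[i - 4], temp)))
    return b"".join(words)


def find_aes128_keys(image: bytes) -> list:
    """Scan a memory image for byte runs that form a complete, self-consistent
    AES-128 key schedule. Returns (offset, key) pairs."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        w0, w3 = image[off:off + 4], image[off + 12:off + 16]
        # Cheap filter first: word 4 of a real schedule must equal w0 ^ g(w3).
        first = bytes(a ^ b for a, b in zip(w0, _g(w3, RCON[0])))
        if first != image[off + 16:off + 20]:
            continue
        key = image[off:off + 16]
        if expand_key(key) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, key))
    return hits


def build_sample_image(keys_at: dict, size: int = 32768, seed: int = 7) -> bytes:
    """Constructed stand-in for a RAM capture: seeded pseudo-random filler with
    the expanded schedule of each key planted at the requested offset."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    for off, key in keys_at.items():
        buf[off:off + SCHEDULE_LEN] = expand_key(key)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample keys (the first is the FIPS-197 Appendix A example key).
    fips_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    image = build_sample_image({4096: fips_key, 20000: bytes(range(16))})
    for offset, key in find_aes128_keys(image):
        print(f"key schedule at offset {offset:#x}: key {key.hex()}")
```

This scans for exact AES-128 schedules only; the published tools that do this for real (aeskeyfind from the cold-boot research, and the commercial products discussed above) also search for AES-256 schedules and tolerate a few flipped bits so that a slightly degraded capture still yields the key. The point for the investigator is the same as the post makes: once the machine is powered off the schedule is gone, so the live memory acquisition has to happen while the volume is mounted.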