
Monday, January 8, 2024

Avoid Computer Crimes

 A reminder for all:

A person may not intentionally, willfully, and without authorization alter data stored by a computer database.

MD Criminal Law Code § 7-302 covers (among other things) intentionally inserting records, sign-ups, registrations, etc. for the purpose of disrupting the proper use of the service. Intentionally signing someone up for a listserv to get that listserv blocked for sending spam clearly falls within this.

For the non-Maryland folks, 18 U.S. Code § 1030 is your guiding light.

Intentional disruption of someone else's use of Internet services is a crime.

Flooding a candidate's volunteer signup system with fraudulent entries to exhaust the system and prevent actual volunteers from registering: computer crime.

Collecting the credentials of a campaign staffer and using it to download the emails from their account to distribute publicly in an effort to discredit and embarrass the campaign: computer crime.

We do not want or need to resort to computer crime to undermine functions of the electoral process, nonprofit organizations (even those with despicable goals), or generally civil society. (Judgement withheld regarding explicit government corruption. Reading recommendation: The Burglary: The Discovery of J. Edgar Hoover's Secret FBI, Book by Betty Medsger)

To defenders: Protect your systems and accounts as if people are fine with breaking laws. Losing the confidentiality, integrity, or availability of your data is not mitigated by "Hey, that was illegal!"

Wednesday, February 22, 2017

What are three corporate policies to mitigate risks for cybersecurity attacks at the global level?

  • Disable macros at the policy level: A very common point of entry for malware, be it botnet, remote access trojan, or ransomware, is through the built-in scripting language of Microsoft Office: macros. In fact, the middle of 2016 saw a very large campaign of spammed Office malware leveraging macros within Macro-enabled Document Templates. (Molyett & Lee, 2016) With Windows 10 and new updates to Office, the enterprise-level configuration mechanism, Group Policy, can enable "Block macros from running in Office files from the Internet" (Khanse, 2016), a feature that should always be used. Any person on the network who needs to open such files should be provided a virtual machine for reading those files.

  • Submit all email attachments and links to a sandbox scanner: Other than Office macros, spam carries with it malware executables, links to exploit kits, and various nested file solutions to execute malcode. An effective network protection policy is to have all incoming emails submitted to an automated scanner. (Eckstein, 2015) Such a solution does delay emails by a few minutes, but avoiding a ransomware infection is well worth it.

  • Two-factor authentication: The last common delivery through email is directions to phishing websites that collect user credentials. When a user falls for one of these sites, which can often look pixel perfect because the same technologies are available to the scammer as to the original web developer, the attacker gains the user's login and password for the copied service. This was how the Hillary Clinton campaign chairman, John Podesta, had his emails hacked in 2016. (Vaas, 2016) He accidentally logged into a fake Google Mail support page, and attackers collected his credentials. Two-factor authentication usually means that, in addition to knowing the secret password and the not-so-secret username, a user must also possess a physical device to successfully log in. Phishing attacks then fail to provide access even once credentials have been harvested.

Eckstein, P. (2015). AMP Threat Grid Extends and Bolsters Our Ability to Combat Malicious Malware. Cisco. Retrieved from https://blogs.cisco.com/ciscoit/b-sec-10232015-amp-threat-grid-combats-malicious-malware
Khanse, A. (2016). Prevent and block Macros from running in Microsoft Office using Group Policy. The Windows Club. Retrieved from http://www.thewindowsclub.com/block-macro-malware-microsoft-office
Molyett, M. & Lee, M. (2016). Macro Intruders: Sneaking Past Office Defenses. Cisco Talos. Retrieved from http://blog.talosintel.com/2016/08/macro-intruders-sneaking-past-office.html
Vaas, L. (2016). DNC chief Podesta led to phishing link ‘thanks to a typo’. Sophos. Retrieved from https://nakedsecurity.sophos.com/2016/12/16/dnc-chief-podesta-led-to-phishing-link-thanks-to-a-typo/

Saturday, October 22, 2016

Presenting digital evidence

Testifying and/or writing a report is such a critical part of a computer forensics expert's job because even the greatest forensic expert's work is all for naught if the knowledge cannot get out of the expert's head. Without some way to convey the discoveries, to pass on the knowledge, there is no benefit from the work. Rather than doing a useful job, the expert is just carrying out their hobby: learning what they can for the sake of learning it. Testifying or producing a report is what makes that knowledge accessible to others.
Report writing is important because it documents the expert's job in a way that is repeatable: able to be reproduced and peer reviewed. It records the details of the work such that the expert can remember them when months of other analysis have occurred between the examination and when they finally testify about it. (Garnett, 2010) This report is what will remain over time to be accessed by clients, lawyers, future students, and even the experts themselves.
Testifying is the most important because it is where the forensic examination yields its fruit. Lawyers can present the findings and deliver a report, but that very sterile presentation misses the social impact of testimony. Jurors or judges likely don't have the experience, training, or skill to truly process what they would read in the report on their own. The testifying expert is lending their presence, history, and experience to the conclusions on the paper; their testimony bolsters the argument from a lawyer. (Boundless, 2016)

Boundless. (2016, June 18). How to Incorporate Expert Testimony. Retrieved October 12, 2016, from Boundless Communications: https://www.boundless.com/communications/textbooks/boundless-communications-textbook/supporting-your-ideas-9/using-testimony-48/how-to-incorporate-expert-testimony-196-4203/
Garnett, B. (2010, August 25). Intro to Report Writing for Digital Forensics. SANS. https://digital-forensics.sans.org/blog/2010/08/25/intro-report-writing-digital-forensics/.

Confusion of terminology: exploit

From my experience, the term exploit can very easily cause confusion between these four sets of actors. To a digital forensic expert, it refers to the vector that was used to gain access to the system or how a limited user elevated to privileged access. (Govindavajhala & Appel, 2009) How did this file end up on the computer when all the user did was load a clean webpage with an ad? How did this driver get installed by the secretary?
For the potential jurors, how they process the word exploit is highly dependent on their background. Webster's Dictionary defines exploit as one noun and two verbs, but none of those three definitions will help the juror understand the connotations of a computer exploit. (Merriam Webster, 2016) To someone with a signals analysis background, exploit means to acquire intelligence from a signal or data stream. (mkroot, 2014) This is a miscommunication I have had myself talking with a vulnerability researcher in my early days of computer security, when I discussed exploiting the USB traffic between cell phone and workstation.
For folks with a more legal background, the lawyer and judge included, exploit can carry a much darker connotation. Often exploitation in legal discussions is a blanket term for abuse, rape, and harassment. (Russell, 1984)
This potential issue, caused by the same vocabulary being overloaded as field-specific jargon, can never be entirely eliminated. According to Crystal, a well educated English speaker might know between 15,000 and 23,000 words... words that will be used to convey all of the objects, ideas, emotions, and events of their entire life. (Crystal, 1987) With such a limited number of words, it is inevitable that they will be reused across fields, or else the fields will use ultra-specialized words which are only accessible to the field practitioners, as the sciences do. Ultra-specialized words that are inaccessible to outsiders would fail to solve this problem too, as they must be comprehended by the outsiders that make up other jurors, judges, and lawyers.
The most significant way the issue can be reduced is for the presenter of the term to keep in mind the existence of other uses of it. That way they can be certain to address the potential conflicts with the other contexts the term brings with it, as well as clearly explain what they mean by it.

Crystal, D. (1987). How Many Words? English Today. No 12
Govindavajhala, S., & Appel, A. W. (2009). U.S. Patent Application No. 11/699,607. Identifying unauthorized privilege escalations
Merriam Webster. (2016). Exploit. http://www.merriam-webster.com/dictionary/exploit
mkroot. (2014). Sigint: definition, qualities, problems and limitations. https://blog.cyberwar.nl/2014/10/sigint-definition-intrinsic-qualities-problems-and-limitations-quotes-from-aid-wiebes-2001/
Russell, D. E. (1984). Sexual exploitation: Rape, child sexual abuse, and workplace harassment.

Data Gathering

There are many ways to hide data on recordable media. Hiding data as random noise by encrypting it, or using steganography to embed the data within other data, are two ways that get demonstrated often in media. (Provos & Honeyman, 2003) I will discuss two methods of hiding data which are based on the actual storage elements of the media itself. Our reading this week included a "Partial Overview of the Storage Media Ontology" (Dosis, Homem, & Popov, 2013) which describes the storage on a medium: the physical space is logically split into partitions, data within partitions is mapped by a file system, and the file system maps chunks of data bytes to logical files.
The physical storage media breaks up stored data into sectors, typically 4096 or 512 bytes at a time. (Seagate, 2012) A sector is the smallest addressable allocation exposed to software programs. (DEW, 2002) File systems typically implement storage in clusters of sectors, rather than using sectors directly. (DEW, 2002) Each file system maps a collection of clusters to each file, resulting in a file consuming space equal to the count of data bytes rounded up to the nearest multiple of the cluster size. Each file system also records the true count of data bytes for the file. A careful eye will notice that this leaves a count of extra bytes, called slack space, which can be leveraged for secret storage. (Kaiwee, 2010) Small data can be stored in the slack space of a single file and larger amounts of data could be split across multiple slack spaces.
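The slack-space arithmetic above, as an added example that is not part of the original post: it computes each file's slack on a constructed in-memory image and flags slack that contains non-zero bytes. The 4096-byte cluster size, the `FileRecord` table and the image contents are assumptions made up for the illustration.

```python
from dataclasses import dataclass

SECTOR_SIZE = 512            # bytes per sector (one of the sizes cited above)
SECTORS_PER_CLUSTER = 8      # assumption: 4096-byte clusters
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER


@dataclass
class FileRecord:
    """Hypothetical stand-in for a file system's metadata entry."""
    name: str
    start_cluster: int       # first cluster of a contiguous allocation
    logical_size: int        # true byte count recorded by the file system


def allocated_size(logical_size, cluster_size=CLUSTER_SIZE):
    """Bytes consumed on disk: logical size rounded up to whole clusters."""
    return -(-logical_size // cluster_size) * cluster_size


def slack_bytes(image, rec, cluster_size=CLUSTER_SIZE):
    """Return the bytes between the end of the data and the end of the allocation."""
    start = rec.start_cluster * cluster_size
    end_of_data = start + rec.logical_size
    end_of_alloc = start + allocated_size(rec.logical_size, cluster_size)
    return image[end_of_data:end_of_alloc]


def suspicious_slack(image, records, cluster_size=CLUSTER_SIZE):
    """List (name, slack length, non-zero byte count) for slack that is not all zeros."""
    findings = []
    for rec in records:
        slack = slack_bytes(image, rec, cluster_size)
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            findings.append((rec.name, len(slack), nonzero))
    return findings


def build_sample_image():
    """Constructed 4-cluster image: three files, one with data placed in its slack."""
    records = [
        FileRecord("report.txt", 0, 1000),   # 1 cluster, 3096 bytes of slack
        FileRecord("photo.jpg", 1, 5000),    # 2 clusters, 3192 bytes of slack
        FileRecord("notes.txt", 3, 4096),    # fills its cluster exactly, no slack
    ]
    image = bytearray(CLUSTER_SIZE * 4)
    for rec in records:
        start = rec.start_cluster * CLUSTER_SIZE
        image[start:start + rec.logical_size] = b"A" * rec.logical_size
    hidden = b"constructed hidden payload"   # 26 bytes written past photo.jpg's data
    offset = 1 * CLUSTER_SIZE + 5000
    image[offset:offset + len(hidden)] = hidden
    return bytes(image), records


if __name__ == "__main__":
    img, recs = build_sample_image()
    for name, slack_len, nonzero in suspicious_slack(img, recs):
        print(f"{name}: {nonzero} non-zero bytes in {slack_len} bytes of slack")
```

Non-zero slack is a lead rather than proof of hiding, because slack commonly holds remnants of whatever previously occupied the cluster.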
The second method of hiding information on a hard disk drive depends on the fact that hard disk drives have separate computing devices, Hard Disk Controllers (HDC), that sit between the system utilizing the stored information and the physical storage medium. (Holland & Vavaroutsos, 1994) The HDC holds the storage capacity limits for the drive, which may not actually match the physical storage limits available. The ATA-4 standard allowed for a Host Protected Area, HPA, which is the space on the drive between the addressable capacity and the physical capacity. (Gupta, Hoeschele & Rogers, 2006) Someone hiding data in a Host Protected Area saves information to the highest addresses on a drive and then uses the SET MAX ADDRESS command to shrink the storage capacity to cap out before reaching that data. (Gupta, Hoeschele & Rogers, 2006) Normal disk operations, such as those of the BIOS or an operating system, do not see the HPA because the HDC reports that the storage capacity is only as large as the MAX ADDRESS that was set.
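A check an examiner can run for the Host Protected Area described above, as an added example that is not part of the original post: it parses the `max sectors = current/native` line that `hdparm -N` prints on Linux and reports how many sectors sit above the reported capacity. The sample output, device names and the 512-byte sector size are constructed for the illustration.

```python
import re
from dataclasses import dataclass

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors

# Constructed sample in the layout `hdparm -N <device>` prints.
SAMPLE_OUTPUT = """
/dev/sda:
 max sectors   = 586070255/586072368, HPA is enabled

/dev/sdb:
 max sectors   = 1953525168/1953525168, HPA is disabled
"""

_DEVICE = re.compile(r"^(/dev/\S+):$")
_MAX_SECTORS = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


@dataclass
class DriveReport:
    device: str
    current_max: int   # sectors the controller currently reports as addressable
    native_max: int    # sectors physically available on the drive

    @property
    def hidden_sectors(self):
        return self.native_max - self.current_max

    @property
    def hidden_bytes(self):
        return self.hidden_sectors * SECTOR_SIZE

    @property
    def hpa_present(self):
        return self.hidden_sectors > 0


def parse_hdparm_n(output):
    """Turn `hdparm -N` text for one or more drives into DriveReport objects."""
    reports, device = [], None
    for raw in output.splitlines():
        line = raw.strip()
        dev = _DEVICE.match(line)
        if dev:
            device = dev.group(1)
            continue
        sectors = _MAX_SECTORS.search(line)
        if sectors and device:
            reports.append(
                DriveReport(device, int(sectors.group(1)), int(sectors.group(2)))
            )
            device = None
    return reports


def drives_with_hpa(output):
    """Devices whose reported capacity is smaller than the native capacity."""
    return [r for r in parse_hdparm_n(output) if r.hpa_present]


if __name__ == "__main__":
    for r in drives_with_hpa(SAMPLE_OUTPUT):
        print(f"{r.device}: {r.hidden_sectors} sectors "
              f"({r.hidden_bytes} bytes) above the reported capacity")
```

An acquisition that stops at the reported capacity never reads those sectors, so the comparison belongs before imaging; some vendors also use the HPA for recovery data, so a hit calls for examination rather than a conclusion.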

DEW. (2002). Hard Drive Clusters and File Allocation. DEW Associates Corporation. http://www.dewassoc.com/kbase/hard_drives/clusters.htm
Dosis, S., Homem, I., & Popov, O. (2013). Semantic representation and integration of digital evidence. Procedia Computer Science, 22, 1266-1275.
Gupta, M. R., Hoeschele, M. D., & Rogers, M. K. (2006). Hidden disk areas: HPA and DCO. International Journal of Digital Evidence, 5(1), 1-8.
Holland, A., & Vavaroutsos, P. G. (1994). U.S. Patent No. 5,367,669. Washington, DC: U.S. Patent and Trademark Office.
Kaiwee, C. (2010). Analysis of Hidden Data in NTFS File system.
Provos, N., & Honeyman, P. (2003). Hide and seek: An introduction to steganography. IEEE Security & Privacy, 1(3), 32-44.
Seagate. (2012). Desktop HDD Data Sheet. http://www.seagate.com/staticfiles/docs/pdf/datasheet/disc/desktop-hdd-data-sheet-ds1770-1-1212us.pdf

Preparations A through G were a complete failure

I agree that preparation for a digital search is the most critical step in a digital investigation. In 'Electronic crime scene investigation' the very first point called out for review is "First responders without the proper training and skills should not attempt to explore the contents of or to recover information from a computer or other electronic device other than to record what is visible on the display screen." (Ballou, 2010, pg x) This is called out so importantly because without the proper training, skill, and tools the collection of digital evidence is impossible: the lack of any of the three will result in destruction of the very evidence to be investigated. Acquiring and properly deploying those three things make up the preparation phase.
If only a partial preparation has occurred, say the correct tools are collected but a properly trained responder could not be acquired, then those correct tools can be used incorrectly, which then throws off the whole investigation. Leach writes about an example where the proper tool, EnCase, may be used to examine a disk and file system evidence but with the wrong timezone set for an evidence file. (2010) By botching the preparation phase and proceeding to Collection with an insufficiently skilled responder, the evidence file was collected in a way that causes the data to be examined incorrectly during the Examination phase. (Cisar, Maravic Cisar, & Bosnjak, 2014)
From a personal standpoint, I have written tools for performing network intrusion response. What is possible in the digital realm is virtually unlimited, given proper preparation. Without being prepared with the proper tools, or without the skill to use them, then some actions are just impossible. For instance, reconstructing recently deleted files (actually deleted, not just recycle binned) is quite possible with a tool that can read the raw disc data and is aware of the file system in use. Without a tool to access raw disc data, though, an investigator will not be able to do it. That is a fun tool to write, I helped with one.

Ballou, S. (2010). Electronic crime scene investigation: A guide for first responders. Diane Publishing.
Cisar, P., Maravic Cisar, S., & Bosnjak, S. (2014). Cybercrime and Digital Forensics–Technologies and Approaches. DAAAM International Scientific Book.
Leach, S. (2010). What Every Lawyer Needs to Know About Computer Forensic Evidence.

Cybercrime law - ECPA

The most important cybercrime law available to Law Enforcement right now is the Electronic Communications Privacy Act (ECPA) of 1986. This statute, along with amendments to it from the USA PATRIOT Act, provides law enforcement their modern wiretap powers. (OJP, 2013) Law enforcement would have lost such access as communications moved off of the Plain Old Telephone Service, POTS, wires to digital Internet networks. (Frontier, n.d.) Due to changes in how data storage is used in the modern Internet compared to the expectations of the late 80s, the Department of Justice uses the ECPA to carry out warrantless retrieval of "abandoned" emails left on a server. (Reitman, 2012) Modern web-based email, starting with Google's GMail, provides storage capabilities measured in Gigabytes, which means a user can archive a lifetime of text email right in their mailboxes on the server without it ever being abandoned. (McCracken, 2014) Argued by some to be violating the protections of the 4th Amendment, accessing 180+ day old data without a warrant provides law enforcement a powerful tool for collecting stored data during investigations. (Reitman, 2012)

Frontier. (n.d.). What is POTS? The Connection. http://internet.frontier.com/resources/home-phone-information/what-is-pots/
McCracken, H. (2014, April 1). How Gmail Happened: The Inside Story of Its Launch 10 Years Ago. Time. http://time.com/43263/gmail-10th-anniversary/
OJP. (2013). Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510-22. Office of Justice Programs. https://it.ojp.gov/privacyliberty/authorities/statutes/1285
Reitman, R. (2012, December 6). Deep Dive: Updating the Electronic Communications Privacy Act. EFF. https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communications-privacy-act

Dangerous and getting worse: Ransomware Corporate Crime

Of all the ways that corporate computer crime can occur, ransomware is the most damaging. This style of malicious attack can be delivered directly upon infection or after a system has been harvested for valuable data or utilized as a botnet node, allowing a final chance for an infected machine to be monetized. (Spring, 2016) Because it doesn't try to persist across reboots or maintain stealth over long periods of time, ransomware can work its destructive activity as soon as it lands on a system, even without Admin or root access. (Krebs, 2013) As such, typical separation of privilege defenses provide limited benefit because the files that are most at risk during a ransomware attack are those that the logged in user needs or creates. They have write access to their data, so malware they accidentally run does too.
Since the impact of ransomware is denial of service, it can target victims that have high availability requirements rather than the typical confidentiality requirements of companies and their intellectual property. This was demonstrated earlier this year when the hospital industry was the target of an attack that ended up raking in a $17,000 decryption payout. (Gillum & Dishneau, 2016) Operations were interrupted for 10 days, days that put real human lives in danger. (Gillum & Dishneau, 2016)
Typical infections don't try encrypting all of the files on a target system, something that could interfere with the behavior of the malware itself. Instead they often limit the targeted files based upon file type hints from the file name, called the file extension. (Abrams, 2016 September) Just this month it was reported that a sample was found that includes the file extensions of files encrypted by other ransomware: Stampado. (Abrams, 2016 September) This means that a victim could pay to decrypt their files just to learn that the decrypted version is still a locked up artifact of another attack. Some families, such as TorrentLocker, claim to be higher profile families like CryptoLocker, to which they have no relation. (Léveillé, 2014) Underhanded in dealing with victims, and underhanded in abusing others' brands.
Underhanded dealings like Stampado's especially demonstrate the absolute need for regular, off-system backups. (Lennon, 2001) The off-system part is important because the automatic backups of the operating system, such as Windows Shadow Copies, can be and are deleted by most ransomware attacks. (Abrams, 2016 May) This style of attack, despite its increasing popularity and ease of payment, is not new, as demonstrated by the writings of Oswald, 2006, and Giri, Jyoti, & AVERT, also from 2006. All indications are that it will continue to get worse before it gets better, too. (Talos, 2016)

Abrams, L. (2016, September 15). Stampado: Taking Ransomware Scumbaggery to the Next Level. Bleeping Computer. http://www.bleepingcomputer.com/news/security/stampado-taking-ransomware-scumbaggery-to-the-next-level/
Abrams, L. (2016, May 9). Locky Ransomware Information, Help Guide, and FAQ. http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help
Gillum, J. & Dishneau, D. (2016, Mar 29). FBI probing virus behind outage at MedStar Health facilities. AP. http://bigstory.ap.org/article/cf41601903fd4cc492718c12b01d9d1c/fbi-probing-virus-behind-outage-medstar-health-facilities
Giri, B. N., Jyoti, N., & AVERT, M. (2006). The Emergence of Ransomware. AVAR 2006
Léveillé, M. (2014, December) TorrentLocker: Ransomware in a country near you. ESET. http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf
Lennon, S. (2001, August). Backup Rotations - A Final Defense. SANS Institute.
Krebs, B. (2013, November 13). How To Avoid CryptoLocker Ransomware. Krebs on Security. http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware
TALOS. (2016). Ransomware: Past, Present, and Future. http://blog.talosintel.com/2016/04/ransomware.html
Spring, T. (2016, May 13). Cerber Ransomware on the Rise, Fueled by Dridex Botnets. ThreatPost. https://threatpost.com/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets/118090/
Oswald, E. (2006). Ransomware becoming a serious problem. BetaNews, July, 24, 2006.

Tuesday, January 13, 2015

How many bits of entropy will stop a targeted attack?

Over at security.stackexchange there is currently the following question:
The OpenPGP (private) key format stores the key symmetrically encrypted ... key expansion takes about a second on my computer (GPG).
With this kind of setup, is it possible to make it hard enough to brute-force that it's sane to have the private-key publicly available?
I expect the answer depends on the passphrase complexity. E.g. if you somehow managed to have a passphrase with 256 bits of entropy, then an attacker would be better off just guessing the derived key instead of the passphrase - which in this case amounts to brute-forcing an AES key (which I'd consider hard enough to be "safe"). So the question might really be "how complex does your passphrase have to be to make this safe?".
I touched on this thought in my comment over there, but would like to muse on the question a bit more.

He is talking about having his encrypted private key publicly exposed, most likely in a way that it is associated back to one of his accounts. Unless he plans on never actually using the key pair, there will be exploitable benefits to someone malicious in having the private key: forging messages, opening messages sent to him, possibly opening messages sent from him. Also, just the thrill of winning may drive folks to attempt this challenge.

Folks, don't issue challenges like this. Remember Todd Davis, the LifeLock CEO that put his Social Security Number in the ads because of how confident he was in his product? He has been identified as an identity theft victim 13 times. And that is with his entire company's mission and reputation on the line (a reputation that the federal government viewed as $12 million tarnished!). Don't do it!

Once the challenge is issued, it isn't just a question of whether the password can be cracked. It now becomes a question of whether he can be hacked. Well crafted, personalized malicious emails (spear phishing) may be sent to him, possibly even coming from his compromised friends. When you are a target, anyone connected to you may become a target. As a target, a large amount of personal information can typically be gathered about you, including address, phone number, family members and more. Unfortunately this activity, doxxing, is fairly common as a type of online harassment. Challenged enough, what can someone do with all this information?
Not a *likely* outcome. Source: XKCD
If a hacker gains control of your computer, they can place software to harvest your sensitive data: passwords, pseudonyms, possibly financial information.

Please, don't intentionally make yourself a target. (Says the guy that ran for Congress in 2014)

Sunday, November 10, 2013

System Assurance through Memory and Shared Resource Protection

To follow up on the teaser introduction posted a few days ago, here is the public release of my recent paper System Assurance through Memory and Shared Resource Protection!

Week 10 of 12 for this semester. Almost finished!
