UCB Data Breach

August 17, 2009

I picked up the following from SC Magazine:

University College Berkeley hit by second data breach in six months

The standout here is the quote:

“…a website hacker may have had access to their social security numbers and birthdates.”

This could simply be sloppy reporting, but if it is true that someone accessed the PII via the Journalism School website, then this is a fundamental architecture flaw and probably a rookie information security mistake.


Forensics Beyond the Hard Drive: Kindle 2 Logging

June 26, 2009

Platform: Kindle 2

Artifact Type: Log

Information Type: GPS Location

Caveats: Debug mode and 611 logging must be on.

Usefulness: Very Limited

I was interested in what information was available via a Kindle 2 to assist in investigations.  In poking around to see what work others have done I found two sites that were really in depth and had great information:

Kindle Hacking: http://kindle2hacks.com/

Igorsk Blogspot: http://igorsk.blogspot.com/

These two sites do a great job dissecting the Kindle and Kindle 2.

Because inquiring minds want to know, I did a cursory review via FTK and Encase of a brand new Kindle 2, and did not find a whole lot that was very interesting.  Based on my reading of the two blogs above, it seems the more useful bits occur once you have access to the actual filesystem.

One item caught my attention: the “611 Log”.  Upon activating debug mode and turning on this log, one thing immediately stood out:  Latitude and Longitude information.

It is important to say that this log is going to be limited in an actual investigation, but it is worthy of note just the same.

The primary items that limit its usefulness are:

  • It is not on by default
  • It only logs GPS coordinates when the Kindle 2 is actually turned on (screensaver is not “On” for our purposes)
  • The readings are from cell towers, and not actual queries to GPS satellites, so the information is definitely not as accurate.

*** Important Note:  I am not forcing you to do stuff to your Kindle 2; if you do and mess your device up, you have no one to blame but yourself.  These steps worked great for me, but you take the life of your Kindle 2 in your own hands if you decide to play along. ***

Now that I have doused you with cold water, here is how you actually turn the logging on:

Follow the excellently written directions found on the Kindle2 hacking blog here. Look for the “Enable Debug Mode” section.  Do not continue on through the USB networking section… unless you just want to!

Next, type:   `help

That is a single hash, found near the “}” under the Sym menu, followed by the word help.  All of your commands from here on out will be prefaced with that character.  You should see an informational pop-up that looks like this.  Take a moment to enjoy some of the possibilities of what you are seeing.

Next, close the pop-up and type the following: `log611

There will be a short hesitation, a screen blink and that is it.  When you plug your Kindle 2 into the USB cable and attach to your system you will find a folder called “611” and a log that is formatted: YYYY.MM.DD.HH  (Hour in military time).  Open that log and scroll to the “1xRTT” section.  In this section you will find “Latitude” and “Longitude”.  These are the coordinates supplied by the cell tower.

If you turn off the Kindle 2 (i.e., hit the slide button so the screensaver comes on) and travel, this log will not add information until you hit the slide again and it has a chance to hop back on the network.

To turn off the logging:  Go to “Menu” > “Settings”.  Then hit “Menu” > “Restart”.
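
Since the value of this artifact is the time-ordered set of coordinates, here is an added example (my own, not from this post or from the Kindle hacking blogs linked above) of pulling those out of a set of 611 logs and laying them on a timeline.  The folder name, the YYYY.MM.DD.HH file naming, the “1xRTT” section and the “Latitude”/“Longitude” keys are what the post describes; the bracketed section headers and the key: value line layout in the constructed sample are assumptions about the file format, so adjust the two regular expressions to whatever your own device actually writes.

```python
import re
from datetime import datetime

# Constructed sample: three "611" log files keyed by their file name (YYYY.MM.DD.HH,
# as the post describes). The line layout inside each file is an assumption; only the
# "1xRTT" section name and the Latitude/Longitude keys come from the post.
SAMPLE_611_LOGS = {
    "2009.06.25.14": """\
[Power]
State: on
[1xRTT]
Signal: -87
Latitude: 42.3314
Longitude: -83.0458
[EVDO]
Signal: -90
""",
    "2009.06.25.17": """\
[1xRTT]
Signal: -91
Latitude: 42.4800
Longitude: -83.4755
""",
    # device was on, but the tower did not supply a position this hour
    "2009.06.26.09": """\
[1xRTT]
Signal: -99
""",
}

FILENAME_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})\.(\d{2})$")
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")          # assumed "[section]" header style
KV_RE = re.compile(r"^(?P<key>[A-Za-z]+)\s*[:=]\s*(?P<value>.+?)\s*$")  # assumed "key: value" lines

def parse_log_name(name):
    """Turn a YYYY.MM.DD.HH file name into a datetime (hour granularity, 24-hour clock)."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError("not a 611 log name: %r" % name)
    return datetime(*(int(g) for g in m.groups()))

def extract_1xrtt_fix(text):
    """Return (lat, lon) from the 1xRTT section, or None if no position was logged."""
    section = None
    fields = {}
    for line in text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s.group("name")
            continue
        if section != "1xRTT":
            continue
        kv = KV_RE.match(line)
        if kv:
            fields[kv.group("key").lower()] = kv.group("value")
    if "latitude" in fields and "longitude" in fields:
        return float(fields["latitude"]), float(fields["longitude"])
    return None

def build_timeline(logs):
    """Sort the logs by their file-name timestamp and keep only the hours that carry a
    coordinate pair.  Each entry is (datetime, lat, lon).  Remember the caveats: the time
    is only hour granularity, nothing is logged while the screensaver is up, and the
    coordinates are the serving cell tower's, not a GPS fix of the device itself."""
    timeline = []
    for name in sorted(logs, key=parse_log_name):
        fix = extract_1xrtt_fix(logs[name])
        if fix is not None:
            timeline.append((parse_log_name(name), fix[0], fix[1]))
    return timeline

if __name__ == "__main__":
    for when, lat, lon in build_timeline(SAMPLE_611_LOGS):
        print("%s  lat=%.4f lon=%.4f" % (when.strftime("%Y-%m-%d %H:00"), lat, lon))
```

Against a real device, replace SAMPLE_611_LOGS with a dict built by reading each file in the “611” folder off a write-blocked image; the hour with signal but no coordinates is kept out of the timeline deliberately, since an absent fix is not evidence the device was elsewhere.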


Microsoft PowerPoint Vulnerability

April 3, 2009

IMPORTANT INFORMATION REGARDING: Microsoft PowerPoint Vulnerability

OVERVIEW:
A vulnerability has been discovered in various software versions of
Microsoft PowerPoint.  Exploitation of this vulnerability can lead to
code execution at the rights level of the logged in user.  No patches or
workarounds have been released.

Microsoft has stated that exploit attempts have been seen in the wild,
on a limited/targeted basis.

AFFECTED VERSIONS:
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office XP
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft PowerPoint 2003

MITIGATING FACTORS:
As previously stated, successful exploitation limits malicious code
execution to the rights of the logged on user. Steps should be taken to
ensure permissions for various account types are regulated per
applicable policies.

Successful exploitation of this vulnerability requires user interaction
with the specially crafted PowerPoint file.  Users would therefore have
to click links in malicious e-mails, or otherwise be convinced to visit
websites hosting malicious PowerPoint files.  The best defense against
this is educating users on the dangers of accepting files and acting
upon links to websites provided to them via e-mail, IM, or other means
from unknown parties.

REPORTING AGENCIES:

Microsoft:

Microsoft Security Advisory (969136)


Crimes Against Children Research Center: Trends in Arrests of “Online Predators”

April 2, 2009

The Crimes Against Children Research Center has released a new report noting that the types of online sex crime offenses haven’t changed much, but the profile of your average online predator has been shifting.

I have read the actual report as well as the methodology (methodology available here, report available here) and, while I am no expert in report methodology, I cannot spot any serious flaws.  This seems to be a well thought out study that avoids the typical hysteria and FUD that is oh-so-common in this type of work.

Some notable findings:

  • Online sex crimes only account for 1% of all arrests for sex crimes committed against children and youth.
  • Most of the arrests involved solicitation of undercover officers and not actual youth.
  • The percentage of internet users ages 12-17 rose by 20% between 2000 and 2006; at the same time, there was a 21% increase in arrests of offenders who solicited youth online for sex and a 381% increase in arrests of offenders who solicited undercover officers.
  • There was a significant increase in arrests of offenders between the ages of 18-25.

There were some distinct differences between this report’s findings and my own perceptions:

  • Most offenders were open about their motives in their online communication with youth.
  • Only 4% of those arrested (in total) were registered sex offenders.
  • The majority of contacts did not occur through social network sites (social network sites accounted for just over 30%).

For those that have kids or are involved in family law, internet crime or data forensics and investigations, this is likely to be an interesting read.

Any further comments and observations would be great too!


Mac != Automatically Safe (Take It From a Mac Fan!)

April 1, 2009

I love my Macbook Pro – ask anyone who knows me.

Before you Windows users leave thinking that this is YAFBR (Yet Another Fanboy Rant) you should all know that I believe strongly in using the right tool for the job – which does not always mean using the trusty Macbook, and sometimes using MS Windows instead (lord help me, but I said it and there is no taking it back).  Sometimes it involves Linux or a BSD variant.  I love them all for different reasons.

I am concerned with the number of Tweets I saw related to Conficker this morning that stated (not an exact quote) “Thank goodness I have a Mac – it is safer than a PC…Macs never get viruses” and other sentiments that denigrated MS Windows in a sometimes more, sometimes less manner.

Before you get too happy consider the information discussed at CanSecWest last week and published by Milw0rm prior to vendor notification.  Check it out here (but come back!).

It is important to note that you are only as safe as your habits and software, Apple system or not.

I have worked a number of Apple forensics cases involving intrusion and interception of electronic communication.  In each case the firewall was turned off (the user wasn’t aware of how to control the firewall) and there was an astounding lack of logging (the user didn’t know how to control or review logs on the Apple system).

I can also tell you that the number of these types of cases is definitely on the rise.

Here is a quick test:  If your Apple (you can also insert Linux, *BSD, Windows) system was potentially compromised, how would you know?  Can you pull up, right now, failed connection attempts, firewall logs, running process logs?

If not, then take that as your sign and make sure to get yourself battle-ready.
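
If the honest answer to the quick test above is “no”, a first step is being able to read the two logs the cases I mention kept coming back to: the application firewall log and the sshd entries in the system security log.  Here is an added example (mine, not something from the post) that does the triage over a handful of constructed lines.  The sample lines approximate the Mac OS X appfirewall.log and secure.log formats and the hosts and addresses are made up; point the two functions at the real files on your own system to see what has actually been knocking.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/appfirewall.log (the Mac application
# firewall) and /var/log/secure.log (sshd).  Addresses and host names are made up.
SAMPLE_APPFIREWALL = """\
Mar 31 22:14:02 macbook Firewall[53]: Deny sshd connecting from 198.51.100.23:51724 uid = 0 proto=6
Mar 31 22:14:05 macbook Firewall[53]: Deny sshd connecting from 198.51.100.23:51731 uid = 0 proto=6
Mar 31 22:14:09 macbook Firewall[53]: Allow iTunes connecting from 192.168.1.20:49152 uid = 501 proto=6
Mar 31 22:15:40 macbook Firewall[53]: Deny nmbd connecting from 198.51.100.23:137 uid = 0 proto=17
Mar 31 22:16:01 macbook Firewall[53]: Deny sshd connecting from 203.0.113.9:60001 uid = 0 proto=6
"""

SAMPLE_SECURE = """\
Mar 31 22:20:11 macbook sshd[912]: Failed password for root from 198.51.100.23 port 52010 ssh2
Mar 31 22:20:14 macbook sshd[912]: Failed password for root from 198.51.100.23 port 52010 ssh2
Mar 31 22:20:19 macbook sshd[915]: Invalid user admin from 198.51.100.23
Mar 31 22:21:02 macbook sshd[918]: Accepted publickey for alice from 192.168.1.20 port 50011 ssh2
"""

DENY_RE = re.compile(
    r"Firewall\[\d+\]: Deny (?P<svc>\S+) connecting from (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for \S+|Invalid user \S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def denied_connections(log_text):
    """Firewall denials per remote address: {ip: Counter(service -> hits)}."""
    per_ip = {}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            per_ip.setdefault(m.group("ip"), Counter())[m.group("svc")] += 1
    return per_ip

def failed_logins(log_text):
    """Failed sshd authentications (bad password or unknown user) per remote address."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return failures

def suspicious_sources(fw_text, secure_text, threshold=3):
    """Addresses whose denials plus failed logins reach the threshold.  The threshold
    is a judgement call; the point is that you can answer the question at all."""
    totals = Counter()
    for ip, services in denied_connections(fw_text).items():
        totals[ip] += sum(services.values())
    totals.update(failed_logins(secure_text))
    return {ip: n for ip, n in totals.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(suspicious_sources(SAMPLE_APPFIREWALL, SAMPLE_SECURE).items()):
        print("%s: %d denied connections / failed logins" % (ip, n))
```

In the sample the one outside address that is both probing the firewall and guessing ssh passwords rises to the top, while the LAN host that was allowed through and logged in with a key never appears; that separation is exactly what you cannot get with the firewall off and logging unread.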

As bot-nets become more and more prevalent, if you are not part of the solution you are truly a large part of the problem.


Open Source and the Digital Forensics Lab

March 18, 2009

A while back I wrote an article for Evidence Technology magazine entitled “Seven Uses of Open-Source Software for the Digital Forensic Lab.” The article was primarily targeted towards law enforcement agencies that were having trouble getting funding for their labs.  In addition to building the case regarding cost savings, I discussed other advantages to running open-source tools.

At recent conferences I have been increasingly approached by law enforcement as well as corporate investigation teams for advice on dealing with budgetary constraints, so it seems time to resurrect the topic.

Here is a summary of the “Seven” (the original article is here):

  1. Case Management: Although designed for CRM functions, SugarCRM actually makes a great inexpensive case management system.  It has the added advantage of allowing you to maintain a local copy instead of “the cloud”.
  2. Acquisition: The flexibility of “dd” for everything from imaging to memory and file carving makes it the number one contender in this category.  If you must have a MS based solution then you can also try FTK’s Imager lite (not mentioned in the original article).
  3. Analysis: Brian Carrier’s work on The Sleuth Kit with the optional graphical front-end of Autopsy is very worthy of support (tip of the hat to Dan Farmer and Wietse Venema for their original work on “The Coroner’s Toolkit”).  TSK has the added benefit of being scriptable (I use shell or Perl to get the job done).  You can check out TSK here.
  4. Miscellaneous: Stegdetect for dealing with steganography, Ophcrack for system passwords, Foremost or Scalpel for scriptable file carving.
  5. OS support: Linux.  You have access to libraries for NTFS, HFS+, etc. as well as everything you need for MS documents via OpenOffice 3.0. I have had great success with Ubuntu and variations (Mint).
  6. Virtual Platforms: At the time I wrote the article VMware was offering their player and pre-made virtual systems for download.  If you are running off of a Mac you can use Parallels (not free, but very inexpensive) to run various pre-builds of Linux.  Even more compelling is Live View, which allows you to virtually mount and run a dd image without modifying the underlying image.  You can find Live View here.
  7. Mobile Acquisition and Analysis: Helix is no longer free, but those guys at e-fense have given so much value to the rest of the world for so long via Helix that I say “Good on them!”.  You can also check out BackTrack 3 – just be aware that you run the risk of altering data if you boot up incorrectly with BackTrack.
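
On the “scriptable” point in item 3: the glue between TSK’s fls and a timeline is the pipe-separated body file (fls -m output) that mactime reads.  Here is an added example, written for this post rather than taken from TSK or the original article, that parses that format and builds a mactime-style MACB timeline with an optional date window.  The field order is TSK’s documented body-file layout; the four file entries in the sample are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in The Sleuth Kit body-file format, the pipe-separated output of
# `fls -m / -r <image>` that mactime consumes:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (times are Unix epoch)
# fls appends " (deleted)" to names recovered from unallocated directory entries.
SAMPLE_BODYFILE = """\
0|/etc/passwd|24321|r/rrw-r--r--|0|0|1432|1236200000|1235000000|1235000000|1230000000
0|/home/user/.bash_history|51002|r/rrw-------|1000|1000|4096|1236250000|1236250000|1236250000|1231000000
0|/tmp/.x|51777|r/rrwxr-xr-x|1000|1000|88214|1236240000|1236240000|1236240000|1236240000
0|/home/user/notes.txt (deleted)|51010|r/rrw-r--r--|1000|1000|512|1236100000|1236100000|1236100000|1232000000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")

def parse_bodyfile(text):
    """Parse body-file lines into dicts; reject lines with the wrong field count rather
    than silently dropping evidence."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed body file line: %r" % line)
        row = dict(zip(FIELDS, parts))
        for f in ("size", "atime", "mtime", "ctime", "crtime"):
            row[f] = int(row[f])
        rows.append(row)
    return rows

def build_timeline(rows, start=None, end=None):
    """Expand each file into one event per distinct timestamp and merge identical
    timestamps into a MACB flag string the way mactime does.  start/end are epoch
    seconds.  Returns a sorted list of (epoch, macb, mode, uid, gid, size, name)."""
    events = {}
    for r in rows:
        for flag, f in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            t = r[f]
            if t == 0:  # TSK writes 0 when the filesystem has no such timestamp
                continue
            if (start is not None and t < start) or (end is not None and t > end):
                continue
            ev = events.setdefault((t, r["name"]), {"flags": set(), "row": r})
            ev["flags"].add(flag)
    out = []
    for (t, name), ev in sorted(events.items()):
        macb = "".join(ch if ch in ev["flags"] else "." for ch in "macb")
        r = ev["row"]
        out.append((t, macb, r["mode"], r["uid"], r["gid"], r["size"], name))
    return out

def fmt(epoch):
    """Render an epoch in UTC; convert to the suspect machine's zone only when reporting."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    for t, macb, mode, uid, gid, size, name in build_timeline(parse_bodyfile(SAMPLE_BODYFILE)):
        print(fmt(t), macb, mode, uid, gid, size, name)
```

Feed it `fls -m / -r image.dd > body.txt` from a real image and the “macb” entry for a file whose four timestamps are identical (like /tmp/.x in the sample) is the classic signature of something created and never touched again, which is usually where you start reading.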

What are some other “Can’t miss tools”?  Drop a comment in and tell the rest of us.


Kwame Kilpatrick Asks Skytel for $100M

March 10, 2009

It is being reported that Mayor Kwame Kilpatrick is going after Skytel for the release of the text messages that led to the settlement of the police whistleblower lawsuit against him.

(source: The Detroit News)

It appears that the grounds for this action are the Stored Communications Act.  As a non-attorney I am guessing that this will boil down to a few factors:

  1. Was the police department involved in the production of the text messages (4th Amendment)?
  2. Was the contract with Skytel to provide messaging services, or storage/retrieval and reporting?

The Stored Communications Act does differentiate between a provider of services, and a provider of storage, so the Skytel contract wording will likely make a difference.

With all of the Kwame Drama aside, this could actually be interesting for providers, contract attorneys, e-discovery and forensics folks as well.

Here is a reference to another case with similar characteristics:

Quon v. Arch Wireless


Firewire Target Mode and Other Apple Goodness

March 5, 2009

When performing information forensics on Apple platforms, we have a few options for acquisition:

  • Firewire Target mode
  • BackTrack or Helix 3 (tested on Intel platforms – works great, some caveats, though)
  • Pull the drive and do your thing!

Here is an article that describes yet another use for Firewire target mode.  It is good to be reminded of the flexibility available through some of these features:

Macworld: “Firewire target disk mode to the rescue”

While I am at it, here is some more wonderful Mac goodness:

TUAW: “Keyboard Shortcuts During Mac OSX Startup”

Somewhat related to the Firewire target mode discussion above.

Download YouTube (in HD as well) using Safari or FireFox

(Also useful for other streams).  Make sure to use the “HD” format so you can get .mp4 format in iTunes – otherwise you will need an FLV player.

Teleport: Control Multiple Macs With One Keyboard Mouse (Mac-centric Synergy-like program)

I have long used Synergy, but if you watch your logs you quickly realize that Synergy on a Mac is very “chatty”.  This is a good stand-in for Mac-only control.  If you need multiple OS support, then Synergy is for you.  Here is a Synergy version that is friendlier to Macs.

Are there any “Can’t live without them” features I have left out?


YouTube Struggles With a Wretched Hive of Scum and Villainy

March 5, 2009

Information Week Article: “YouTube Wrestles With Scammer-Generated Content”

InformationWeek reports that YouTube is “struggling” with posted videos showing such things as stolen credit cards, PINs, etc.  They go on to talk about how difficult it is to screen video content.

A single line mentions that meta-content can be used for screening (searching for keywords that can identify the content), but a YouTube spokesman goes on to say that they rely “on our community to know our community guidelines and flag content that violates the guidelines.”

First of all, the type of community that will be looking for that niche content isn’t going to be all that quick to flag it.

Secondly,  how hard would it be to build a signature base of meta-word and behavioral screening to remove the largest portion of objectionable (illegal) content?  Here are a few ideas to think about as you read the article – feel free to post your own:

  • SpamAssassin for content anyone?  Use the meta data to help weight the red flag.
  • Watch topics that users post to/visit and use this to weight a flag.  For instance, a little old lady that is concerned about “poodles” and “identity theft” will not affect the weight as much as someone looking for “Free credit card numbers” and “MS Windows licenses”.
  • Use Natural Language Processing techniques to identify and weight actual posts (remember the “StupidFilter”?).

I realize full well that these techniques can be gamed just like anything else, but it seems to me that they are viable, not so hard to implement (I use components of them in my work – although the scale is different!), and a darn spot better than relying on the crooks to report themselves!
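
To make the first two bullets concrete, here is an added example (mine, not from the article or from YouTube) of a SpamAssassin-style scorer: each rule carries a weight, the weights of the rules that fire are summed, and the uploader’s prior topics shift the total the way the “poodles vs. free credit card numbers” comparison describes.  The three submissions and their histories are constructed, and the weights and thresholds are illustrative rather than tuned.

```python
import re

# Constructed sample submissions: the metadata a hosting site has at upload time, plus a
# short history of what the same uploader has posted or searched before.
SAMPLE_SUBMISSIONS = [
    {"id": "v1", "title": "Grooming my poodle", "tags": ["poodle", "dogs"],
     "description": "Sunday afternoon with the dog.",
     "uploader_history": ["poodle", "identity theft", "knitting"]},
    {"id": "v2", "title": "Free credit card numbers working 2009", "tags": ["cc", "free", "cvv"],
     "description": "fresh dumps with pins, full info, msg me",
     "uploader_history": ["free credit card numbers", "ms windows licenses"]},
    {"id": "v3", "title": "Identity theft: how to protect yourself", "tags": ["security", "identity theft"],
     "description": "Tips from a consumer protection lawyer.",
     "uploader_history": ["consumer law", "privacy"]},
]

# Rule table in the SpamAssassin spirit: (name, pattern, weight).  Negative weights let
# protective or educational context pull a post back down, so "identity theft" alone is
# never enough to flag anything.  Weights are illustrative.
META_RULES = [
    ("CC_OFFER", re.compile(r"\b(free|fresh|working)\b.{0,30}\b(credit card|cc|cvv|dumps?)\b", re.I), 3.0),
    ("PIN_OR_FULLINFO", re.compile(r"\b(pins?|full info)\b", re.I), 2.0),
    ("CONTACT_SOLICIT", re.compile(r"\b(msg|pm|message) me\b", re.I), 1.0),
    ("PROTECTIVE_CONTEXT", re.compile(r"\b(protect yourself|how to protect|consumer protection)\b", re.I), -2.5),
]

# Uploader-history rules: the behavioural weighting from the second bullet.
HISTORY_RULES = [
    ("HIST_CARDING", re.compile(r"free credit card numbers", re.I), 2.0),
    ("HIST_PIRACY", re.compile(r"windows licenses?", re.I), 1.0),
]

def score_submission(sub):
    """Return (score, fired_rule_names) for one submission."""
    text = " ".join([sub["title"], " ".join(sub["tags"]), sub["description"]])
    history = " | ".join(sub["uploader_history"])
    fired = []
    score = 0.0
    for name, pattern, weight in META_RULES:
        if pattern.search(text):
            fired.append(name)
            score += weight
    for name, pattern, weight in HISTORY_RULES:
        if pattern.search(history):
            fired.append(name)
            score += weight
    return score, fired

def triage(submissions, hold_threshold=5.0, review_threshold=2.0):
    """Bucket submissions as hold (block pending review), review (publish but queue for a
    human) or publish.  Returns {id: (decision, score, fired_rules)}."""
    decisions = {}
    for sub in submissions:
        score, fired = score_submission(sub)
        if score >= hold_threshold:
            decision = "hold"
        elif score >= review_threshold:
            decision = "review"
        else:
            decision = "publish"
        decisions[sub["id"]] = (decision, score, fired)
    return decisions

if __name__ == "__main__":
    for vid, (decision, score, fired) in triage(SAMPLE_SUBMISSIONS).items():
        print("%s: %-7s score=%5.1f  %s" % (vid, decision, score, ",".join(fired) or "-"))
```

The rule names matter as much as the score: when the hold queue is reviewed, “why did this fire” is already answered, and a rule that keeps producing false positives can have its weight adjusted without touching the rest of the table, which is the same maintenance loop SpamAssassin users will recognise.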


Government Denies FOIA Request For .gov Domain List

March 4, 2009

Information Week Article

I was sure that the concept of “security through obscurity” had been thoroughly debunked by now; evidently not.

A recent Freedom of Information Act request for a list of .gov domain names was denied by the GSA.  You should know this about me: I am all for state secrets – I think that, realistically, a government must have secrets.  This is perhaps an argument for another day.

Given the nature of DNS, cached DNS, etc., how long do you think it will be before some of these “hidden” domains show up anyway?

Let’s be clear:  I really don’t think this is a huge deal, but it can be a source of mental fun for the rest of us.  So here is a “wake up it is hump day” mental exercise for you (This WILL be graded, you WILL need to know this for the test!):

What would be a more effective “security through obscurity model” for the government to use, while still listing the required domains?

I will start the ball on this (and therefore open myself up to immediate criticism!):

  • Register the domains as normal, but do not use obviously descriptive names: Instead of “trackingPrivateCitizens.gov” you might use “TPCProject.gov”, you may even consider using a completely sanitized CRC32 version: 13201934.gov  (Free Vidoc Razor T-shirt if you can figure that one out).
  • Keep an internal, classified document that maps out the “sanitized domains” with their true descriptions.

How would you set out to discover these “hidden” domains?

  • We will assume zone transfer is not available (Could be a big assumption).
  • Build a database of known domain names.
  • What next?
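
Since I proposed the CRC32 scheme, here is an added example (mine, not anything the GSA does) that implements both halves of it: the public sanitized names and the internal mapping document.  It also answers my own “how would you discover them” question in the least clever way possible, by showing that an outsider holding the public list can simply recompute the same function over a word list.  CRC32 is exactly what zlib provides; the program labels are made up apart from the post’s “trackingPrivateCitizens” example.

```python
import zlib

def sanitize_label(description):
    """The proposed scheme: replace a descriptive label with the decimal CRC32 of it.
    CRC32 is a public, unkeyed function, which is the whole weakness."""
    return str(zlib.crc32(description.encode("utf-8")) & 0xFFFFFFFF)

def register(descriptions, tld="gov"):
    """Build the public name list and the internal (classified) mapping from the
    sanitized names back to their true descriptions.  Two different programs that
    CRC32 to the same value cannot both be registered, so a collision is an error."""
    mapping = {}
    for desc in descriptions:
        name = "%s.%s" % (sanitize_label(desc), tld)
        if name in mapping and mapping[name] != desc:
            raise ValueError("CRC32 collision: %s already maps to %s" % (name, mapping[name]))
        mapping[name] = desc
    return sorted(mapping), mapping

def recover_description(public_name, candidates, tld="gov"):
    """What anyone with only the public list can do: run the same scheme over a list
    of guessed descriptions and see which one produces the published name.  Returns
    the matching candidate or None.  The 'hidden' description is exactly as hidden
    as the candidate list is unguessable, so the classified mapping document protects
    nothing that a decent word list would not reveal."""
    for candidate in candidates:
        if "%s.%s" % (sanitize_label(candidate), tld) == public_name:
            return candidate
    return None

# Constructed sample labels; "trackingPrivateCitizens" is the post's own example.
PROGRAMS = ["trackingPrivateCitizens", "benefitsPortal", "fleetMaintenance"]

if __name__ == "__main__":
    public_names, classified_mapping = register(PROGRAMS)
    print("public list:", public_names)
    guess_list = ["weather", "payroll", "trackingPrivateCitizens"]
    for name in public_names:
        print(name, "->", recover_description(name, guess_list) or "(not in word list)")
```

The lesson the exercise teaches against itself: hiding a name behind a deterministic public transform buys only as much secrecy as the unpredictability of the input, and the “internal classified document” then has to be protected as if it were the list it was supposed to replace.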

Feel free to post any ideas – or chide me for wasting your time and making you read this cruft!