A Simple Plan to Ruin Your Boss: Plant Child Porn On His PC

August 10, 2010

A simple plan to ruin your boss: plant child porn on his PC.

This occurred in the UK in 2006 (it is just now working its way through the courts), and seems extreme.  The reality is that planted evidence can occur in many different forms:  Planted documents, images, and even emails.

While the deception in the UK case was broken through cell phone activity (the perpetrator made an “anonymous” phone call, and had been heard bragging about his exploits at a BBQ), a good forensic examiner goes beyond simple modified, accessed and created times to review other system information that backs up the method of arrival of the information on the system itself:

  • The insertion of USB devices: USB devices can leave quite a trail on a system, including the device manufacturer, type, even sometimes serial numbers.  Further activity supporting the insertion of the device can sometimes be correlated between file history analysis and searches for activity surrounding the specific device ID.
  • Metadata contained within the purported documents: Images, videos, audio files, PDF documents and other file types often have information regarding the date of creation (not necessarily introduction to the system), authorship, serial or license numbers of the product used, sometimes even information about the system that created them.
  • System files: Sometimes the introduction or generation of a file triggers other supporting files on the system.  Examination of these files can tell an investigator whether the file information matches up with what the system knows about the file.
  • Surrounding activity: Other activity on the system related to usage can be an indicator as well.  For example: If a file was supposedly downloaded from the internet, one would expect to see certain other activity surrounding the download if it was generated by the user.
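As an added illustration of the correlation described above (constructed sample data, not evidence from the UK case): a filesystem "created" time that postdates the "modified" time is the classic sign of a file copied in from elsewhere, and that created time can be checked against the file's own embedded date and against a removable-device connection window.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the post): filesystem MAC times, the
# date embedded in the file's own metadata, and a USB connection window.
FS_TIMES = {
    # path: (modified, accessed, created) as the filesystem reports them
    "C:/Users/boss/Pictures/img001.jpg": (
        datetime(2006, 3, 2, 14, 10), datetime(2006, 5, 9, 23, 41), datetime(2006, 5, 9, 23, 40)),
    "C:/Users/boss/Documents/report.doc": (
        datetime(2006, 5, 9, 23, 55), datetime(2006, 5, 9, 23, 55), datetime(2006, 5, 1, 9, 0)),
}
EMBEDDED_DATES = {  # e.g. EXIF DateTimeOriginal or an Office "Created" property
    "C:/Users/boss/Pictures/img001.jpg": datetime(2006, 3, 2, 14, 10),
    "C:/Users/boss/Documents/report.doc": datetime(2006, 5, 1, 9, 0),
}
USB_WINDOWS = [  # (connected, disconnected) for one removable device
    (datetime(2006, 5, 9, 23, 35), datetime(2006, 5, 9, 23, 50)),
]


def arrival_indicators(path, fs_times, embedded, usb_windows):
    """Return the list of arrival indicators that apply to one file."""
    modified, accessed, created = fs_times[path]
    flags = []
    # On NTFS a copy keeps the source's modified time but gets a fresh created
    # time, so created > modified means the file arrived from somewhere else.
    if created > modified:
        flags.append("created-after-modified (copied in, not authored here)")
    # A date the file carries inside itself that predates the filesystem
    # created time says the same thing from the metadata side.
    if path in embedded and embedded[path] < created - timedelta(minutes=1):
        flags.append("embedded date predates filesystem created time")
    # Creation inside a removable-device connection window ties the file to
    # that device for follow-up against the device's own registry trail.
    for start, end in usb_windows:
        if start <= created <= end:
            flags.append("created while removable device connected")
    return flags
```

Run over the constructed records, the image collects all three indicators while the locally authored document collects none.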

A lot of these same techniques can be used to attack or defend other claims of the so-called “trojan defense” (aka “A Virus must have done it”).

Researching deliberate obfuscation CAN be a challenge, but in situations similar to the UK case a client is not at all dead in the water if an information forensics analyst is competent and able to look at the “Evidence Beyond the Hard Drive”™.


McAfee Alleged to Hand Subscriber Credit Cards to Third Party

April 8, 2010

A federal class action suit filed by Rosen, Bien & Galvin, out of San Francisco, alleges that McAfee uses deceptive techniques to “trick” users into handing their credit card information to a third-party partner.

After entering the information, previously undisclosed charges appear on the user’s credit card bill.  The suit alleges that when the user attempts to contact the third party to cancel the “service” they receive a recording that states it “does not offer cancellation or subscription services”.

The complaint also states that upon contacting McAfee the users are told that the AV software company cannot do anything about the charge.

Add this one to the “One More Reason McAfee Sucks” category, and file under “Dirt Rat Bastards”.

CourtNews Link:

Class Claims McAfee Pulled A Fast One


DEA Proposes Allowing Electronic Prescriptions for Narcotics

April 6, 2010

On March 31 the DEA published a proposal to allow electronic prescriptions for narcotics (Docket No. DEA-218I).

The effective date for this is June 1, 2010 pending congressional review.  The RFC section gives insight into how they plan to implement (bold text added by yours truly):  Identity proofing, access control, authentication, biometric subsystems and testing of those subsystems, internal audit trails for electronic prescription applications, and third-party auditors and certification organizations.

It looks like there will be a requirement to be “certified” to perform electronic fill of narcotic prescriptions, but is that really enough (think Heartland)?

There are several really interesting tidbits that can be derived from this document that I did not realize:

1. “The responsibility for the proper prescribing and dispensing of controlled substances is upon the prescribing practitioner, but a corresponding responsibility rests with the pharmacist who fills the prescription.” – This makes sense, but also indicates that they will likely follow a path where the responsible parties determine the means by which they accomplish an outline of requirements surrounding security related to narcotics prescription.  Ask yourself this:  Did HIPAA end internal patient record theft?

2. “[M]ost electronic prescriptions are routed from the electronic prescription or EHR application through intermediaries, at least one of which determines whether the prescription file needs to be converted from one software version to another so that the receiving pharmacy application can correctly import the data. There are generally three to five intermediaries that route prescriptions between practitioners and pharmacies.” – This points to the lack of standards, potential for screw ups and also multiple points of potential abuse.

I am still reviewing the text document (it is long) but I am also preparing and educating myself in this area – I feel some cases coming.

Original Federal Register Text:

FR Doc 2010-6687


New Tricks: Data Mining With Google Spreadsheets

March 22, 2010

Happily, I stumbled across the following link:

Now You Can Mine Data With Google Queries Too

The interesting bit is below the comic where they actually reveal a method I hadn’t thought of: 

Using a query embedded in Google Spreadsheets to mine and graph data in Google’s engine.

While the actual instructions are terse, I was able to get things up and running by visiting the actual example, and then copying and pasting the individual cells for examination.

Here is the blow by blow:

First, decide what you want to mine.  One of the examples is for income, we will use this one.

Open up Google spreadsheets and in cell A2 put (complete as printed here):

=""""&"I make $"&B2&" per year"""

[NOTE:  WordPress jacks up the quotes, so you are going to have to replace all of the quotes in the above with double quotes, or it won’t work!]

Initially it is gonna look like this “I make $ per year”.

Now in B2 put a dollar amount: 45,000.

You should see your number populate in B1 now.

Finally, the magic that actually gets the query info.

Put the following in C2:

=importXML("http://www.google.com/search?num=100&q="&A2,"//p[@id='resultStats']/b[3]")

[NOTE: Same problem here – WordPress tries to mess with the multiple quotes.  Replace all double AND single quotes manually and you will be fine, otherwise you will get an Error.]

After a brief load time you should see a number returned.  This is the number of returns that included your statement in cell A2.

Now copy and paste A2 and C2 down the line and change your values accordingly as you move down.

To create the graph, simply open “Insert->Chart” and choose your graph type.

To populate the graph with your data, make sure to clear the box right under “What Data?” and then click and drag down column C on your spreadsheet.  Make sure to remove Column C as labels.  You should see your data represented in the preview.

That’s it!  The world is now your oyster!  I can’t wait to apply this in some cases I am working on, I am still mulling over where this can be most useful, but the possibilities boggle the mind.
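The same pipeline outside the spreadsheet, as an added example (not from the linked post): the A2 formula wraps the statement in double quotes so the search is an exact-phrase query, and the XPath picks the third bold number because the old "Results 1 - 100 of about N" line carried the total in that position. The sample results page is constructed, and the fetch that importXML performs is left out so this runs offline.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Pieces of the C2 formula: base search URL plus the XPath it applies.
SEARCH_URL = "http://www.google.com/search?num=100&q="
RESULT_XPATH = ".//p[@id='resultStats']/b[3]"  # the formula's //p[@id='resultStats']/b[3]


def statement(amount):
    """Equivalent of the A2 formula: the phrase wrapped in double quotes."""
    return '"I make $%s per year"' % amount


def query_url(amount):
    """Equivalent of concatenating the base URL with A2, URL-encoded for a fetch."""
    return SEARCH_URL + quote(statement(amount), safe="")


def result_count(html):
    """Apply the C2 XPath to a results page and return the hit count as an int."""
    root = ET.fromstring(html)
    node = root.find(RESULT_XPATH)
    if node is None or node.text is None:
        raise ValueError("resultStats not found (page layout differs)")
    return int(re.sub(r"[^\d]", "", node.text))


# Constructed stand-in for a fetched results page (no network access here).
SAMPLE_PAGE = (
    '<html><body><p id="resultStats">Results <b>1</b> - <b>100</b> of about '
    '<b>1,230</b> for "I make $45,000 per year"</p></body></html>'
)
```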


Financial Institutions Using Live Data Sets in Test Environments

March 16, 2010

A recently released survey finds 83% of financial firms use production data for testing.  What this means (for the non-developers) is that your customer data is used unmasked and in its full form to test systems that, by the very fact that they should be TEST systems, have an unknown level of security and integrity.

Even though the study was commissioned by a company that works specifically with data protection in test environments (important to call out bias!), I believe the numbers on this one – especially when I go back and research the number of financial institution data breaches that have occurred because “live” customer data sets were in the hands of a third party contractor, or other employee off-site.

I have done development work on health data and I understand full well the challenges of creating meaningful data sets (as well as the enormous expense) for testing purposes.  The bottom line comes to this:  There is no excuse that justifies exposing personal data in this manner.  Period.

In performing penetration tests a common tactic that we use during the “recon” phase is to look for servers that are obviously development systems.  We do this because patch levels and security are typically at a minimum on these systems and they are usually the “low hanging fruit”.

So it makes me wonder – just what justification can possibly make these guys think this is OK?

Here are some more stats from the study that should give you pause:

  • identity compliance procedures (used by only 56 percent of companies surveyed);
  • intrusion detection systems (used by only 47 percent of companies surveyed);
  • data loss prevention (DLP) technology (used by only 41 percent of companies surveyed); and
  • Social Security number usage (88 percent of those surveyed still use this as a primary identifier)

Remember these findings the next time you read a news release regarding a financial institution data breach and some chuckle-head says that they are quite certain no sensitive data was taken or misused.  The very next question to ask is: How would you even know?

Sources:

http://money.cnn.com/news/newsfeeds/articles/globenewswire/185342.htm

http://cpwr.client.shareholder.com/releasedetail.cfm?ReleaseID=448389


ID Theft: It’s Not Just For Credit Cards Anymore

March 10, 2010

George Jenkins, the writer for the “I’ve Been Mugged” blog (http://ivebeenmugged.typepad.com) writes about a recent survey release discussing medical identity theft.  While this has been going on for a while (I had my first case involving electronic MedID theft 8 years ago) it serves as an excellent proactive warning:  THINK about any and all information systems that you give your ID to and QUESTION the flow of information.  We are not living in an age where blind trust/acceptance is acceptable.

The study was performed by the Ponemon Institute and sponsored by Experian.  One of the privacy analysts with Ponemon was quoted (emphasis added):

“The two results that stood out to me were the more than $20,000 average cost to consumers who suffered ID/credit fraud as a result of a medical data breach, as well as the potential for physical harm to those who have their medical records ‘polluted’ due to healthcare fraud,” says Mike Spinney, a senior privacy analyst at Ponemon Institute.

The residual issue of “physical harm” due to a corruption of medical records gives plenty to ponder – especially given the efforts to aggregate medical records in an electronic environment.  Also particularly interesting are the number of people that were aware they had a problem and did not report it.  I wonder about the psychology of that.

By the way – George is an excellently informed writer on these types of stories, and his blog is definitely worth a follow.

George Jenkins’ Link:

Survey: 5.8% Of US Adults Have Been Medical Identity Theft Victims


Please Disseminate:  Abused Women and Electronic Trace Information (in memory of Sandy B)

February 12, 2010

As many of you know, I recently had a case that ended tragically in a murder/suicide.

My client was an incredible woman who was trying to escape an abusive situation.  She had already fled her home and was working with a safe house.

It is my opinion that her husband used a specific electronic method to obtain information and identify her location.  He then followed her and waited until she came out of a store, ran her down with his vehicle and then took his own life.

Since this occurred I have spoken with a few safe house organizations and have come to realize that, while there is a marked increase in the use of electronic means to track an abused spouse, there is not a corresponding level of information on how to “Cut The Electronic Cord”.

In a recent Houston Chronicle article (Mary Flood, “Till Texts Do Us Part”, Houston Chronicle, Front Page, 12/17/2009) I covered with Ms. Flood a few of the areas that can be abused on cell phones and mobile devices.  While the article was helpful to a number of people, for some of them it was helpful in a way we had not intended — they were planning to use the information to further their own nefarious ends.

Realizing all of this, I have developed a web seminar that I will offer free to safe house organizations, divorce and family attorneys and abused women to attempt to share my knowledge base in the area of cutting electronic trails.  The webinar is entitled “Cutting the Electronic Cord: Managing Electronic Trace Information” and runs approximately 30 minutes.  I will provide the web seminar facility, call in number, and other resources to make this available.  There will also be a facility to handle live questions.

The seminar is NOT a marketing ploy and there will be absolutely NO commercialization or pitching of any products.

I have chosen my cause – and this is it.

If you are a family attorney or safe house organization you may contact me and schedule the webinar on your timetable.  Please be ready with at least three dates and times so that we can correlate calendars more efficiently.

On a go forward basis, I invite attorneys, safe house organizations and abused women to contact me free of charge for consultation.  I will supply safe house organizations with my direct cell phone for emergency events regarding questions related to electronic tracking means.

I am asking my business contacts, Facebook and Twitter contacts to disseminate this information, as well as my contact information, to appropriate sources so that we can start an education program in earnest.

With regards,

Aaron Hughes, CISSP
Vidoc Razor, LLC
Aaron.Hughes@VidocRazor.com
713-474-2286


UCB Data Breach

August 17, 2009

I picked up the following from SC Magazine:

University College Berkeley hit by second data breach in six months

The standout here is the quote:

“…a website hacker may have had access to their social security numbers and birthdates.”

This could simply be sloppy reporting, but if it is true that someone accessed the PII via the Journalism School website then this is a fundamental architecture flaw and probably a rookie information security mistake.


Forensics Beyond the Hard Drive: Kindle 2 Logging

June 26, 2009

Platform: Kindle 2

Artifact Type: Log

Information Type: GPS Location

Caveats: Debug mode and 611 logging must be on.

Usefulness: Very Limited

I was interested in what information was available via a Kindle 2 to assist in investigations.  In poking around to see what work others have done I found two sites that were really in depth and had great information:

Kindle Hacking: http://kindle2hacks.com/

Igorsk Blogspot: http://igorsk.blogspot.com/

These two sites do a great job dissecting the Kindle and Kindle 2.

Because inquiring minds want to know, I did a cursory review via FTK and Encase of a brand new Kindle 2, and did not find a whole lot that was very interesting.  Based on my reading of the two blogs above, it seems the more useful bits occur once you have access to the actual filesystem.

One item caught my attention: the “611 Log”.  Upon activating debug mode and turning on this log, one thing immediately stood out:  Latitude and Longitude information.

It is important to say that this log is going to be limited in an actual investigation, but it is worthy of note just the same.

The primary items that limit its usefulness are:

  • It is not on by default
  • It only logs GPS coordinates when the Kindle 2 is actually turned on (screensaver is not “On” for our purposes)
  • The readings are from cell towers, and not actual queries to GPS satellites, so the information is definitely not as accurate.

*** Important Note:  I am not forcing you to do stuff to your Kindle 2, if you do and mess your device up you have no one to blame but yourself.  These steps worked great for me, you take the life of your Kindle 2 in your own hands if you decide to play along. ***

Now that I have doused you with cold water, here is how you actually turn the logging on:

Follow the excellently written directions found on the Kindle2 hacking blog here. Look for the “Enable Debug Mode” section.  Do not continue on through the USB networking section… unless you just want to!

Next, type:   `help

That is a single hash, found near the “}” under the Sym menu, followed by the word help.  All of your commands from here on out will be prefaced with that character.  You should see an informational pop-up that looks like this.  Take a moment to enjoy some of the possibilities of what you are seeing.

Next, close the pop-up and type the following: `log611

There will be a short hesitation, a screen blink and that is it.  When you plug your Kindle 2 into the USB cable and attach to your system you will find a folder called “611” and a log that is formatted: YYYY.MM.DD.HH  (Hour in military time).  Open that log and peruse to the “1xRTT” section.  In this section you will find “Latitude” and “Longitude”.  These are the coordinates supplied by the cell tower.

If you turn off the Kindle 2 (ie. hit the slide button so the screensaver comes on) and travel, this log will not add information until you hit the slide again and it has a chance to hop back on the network.

To turn off the logging:  Go to “Menu”> “Settings”.  Then hit “Menu”>Restart.
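An added example (not from the post or the Kindle hacking blogs) of pulling the 1xRTT coordinates out of a set of 611 logs: the filename format YYYY.MM.DD.HH is as described above, while the section header and the "Latitude:"/"Longitude:" key-value layout of the sample are assumed, since the post does not reproduce the file's contents.

```python
import re
from datetime import datetime

# Constructed sample log (assumed layout, not a capture from a real Kindle 2):
# the post only says the 611 log has a "1xRTT" section holding "Latitude" and
# "Longitude", so the [section] headers and key: value lines are assumed.
SAMPLE_611 = """\
[Device]
Serial: PLACEHOLDER-SERIAL
[1xRTT]
Tower: 0x1a2b
Latitude: 29.7604
Longitude: -95.3698
[EVDO]
Latitude: 0.0
Longitude: 0.0
"""


def log_timestamp(filename):
    """611 log names are YYYY.MM.DD.HH (24-hour clock), e.g. 2009.06.25.14."""
    return datetime.strptime(filename, "%Y.%m.%d.%H")


def rtt_fix(text):
    """Return (latitude, longitude) from the 1xRTT section only; identically
    named keys in other sections are ignored."""
    section = None
    fix = {}
    for line in text.splitlines():
        header = re.match(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "1xRTT":
            continue
        m = re.match(r"(Latitude|Longitude):\s*(-?\d+(?:\.\d+)?)", line)
        if m:
            fix[m.group(1).lower()] = float(m.group(2))
    if "latitude" not in fix or "longitude" not in fix:
        return None
    return fix["latitude"], fix["longitude"]


def fixes_from_logs(logs):
    """logs: {filename: text}. Hours with no log file mean the Kindle was off
    or in screensaver, so no position exists for that period. The source tag
    records that these are cell-tower readings, not satellite GPS fixes."""
    out = []
    for name in sorted(logs):
        fix = rtt_fix(logs[name])
        if fix is not None:
            out.append((log_timestamp(name), fix[0], fix[1], "cell tower"))
    return out
```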


Microsoft Powerpoint Vulnerability

April 3, 2009

IMPORTANT INFORMATION REGARDING: Microsoft PowerPoint Vulnerability

OVERVIEW:
A vulnerability has been discovered in various software versions of
Microsoft PowerPoint.  Exploitation of this vulnerability can lead to
code execution at the rights level of the logged in user.  No patches or
workarounds have been released.

Microsoft has stated that exploit attempts have been seen in the wild,
on a limited/targeted basis.

AFFECTED VERSIONS:
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office XP
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Powerpoint 2003

MITIGATING FACTORS:
As previously stated, successful exploitation limits malicious code
execution to the rights of the logged on user. Steps should be taken to
ensure permissions for various account types are regulated per
applicable policies.

Successful exploitation of this vulnerability requires user interaction
with the specially crafted PowerPoint file.  Users would therefore have
to click links in malicious e-mails, or otherwise be convinced to visit
websites hosting malicious PowerPoint files.  The best defense against
this is educating users on the dangers of accepting files and acting
upon links to websites provided to them via e-mail, IM, or other means
from unknown parties.

REPORTING AGENCIES:

Microsoft:

Microsoft Security Advisory (969136)