Slashdot Mirror


User: dexterpexter

dexterpexter's activity in the archive.

Stories: 0 · Comments: 161

Comments · 161

  1. But hopefully it will raise awareness on Computer Forensics · Score: 1

    Well, the benefit is that people become more aware of what is possible, what they can do to stop it, and what needs to be maintained/protected for a proper investigation. But yes, it is true that some people fancy themselves experts after reading a single book. Hopefully, though, their lack of credentials will hinder them from being hired or placed into a true forensics position, and will only serve to help them track down the culprit on their server in the case that they do not wish to prosecute the case but wish to track down the source of the intrusion for future monitoring reasons.

    If anything else, it will hopefully make system admins in a corporate setting realise that if they wish to pursue the case in a court, they can't go stomping through the system like a bull in a china shop. Perhaps it will afford them an option to minimize the impact and liability caused by a system compromise, while preserving the system in a way that the real forensic experts can examine the system.

  2. Do not shut down the machine... yank the cord. on Computer Forensics · Score: 1

    As a rule, forensic investigators try to do a cold boot (including yanking the cord or just turning off the machine)

    Actually, a good forensics examiner would not "just turn off the machine." You are correct about yanking the cord. The cord, however, must be pulled from the back of the machine, not the wall.

    Never go through the regular shut down process and do not pull the cord from the wall. The industry standard (and best practice) is to pull the cord from the back of the machine.

  3. The police department on Computer Forensics · Score: 1

    Sadly, not every police department has a cybercrime unit, and thus many do not actually have the resources or expertise to pursue the matter. Unfortunately, although you might have tracked the information down, it may not be prosecutable because of the manner by which you discovered it. While I am sure you did a fine job, the problem is that for things to be admissible in court, there are certain procedures that must first be followed to ensure forensic integrity. That is there to protect the accused from tampering. That might not even be an issue here, but it's something to consider.

    In the case of our local cybercrime unit, they indeed had the resources and expertise to track down the culprit in one cyberstalking case and did so in a sound manner, but one of the district bigwigs decided to drop the case (after months of hard work) because it was "too technical" and that "an average jury wouldn't be able to understand the case." So, it might not be your PD as much as the other district entities over them.

    However, everyone has a right to their day in court and if the individuals affected wanted to pursue the matter themselves in court, they would be within their rights to.

  4. Seizing the server on Computer Forensics · Score: 1

    Ideally, something like EnCase Enterprise would already be installed on the machine. The Enterprise edition of EnCase allows for network security analysis and creates a rather nice report and image of what is going on.

    The problem with this (thus making it ideal) is:
    1) most corporations do not have programs like EnCase Enterprise installed prior to the attack
    2) EnCase is prohibitively expensive.

    You can make an image of the server in the case that it is warranted, but that requires you to have an equal or larger storage medium to which to make the image.

    In the case of a police matter where a crime has been committed and your system is being investigated, however, it is basically: Tough.
    They generally avoid unplugging and bagging and tagging when they can, but if you are being investigated and they have the proper paperwork, they can seize the server.

  5. It is true in the U.S. as well. on Computer Forensics · Score: 1

    Actually, believe it or not, but that is indeed technically true in the United States that by viewing the illegal content, you are in turn committing a crime. Especially in a home or corporate setting. However, if you can prove that it was as a part of a regular investigation, it would not seem that you would be brought up on charges for it. I mean technically, opening a coke bottle without the supervision of a licensed engineer is illegal in the state of Oklahoma, but you won't find many people in jail for it.

    Some of our cybercrime units were discussing that, under the current poorly-drafted laws, it is technically illegal for them to possess that content as a result of a forensics investigation. But then again, most reasonable courts wouldn't prosecute such a case. But I do remember this coming up in conversation with a cybercrime unit in the past, but this is second-hand information that has not been confirmed by evidence, so take it with a grain of salt.

  6. Re:I doubt that. on U.S. Cybersecurity Report Available · Score: 3, Insightful

    Perhaps not, unless customer contact information was involved, specifically credit card information, addresses, names, etc.

    But in my examples:

    -large university systems
    -health care systems
    -tag agencies

    and such and such. Yes, the protection of that information is extremely important.
    Just think about the information that someone would have on you by compromising just your local tag agency.
    When companies collect and store information about their customers, they owe it to their customers to protect that information.

    But you are absolutely correct in stating that, in most cases, budget is the deciding factor. But it's amazing what good administration can do to counter budget issues. A lot of times, but not always, it is poor administration (again, putting things online out-of-order) and such and such that causes these compromises.

    If a company doesn't want to take extra steps to protect information, they should consider not storing that information on a system accessible to the outside.

  7. Yes and no on U.S. Cybersecurity Report Available · Score: 3, Insightful

    That is the problem. Prior to 9/11, there had been no comparable act of terrorism. While right now, things have been mostly peachy in the realm of cyber security (and when it's not, the public is not likely to hear about it), there is a general feeling in the cyber security community that our day will come. This time, however, they are actually attempting to prepare for it; how can that be a bad thing? Even if ineffective, there is effort being applied.

    You would be surprised at who sits behind those computer screens and what their intention is. If the United States has an entity for electronic and cyber warfare, it seems that our enemies would have something similar. Now, back to the teenager thing... it is a sad truth that many compromises of confidential systems have been made by a teenager that is "just curious," but also some of these teens have developed an angsty hatred of the U.S. government and consider it a game to take it down.

    You might not see it as terrorism... until the 911 systems go down. Until the IRS systems are compromised and your entire identity is stolen and abused. Until major systems undergo a DDoS when you suddenly need them. That is why these preventative measures need to be in place, and why our youngest and brightest are being trained to take on this endeavor.

    However, I don't think that 12-year-old terrorists were the focus here. It is the damage that can be caused by even a 12-year-old in context with what can be achieved by a highly trained individual who applies it for malicious purposes.

  8. They do not disregard the fundamentals on U.S. Cybersecurity Report Available · Score: 2, Interesting

    Actually, as I mentioned in another post, the students in these programs must basically double-up duty. They must learn the fundamentals as well as the security aspects.

    The expiration date is true of most majors. I received my bachelors degree in Electrical Engineering and had three years of Mechanical Engineering, and beyond the basics, most of the specializations which students take on during their masters study, given technology trends, will carry an expiration date. That is why most college graduates should consider continuing education. In our program, the students learn the same fundamentals as a "regular" CS student, but then must learn in courses such as:

    Some courses offered:
    --Computer Security
    --Secure Electronic Commerce
    --Enterprise Security Management
    --Secure System Administration and Certification
    --Network Security
    --Computer and Network Forensics
    --Information System Assurance
    --Advanced Computer Security
    and I know there is also an Operational Security course being discussed, among others.

    They also earn certificates in:
    Information Security Professional (INFOSEC), Designated Approving Authority (DAA) and System Administrator (SA), Information Systems Security Officer (ISSO) and System Certifier (SC)

    They must also carry out special side research projects as well.

    Yes, burnout is initially high until the students become accustomed to having a lot asked of them, but the students make it through it and come out as highly competitive professionals (and highly paid), and the agencies they go into often pay to send them to school to keep up with technology trends. In five years, they can expect to be right back in the classroom (while working), but they will be paid for this. They are also paid to go to conferences. I would say that, after they emerge from the fire, most of them actually have a better understanding of the fundamentals because they get to apply them in a specific area, and also concentrate beyond the narrow focus of getting something to work, but to get it to work securely. They still go through the basic programming, operating systems, networking, and other courses as the other students do.
    Also, because of their constant presenting and paper-writing in addition to their regular studies, they come out of the program as personable professionals who can write and speak in a public forum, basics that are often neglected in other programs.

    The students in this specialization don't get out of the fundamentals. Call it fundamentals+.

  9. Concentration in Cyber Security on U.S. Cybersecurity Report Available · Score: 1

    One of, unless I misunderstand you. The SFS program that has been in place at many universities has been around since 2000/2001.

    Although the major is still labeled as Computer Science or a variation thereof, all courses in the masters program are geared toward cyber security.

    Some courses offered:
    --Computer Security
    --Secure Electronic Commerce
    --Enterprise Security Management
    --Secure System Administration and Certification
    --Network Security
    --Computer and Network Forensics
    --Information System Assurance
    --Advanced Computer Security
    and I know there is also an Operational Security course being discussed, among others.

    It also offers certificates in:
    Information Security Professional (INFOSEC), Designated Approving Authority (DAA) and System Administrator (SA), Information Systems Security Officer (ISSO) and System Certifier (SC)

    It is still a rather new thing, though. There are only a handful of universities (albeit a surprising number) offering these programs.

  10. I doubt that. on U.S. Cybersecurity Report Available · Score: 4, Insightful

    Really? As someone who just finished studying and reading the CERT guide for System Administration and Accreditation (yes, it was torture), I find that most system administrators do not know the principles within, or recklessly choose to disregard some of the most helpful ones. Many system administrators are seat-of-the-pants, self-taught individuals who learn along the way as issues come up, and sometimes miss some of the fine points of securing a system. A lot of admins push large upgrades on production systems, or use test systems still connected to the main network (the recent 60,000 computer fiasco reported in /. is a good example), don't practice isolation, choose their products on budget or because of a last minute need (although sometimes this is unavoidable), do not configure firewalls correctly, do not lock down their systems tightly, etc. Sometimes they do everything they should, but out of order. A lot of people don't realize the importance of order in bringing systems online. Many times, these are on critical systems or systems which contain confidential information. Customer information is put at risk, simply because the administrators do not know any better.
    A lot of companies hire admins who are actually unqualified, but who can do a "good enough" job because they don't understand what to look for in an admin.
    Not all admins are this way, but a surprising number of them are.

    If admins out there honestly knew everything there was to know about security, and administered their systems to the CERT guide specs, then I would be impressed. Because my experience in observing everything from large university systems, health care systems, tag agency (all-you-need-for-identity-theft-agencies, more appropriately) systems, corporate systems (credit card information and personal information), is that this simply isn't so.
    A lot of penetration testing reveals vulnerabilities in areas that are clearly stated in that CERT guide.

  11. Roadmap for the future -- Planning is a good thing on U.S. Cybersecurity Report Available · Score: 1

    Those should be the steps (generally) for most projects.

    A program that doesn't go through budget planning, cooperation with the private sector, risk assessment, remediation, and further research and development, as well as education about the program, is exactly why we have the problems that we do. People complain that programs are pushed and rushed from start to finish without any forethought or planning, and then are critical when that planning goes into place. I suppose people would prefer seat-of-the-pants development, no security considerations, isolation from the private sector, and a total lack of budgeting?

    If only most projects (government or private sector) could go through such planning and still get pushed out in a timely manner! I see this as a good thing.

  12. Computer Science programs. on U.S. Cybersecurity Report Available · Score: 3, Interesting

    That is very true. Many colleges simply have a few security courses, and that is it.

    But there are some colleges which offer the five major security certifications and offer network security, ecommerce security, network programming, penetration testing, operational security, forensics, enterprise security management, and more courses which basically make up a secondary Computer Science program. Those students still have to learn all of the fundamentals, but also push themselves to learn the security aspects. These courses are also often taught by ex-government workers, ex-hackers, and such. I know of at least one that is also broadening their program to include electrical engineering and hardware aspects as well, so things like biometric sensors are covered in addition to programming databases.

    I was surprised at how many programs there are in the nation which gear into this stuff; unfortunately, it is probably not enough. Most CS or IS programs focus on the theory and some practical implications, but stop at the security implications.

  13. Yes, there are programs on U.S. Cybersecurity Report Available · Score: 4, Informative

    The National Science Foundation (NSF) and the Department of Defense (DoD) already sponsor Scholarship For Service (SFS) programs like the Cyber Corps to train students in aspects of cyber security with the intention of placing them in government information assurance positions.

    And many colleges are developing Centers for Information Security (CIS), and among those, that is where you see the government encouraging these programs.

    The tag line, I believe, is "Defending America's Cyberspace."

    More information on the SFS program can be found here:
    http://www.sfs.opm.gov/ScholarshipMain.asp

  14. Complaints mean nothing if people take no action on Tin Foil Passports? · Score: 1

    On one hand, I agree with this, although I must say that RFID chips do not have internal power sources and would probably make it through a toss in the washing machine (people are often surprised that at electronics manufacturers, newly placed circuit boards are oftentimes run through a large, expensive, glorified dishwasher) and, because they are so small (did you know that some versions of RFID can actually be *printed* with special ink), they are quite hefty and able to withstand a lot of things thrown at them. I agree, though, that this is certainly an imperfect application and that the chips are not indestructible, and that the inconvenience caused by a failed trip would be large. It would be quite annoying to be stuck somewhere and people would indeed complain. I am by no means supporting the RFID-implanted passports and was simply commenting on how the authentication should be run. Since this is in place to make things secure, an allow-all system would certainly decrease security, and having a system that doesn't use the RFIDs at all would just be silly and inefficient. (Why have them in the first place, then?)

    However, I should note regarding your comment about chips beginning to fail and people complaining that you would be surprised (or perhaps not) at how complacent people can be. For instance, credit card stripes sometimes wear down with time (after being sat on, heated up, wet, etc.) and won't swipe well. Yet credit cards are still widely used. People stomp their feet, get aggravated, then go home and call their credit card company for a new credit card. The inconvenience of some doesn't automatically mean the end of an application. Unfortunately, at times, the inconvenience of many does not as well. If anything, that is part of the problem.

    People complain about these things, but few do anything to correct it.

  15. EnCase and other forensics software suites on Windows Incident Forensics with Knoppix Helix · Score: 1

    I mentioned EnCase here, but gave no details.

    I have used EnCase, among other toolkits. While it is a fine program and has lots of bells and whistles, it cannot do everything that some of the cheaper forensics suites can do, and vice versa. I also did not find its interface quite as intuitive. It really depends on your intended application for it. If you are working for a company and would like something in place for network-based intrusion response, EnCase Enterprise is set up for that. However, if you are looking at work as a forensics analyst, there are other tools out there that are a bit more budget-friendly that are also admissible in court, some of which do a better job in certain areas. EnCase is indeed prohibitively expensive for some people so, if you work for a government or law enforcement agency where budget is an issue, I suggest first checking out iLook because it is free to those agencies. There are other programs such as Foremost that you might want to look at as well, as it is quite handy in looking at header information. FTK is about (not quite) the same as EnCase or iLook, but is a cheaper version. However, if you have the budget for it, EnCase does have its place in the forensics world (I am not completely put-off by it) and is indeed the most widely accepted forensics tool that I am aware of.

    Some programs handle pulling up JPGs really well, some pull hidden images embedded in other images well, some do text string searches really well...
    Like I said, it really depends on what you're wanting.

    I went into some detail about EnCase the last time a forensics suite was brought up in a front page story, but since I do not currently have a subscription, I cannot conveniently bring up the links to those comments, although I am sure they could be found with a little searching. However, if you have any specific questions, feel free to email me at dexterpexter@gCOWmail.com [minus the herbivore] and I can try answering any questions you might have.

    (As a side note, forensics analysts do use Knoppix CDs in live responses. Ideally, you would do so with witnesses. If you arrive at a machine that is off, you use a live CD to boot up the computer and mount the suspect drive (read only) to make a copy of it using dd. This is your "working copy" that the actual investigation is done on. You should never perform an investigation on the original subject machine.)

  16. A Microsoft endorsement is unnecessary on Windows Incident Forensics with Knoppix Helix · Score: 1

    and most Microsoft ITs don't even know that you can use a linux system to diagnose Windows problems

    Luckily the Incident Response and Forensics Analysts (to whom this seems to be directed) do know that you can use a Linux live CD to boot up the computer and mount the suspect drive (read only) to make a copy of it using dd if the machine is off when they arrive. It is an industry practice. This is just another potential tool to add to the toolkit.

    However, you are correct in asserting that the standalone system admin might not know about these sorts of tools. However, now those that read Slashdot are informed, and so bit by bit the information spreads.
    Also, most of the system administrators I know do not get their system administration tools information from "major" news sources like CNN. Most of them get their information through searches created by need, trade magazines, word-of-mouth, or places like Slashdot. I can go back to my own program and spread this link if I was so inclined, and a fair amount of future forensics and security professionals would then know about this tool, and perhaps pass it along wherever they go. The news of these tools reaches a fair amount of the audience for which it was intended.

    A product does not need Microsoft endorsement to be successful, especially in these boutique fields such as forensics where Microsoft is not even a player.
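Comments 15 and 16 describe the live-CD procedure: boot the powered-off machine from a live CD, mount the suspect drive read-only, and copy it with dd to produce the "working copy" the investigation is done on. As an added example (not dexterpexter's code or any project's), this POSIX shell script does the dd copy and records SHA-256 digests of source and image so the working copy can be shown to match the original; the function names, log layout and example device paths are assumptions, and the read-only mount is assumed to have been done beforehand.

```shell
#!/bin/sh
# Added example, not code from the original comments: image a suspect device
# (or file) with dd and log digests proving the image is a faithful copy, so
# the original is never examined directly, as the comments advise.
# Assumed: POSIX sh with dd, plus sha256sum (GNU) or shasum (BSD/macOS).

# sha256_of FILE: print the hex SHA-256 digest using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE with dd, appends a dated record with both digests to
# LOG, and returns 0 only when the digests match (a byte-for-byte copy).
# Returns 2 on a usage problem and 1 if dd failed or the digests differ.
acquire_image() {
    src=$1; img=$2; log=$3
    [ -r "$src" ] || { echo "source not readable: $src" >&2; return 2; }
    # Never clobber an image already taken: that would destroy evidence.
    [ -e "$img" ] && { echo "image already exists, refusing: $img" >&2; return 2; }

    # Hash the source first so the log records the state it was copied in.
    src_hash=$(sha256_of "$src")

    {
        echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "image:  $img"
        echo "sha256(source): $src_hash"
    } >> "$log"

    # For a failing disk add conv=noerror,sync so unreadable blocks are
    # zero-filled instead of aborting the copy; note that sync pads the final
    # block out to bs, so the image digest then matches the source only when
    # the source size is a multiple of bs (true of whole devices, not of
    # arbitrary files). dd's own record counts go into the log as well.
    dd if="$src" of="$img" bs=4096 2>>"$log" || return 1

    img_hash=$(sha256_of "$img")
    echo "sha256(image):  $img_hash" >> "$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified: image matches source" >> "$log"
        return 0
    fi
    echo "MISMATCH: image does not match source" >> "$log"
    return 1
}

# Usage as a script (paths are illustrative):
#   sh acquire.sh /dev/sdb /evidence/case01.img /evidence/case01.log
if [ "$#" -eq 3 ]; then
    acquire_image "$1" "$2" "$3"
fi
```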

  17. The real forensics begins after using the tools on Windows Incident Forensics with Knoppix Helix · Score: 1

    Although I mostly agree with you, I hate for people to get the wrong impression of computer forensics. Computer forensics in particular doesn't just stop at the tools, and you are correct in that it isn't terribly difficult to plug in a tool and hit the enter key. The "real" forensics analysis, however, begins after you use these tools.

    I mean, the best tools in the world can pull potential evidence from a machine, but I have yet to see one that can interpret it. That is where the 'forensics abilities' come in. Not just anyone can do a forensics analysis well.

    But yes, forensics is used a little broadly for my tastes as well. However, the poster insinuated that computer (specifically Windows) based forensics was a silly notion. I submit that computer crime, although dealing with electrons, is just as involved as traditional forensics, only we have our own version of DNA, revealing letters, robbery crime scenes, etc... It just wears a different hat.

  18. Criminal Forensics vs. a Home Incident Response on Windows Incident Forensics with Knoppix Helix · Score: 1

    That might be true on a single home computer where you are trying to track down intrusions while having no intention of pursuing the matter legally.

    However, in the forensics world, you have to acquire evidence in a forensically-sound way that does not change system settings or alter volatile data. When dealing with digital evidence, you have special considerations that you do not want to alter any of the evidence (such as date stamps) or you cannot use that evidence in court, and you must also prove that you didn't alter the system in a way that it produces false evidence. (This is tantamount to tainted DNA)

    For this, something like Knoppix is great. Not only that, it is tested and admissible in court. If something does not meet the Daubert Federal Rules of Evidence, it means squat in court. So, while boutique tools might be the right tool for the job if you just plan to plough through and only get a few pieces of evidence to satisfy immediate needs, if you plan on prosecuting, you have to approach things differently.

    So, perhaps not the "best" method as far as a standalone "get it done" incident response goes (although this is a matter of opinion more than anything else), but when you're dealing with the forensics world and criminal prosecution, there are all sorts of invisible hoops that one must jump through.

  19. Use Copper Instead on Tin Foil Passports? · Score: 4, Funny

    Actually, if you wanted to be really clever about it and doubted the quality of tin foil (although it should be noted that most people unknowingly actually use aluminum foil), you could use a copper mesh and wrap the passport several times. Copper shielding is rather hefty.

    The problem is that a shielded passport, if the RFID is applied correctly, would be an invalid passport. It therefore should do you no good since the identification methods (which should not be set to allow all until a problem comes up) should flag you for coming through without being read. Otherwise, the only ones they would likely catch are those who aren't smart enough to know how to shield their IDs, which is something someone with the motive to do something would make it their business to know, thus rendering this measure ineffective. Also, if one has to remove their passport from the shielding to be read, then it is exposed (if briefly), and that invalidates the measures taken if you subscribe to the privacy concerns that someone with a reader (which you will be surprised to know are very accessible and fairly cheap for someone who stands to benefit from having one, and can actually be built practically by someone with enough know-how) could use that time to lift the information.

    I am hoping that there is strong encryption involved with this implementation of RFID; not all RFID implementations are very secure and, the sad truth is, from my experience, that most are not.

    This reminds me of a story I was once told by someone who did work that brought in all kinds of conspiracy nuts claiming that they were reading these people's minds. This woman came in every day with an aluminum foil hat folded on her head. Every day they would sort of shrug her off, feigning interest in what she had to say. Well, finally one day one of them decided to have a little fun with her and said "You know, we can read your mind because your little hat there isn't grounded." The next time she came by the desk, she had a chain of paperclips from the hat, dragging the ground. heh heh. Needless to say, it provided a bit of amusement for some time.

  20. Microwaving it should make it invalid on Tin Foil Passports? · Score: 2, Insightful

    But then, when they actually applied the intended use of the RFID, your passport would appear invalid.

    An invalid passport should be only as good as no passport at all. Your social protest would have little more success than holding you up, and then, you would need to get a new RFID-enabled passport before you could do anything for which a passport is needed, and you would be back exactly where you started.

    I doubt that they are putting the RFIDs in for the hell of it; they probably actually intend to use that identification technology. However, if they don't have readers in place for identification purposes or worse, use them as a default-allow unless there is a bad reading (which would be a complete security hole if they use it as the sole form of identification and removed the human interaction aspect since you wouldn't throw any alarms, not being read, and thus wouldn't be flagged), your idea would work. If they are smart about it, however, it should not.

  21. There is more than just EnCase on Windows Incident Forensics with Knoppix Helix · Score: 2, Interesting

    Actually, it is very much not irrelevant because EnCase, despite its bells and whistles, is not the end-all forensics tool.

    You might also consider a program like iLook, which is free to government and law-enforcement agencies, assuming that you are not an independent forensics analyst.

    There are many forensics programs besides EnCase which are acceptable in court, many new ones of which I have been trained to use over the last three or four months, and many which have been available for a while. In fact, EnCase will not do everything that some of these other tools (which are admissible in court) will, although it is a nice and useful program in its own right. I don't know who gave you the impression that EnCase is the only court-admissible source of evidence recovery because I can tell you from experience that is incorrect, at least for the entities that I am familiar with... so I suppose I should ask for more details on your specific situation. I have seen a multitude of tools (used by entities such as the Secret Service, the FBI, and local police CyberCrime units, and even a team from NASA) in practice. There has been a move to use other tools such as iLook because in some cases, EnCase is prohibitively expensive or cannot handle the specific incident.
    I understand the value because I have got to see them in practice. (Although I do appreciate your providing a link because others could benefit from the site as well) :)

  22. You would want a larger test set than one. on Failed Win XP Upgrade Wipes Out UK Government Agency · Score: 1

    Well, typically you would want a larger test set than that. But, as another poster pointed out, they were indeed trying to test this on seven PCs, but "infected" the other 60,000.

    So, while they were heading down the right road, they still had the testbed connected to the same network as the production machines, which is a no-no. And they had scripts that were too wide-reaching.

    But ideally, yes, you are correct in that you would want to set up a set of machines and test them first.

  23. Testbeds should be isolated on Failed Win XP Upgrade Wipes Out UK Government Agency · Score: 1

    A testbed should never be connected to a network in a way that such a large error could occur. One of the first rules to good system administration is to test on an isolated testbed, which this very apparently was not.

    The grandparent post had it correct in calling this a "leaky" sandbox.

  24. CERT Guide to System Administration on Failed Win XP Upgrade Wipes Out UK Government Agency · Score: 1

    True, although if they had followed the CERT system guide to system administration (I know, this is more U.S.-centric), those 60,000 PCs should never be connected so intimately on the same network (segmentation on large networks is important for this very reason.) Secondly, a "testbed" should never be connected to the main network. It should be isolated for this very reason.

    This was certainly an example of failure at the speed of light and exactly why networks shouldn't be administered in that way.

    Of course, I am with you in waiting for more hard details.

  25. why open source is good in forensics: Daubert on Windows Incident Forensics with Knoppix Helix · Score: 4, Informative

    I want to tag onto this comment by adding an explanation of why a forensics tool being open source in nature makes it an ideal environment.

    In computer forensics, you cannot use just any tool in an investigation. Your goal is not only to obtain a forensically-sound investigation of the system (one which allows you to analyze and obtain evidence without changing the system information on the duplicate), but also to obtain this information in such a way that it is admissible in court. Finding all of the evidence in the world will not help you if you cannot put the criminal away.

    In the forensics world, there is something called the "Daubert rules" for acceptance for court. This basically tests a forensic tool's reliability and trustworthiness in being used as a form of evidence in court, to assure that the technique doesn't alter or damage the evidence in a way that it should not be admissible in court.

    This test looks at, in the case of a forensics tool:

    1. whether the theory or technique can be and has been tested
    2. whether it has been subjected to peer review and publication
    3. the known or potential error
    4. the general acceptance of the theory in the scientific community
    5. whether the proffered testimony is based upon the expert's special skill

    With 2., this becomes much easier if the tool is open source, although it is not impossible with closed source software. With open source, the entire community can review the software and test it, oftentimes free, as many open source tools go.

    So, although it does not have to be open source, open source lends itself well to the forensics community.