www.emagined.com

Archive for the ‘Network Security’ Category

Could the U.S. Lose a Cyberwar?

March 8th, 2010

Nearly two weeks ago Admiral Mike McConnell, the former U.S. Director of National Intelligence (DNI), testified about the preparedness of the U.S. in the event of a cyberwar at a meeting of the U.S. Senate Commerce, Transportation and Technology Committee. He said that if the U.S. were to be attacked in a cyber war, the U.S. would lose. Admiral McConnell’s testimony created shock waves among members of this committee, who reportedly did not have a clue that the U.S. was so dismally prepared for cyberwarfare. Jim Lewis, who heads the government’s Commission on Cybersecurity, followed Admiral McConnell by saying that most of the U.S.’s critical computing infrastructure is within the commercial sector, but this sector is not doing enough to safeguard computing assets. According to Lewis, no improvements in cybersecurity practices within private industry are likely to occur unless regulations require these improvements. Read more…

Network Security

RSA 2010

March 5th, 2010

Earlier this week I once again went to the RSA Conference in San Francisco. I could have gone to some of the presentations and panels, but once again I chose to not do so. Why? I have found that many times one can learn more from meeting and talking to people at this conference rather than attending sessions, and once again I found this to be mostly true.

I went to the RSA Conference last year and noted in a blog entry shortly afterwards that attendance had dropped considerably from 2008. An unfortunate outcome was my having to deal with the conference’s PR firm, which objected to my mentioning the then downward turn in attendance. Good news—this firm should have no objection whatsoever to my saying without any reservation that the attendance for RSA 2010 was dramatically higher than last year. My main metric, good or bad as it might be, is how easy it is to get from point A to point B within the Moscone Convention Center. This year I had to constantly dodge people in the main upstairs areas and down below in the exposition hall. Seating areas were crowded. There is no doubt that attendance was at least back to its 2008 levels, or very possibly even higher. Read more…


Guest Editorial on Code Liability

March 1st, 2010

In a SANS NewsBites editorial a little over a week ago I lamented the fact that to date software companies have for the most part not been held responsible in legal cases for damages resulting from bugs in their code. I described this situation as “the single greatest enabler of bug-infested coding on the part of vendors.” A mentor and also friend of mine, the legendary Bill Murray, sent me a message with a plethora of excellent comments concerning the issue of liability related to software bugs. His commentary on this issue is so outstanding that I decided to (with his advance consent) publish it as a blog posting. Read more…


The Death of Risk

March 1st, 2010

My friend and colleague Donn Parker, security consultant and researcher par excellence, gives an RSA session entitled “Alternatives to Security Risk Management” (RSA P2P 204A Weds at 1pm Burgundy 222) in which he attempts once more to debunk the myth that “risk can be managed” in information security.  Donn has been on the forefront of thinking about information security since the 1970s and he is used to being ignored by all types of people who either don’t get it or haven’t figured out a way to exploit an idea for profit yet.  Sometimes his rants can seem quixotic but almost always look prescient after-the-fact.  Here is an example.  Donn is not saying that “risk doesn’t matter” (although read below for more on this notion), but he is saying that the idea that an organization can use quantitative techniques analyzing detailed risk profiles around data and controls to make decisions about information security is pure bunkum.  I agree…mostly. Read more…


Smartphone Forensics: Part 7

February 26th, 2010

This is the last of a seven-part series on smartphone forensics. The topic is what to do with the information that has been copied from smartphones and other mobile devices such as iPods. We’ll assume that the forensics data have been copied to a special handheld device for mobile device forensics (such as one that Guidance Software makes), a PC (ideally one on which a forensics tool is running), or a secure USB drive. (The best forensics procedure is actually to make two copies, one a best evidence copy to be stored in a forensics vault, and the other a working copy for forensics analysis.) One of the risks in making forensics dumps is the possibility that information obtained in this manner might be altered on the computer or device to which it has been copied. The copied data must thus be accessible in read-only mode so that nothing can be changed. Additionally, a hash value (preferably using one of the SHA family of hash algorithms) of the data should be computed and, if possible, compared to the hash value of the data on the original device. Forensics tools make performing all these procedures much easier and more error proof, but experienced forensics investigators can do just about anything without such tools if necessary. For example, it is possible to set a Registry value in Windows XP to prevent the ability to write. Read more…


Smartphone Forensics: Part 6

February 22nd, 2010

The first posting in this series provided an introduction to smartphone forensics. Parts two, three, four and five covered forensics in iPhones, BlackBerrys, Motorola smartphones, and iPods, respectively. So far we’ve gone over how to use forensics procedures to capture data from each type of cell phone as well as some of the challenges involved, but we haven’t really gone farther in the forensics process. This sixth posting in this series covers some of the other extremely important procedural considerations. These include how to gain access to data on smartphones, ensuring that all relevant data are captured, protecting the integrity of data, dealing with differences in operating systems and file systems, and being careful to avoid errors that can easily invalidate a forensics investigation. Read more…


Smartphone Forensics: Part 5

February 19th, 2010

So far this series has covered forensics for the iPhone, BlackBerry, and Motorola smartphones. I was just about ready to wrap up this series when I suddenly realized that iPods and similar devices are now also increasingly the focus of forensics investigations. Accordingly, this posting covers forensics for iPods.

One of the most important initial considerations regarding forensics investigations with iPods is that these devices are often physically connected to computers. When this is the case, the iPod becomes a mounted device on the computer. You can determine whether or not an iPod is mounted on another computer by looking at the iPod’s screen. If “Do Not Disconnect” is displayed, the iPod is mounted, and it thus has to be unmounted before it is physically disconnected from the computer. To do this on Macintosh computers, drag the iPod icon to the trash bin on the Mac desktop. To do this on Windows computers, click the “Unplug or eject hardware” icon that is displayed in the task bar in the lower right-hand part of the display. If the iPod is not unmounted before being physically disconnected from a computer, the iPod’s hard drive can be damaged. Read more…


Smartphone Forensics: Part 4

February 16th, 2010

Although both iPhones and BlackBerrys command a disproportionate share of the smartphone market, many smartphone users have other types of smartphones that may also need to be forensically analyzed. Motorola phones are good examples. Motorola has manufactured a wide variety of smartphones that are similar in look and feel, but that may also differ from each other in a number of ways. Suppose that law enforcement suspects that evidence concerning a crime that has been committed exists on a Motorola p2k or p2k05 phone. On most of these phones it is first necessary to go to the Menu and then to the Flash&Backup function to start the process of obtaining a copy of information stored on this device. A menu consisting of six backup selections will appear. Read more…
