www.emagined.com

Smartphone Forensics: Part 3

February 9th, 2010

In part two of this series I discussed some of the difficulties involved with conducting forensics investigations on iPhones. Are these investigations easier when mobile devices other than iPhones are the targets of investigation? The answer is that it depends.

Let’s begin with BlackBerry forensics. A simple way to conduct a forensics investigation on a BlackBerry is to use the BlackBerry Desktop Manager to make a backup of the databases on the device. To do this, click on the Backup/Restore icon. The Backup/Restore dialog box will appear. Click on Backup (for a full backup) or Advanced (for special backup options).


Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

Smartphone Forensics: Part 2

February 9th, 2010

The iPhone is widely used today. Numerous survey results, not surprisingly, indicate that the iPhone has now grown to 50 percent of the smartphone market. Market-leading technology spawns supporting technology, and the iPhone is no exception. While doing research for this blog entry I found that over ten forensics tools for the iPhone exist. However, despite the availability of numerous iPhone forensics tools (some of which are free), I cannot honestly say which one I would use if I had to perform a forensics analysis of an iPhone at this minute, because all of these tools have at least some significant limitations.


Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

Smartphone Forensics: Part 1

February 4th, 2010

If you look a little way back in the archive of Emagined blogs, you’ll see a three-part series that I wrote on mobile computing security several years ago when I was still at High Tower Software. In that series I enumerated and described some of the major security risks involved in mobile computing and predicted that these risks would only grow over time. More recently I wrote about vulnerabilities in the iPhone, a device I very much want to buy for myself, but one about which I am too nervous (because of all the vulnerabilities in this product) to actually do so.

Given the plethora of risks associated with smartphones, paying attention to and fixing smartphone vulnerabilities is imperative. There is another side to smartphones, however: the methods and techniques that information security professionals often use—forensics methods. Forensics on smartphones was mostly overlooked in the past, but the almost ubiquitous use of smartphones nowadays has brought this area to the forefront of interest both within and outside the law enforcement community. Smartphones are now routinely used in the commission of crimes, for example when a drug dealer uses one to call another to confirm a drug drop-off time and location. Although phone call logs are available from telecom providers, the information stored on the individual phones themselves is not—hence the need for forensics analysis of smartphones.

Methodology for conducting forensics investigations with conventional computing systems such as PCs is widely agreed upon and used in real-life settings. Forensics investigators record information about the setting in which evidence is being gathered, make image copies of hard drives, label, attest, seal, and hand over to an evidence custodian any evidence that has been gathered, and (usually) use a forensics tool to methodically analyze working copies of hard drives and other evidence (e.g., physical evidence). Hardware tools that quickly image hard drives are widely available. If such tools are not available, a forensics investigator can always use forensics software to duplicate the information on hard drives, even though doing so is much slower. And just about every forensics investigator understands where system binaries and configuration files are located on a conventional computing system as well as where and how perpetrators hide information on the hard drives of these systems, e.g., using slack space to hide pornographic pictures.

The same is not true of smartphones, however. As I have previously said, with every new generation smartphone operating systems more closely resemble the “normal” operating systems of mainstream computing systems. The iPhone’s operating system, for example, has become increasingly similar (though not identical) to the Macintosh operating system, DarwinOS. But the hard drive of an iPhone is quite different from a Macintosh hard drive. The first part of the former consists of a 300 MB read-only partition. The second part, the user data partition, is the rest of the storage space—the part in which pictures, email, and other files are stored. Conventional forensics tools do not in general interface with smartphone hard drives, which usually necessitates buying special software, often from the same vendors who make forensics tools for conventional computing systems. Additionally, making a physical connection between a smartphone and a computer running specialized forensics software requires obtaining a specialized cable, e.g., one that bridges the physical ports on the smartphone and those on a conventional computing system.

In the next posting in this series we’ll look at forensics for iPhones. After that we’ll look at forensics for BlackBerry devices and other types of smartphones. Stay tuned.


Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

More about Windows 7 Security

February 1st, 2010

About two months ago I purchased a laptop running Windows 7 Home Premium. Like so many others, I never bought Windows Vista, and my only experience with Vista was in trying to help Vista users who had a question or a problem that they could not solve. I never liked Vista. As I look back on my experiences with that operating system, I think that the combination of the 3D desktop, performance problems, and dialog boxes popping up everywhere and just about all the time pretty much precluded any chance of my feeling favorable towards it. Ads that portrayed Windows 7 as much more user-friendly, along with favorable reports from early Windows 7 users, convinced me that I needed to try this operating system.

I’ve owned my Windows 7 laptop for a little over two months now. In general, I like this operating system (although I very much miss some of the features of my Mac, so much so that I sometimes go back to using it, especially for multimedia functions). I’m glad that the 3D desktop has disappeared, and I cannot for one second complain about the performance, which is certainly due in large part to my running the 64-bit version of this operating system. I also like the fact that by default I log in as an unprivileged user, something that greatly reduces risks such as those from visiting malicious Web sites or opening email messages that contain a malicious attachment. As in Vista, the Windows User Account Control (UAC) feature pops up a dialog box whenever I am about to engage in an action that is potentially risky from a system stability and/or security standpoint. I must admit that after being presented with hundreds of such dialog boxes, I have tuned them out. I now barely skim the text within each such dialog box before clicking “Yes,” but I still think I would rather have UAC than not have it.

Windows 7 also has some annoying features. Until my boss showed me a setting to change the default cursor/pointer behavior, I found that the pointer sometimes ended up in strange places, usually in an extreme corner of the screen, when I had no intention of moving it there. Additionally, windows used to resize themselves seemingly out of nowhere, and the Windows 7 “snap” feature, in which two windows on a display suddenly butt up against each other, each taking half of the screen, is something that some users may appreciate, but I am not one of those users. I like the way the cursor/pointer and window sizing worked in Windows XP and other previous versions of this operating system—why change something that has worked so well?

Already a number of vulnerabilities in Windows 7 have been identified. One of the most serious is a vulnerability in Server Message Block (SMB), the protocol used for file and printer sharing, which, if exploited, can cause a denial of service. This vulnerability also exists in Windows Server 2008. Another is in UAC, which works just fine with applications that interact directly with users, but not when a third-party application invokes code by proxy via a built-in Windows application. In this case UAC does not prompt users to confirm whether they want to continue when something potentially risky (e.g., invoked code that may be malicious) is about to happen. Worse yet, any malware that is invoked this way runs with full Administrator privileges.

One of the most troublesome vulnerabilities in Windows 7, however, involves the Virtual DOS Machine (VDM), a component first built into Windows NT at its initial release in 1993 so that 16-bit applications could run in 32-bit computing environments on 386 and higher architectures. The problem lies in the handling of BIOS calls in the Virtual-8086 mode monitor code. An unprivileged malicious user running a 16-bit application on the VDM can issue calls that escalate privileges and ultimately gain complete control of the system. This flaw exists in all Microsoft operating systems with a VDM, meaning that it has been present in Microsoft operating systems for a long time.

Microsoft has not yet released a patch for this serious vulnerability, but several workarounds can be used. One is for someone with Administrative privileges on Windows 2003 and up to modify the Group Policy setting that prevents 16-bit applications from running: open the Group Policy Editor, go to Computer Configuration -> Administrative Templates -> Windows Components -> Application Compatibility, and set this option to “True.” This prevents any access to the VDM.
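The Group Policy workaround described above can be audited and applied from PowerShell as well. The script below is an added example, not code from the original post: it reads and sets the registry value that backs the “Prevent access to 16-bit applications” policy (HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, value VDMDisallowed), a mapping taken from Microsoft’s policy documentation rather than from the post; the function names and the -Apply switch are this script’s own.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# Group Policy workaround that blocks 16-bit applications and therefore the VDM.
# The policy "Prevent access to 16-bit applications" is backed by the registry
# value below; that mapping comes from Microsoft's policy documentation, not from
# the post. Function names and the -Apply switch are this script's own choices.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName  = 'VDMDisallowed'

function Get-VdmPolicyState {
    # Returns 'Blocked' (policy enabled), 'Allowed' (explicitly disabled)
    # or 'NotConfigured' (key or value absent).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Blocked' }
    return 'Allowed'
}

function Set-VdmBlocked {
    # Creates the policy key if needed and sets VDMDisallowed = 1 (REG_DWORD),
    # which is what enabling the policy in the Group Policy Editor writes.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-VdmPolicyState
Write-Host "16-bit application policy before: $before"

if ($Apply) {
    # Writing under HKLM\SOFTWARE\Policies requires an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Applying the policy requires an elevated (Administrator) PowerShell session.'
    }
    Set-VdmBlocked
    Write-Host "16-bit application policy after:  $(Get-VdmPolicyState)"
}
```

Run it without -Apply to audit a machine and with -Apply to enforce the block. Note that 64-bit editions of Windows do not ship the VDM at all, so the affected code is present only on 32-bit installations.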

No operating system is perfectly safe from a security point of view. I’ll take Windows 7 security over Windows NT or Windows 2000 security any day. And it is nice that Windows 7 is more user-friendly than Windows Vista. But the presence of legacy vulnerabilities in this newest release of the Windows operating system genuinely troubles me. It is high time for Microsoft to take a cue from OpenBSD, in which new code is written to replace patched code in each subsequent release of that operating system. Copying this practice will not solve all the legacy vulnerability problems in Windows operating systems, but it would at least be a good start.


Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

And Now the Petroleum Industry

January 29th, 2010

OK, OK, I promise to move on after writing far too much lately about the waves of cyberattacks that are ostensibly coming from China. But I cannot resist writing just once more on this subject, because the attacks that have now targeted the petroleum industry have huge implications for information security. You are probably aware of the several-day-old news that ExxonMobil, Marathon and ConocoPhillips experienced attacks in which the perpetrators penetrated far into their networks, to where some of their most business-critical information was stored.

Over the years, I’ve done some kind of consulting work for every major petroleum company, and I’ve had a long-term relationship with some of these companies. Additionally, my father spent over 40 years of his career in the petroleum industry. I have thus learned quite a bit about the way this industry perceives and deals with information security risk. Several types of data were compromised in the recently reported attacks, but the most valuable type of compromised data is widely known as “basin seriatim” data. These are (please forgive my gross oversimplification) data that indicate where to drill for oil deposits, obtained by methods such as echo soundings. A petroleum company’s profitability depends to a large degree on its ability to find sites that produce high yields of crude oil or shale. Each company performs soundings and other tests and then determines which sites appear most promising. Each company next submits a “lease bid” to obtain the right to explore for and produce oil from each chosen site. Because competition among oil companies for certain geographical areas can be extremely intense, closely safeguarding basin seriatim data against unauthorized disclosure is highly critical from a business perspective. Strong controls against unauthorized access to these data are almost without exception in place on the servers that store them throughout the petroleum industry. Unauthorized destruction or alteration of these data could also be ruinous to a petroleum company, so strong controls to counter these risks are also commonly implemented throughout the industry.

I would rate the petroleum industry as *much* better than average in its practice of information security. Executive management within this industry for the most part understands the nature and magnitude of security risks much better than in most other commercial sectors. Furthermore, defense-in-depth strategies that include multiple layers of technical, physical and administrative controls for safeguarding valuable data and critical business processes are typically used. It is for this reason that the revelation that big petroleum companies have experienced massive break-ins and information compromises (including compromises of basin seriatim data) shocks me so much.

What is perhaps even worse is that, just like companies such as Lowe’s, TJX, and Heartland Payment Systems, the petroleum industry was unable to discover the waves of intrusions that started in 2008. Instead, U.S. law enforcement broke the news of the break-ins to the petroleum companies in 2009. This strongly suggests that although the petroleum industry is using mainstream intrusion detection and intrusion prevention technology, this technology is simply not delivering what is needed from it. This should come as no surprise, as this kind of thing has been happening virtually everywhere for years. The nature of attacks has changed substantially within the last few years, but current “state-of-the-art” intrusion detection and intrusion prevention systems have the same basic detection mechanisms that they have had for years.

Security Information Event Management (SIEM) technology with strong event correlation functionality could and would have been highly useful in finding the attacks. Curiously, when I was in the SIEM industry a few years ago I approached the person in charge of intrusion detection in one petroleum company about the possibility of trying SIEM technology. I got absolutely nowhere—the person with whom I interacted was confident that the mainstream intrusion detection tools he was using were more than sufficient for his company’s purposes.

The message to organizations throughout the world is clear. If the petroleum industry has suffered a rash of such serious security incidents, and if this sector has exemplary security practices (which it for the most part does), no industry sector is safe. The real question now is which sector will be targeted next.


Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

Archive Everything Forever, Part 1

January 28th, 2010

What do the Chinese Communist Party and FINRA (Financial Industry Regulatory Authority) have in common? They both want to control and/or censor all communications by their communities. In the case of the Red Chinese, of course, this affects things like whether Tiananmen Square gets sprayed with machine gun fire or Google gets to do business in China without shame. In the case of FINRA in the US, this affects whether registered representatives and their financial firm employers can use social media unfettered. Free speech? What free speech?

Recently, FINRA announced that financial firms are responsible for “monitoring” and “archiving” all communications on social media sites such as Facebook and Twitter by people in their employ, mostly targeting registered representatives: those authorized to trade securities for their firms or their clients, or who advise individuals about securities and financial markets. In fairness, FINRA’s guidance sounds pretty reasonable: “supervise the use of social networking sites to ensure that recommendations are suitable and their customers are not misled.” And they also state that, “FINRA does not endorse any particular technology to keep such records, nor are we certain that adequate technology currently exists.” OK, fair enough. But what to do?

This reminds me of deliberations I participated in back in the mid-1990s in which the security and operations people in regulated financial firms were told to “archive everything forever,” a kind of “shot across the bow” by regulators frozen in the headlights of the exponentially growing phenomenon called The Internet. No known technology then satisfied “archive everything forever.” But that didn’t stop the regulators. There has always been a requirement to archive communications made on paper. Later, it was realized that a lot of faxed communications might be bypassing postal mail-based controls. Later still, recorded phone lines were required (creating a kind of “hot line” class of phones within trading rooms – if you needed to make a personal call, better use a pay phone or a big, clunky cell phone like the ones used by the “LowScore Band” in those commercials), which generated lots of coping behavior among those who needed to communicate about non-firm business. Trouble is, as was well documented in the original “Wall Street” movie (Oliver Stone plans to release the sequel to the 1987 classic this year), fraudsters could also still escape monitoring by using the same coping mechanisms. Remember Charlie Sheen breathing into his phone, “Blue Horseshoe loves Anacot Steel”?

This also evokes memories of a case I worked on early in my Wall Street career. A young trader had posted a comment on a Yankees bulletin board (now there’s an arcane term for you in 2010…) in response to an inappropriate posting of a credit card offer on the same board. The credit card offer was not in any way illegal, but it so angered the young trader that he posted an expletive-laced rant about how “this board is for Yankees fans,” etc. etc. from his firm email account. We got five or six sternly worded complaints from people, some of whose children were users of the Yankee-fan board themselves, who were worried that our firm would tolerate such language. OK, personal speech by a trader on his lunch break. But: using a firm-provided and firm-identified email origin. This damaged the firm’s reputation. The young trader even said to us, “I knew I should have waited until I was home,” to make the angry post. He was not surprised to be fired. Fast forward to today, though. The distinction between personal and firm-identified email is way fuzzier. Could someone have researched the IP address used for a typical HTTP session and linked the firm with the bad language in the same way? Maybe. Would the firm arrive at the same conclusion about perceived damage to reputation? Seriously open to question. This vivifies the problem regulators face today, though it has nothing to do with fraud.

“Archive everything forever” was a great example of the kind of clueless regulation securities professionals have faced for a long, long time. Remember, this statement came at a time when Bernie Madoff was probably into the second decade of his little scheme, and the SEC had already conducted its first investigation of Madoff Securities and found nothing untoward. The problem really is that in today’s climate of “get the greedy bankers,” it is likely that regulation designed to prevent fraud will get more draconian and less effective. What’s called for is for banks and securities firms to take the initiative and provide tools to their employees and agents to help keep everybody out of trouble.

The answer, I think, is found in emergent information technologies today. Information security has reached a great watershed in its evolution from preventive, inwardly focused tools to externally focused, product- and value-enhancing tools. I foresee a day when it will truly be possible to differentiate firms by the security they demonstrate, not just by dubious self-assertions. In Part 2 of this blog, we’ll develop this idea more completely.


Emagined Security Consultant: James M. Anderson, CISSP, CISM, CGEIT. Category: Network Security

A Realistic Look at Cutbacks in Information Security Practices

January 25th, 2010

I read with some dismay a recent report by Foote Partners that said that the IT and IT security job market is not likely to improve from its current dismal state until the end of this calendar year. Let’s face it—the last 18 months have been anything but ideal for information security professionals. I know many highly knowledgeable and accomplished information security professionals who have now been out of work for a prolonged period of time. Some are just about ready to give up—a real shame not only from a psychological perspective, but also because their knowledge and skills are going unused when they could instead greatly contribute to risk management efforts and business enablement within organizations.

As I have said before, a certain amount of whining concerning the status of information security within organizations exists. The reasoning goes something like this: “Information security is really critical given the level of risks that my organization faces, but executive management remains clueless and indifferent about it.” I’ve also previously said that I believe that (as the CISM exam preparation materials state) if executive management does not really understand and value the contribution of information security to a business, it is imperative that the information security manager initiate a concerted effort to educate executives concerning what information security has accomplished and promises to deliver in the future. Doing this is no easy task, as face-to-face time with executive management is generally extremely limited, but somehow “best-of-breed” CSOs manage to succeed at it.

There should be no mystery concerning cutbacks in information security staffing. Bad economic times foster cost-cutting measures, and seldom is any function or group within an organization spared from them. But then I got to thinking that groups and functions within organizations that are perceived to be extremely valuable from a business perspective generally fare better when it comes to staffing than those that are not. Staffing cutbacks within information security may thus be unusually easy for executive management to make when they do not really understand what information security brings to the table, so to speak. The fact that some of the top information security practices in the world are currently hiring information security professionals instead of laying them off is strong proof of this point.

There is an old saying, one that I do not completely agree with, that goes like this: “Every victim participates in his own victimization.” I wonder to what degree this saying applies to some information security practices today. I wonder how many CSOs have viewed cutbacks as inevitable and, accordingly, have waited with dread until the cutbacks actually occurred, in a kind of self-fulfilling prophecy. I wonder how different the staffing situation in these practices might have been had there been more of an effort to fight the downsizing trend by educating executive management about the value of information security to the organization. The task is by no means easy, true, but the effort is more than justified by the fact that the reward, if obtained, is so great.


Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

All Fingers Keep Pointing to China

January 22nd, 2010

The word that Google had experienced numerous break-ins to its systems spread quickly last week. Not only were numerous Google systems breached, but a considerable amount of intellectual property was also stolen. The attackers exploited a zero-day vulnerability in Microsoft’s Internet Explorer as well as a variety of other vulnerabilities. Google was not the only organization targeted by these attacks, however; reports indicate that approximately 30 other organizations (but most probably many more than this) also fell victim to the same type of attacks, which started a little over one month ago and ended in the first week of January this year.

The most recent round of attacks is really nothing new, and all fingers keep pointing to China as the source of the attacks. Why?

1. Compromised machines sent information gleaned from them to servers in China. The fact that this happened is, of course, no proof that the attacks originated in China, as a group of attackers from another country could have broken into and gained control of these servers. Still, the fact that Chinese servers were involved in the malicious activity is one fact that points to China.

2. Google brought in an information security consultancy to determine what had happened. A consultant from this company reported that the sophistication of the attacks is very high—that the malicious code used in the attacks is far more complex than mainstream attack tools. By all appearances, the author(s) of this code must have obtained financing to afford the time needed to develop code of this level of sophistication; it is well known that China has financed such efforts in the past.

3. The malicious code discussed in point 2 above incorporated a rarely seen algorithm for determining whether data corruption has occurred in the information it sends. This algorithm’s source code has so far been found only on Chinese systems, another fact that implicates China.

4. Google reported that numerous attacks targeted the Gmail accounts of human rights activists in China. The Chinese government has carried on a running battle with these activists for years and is highly motivated to find information about them and their activities.

5. Several Google employees with ties to China may have aided the attackers in their efforts. The employees suspected of having done this have had their network access suspended while an investigation is being conducted.

Interestingly, the US government announced that it would lodge a formal protest with China over the break-ins to US systems. Additionally, Google’s initial reaction was to announce that it was considering no longer doing business in China. I doubt whether anything either entity does with respect to China will make much of a difference, because China is the proverbial 1,000-pound gorilla. It is in many ways the enemy of the US and other free-world countries, yet these countries have a huge potential market in China and can also obtain very affordable labor there. What everything boils down to is a cost-benefit analysis in which the costs (e.g., constant break-ins into US systems, theft of trade secrets by bugging rooms, and more) are hugely outweighed by the benefits (e.g., gigantic sales opportunities and considerably cheaper labor). So, protests or not, and threats to discontinue doing business or not, China is firmly in the driver’s seat, something with which the US government and the US commercial sector have had to come to grips.

Here is a final thought—who is the biggest provider of cloud computing services? Google is the correct answer. And the latest round of break-ins was by no means the first for Google. One might thus conclude that Google is not exactly a world leader in the practice of information security. So once again we have a clear example of just how great the risks associated with cloud security are.


Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security
