Monday, February 20, 2012

The Art of Deception: Controlling the Human Element of Security

We must never forget that the human being, not the technology, is always the weakest link in a security system. International Intelligence Limited has just published a great article explaining how social engineering has evolved over the past few years. If you don't know what social engineering really is, I can tell you that it is the art of obtaining confidential information by manipulating legitimate users over the phone, online, and even in person. No medium is really safe from these guys, so watch out!


"Historically, the motivation has been intellectual challenge, bragging rights, access to sensitive information, simple curiosity, or our biggest fear - malicious intent. By knowing why we are at risk, we can better protect ourselves from the foolish things we do, thereby allowing social engineers to exploit us."

If you want to read further on this subject, Kevin Mitnick, a renowned and reformed hacker, has published an excellent book presenting different scenarios where social engineers have manipulated users to gain access to confidential information. The Art of Deception: Controlling the Human Element of Security has been written like a novel, so reading it is both entertaining and informative. If you are in charge of security for your company, you should definitely buy this book. After having read it, you will then be able to teach your users about how to recognize a social engineering attack. It is your job after all, so do it!


Saturday, February 18, 2012

MacOS passwords can be "recovered in minutes", says Passware

Passware caused a stir when it announced, a few days ago, that its Kit Forensic v11 product is able to recover passwords from MacOS disks encrypted with FileVault. What at first seemed to announce a serious security flaw in the password storage of Apple's OS turns out, on a more careful reading, to exploit an already known "probable vulnerability" in the FireWire interface...

Using "Kit Forensic v11", this data can be pulled from memory over FireWire and analyzed, making it possible to extract the user's passwords. The whole process would take only a few minutes and does not depend on the complexity of the password or on whether FileVault encryption is in use. According to Passware, the only way to prevent this data capture is to shut the computer down and disable Mac OS X's automatic login setting. That way the data is actually removed from memory and cannot be recovered.

I researched the subject a bit further and found a fantastic article on The Loop, written by Jim Dalrymple. In it he states that the FireWire interface is secure enough to only release access to this data after the user's password has been typed.

I recommend reading not only the article but also the comments posted on it.


Thursday, February 16, 2012

Migrating cases from Oracle to PostgreSQL @ FTK

One of the new features introduced in AccessData FTK version 3.4 was the ability to use a PostgreSQL database, which raised many questions among users of older versions. Perhaps the main question concerns the migration of cases created in Oracle to PostgreSQL.

With that in mind, AccessData has released a video showing how to "migrate" cases from an Oracle database to a PostgreSQL database.


Wednesday, February 15, 2012

AccessData releases FTK4!

Forensic Toolkit 4 is now available! 

This major release is designed to deliver enterprise-class capabilities at a stand-alone price. Now, you can leverage the full functionality of AD Enterprise against a single live remote node. This means FTK users can conduct remote investigations to eliminate travel, reduce response times, and speed acquisitions, and organizations gain the incident response capabilities that are so critical in securing networks. In addition to AD Enterprise functionality, FTK 4 users are able to integrate malware triage and visual analytics with two new FTK add-on modules, the industry-first Cerberus malware triage and analysis module and our new state-of-the-art Visualization solution.

FTK continues to be the most innovative solution on the market, as well as the best value, giving you integrated functionality that would normally cost tens of thousands of dollars. It’s time to learn the meaning of next-generation digital investigations…

What’s New in FTK 4?
Single-Node Enterprise
Install a persistent agent on a single computer to enable the remote analysis and incident response capabilities of AD Enterprise. Preview, acquire and analyze hard drive data, peripheral device data, (RAM Windows Only) and volatile data on Windows®, Apple® OS, UNIX® and Linux® machines. Uninstall the agent at any time, and push it out to a different computer.

Expanded RAM Analysis
FTK 4 now provides VAD tree analysis. To see a full list of static RAM analysis capabilities, view the FTK data sheet.

New File System/File Type Support
  • YAFFS and YAFFS2
  • Exchange 2010 EDB
  • 7zip

Enhanced Decryption Support (with proper credentials)
  • Checkpoint Pointsec disk encryption
  • Sophos Safeguard Enterprise (latest version)
  • Multi-password capability

Increased processing performance, especially on systems with more than 8 cores.

New Regular Expression Support for Index Searching
FTK users can now search for advanced combinations of characters against the index.

Added support for soft dongle licensing in virtual machines.

Add Integrated Malware Analysis with CERBERUS
Cerberus is a malware triage technology that is available as an add-on for FTK 4. The first step towards automated reverse engineering, Cerberus provides threat scores and disassembly analysis to determine both the behavior and intent of suspect binaries.

Add state-of-the-art data analytics with VISUALIZATION*
With our new visualization module you can view data in seconds in multiple display formats, including timelines, cluster graphs, pie charts and more.


Monday, February 13, 2012

A Career in Forensics: 5 Key Steps

Joseph Naghdi, an experienced computer technologist, transitioned to digital forensics in early 2000 because he was intrigued by how data is stored and discovered on computers. Today, he's a forensics analyst at Computer Forensics Lab, a U.K. consultancy specializing in computer forensic services and advanced data recovery. The high point of his work, he says, is when he solves tough cases, such as a recent phishing attack against a UK bank that almost led to the transfer of 3 million pounds.

With the rise in cyber-fraud and various breach incidents, digital forensics is becoming a growing field with plenty of opportunities. The job involves determining the cause, scope and impact of security incidents; stopping unwanted activity; limiting damage; preserving evidence and preventing other incidents. Digital forensics experts typically investigate networks, systems and data storage devices.

The average salary for digital forensic professionals is about $81,000 in the U.S., according to the salary research and data website PayScale, but specialization in mobile architecture, devices and cloud computing could lead to higher salaries.

Information security professionals interested in making a transition to a career in digital forensics, as Naghdi did, need to take five key steps, experts say.

1. Develop Windows Expertise

Because 90 percent of the systems that forensics experts investigate are Microsoft Windows-based, practitioners need to understand the core technology, says Rob Lee, director and IT forensics expert at Mandiant, a certified forensics instructor at SANS Institute.

"Kind of like in the Army, you need to know how to shoot a rifle - Windows is the rifle of computer forensics," Lee says. Information security professionals who want to specialize in forensics must understand all aspects of how Windows works, including how information is stored, he contends. He also suggests developing expertise in mobile devices and cloud computing.

2. Obtain Specialized Training

Greg Thompson, security manager at Canada's Scotia Bank, who is also an (ISC)2 advisory board member, believes the best way to learn about digital forensics is to obtain training at schools or certification bodies, including the International Association of Computer Investigative Specialists, SANS Institute and the International Information Systems Forensics Association.

Thompson recently hired two professionals from community colleges in Canada who were trained in applying forensic investigative techniques and skills. "The main skill is developing a creative mind-set to think like an attacker in responding to the situation," says Thompson, who oversees the forensics practice at Scotia Bank.

He also recommends security professionals take online courses, seek help from professionals with law enforcement backgrounds and learn on the job. In particular, he encourages developing expertise in forensic investigations of mobile devices, firewalls and malware.

3. Build a Broad Technical Background

When investigating unauthorized data access, for example, forensics experts must know how to recover lost data from systems, analyze log entries and correlate them across multiple systems to understand specific user activity. "This requires a solid understanding of networks, systems and new types of malware intrusions and analysis," says Marcus Ranum, CSO at Tenable Network Security. "Only a broad IT exposure can help professionals understand the different types of data and what is most critical to capture."

Naghdi emphasizes the need for good computer programming skills to understand how data is stored and how hard disks operate. "Strong programming skills often help the forensic expert in understanding and discovering the different ways of storing and recovering data," he says.

4. Gain Legal Knowledge

Forensics specialists need to understand breach notification regulations as well as the legal implications of not maintaining a proper chain of data custody. They also need to understand, for example, how a cloud computing provider will identify, locate, preserve and provide access to information when the need arises, as well as how to legally preserve data for litigation purposes. "More and more practitioners need to understand the legality around data retrieval, storage and protection," Lee says.

5. Understand Upstream Intelligence
Gathering upstream intelligence involves such steps as observing outgoing messaging patterns or filtering infrastructure for suspicious source rules or inappropriate user behavior. This may provide significant insights into the security posture of an organization.

Forensics goes far beyond relying on recovering pictures, data and e-mails in order to solve a case. "We now require professionals to be engaged in intelligence gathering and analysis and to work across multiple machines, different environments and devices, which could lead to investigating advanced hackers that are moving within the organization," Lee says.

Complexity of Investigations

Digital forensic investigations are becoming far more complex.

For example, Lance Watson, chief operating officer and forensic investigator for Avensic, a forensics and e-discovery consulting company, tackles such challenges as locating information in the cloud or helping clients track and analyze e-mails and text messages on mobile devices. "It's become harder to investigate user activity or discover digital evidence quickly because of remote locations and multiple storage devices used," he says.

The growth in cloud computing and mobile devices has further strengthened the market for forensic pros by increasing demand for eDiscovery services, which involve preserving, collecting, managing and producing electronic evidence relevant for a court case.

The demand for eDiscovery services is leading many companies to establish an internal eDiscovery team rather than relying on an outsourcer. And this is creating new job opportunities. For example, Thompson of Scotia Bank recently transitioned from outsourced eDiscovery to an in-house forensics and data recovery team largely to gain cost savings and get better control of investigations and data.

Naghdi of Computer Forensics Lab says information security professionals can expect demand for forensics experts to grow. "There is definitely an uptake in hires for forensic experts, and this trend will continue," he says. But to make a successful transition to a role in forensics, Naghdi says, security professionals must "have an inquisitive mindset to find new ways of exploring emerging areas and finding digital evidence."


Tuesday, February 7, 2012

"Anonymous" user data can help track users

Data gathered daily by internet logs (IP address, cookies, operating system, browser type, among others) can threaten online privacy because it can be used to identify the activity of individual machines, according to Microsoft researchers.

At the same time, analysis of such data once it has been anonymized can help detect malicious activity and improve web security as a whole, the experts added.

The researchers also found that, 62% of the time, HTTP user-agent information alone can accurately identify a host. Combine that same data with an IP address and the accuracy jumps to 80.6%. If the user-agent information is combined only with the IP prefix, the accuracy is still 79.3%, the team said.

The highest rate appeared when more than one user ID was linked to a single host, as would be the case for a family sharing a single computer, producing an accuracy of 92.8%. The analysis of this apparently benign information was based on anonymized Hotmail and Bing data from hundreds of millions of users, collected in August 2010. The researchers then tried to find out whether just a portion of the logged information could reveal a single host.

The finding was that even anonymized data can end up leaking information. For example, replacing an IP address with its prefix still exposes enough detail that, when combined with other logged factors, it can increase exposure. "Coarse-grained IP prefixes achieve tracking precision similar to IP address information when combined with user agents," the researchers noted.

From Hotmail, the experts collected information about browser and operating system types, source IP address, login time and anonymized user IDs. From Bing, they were able to gather HTTP user agents, the source IP addresses of queries, query times, identifying cookies issued by Bing and the cookies' creation dates.

The next step was to detail how much user-identifying data these ordinary logs revealed. They were not trying to discover the specific activities of individuals, but rather to understand aggregate activity patterns and explore their implications.

The researchers stated that this use of data falls within Microsoft's privacy policies, since there are terms that do not allow this information to be made available to outside researchers. Another finding was that service providers can recognize 88% of devices that receive a cookie, clear the cookie and then return to the site, if they examine other identifying factors extracted during the initial connection. Even when using a private browsing mode, which is designed to protect the user's identity, the user can still be identified, the researchers noted.

"Our analysis suggests that users who do not wish to be tracked must do much more than simply clear their cookies," since, as the study found, in some circumstances deleting cookies can actually help identify a particular host. "Atypical behaviors such as clearing cookies on every request can, contrary to what one might expect, distinguish a user from those who do not," they concluded.
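The measurement the study describes can be reproduced on your own web logs as a privacy check. The following is an added example, not code from the article or from the Microsoft study: over a constructed set of anonymized records it computes how often a chosen combination of fields (user agent, full IP, or only the /24 IP prefix) maps to exactly one host. Host IDs, user agents and addresses are all constructed.

```python
"""Added example: how identifying are combinations of web-log fields?
Not code from the article or the Microsoft study; all records are constructed."""
from collections import defaultdict
import ipaddress

# Constructed, anonymised log records: (host_id, user_agent, ip).
# host_id plays the role of the ground-truth machine behind each record.
RECORDS = [
    ("h1", "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0", "203.0.113.10"),
    ("h1", "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0", "203.0.113.10"),
    ("h2", "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0", "203.0.114.55"),
    ("h3", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) Safari/534.52", "198.51.100.7"),
    # h4 shares both user agent and IP with h1, e.g. two machines behind one NAT
    ("h4", "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0", "203.0.113.10"),
    ("h5", "Opera/9.80 (X11; Linux x86_64) Presto/2.10", "192.0.2.200"),
]


def ip_prefix(ip: str, bits: int = 24) -> str:
    """Coarsen an IPv4 address to its /bits network, the 'prefix only' form."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def make_key(record, fields):
    """Build the identifying tuple for one record from the chosen fields."""
    host, ua, ip = record
    values = {"ua": ua, "ip": ip, "prefix": ip_prefix(ip)}
    return tuple(values[f] for f in fields)


def identification_rate(records, fields):
    """Fraction of records whose key maps to exactly one host, i.e. how often
    the chosen fields pin down a single machine (the study's accuracy figure)."""
    hosts_per_key = defaultdict(set)
    for rec in records:
        hosts_per_key[make_key(rec, fields)].add(rec[0])
    unique = sum(1 for rec in records if len(hosts_per_key[make_key(rec, fields)]) == 1)
    return unique / len(records)


if __name__ == "__main__":
    for fields in (("ua",), ("ua", "ip"), ("ua", "prefix"), ("ip",)):
        print(f"{'+'.join(fields):10s} {identification_rate(RECORDS, fields):.1%}")
```

On this constructed sample the user agent alone identifies a host in a third of records, while adding either the full IP or just its /24 prefix raises that to half, illustrating the study's point that a coarse prefix loses little identifying power.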

With information from Network World. Original from IDG NOW.