Tom Olzak

Archive for July, 2009 (monthly archive page)

Digital Forensics: Blowing a Case in Five Minutes or Less

In Cybercrime, Forensics, Uncategorized on July 31, 2009 at 09:51

Digital forensics is an important function performed by experienced investigators.  However, most security incidents are not considered serious enough—at least not at first—to justify engaging a forensics professional for hundreds of dollars per hour.  So in-house security teams must have processes in place to ensure initial investigation activities don’t compromise evidence that might eventually end up in criminal or civil court.

Internal resources don’t have to be certified forensics investigators.  Most organizations can’t afford to keep someone with those qualifications on the payroll.  However, your security team should understand basic evidence preservation and handling techniques.  Even actions which seem reasonable and insignificant can render potential evidence useless.  Some examples of things to avoid when initiating an internal investigation include:

  • Using or analyzing a target computer before creating a forensics copy of all attached storage
  • Arbitrarily pulling cables from target computers before recording cable connections, preferably via a digital camera
  • Pulling the power plug on a running computer without recording what is on the screen, preferably via a digital camera
  • Turning on a computer which is powered off upon arrival
  • Failure to initiate a written chain of custody for all items collected as evidence
  • Failure to comply with local, state, and federal laws governing seizure of evidence
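As an added illustration (not from the post or the Secret Service guide), the Python helper below shows two of the habits the list above calls for: hashing the forensic copy before anyone works on it, and keeping a written chain-of-custody record for every item. The hash-chained log format, the item id, the custodian names and the stand-in "image" bytes are all constructed for the example.

```python
"""Evidence hashing plus a tamper-evident chain-of-custody log.

Hypothetical helper written for this page. Every custody entry carries the
digest of the previous entry, so changing or removing a past entry breaks
the chain, and the image hash recorded at acquisition lets anyone check
that a copy is still bit-for-bit what was seized.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash of the forensic image; taken before anyone works on the copy."""
    return hashlib.sha256(data).hexdigest()


def _digest(entry: dict) -> str:
    """Digest of one log entry with stable key order, so anyone can recompute it."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def _seal(entry: dict) -> dict:
    """Attach the entry's own digest; later edits to any field will no longer match."""
    entry["digest"] = _digest(entry)
    return entry


def _timestamp(when):
    """Use the supplied ISO time (useful for tests) or the current UTC time."""
    return when or datetime.now(timezone.utc).isoformat()


def start_custody_log(item_id, description, collected_by, image, when=None):
    """First entry: who seized the item, when, and the hash of its image."""
    first = {
        "item_id": item_id,
        "description": description,
        "action": "acquired and imaged",
        "by": collected_by,
        "at": _timestamp(when),
        "image_sha256": sha256_hex(image),
        "prev": None,  # no predecessor for the acquisition entry
    }
    return [_seal(first)]


def transfer_custody(log, from_person, to_person, purpose, when=None):
    """Append a hand-over entry linked to the previous entry's digest."""
    entry = {
        "item_id": log[0]["item_id"],
        "action": "transferred",
        "from": from_person,
        "to": to_person,
        "purpose": purpose,
        "at": _timestamp(when),
        "prev": log[-1]["digest"],
    }
    log.append(_seal(entry))
    return log


def verify_log(log) -> bool:
    """Recompute every digest and back-link; an edit to any past entry breaks the chain."""
    prev = None
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry.get("digest") != _digest(body) or body.get("prev") != prev:
            return False
        prev = entry["digest"]
    return True


def verify_image(log, image) -> bool:
    """Check that a copy still matches the hash recorded at acquisition."""
    return sha256_hex(image) == log[0]["image_sha256"]


if __name__ == "__main__":
    sample_image = b"constructed stand-in for a disk image"  # constructed sample, not real data
    log = start_custody_log("EV-2009-001", "laptop HDD image, bit-for-bit copy",
                            "on-site responder", sample_image)
    transfer_custody(log, "on-site responder", "evidence locker", "secure storage")
    print(json.dumps(log, indent=2))
    print("log intact:", verify_log(log), "image intact:", verify_image(log, sample_image))
```

In practice the acquisition hash would be computed over the image file produced by the imaging tool, and the JSON log printed here would be saved alongside it; the point of the back-links is that a custody record someone quietly rewrote after the fact no longer verifies.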

The United States Secret Service published a pocket guide for first responders, Best Practices for Seizing Electronic Evidence (http://tinyurl.com/ForensicsGuide).  It contains lists of guidelines for standalone PCs as well as servers and PCs connected to home or business networks.  In addition, the guide lists items you should include in your investigation reports.

The guide alone won’t make anyone on your team a forensics expert; you’ll still want to call in certified digital forensics analysts when presentation of evidence in court is a real possibility.  However, familiarity and use of the guide can help prevent spoliation during the first minutes of an incident response.

Good luck with mobile malware defense

In Encryption, Mobile Device Security, Smartphones, Windows Mobile on July 21, 2009 at 09:21

Looking for softer targets, black hats are stepping up their efforts to take over your smartphones and wireless PDAs.  It was only a matter of time before these devices, once below the radar of financially motivated cybercriminals, began to look easier to hit than increasingly hardened enterprise networks.  So what can we do about it?

In a paper published in March of 2005, I wrote about the potential for mobile device compromise.  However, the risk of anything other than Microsoft Mobile infections was very small at the time.  Even so, Microsoft Mobile devices didn’t carry much more risk than their Symbian-based cousins.  But now things have changed.  Smartphones which use Symbian OS—the vast majority—are facing a very real risk of becoming part of a “mobile botnet.”

A new worm known as Sexy View/Sexy Space, once installed on a phone, communicates back to a controlling server.  Connection to the server allows a black hat to communicate commands to one or more infected devices.  This is the basic requirement for a botnet.  Now your users’ cell phones, too, can eventually participate in the same botnets as their PCs.

Protection for cell phones has lagged far behind solutions created for laptops and desktops.  What this means is there are almost no solutions for enterprise anti-malware protection—defined as a solution which uses a central console to configure, monitor, and ensure up-to-date protection across all mobile devices.  However, there are some things you can do to protect your organization’s smartphones and the sensitive data residing on them.

  1. Choose devices which can be configured to only allow download and installation of software verified as safe.  Apple’s and RIM’s online stores for the iPhone and Blackberry devices, respectively, are good examples.  But this isn’t a knock-out punch for mobile malware, as Symbian discovered with Sexy View and Sexy Space.  The purveyors of this new malware actually got the software approved by the Symbian online store.
  2. Anti-malware for mobile devices has been available for some time.  McAfee has primarily focused on Windows Mobile devices, but is moving into the Blackberry space.  Kaspersky has a very robust solution for phones running Symbian 9.1, 9.2, and 9.3.  Most business class solutions cost around $30 per year per device and are updated by direct connection to the AV software vendor.  (Free products are available for personal use.)  Products usually include a firewall and often provide data encryption capabilities.

Security vendors are making progress, but until a true enterprise solution is available, security management of hundreds or thousands of handheld devices is very difficult.  We can always use policy (e.g., Blackberry Enterprise Server) to deny the download and installation of all third party apps.  However, this won’t be a long-term answer, as tech-savvy users at all levels—including executive management—start to push back hard when these types of policies are rolled out.


Help for the Clueless

In Data Security, Email, Mobile Device Security, Network Security, Risk Management, Uncategorized on July 15, 2009 at 08:06

For the past four years, I haven’t connected to any public hotspot unless I was using a service which encrypts my session over the local network, or unless I was doing something not even remotely important online.  I did this—and continue to do so—because it’s been common knowledge for at least that long that connecting to public wireless is like posting your personal information on a bulletin board in the parking lot; it’s available to anyone interested in looking.

So why are so many users still connecting to hotel, airport, coffee shop, rogue, and restaurant public wireless networks and sending passwords, PINs, and other sensitive information in the clear?  A few years ago we might have given them the benefit of the doubt.  But today there is enough information available from numerous sources to ensure every computer user has at least heard that public wireless is dangerous.  In my opinion, the problem is they can’t be bothered or they have no clue how to protect themselves.

Evidence of the problem showed up recently in an online article in which the author writes,

“Much of the time, people just log in to the first robust network they see,” says AirTight spokeswoman Della Lowe. “When we did our airport study, we found only 3 percent of the people were using secure networks.” (Wireless Cybercriminals Target Clueless Vacationers, Fox Charlotte, 11 Jul 2009)

As security professionals, we may need to speak a little louder about solutions for this growing—and largely ignored—problem.  Every chance we get we should discuss with our mobile business users, acquaintances, and anyone else who will listen how to protect themselves, including:

  1. Resisting the urge to connect to the first hotspot they see without giving it some thought and without protecting their user session
  2. Using HTTPS protected Web mail, such as Gmail
  3. Using online VPN services, such as WiTopia or ShareVPN, both fee-based but inexpensive

Going beyond one-off user solutions, organizations with more than a few mobile users should encourage or force their users to access the Internet via a company-hosted VPN solution, such as SSL VPN.  Under no circumstances should company laptops access the Web via public hotspots unless the sessions are encrypted, at least through the hotspot infrastructure.

Send secure email free, including attachments

In Data Security, Email on July 7, 2009 at 18:48

The other day (or once upon a time, whatever), I tried to use Gmail to send an attachment encrypted with SecureZIP.  I was quickly reminded by the Google email service that it didn’t allow encrypted attachments.  So I tried our restaurant’s Yahoo mailbox.  Same result.  I needed to send a secure attachment, and I didn’t want to sign up for a for-fee service to do so.  So I searched the Web for a free secure mail service.  I found two which show promise: Lockbin.com and SendInc.com.

Lockbin.com was simple to use.  After accepting the user agreement and entering a CAPTCHA string, I was presented with the text entry form shown below.  Since the connection established with the site was encrypted (HTTPS), anything I entered and sent was safe from unauthorized sets of eyes.

(Image: Lockbin text entry form)

I entered a short test message and clicked Continue.  The next window (below) prompted for a password to lock the message until picked up by the recipient.  The password, or “Secret Word,” has to be sent to the person receiving the message via standard email, phone call, text message, etc.  I entered a password and clicked Continue.

(Image: Lockbin “Secret Word” prompt)

Finally I was prompted for my name, my email address and the recipient’s email address.  I was also shown how the alert message would look when it showed up in the destination mailbox.  The text was not editable at this point.  Clicking enter again, the message was sent. 

Since I had sent the test message to one of my addresses, an alert quickly appeared in my mailbox (shown below) letting me know I had a secure message to retrieve.  To read the message, I clicked the link as instructed.  This opened a secure session with Lockbin.com.  After entering the password I provided when I sent the message, I was shown the message text.  Simple, but not quite what I needed.

(Image: Lockbin alert message in the recipient’s mailbox)

There are two potential issues with Lockbin.  First, the sent email is deleted from the Lockbin server as soon as the recipient opens it.  If the person you correspond with doesn’t understand this, you might find yourself resending it.

Second, Lockbin doesn’t support attachments.  This is OK if what you want to share is a small list of private data.  However, I needed to send a complete document.  So on to SendInc.

Like Lockbin, SendInc is a free secure email service which requires no downloads.  But unlike the first solution, SendInc is a better fit for home office or small business use.

With SendInc, I can send up to twenty messages per day.  This would be a serious limitation for larger businesses, but it’s fine for my needs.  And although there is a send limit, I can receive an unlimited number of secure messages.  The best thing about SendInc, however, is that I can include attachments up to 10 MB.

With Lockbin, no account is necessary.  This is not true with SendInc.  This is probably due to the eventual offering of a for-fee service for users with a need for more than 20 outgoing secure messages per day.  SendInc knew immediately after I entered my email address that I didn’t have an account.  I was presented with an account activation form.  Once the form was complete, I entered an activation code sent as the final form completion step.  Now I was ready to enter the test message, as shown below.

(Image: SendInc message entry form)

After entering my test message and attaching a 5 MB Word attachment, I clicked the send button at the bottom of the form.  The email was immediately processed, and I received a notification in my Gmail account.  The following image shows the contents of the alert.

(Image: SendInc alert as received in Gmail)

Again, I simply clicked the provided link to establish a secure session with SendInc.  However, the Gmail account I sent the message to was not registered with SendInc.  So I was required to activate an associated account with a form similar to the one I completed when activating the sending account, as shown in the following image. 

(Image: SendInc recipient account activation form)

Once both accounts were activated, I was able to send and receive secure messages with them by supplying the relevant passwords.  Messages once processed are not retained by SendInc.

Both of these solutions work as advertised.  Neither is perfect, and I wouldn’t use them to share national defense secrets.  But I don’t deal with national security issues.  For quick messages without an attachment, Lockbin is certainly easier to use.  For attachments, there is always SendInc.

Review of the ioSafe Solo Backup/DR Drive

In Backup, Business Continuity, Data Security, Disaster Recovery, Physical Security, Risk Management on July 4, 2009 at 17:56

I don’t get excited about technology very much anymore.  After almost 30 years in this business, I’ve become rather jaded to most emerging technology.  So I have one thing to say about the ioSafe Solo drive—WOW!!

I received an evaluation unit from ioSafe a couple of days ago.  It came in a plain white box, but it weighed quite a bit.  Big piece of iron I have to spend an afternoon configuring, I thought.  So I waited until the weekend.  Removing the drive from the box I found the drive unit, a USB cable (which closely resembles the cable I use on my USB printer), and a power cable. The drive unit is about the size of a toaster.  But unlike my toaster, it weighs about 15 pounds. 

The manual wasn’t much.  Since I was connecting the drive to my laptop running Windows XP SP2, the installation instructions pretty much consisted of: 1) plug the drive into an outlet, 2) plug the USB cable into the drive and into the computer, and 3) turn on the drive.  This was good.  I like simple.

I followed the directions, and 20 seconds after I turned on the drive I had a new 500 GB drive connected and ready for action.  According to the manual, Apple computer users will have to do some formatting work before they can use the unit.

Now you might be asking, “so what?”  Well, there is more to this drive than meets the eye.  Within 5 minutes of unpacking the gear, I had a backup drive which provides the following:

  • Fire protection for temperatures reaching 1550 degrees Fahrenheit for 30 minutes (tested per the ASTM E119 protocol)
  • Water protection, tested for immersion up to 10 feet for 72 hours
  • FloSafe air cooled, providing forced air cooling through plastic vents which melt shut to protect the unit when ambient temperature reaches 200 degrees Fahrenheit
  • Metal case which can be easily bolted to the floor or secured with a cable lock
  • A three year warranty and ioSafe’s data recovery services for one year

Additional features include 7200 rpm drives and USB 1.0 and 2.0 support, with data transfer rates up to 480 Mb/s.

I was pretty interested in this drive by this time.  It’s a perfect backup solution for my home office and the restaurant we own.  So I looked up the price.  I was not disappointed.  The ioSafe Solo can be ordered with one of three data capacities, as listed below:

  • 500 GB at $149
  • 1 TB at $229
  • 1.5 TB at $299

You can upgrade the data recovery service from one year to up to five years, adding up to $100 to each of the prices listed.  These are retail prices.  A quick look at Amazon.com shows discounted pricing.  If you are an Amazon Prime customer with free shipping, you can also save the $25 or so it takes to get it to your door.

So my Solo unit sits next to my laptop, quietly protecting my data.  Quiet is relative, but it emits a very, very low hum which is almost undetectable in a quiet room and absolutely absent when listening to Slacker.com.  It looks pretty good, too, with blue lights on the front indicating a power on state. 

This is an excellent drive at an affordable price.  If you currently pay monthly fees to support over-the-Web backups, if you still use backup tapes, or if you have simply decided it’s too much trouble to look for and implement the right backup solution, you should definitely take a look at the ioSafe Solo.  I highly recommend it.