Archive for the ‘law enforcement’ Category

DNS forensics and working with service providers

May 29th, 2009 Clear2Go

I had the privilege yesterday of speaking to some law enforcement personnel and forensics experts. The topic was DNS forensics, the SSL server_name option, and working with service providers. I enjoyed the opportunity. I really like talking about network forensics and being surrounded by smart people who are experts in their field. It also lets me practice my public speaking, which is always good.

The DNS section of the presentation was based on my earlier two posts on DNS analysis, which are here and here. The SSL server_name section was based on my post that is here. I have never really posted about "Working with service providers" yet, but I have been engaged with service providers all over the world consistently for almost 5 years, so I spoke about my experiences and thoughts.

The presentation slides are here.

Categories: Forensics, law enforcement, monitoring

Device security and encryption

January 31st, 2009 Clear2Go

The title of this article doesn't really do it justice. It is a good article that gives a high-level understanding of the concept of Trusted Booting of a device. It is a good read for individuals in or working with law enforcement and digital forensics. As this type of technology becomes more and more mainstream, it will become much more difficult to surreptitiously obtain access to, or data from, devices without the owner's cooperation.

Identity Theft and your SIN number

June 1st, 2008 Clear2Go

In Canada most citizens will have a Social Insurance Number, commonly referred to as a SIN number. I recall getting mine when I was a teenager and was going to start working. Nowadays, you get one almost as soon as you are born. My daughter obtained one within months of her birth. I recall that because I was surprised, and for some reason I recall it was required. Of course, that immediately triggered thoughts of why they need to do this now. Tracking? A more detailed history of people? These and other conspiracy thoughts went through my mind.

Here is an article about an individual in Ontario, Canada, who was the victim of identity theft through no fault of his own. The government, unable to properly secure sensitive information, allowed his identity to be stolen. In the article it is stated:

“I don’t want any money — not a dime,” he said. “I just want a new social insurance number so that I can disassociate myself from the fraud and start my life over again.”

Seman said he has been fighting for a new SIN number in writing, in person and on the telephone for five years, but hasn’t been able to get one.

“How hard can it be?” he said.

Unfortunately, very hard. This is a very difficult and expensive problem, and even trying to solve it will not guarantee a solution. Today, a SIN number is the one thing that connects you the most. Almost any form you send to the government will have your SIN number. This number will be linked with all medical information on procedures that you have had, doctors you have seen, and prescriptions you have been given. Financial corporations require it for financial transactions, bank accounts, mortgages, loans, and stock trading. It is the key to your credit rating. Companies you work for require it so they can submit income and other financial information to the government. This one number links you throughout the government and throughout the medical and financial worlds, in both public and private databases and paper file systems. It really is a 'key' to finding out everything about you. And that is exactly how it is used.

In order to offer the ability to change your SIN number, the government would have to have a way to change every record in every database, both public and private. It would have to be able to change this number on forms and records that have been filled out and are not electronic. If any mistake is made, then information on you is effectively lost. For example, suppose you were rushed to a hospital unconscious after a car accident. From the identification on you, a driver's license confirmed your identity, which led them to your SIN number. The SIN number permitted the hospital to pull your medical records. Now suppose you had your SIN number changed, and a medical facility where you had a major medical procedure a few years ago did not change the SIN number on its records. That information is now lost and is not available to the medical staff getting ready to treat you in the current emergency. One could argue that they can use name, birth date, and other details to find the required information. Although this is somewhat true, it is not as reliable as a SIN number. The SIN number is the best assurance that the information is linked accurately. Is this a bad thing? Maybe or maybe not.

The benefit of giving individuals the ability to have their SIN number changed is not worth the overall risk of government, law enforcement, and anyone else looking to obtain details about you being unable to gather information, or missing information. That is why the solution is to give you negligible amounts of money and offer you free credit report checking. It is easier and much less risky. Currently, the number of people who have their identity stolen versus those who don't is small.

Of course, identity theft will only increase and this problem will get worse. Eventually, they will be forced to deal with it on a global scale. I believe there are procedures to obtain a new SIN number, for the witness protection program and things of that nature, but these are very few scenarios involving few people, and they are manageable.

Today, the problem is expensive to solve, difficult to solve with no guarantee that information will not be lost, and it affects only a small number of people's lives. The government's response is unfortunate, but logical. Personally, I don't agree with it, but until it gets more visibility, either by many more people being affected or by a few very public people having their identities stolen, not much will happen beyond the preventative steps you see today.

Framing someone by planting evidence

May 13th, 2008 Clear2Go

I hope there is more evidence than what is in this story, and I hope this evidence is really compelling. If the man is actually guilty of child pornography related offenses, then I hope he is charged and convicted to the full extent of the law. I was driving into work and heard this story on the news, and it got me thinking about how easy it would be to frame someone with child porn or other incriminating evidence and then just 'tip off' the police.

Presently, I am putting the finishing touches on an advanced security course geared toward service providers. Shortly, I will be running this course for a major service provider. In the course we do actual malware deployment and analysis. The malware used is reasonably up-to-date and can be found active on the Internet today. The malware is very easy to use, much easier than it was even 2 years ago. In some cases the malware uses standard libraries designed for writing malware that are available on the Internet. One of the malware samples used for this course includes the ability to write 'plug-ins', similar to how you can write a plug-in for a web browser such as Firefox.

I am confident that law enforcement will do a detailed investigation of the suspect's computers in the story above. But I'd argue that today it is possible to get malicious code, pictures, or any type of incriminating evidence onto a PC leaving minimal to no trace behind. I'd suggest that this has gotten easier over the years and will probably get easier in the future. I and others have worked with malware that never writes to storage but stays resident in memory. Even if there is evidence left on the suspect system, does law enforcement do a detailed analysis for every complaint? I doubt they have the resources for that. For the sake of argument, let's assume that they do have the resources to do a detailed investigation of every system. Let's also assume that the investigation revealed that the evidence was planted externally, that the owner had no knowledge of its existence, and that the owner is innocent. Unfortunately, it isn't over for the owner when the investigation is concluded. There will be issues that follow them for the rest of their lives. There will be the embarrassment of being suspected of a criminal act. The record of the arrest can make it difficult to travel in the future, even if there is no conviction. And there will be the looks and suspicions of others, always wondering "Was he really innocent, or did he just get lucky and is really guilty?"

Presentation on anonymous surfing and anonymous emailing

March 30th, 2008 Clear2Go

I recently did a presentation on anonymous surfing and anonymous emailing for the High Technology Crime Investigation Association. HTCIA is a community whose goals are to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership. The membership includes law enforcement, government, and the private sector from different countries, including Canada and the United States.

One thing I found challenging when creating the presentation was the technical level to target. HTCIA membership includes individuals and groups from many different disciplines. Most members have different levels of knowledge and experience within any given discipline. With that in mind, I tried to create a presentation that would be beneficial to the majority of individuals.

A compressed PPT slideshow of the presentation is here. There is also a PDF that can be found here. I'd recommend the PPT slideshow over the PDF. Animation doesn't show well in the PDF, and as a result some of the slides are covered over with different layers of the animation.

Why Smart Cops Do Dumb Things

September 23rd, 2007 Clear2Go

An essay written by Bruce Schneier that I really like. It discusses why we focus on security procedures that are useless and put the investment in security into the wrong things (CYA). I post it here so I have a reference to it for the future.

Categories: law enforcement

Police arresting children

April 8th, 2007 Clear2Go

Sigh … this makes me sad.

Does anyone think through problems anymore, or do they just follow procedures?
Do they think arresting a six year old will actually work, and that the child will comprehend and understand the impact of what they did?

http://tinyurl.com/25btu7

Categories: law enforcement