Security and State requirements

Lately my team and I have been trying to solve some more difficult security problems with the detection of certain malware. It used to be that detection of malicious activity could be done effectively with minimal state.

Lately, every time we discover a new piece of malware and entertain possible detection mechanisms, we constantly end up dealing with the issue of the resource requirements to detect the malware for many of our proposed solutions.

Anyone else having similar issues? Would love to hear your opinion.

IDS vs IPS — Jan 2004

This is another “Expert Article” that I wrote for my previous consulting firm ISA. I am posting it here for reference only. It was back when Intrusion Prevention Systems (IPS) were entering the market and all the claims about how they were better than Intrusion Detection Systems (IDS). Clients were confused about the differences between the technologies themselves as well as the underlying mechanisms used to detect malware. It was an attempt to explain it so general I.T. and business folks could get a base understanding.

The original URL is here, but at some point I expect it to go away.
You can also find it at archive.org here.

RBL Lists — 2003

This is a quick article I wrote for a client in my consulting role at ISA. It was published on their website for clients to read and comment on. It was relevant at the time (Sep 2003), but today the information is quite dated and no longer relevant at all. My experience with ISPs and the ongoing spam problem, the advances made in spam delivery by the spammers, and the RBL list technology basically staying the same and not changing have caused them to be useless. I am adding it here just to record it for reference.

Mobile forensics

I attended a law enforcement presentation this evening on new forensics software for mobile phones. I’ve attended at least a dozen of these over the last 4 years and I’ve got to say I’m really disappointed. All mobile phone forensic software I have seen to date does not image the mobile or do an actual memory dump of the mobile independent of the mobile software. The software uses the API to extract a copy of the data. The data is then stored in a file or database, which then permits you to search and view the information.

Extracting data in this way, you are trusting the API to properly transmit all the information you requested. Maybe the code doesn’t transmit certain fields or data. What if this data is important to the investigation? How will the investigator know? In all the presentations I’ve seen, when asked how the software handles records that are marked for deletion but not yet erased from memory, the answer is that the API will ignore them, so they will not be transferred over for investigation.

Since the API on the target mobile is the actual interface used to extract the data from the mobile, it is not possible to ‘prove’ that what is on the phone is exactly what is on the copy. Suppose a judge asks an investigator “please prove to me that the extraction you used for analysis, exactly matches what you find on the mobile and show me that there is no way an error or bug in the software could have caused the data to be changed.” I wonder how many people would be comfortable swearing to that under oath? I would not be.

You would have to be sure the API doesn’t change, misinterpret data, or have any bugs. Most mobiles and personal data assistants (PDAs) require a password to access any of the data. By going through the API, you are required to know this password in order to gain access. This makes it much more difficult, especially if the target is not aware they are under investigation and their mobile data is being extracted without their knowledge. You can’t ask the person under investigation for the password. If the mobile is seized with a warrant, the owner may choose not to give up the password.

I’ve been waiting for mobile forensics companies to actually spend time and money to come up with ways to extract data from the different mobiles and PDAs directly and independently of the mobile API, and to analyze memory data and memory dumps from the mobiles. Instead, I keep seeing new GUI interfaces, new ways to connect to the mobile, new ways to store and transmit the data. No work seems to be done on the individual mobiles themselves and the problem of actual extraction with chain of custody preserved for evidence handling. Very disappointing.

Customer Service

This morning, I went into Starbucks to grab a Cafe Latte before going into work. This is not my normal procedure, but I had to get an oil change done on my car which was long overdue, and they were not open yet.
I ordered a Cafe Latte and a muffin. An issue came up and another employee came over to place my order. I paid. When my drink came, the lady who took my order said “Oh, I’m sorry, I only charged you for a coffee, not a Cafe Latte.” I offered to pay the difference, but she said not to worry about it and have a good day. I was shocked! It was so nice to have a customer service person actually realize that the inconvenience experienced by a customer having to pay the difference was not worth the actual difference between the two items. What I found more pleasing was that the employee was actually ‘empowered’ to make that decision. Oftentimes the employees know this, but nowadays so many of the front line employees are forbidden to make any decisions for fear of losing their job or other punishment. “Don’t think. Just follow the procedure!” It made my day. And I’ll go back to that Starbucks.

Fridges in Toronto and security threats

A charity organization in Toronto called “The Daily Bread” placed fridges around the city of Toronto as a way to raise awareness of the less fortunate. The article in “TheStar.com” talks about the fridges and indicates that “Security personnel weren’t impressed” … ummm, so what?

Who are these Security Personnel? The police, private security companies, CSIS? It doesn’t say who they are. Even if they indicated which “security personnel”, why do they care? Why is it bad? Why should people not do that? Come on people, let’s think for a moment.

If bad people were going to plant a bomb, or release toxic gas or some other awful ‘terrorist’ plot, do you think they would put fridges out in the middle of public, making it obvious ‘something is different’? Or do you think they might covertly do this, making it hidden, not obvious so that no one would notice and have maximal effect? How have the terrorist attacks in the world that have happened in the last 10 years played out? Obvious or covert? Threats like Operation Alberich recently foiled in Germany are the real threats that we need to be focused on and smart investigative work by law enforcement is what uncovers them, not running around worrying about fridges. Unfortunately, these real operations take time and for obvious reasons are kept out of the public ‘eye’ until they are close to being over.

How about doing some real investigation, finding out why the fridges were put there and what the point was? How about working with these types of organizations so that when they decide to do things to raise public awareness like this, they could actually give the “Security personnel” a heads up, knowing that they would be more likely to discuss it logically and cooperatively than just say ‘No’.

Heck, the fridge doors were even configured so they wouldn’t latch and couldn’t be closed, so no one would get caught inside them. I suspect they were even going to come back and pick them up had it not been interpreted as a ‘security threat’.

We have to stop playing security to the lowest common denominator. We need some smart people to actually come up with and implement security that makes sense — not as part of politics, or some business venture.

Why Smart Cops Do Dumb Things

Essay written by Bruce Schneier that I really like. It discusses why we focus on security procedures that are useless and put the investment in security into the wrong things (CYA). I post it here so I have a reference to it for the future.

Dynamic Botnets

A research paper / tutorial I wrote a few months back. It shows one of the many BotNets that was detected and tracked by my team. The goal of this paper was to show how a typical Dynamic BotNet communicates, the implications these BotNets can have for ISPs, why traditional detection and mitigation is not enough to stop them, and why behavioural detection, not just simple static signatures, is needed to detect and mitigate this type of malicious software.

Internet Privacy

I’m all for Privacy and personally I am concerned where technology is headed in terms of Privacy. I think the public doesn’t understand the implications and will eventually wake up and go ‘what happened’ but then it will be too late. Similar to global warming and cigarettes. However, I think this is going too far.

If you choose to put something on the web, then there is a reasonable expectation it will be searched, indexed, and archived for life. Learn it, understand it, accept it, and don’t put anything up you don’t want that done with.

Privacy and Anonymity

Privacy compared to anonymity is something that I constantly explain to clients. They often think they are the same thing and that if you have one, you have the other. This is very untrue, however.

This article by Bruce Schneier is really well written. It talks about Tor and the recent release of e-mail addresses by an individual that was watching Tor exit nodes. More to the point of this entry, however, it explains very well the difference between privacy and anonymity.
