SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads Aug 5, 2010: DefCon 18 and more

The DefCon conference ended on Sunday, and this year's edition of the "World's Largest Hacker Conference" (as many call it) didn't disappoint. We have news and coverage from a forensic and incident response viewpoint, including news about the Wikileaks incident you might not have seen elsewhere. BlackBerry is getting hammered on security, or at least that's what many headlines read; we have a different take. Web tracking and privacy is getting a higher profile; what are the forensic implications? Many home and business networks are "protected" by popular router/firewalls for sale at big box electronics stores, and new research reveals breach mechanisms that have forensic and incident response implications. The truth is slowly being revealed, along with people's private parts, about images from the whole body scanners. And, in the Levity section: the DefCon18 social engineering contest was a hit.

Good Reads / Good Audio:

  • "I know what happened with the Wikileaks from Brad Manning because I was there. I'm the one who called the U.S. Government." A press briefing at DefCon, called to announce a non-governmental effort to fight cybercrime and terrorism, took a surprising turn when the group's director revealed that he was the person who arranged for former hacker Adrian Lamo to turn over leaked classified military documents to the U.S. government. Chet Uber, director of Project Vigilant, traveled to DefCon18 in Las Vegas to recruit volunteers for the project from the ranks of DefCon attendees, a rich source of talent for his technically intricate mission: attributing crimes to their funders and perpetrators by monitoring internet traffic for "footprints in the digital sand." In the course of answering questions from reporters about Vigilant, Uber stopped talking, and then began to discuss his personal involvement with Lamo, whom he described as a friend of his, and who works for Uber as a Vigilant volunteer. Uber said he wanted to "right a wrong," referring to criticism of Lamo in the hacker community since his meeting with federal authorities. In the file below, you can hear Uber's description of how he persuaded Lamo to meet with the feds, turn over the documents, and reveal everything he knows. The audio file is six minutes long, and includes Uber's account of his interactions with Lamo by phone during the meeting, when Lamo called him for encouragement. You may download the interview here. Wired.com is reporting that former hacker Adrian Lamo has now denied that he had classified documents received from accused leaker Bradley Manning. IDG News Service reporter Robert McMillan reported on Sunday that he had confirmed Uber's story with Lamo via email. Lamo is denying only that he possessed documents, not the other elements of Uber's story. Read more about Project Vigilant in this story: Non-governmental crime-fighting effort seeks to ramp up with hacker volunteers
  • Editor's Note: Readers who missed it may want to check out Richard Bejtlich's post, Project Vigilant is a Publicity Stunt
  • How to Hack Millions of Low-Cost Router/Firewalls - Picture this: It's chaos in the halls of DefCon18 in Las Vegas. Thousands of people, most of them security geeks, are packed into the hallway leading to a talk by Craig Heffner entitled "How to Hack Millions of Routers." The vulnerability Heffner uncovered is hugely significant. He demonstrated that most consumer/small business-grade router/firewalls are not secure from easy external attack using a DNS rebinding attack: a web page the victim visits from inside the LAN is allowed by the browser to reach the router's administrative interface, and from there the attacker can reconfigure the device. Millions of these routers are sold and promoted as "firewall protection for your data." Many small businesses use these devices as the only barrier between confidential data and the public internet. Medium and large companies use these devices in satellite offices and for home workers. This attack opens the door wider to a form of covert entry into many networks. These attacks add complexity to incident response, because responders do not commonly assume that an attacker breached the network THROUGH the firewall, and the evidence of such a breach lives in the router's configuration (DNS settings, port forwards, remote administration) rather than on any endpoint. Read Heffner's report, Remote Attacks Against SOHO Routers.
  • Issue Four of Digital Forensics Magazine is out and it contains an article by our very own Rob Lee titled "Becoming a Digital Forensics Professional." In the article Lee offers advice for folks interested in getting into the field, as well as what he thinks are the essential qualities of a good digital forensics practitioner. Also, on page 29 of the issue, there's a contest involving a little piece of evidence from a disk image. If you can answer the question correctly and your name is drawn, you'll win a free ticket to SANS' WhatWorks in Digital Forensics and Incident Response Summit, either in the EU or in the US depending on your location.*
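To make the router item concrete, here is an added example (my own code, not from Heffner's talk, his report, or this post) of why a resolver-side rebinding filter alone does not close the hole, and of the Host header check the router's admin interface should be doing. A DNS rebinding attacker answers for its own hostname with two A records: its web server and the victim's address. The textbook version points the second record at the LAN gateway (192.168.1.1), which a guard modelled on dnsmasq's --stop-dns-rebind refuses to return; the variant presented at DefCon points it at the victim's own public address instead, which such a guard passes, because many routers also answer on their WAN address from inside the LAN. In both cases the browser's request still carries the attacker's hostname in the Host header, so that is what the device should reject. All names and addresses below are constructed (RFC 5737 documentation ranges stand in for public addresses), and the functions and scenarios are assumptions for illustration.

```python
"""Added example: resolver-side rebinding guard versus Host header check.
Not from the talk or the SANS post; addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Address space a resolver-side guard (modelled on dnsmasq --stop-dns-rebind)
# refuses to hand back for a name resolved from the Internet. Listed explicitly
# rather than via ipaddress.is_private, which would also flag the RFC 5737
# documentation ranges used as stand-in public addresses below.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass(frozen=True)
class ARecord:
    name: str
    ttl: int
    address: str


def is_local(address):
    """True if the address is in loopback, link-local or RFC1918/ULA space."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in _LOCAL_NETS)   # v4/v6 mismatch is False


def rebinding_filter(answers):
    """Drop answers that map a public name to local address space.
    Returns (kept, dropped)."""
    kept = [a for a in answers if not is_local(a.address)]
    dropped = [a for a in answers if is_local(a.address)]
    return kept, dropped


def host_header_ok(host_header, device_names, device_addrs):
    """Check an embedded admin UI should perform before serving a request:
    the Host header must name this device. A rebound request still carries
    the attacker's hostname, whichever of the device's IPs the socket hit."""
    h = host_header.strip()
    if h.startswith("["):                       # IPv6 literal: [addr]:port
        end = h.find("]")
        if end < 0:
            return False
        host = h[1:end]
    else:
        host = h.split(":", 1)[0]               # strip :port
    host = host.lower().rstrip(".")
    if host in {n.lower().rstrip(".") for n in device_names}:
        return True
    try:
        return ipaddress.ip_address(host) in {ipaddress.ip_address(a) for a in device_addrs}
    except ValueError:                          # not an IP literal, not a known name
        return False


# Constructed scenario (hypothetical addresses). ATTACKER is the attacker's web
# server, LAN_GW the router's LAN-side address, WAN the victim's public address.
ATTACKER, LAN_GW, WAN = "203.0.113.10", "192.168.1.1", "198.51.100.77"
ROUTER_NAMES = ("router.lan",)
ROUTER_ADDRS = (LAN_GW, WAN)

# Textbook rebinding: the second record points straight at the LAN gateway.
CLASSIC = [ARecord("evil.example", 0, ATTACKER), ARecord("evil.example", 0, LAN_GW)]
# Variant from the talk: the second record is the victim's own public address,
# which the router also answers on from inside the LAN.
PUBLIC_IP_VARIANT = [ARecord("evil.example", 0, ATTACKER), ARecord("evil.example", 0, WAN)]


def walk_through():
    """Run both scenarios through the resolver guard and the Host check."""
    results = {}
    for label, answers in (("classic", CLASSIC), ("public_ip", PUBLIC_IP_VARIANT)):
        kept, dropped = rebinding_filter(answers)
        # Whichever address the browser falls back to, the page's origin is
        # still evil.example, so that is what arrives in the Host header.
        served = host_header_ok("evil.example", ROUTER_NAMES, ROUTER_ADDRS)
        results[label] = {"resolver_blocked": bool(dropped),
                          "addresses_reachable": [a.address for a in kept],
                          "admin_ui_served": served}
    return results


if __name__ == "__main__":
    for label, r in walk_through().items():
        print(label, r)
```

Running walk_through() shows the resolver guard stopping only the classic case; the public-IP variant reaches the router, and it is host_header_ok() that refuses to serve the admin page. For a responder, the useful corollary is that neither the DNS filter nor the browser leaves a trace on the victim endpoint; the artifacts to collect are the router's configuration and any logs it keeps of administrative logins. Two caveats: an address filter like this also breaks legitimate split-horizon names that resolve to RFC1918 space, and a device that did not answer administrative requests on its WAN address at all would not have been exposed to the public-IP variant in the first place.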

News:

  • Banks have long since stopped moving paper checks from one location to another, preferring the economy of scanning. What if someone broke into the digital repository where they store all those pictures of checks? Someone did.
  • About a week ago, the mainstream press started running stories about "security problems" with the BlackBerry service and Middle Eastern nations, particularly the UAE. Well, there are no "problems" with the security of BlackBerry and the BlackBerry Enterprise Server (BES). BlackBerry and the BES do such a good job of encryption and privacy that THAT is the problem. The mainstream press is finally catching on. See: For Data, Tug Grows Over Privacy vs. Security. It appears that the UAE wants a real-time tap, or "bump in the wire," to peer into email traffic as it flows. The unspoken understanding is that Western governments can gain access to some data from RIM, although that access might not be to real-time data. Another question arises from this public dust-up: What access to data will RIM provide to parties in civil legal matters? That's a topic few seem to be asking about.
  • The Wall Street Journal (WSJ) has published a number of stories in the last week about online tracking and privacy. As any forensic professional knows, internet usage and mobile phone locations and habits are recorded and easily tracked. What members of the general public are just starting to find out is that their internet and smartphone usage is the product and the advertiser is the customer. The price of "free" services like Facebook, Gmail, Blippy, and iPhone/Android apps is a loss of privacy, security, or, in some cases, both. The WSJ published another story about tracking with an interesting figure: The Information That Is Needed to Identify You: 33 Bits. At DefCon18 in Las Vegas, Mike Bailey and Rafal "Raf" Los gave a talk about the security failures on many of these popular sites. Following the formal talk, the two presenters conducted an informal Q&A session. The session began with a question about Blippy ("See What Everyone Is Buying" is their tag line), but quickly drilled deeper into the mindset of non-business decision makers regarding security and privacy today. This is a big, important topic with both business and forensic implications. For example, how private is the tracking data on such a site in terms of criminal and civil matters? What obligations do businesses have to protect the information of users who might not understand the repercussions of using one of these sites? The discussion with Mike Bailey and Rafal "Raf" Los is about 30 minutes long, and they get more candid as the discussion proceeds. This segment also gives a feel for what it's really like to be at DefCon, one of the most candid security events of the year. For a stream or a download of the audio, go to: Candid Comments From Security Experts on Why Web Apps Aren't Safe.
  • From the "I Knew It" Department: As a forensic professional, I thought it was just silly for the TSA ("The Feds") to keep claiming that the airport "naked" whole body scanners didn't retain evidence. The successful prosecution of a case might require forensic digital evidence, and what could be more convincing than photos of a person trying to sneak contraband past a security checkpoint? Back in January 2010, I interviewed Brook Miller, VP with Smiths Detection, the makers of "the puffer" machine, and one of the whole body scanner manufacturers. He admitted that in the TSA specs for the whole body scanners there is a provision to save the images, contrary to TSA claims at the time of the interview. The TSA changed their story, claiming images are only stored during training. Miller could not explain how one would audit the proper use of the images stored at any time without some recording and audit mechanism. According to a story by Declan McCullagh of Cnet, "Now it turns out that some police agencies are storing the controversial images after all. The U.S. Marshals Service admitted this week that it had surreptitiously saved tens of thousands of images recorded with a millimeter wave system at the security checkpoint of a single Florida courthouse." Read Declan McCullagh's story: Feds admit storing checkpoint body scan images. See the Levity section below for a satirical look at whole body scanners.

Levity:

  • Social Engineering Contest a Hit at DefCon: Mitnick drops by. Most target companies fail. "Apple is fairly well known for its superior security," the man in the see-through sound booth deadpanned. He was in a phone conversation with an Apple employee, who was unaware that perhaps 150 technically sophisticated voyeurs were observing the call. Audience members squirmed silently in their seats. A few covered their mouths to suppress laughter. The guys running the show pressed fingers to lips, a warning to maintain quiet in the room. The caller's self-imposed mission was to learn as much as possible about Apple's IT infrastructure, and when you consider the nature of the event — a social engineering contest at an annual gathering of hackers — no further explanation is necessary. The organizer, a group called Social-Engineer, was approached by DefCon to develop the contest, which received scrutiny from the FBI when it called for contestants earlier this year. A handful of contestants dropped out at the last minute after having been threatened by employers, said Chris Hadnagy, one of the organizers of the contest. "We had one guy that told us he was actually given a pink slip, and told that it would be signed when he came back if he competed." You can hear Hadnagy explaining the contest and the law enforcement inquiry, read the complete story with audio (3 minutes long), and see photos of the event at The CyberJungle. Or, you may download just the interview here.
  • For a satirical take on the whole body scanner story, check out this Onion-style piece: Nation's Perverts Endorse Full-Body Airport Scanners.

Coming Events:

Digital Forensics Case Leads for 20100805 was compiled by Ira Victor, G17799, GCFA, GPCI, GSEC, ISACA, CGEIT. Ira Victor is an analyst with Data Clone Labs. He is also Co-Host of The CyberJungle, the nation's first live radio news talk show on security, privacy and the law, Saturdays 10am-12 noon PT / 1pm-3pm ET. Ira is President of Sierra-Nevada InfraGard, and a member of the High Tech Crime International Association.

* Editor's Note: Digital Forensics Magazine has provided Case Leads contributors complimentary access to the magazine for the purpose of this and future content reviews.