Looking Forward to 2009

Thanks to all for a successful 2008! I'm glad I've gotten to know everyone involved in the chapter as I've met some great resources.

I'm excited about what's in store for 2009. There has already been some good discussion with the new chapter board and there are some great things in the works for next year.

The Exam Before Christmas

Twas the night before Christmas, when all through the lab
Not an examiner was working, except this tired crab.
All the evidence was filed and the forms were all signed,
In hopes that my work would soon be off my mind.

The drives were all wiped and in their special order,

With care taken not to be located next to the audio recorder.

I had documented I wrote to each sector a zero,
Knowing if it came up in court I would be a big hero.

When out of nowhere the doorbell did ring,

And I ran to the door opening it with a mighty swing.
It was my boss delivering me a brand new case,
And wanted it handled with utmost haste!

I hooked up the evidence to my write blocker,

I was moving so quick, just like a punk rocker.
Every action I took that was worthy of note,
Into my notebook the details I wrote.

When the image was complete,
The next step I could not cheat.
I verified my MD5 hash,
And was ready to go in a flash.

Into FTK the image did import,
I was handling the case like it was going to court.
Once all the pre-processing was done,
I was all set to start having my fun!

Into a server a hacker did intrude,
And the company thought they were quite screwed.
If customer records were read,
Then surely someone would lose their head!

If data was lost, victims must get word,

And hope that the company name was not to be slurred.

They needed me to look for artifacts left by the crook,
And document every action he took.

The attacker came in through an SSL hole,

And theft of user passwords appeared to be his goal.
But first I knew his privileges he would need to raise,
And I found his exploit, proving diligence pays.

After a bit more inspection I found a root kit,
And to Norman Sandbox I made sure to submit.
An answer came back, it was unknown malware,
And this is the point where I started to swear.

So I loaded up a brand new VM,
This trick always worked as a great little gem.

I ran the software to get a good trace,
And making such progress at a wonderful pace.

When I found the encrypted channel to a botnet,
That is when I really started to sweat.
This was a rare find, and quite good news.
I was going to give the hacker a case of the blues.

My report was wrote up with all of my work,
As I finished up I could not suppress a smirk.
The hacker's life would soon be a mess,
As I had identified his home IP address.

I sent the report out, through encrypted e-mail,
Knowing the hacker would soon be in jail.
Content to know I caused him such plight,

I sure hope he enjoys his last free Christmas night.

--- Written and submitted by Jim O'Gorman for the Best of the Blog Contest.

About Botnets, Video Games, and Bad Predictions

A year ago, I did a write up about the potential for botnets migrating to non traditional computing platforms. My conclusion was that seventh generation video game systems have the most potential from as a botnet platform based on a model that I defined in the write up.

Here we are a year later, and as it turns out, nope, no botnet on any video game system. So on that point, I have to hang my head and admit I am no better then any random caller to Art Bell. On the other hand, I do stand by my conclusion that video game platforms would make a good platform for for the creation of a botnet. However, the model I created needs work. There was a variable I did not account for.

Read more from BinInt.com.

Husband's Hidden Camera Taping Illegal

A woman, secretly videotaped in her own bedroom by her husband, will keep a $22,500 court judgment. That ruling Friday from the Iowa Supreme Court as it upheld a lower court decision.

In the Dubuque County, Iowa case, Cathy Tigges claimed her husband hid cameras in their bedroom and videotaped her activities. During divorce proceedings she argued the videotaping by Jeffrey Tigges was an invasion of privacy.

The Iowa Court of Appeals rejected Jeffrey Tigges' argument, her husband, that his wife had no reasonable expectation of privacy in their home. In its ruling, the Iowa Supreme Court said Cathy Tigges had a "reasonable expectation of privacy" in her bedroom and that her husband's covert videotaping violated her privacy.

Via WOWT.com.

Music Industry to Abandon Mass Suits

The decision represents an abrupt shift of strategy for the industry, which has opened legal proceedings against about 35,000 people since 2003. Critics say the legal offensive ultimately did little to stem the tide of illegally downloaded music. And it created a public-relations disaster for the industry, whose lawsuits targeted, among others, several single mothers, a dead person and a 13-year-old girl.

Instead, the Recording Industry Association of America said it plans to try an approach that relies on the cooperation of Internet-service providers. The trade group said it has hashed out preliminary agreements with major ISPs under which it will send an email to the provider when it finds a provider's customers making music available online for others to take.

Depending on the agreement, the ISP will either forward the note to customers, or alert customers that they appear to be uploading music illegally, and ask them to stop. If the customers continue the file-sharing, they will get one or two more emails, perhaps accompanied by slower service from the provider. Finally, the ISP may cut off their access altogether.

Read more from the Wall Street Journal.

Hundreds of Stolen Data Dumps Found

A comprehensive new study that peers into huge troves of financial data stolen by cyber thieves confirms what experts have surmised from looking at much smaller, isolated caches of digital loot: That criminals can make hundreds, even thousands, of dollars a day selling data stolen with the help of widely available software toolkits.

Recent reports by security firms Finjan, RSA, SecureWorks and Symantec have shown that stolen identities, bank accounts and credit card numbers are sold in bulk every day in shadowy online forums, often for pennies on the dollar. In its analysis, Symantec found in 2007 that the going rate for the keys to assuming someone else's identity was between $14 and $18 per victim.

Those reports either presented conclusions based on examining a single cache of stolen data, or by observations based on watching transactions between cyber thieves. But a report released today by researchers at the University of Mannheim, Germany, offers a disturbing glimpse at the sheer abundance of this stolen data.

Read more from WashingtonPost.com.

U.S. not ready for cyber attack

The United States is unprepared for a major hostile attack against vital computer networks, government and industry officials said on Thursday after participating in a two-day "cyberwar" simulation.

The game involved 230 representatives of government defense and security agencies, private companies and civil groups. It revealed flaws in leadership, planning, communications and other issues, participants said.

The exercise comes almost a year after President George W. Bush launched a cybersecurity initiative which officials said has helped shore up U.S. computer defenses but still falls short.

Read more from Reuters.com.

Malware madness and spammers in the slammer: The year in cybercrime

One of the most disturbing cybercrime trends in 2008, many security analysts say, has been the emergence of a full-blown underground economy where credit card information, identity theft information, and spam and phishing software are all available for relatively low prices.

Security software company Symantec became the latest company to raise red flags about what it called the "underground server" economy last month, when it issued a report estimating that roughly $276 million worth of goods and information is available on online black markets. Credit card data accounted for 59% of the information available for sale on underground servers, Symantec reported, with identity theft information (16%), server accounts (10%), financial accounts (8%) and spam and phishing programs (6%) trailing far behind.

Read more from Network World.

CYB3RCRIM3

I recently ran across this blog (via Grand Stream Dreams) and thought it was worth noting. CYB3RCRIM3 is written by a law professor and has some helpful insights into the legal aspects of technology. Recent posts include:

• Fantasy Crime
• MapQuest as Hearsay
• The Nigerian Defense?
• Cartoon Child Pornography?
• Trojan Horse Warrant?
• Scope of Consent
• "Name"
• Antiforensics
• Attempt?
• Laptops and Borders . . . Again

http://cyb3rcrim3.blogspot.com/

Give Your Forensic Images the Boot, Part I

Here's a post I completed for the Sans Forensics Blog. Part II should be coming soon.

http://sansforensics.wordpress.com/2008/12/12/give-your-forensic-images-the-boot-part-i/

Top 9 IT security threats for 2009

Threat #5 Careless Employees (Rising Threat): Mistakes made by careless or untrained employees can lead to a significant security compromise. A poor economic climate puts strains on employees causing them to cut corners or important duties. It can also lead to less formal employee training.

Threat #6 Reduced Budgets (Rising Threat): A weak economy leads companies to tighten their budgets, which results in less headcount and less money for upgrades and new systems.

Threat #7 Remote Workers & Road Warriors (Steady Threat): Telecommuting and mobile workers are on the upswing.

Read more from Help Net Security.

Cyber Attack Linked to Company of Former Russian Spies

The recent cyber attack on the U.S. military's classified computer network has been traced to a front company run by several former Russian KGB or Federal Security Service spies, FOX News has learned.

The attack led the Pentagon to ban the use of external hardware devices, such as flash drives, because that's how the "worm" got into the classified military network.

FOX News has learned the intrusion was discovered by the U.S. military in Afghanistan -- and that the attack came through the local Internet service provider that the Afghans (under U.S. supervision) contracted out to a front company run by former Russian spies.

The U.S. military relies on this Internet service provider. Homeland Security Secretary Michael Chertoff on Wednesday warned the Russians had already used cyber warfare in Georgia.

Read more from FoxNews.com.

Hacker Accesses Local Dental Records

A computer hacker in Gainesville, Fla., has gained access to the personal information of more than 300,000 dental patients across the country, including thousands in Omaha and Council Bluffs.

Retired widow Jean Petersen, 84, of Council Bluffs, has never been to Florida or visited the University of Florida College of Dentistry.

But Peterson recently received a letter from the school that said a computer containing personal information of University of Florida dental patients had been illegally accessed by an intruder. Among the information on the computer was Petersen's Social Security number.

Read more from KETV.com.

UK police: 'We need crime breathalysers for PCs'

Detective superintendent Charlie McMurdie, architect of the UK's Police Central E-crime Unit (PCeU), said frontline police ideally need a digital forensic tool as easy to use as the breathalyser, to help them deal with growing numbers of computers being seized during raids on suspects' homes.

McMurdie said such a tool could run on suspects' machines, identify illegal activity - such as credit card fraud or selling stolen goods online - and retrieve relevant evidence.

She told silicon.com: "Do we need to seize five computers in a suspect's house or could we use a simple tool to preview on site and identify there's that one email we are looking for and we can then use that and interview the person now, rather then waiting six to 12 months for the evidence to come back to us?

Read more from Silicon.com.

Cybercrime leaves cybercops in the virtual dust

"The problem is that there aren't enough well-trained investigators, prosecutors and judges to use it effectively," he said.

In the courts, where penalties are traditionally imposed based on damages, the extent of damage caused by cybercrime is hard to assess, and it's tough to get victims involved. Individuals often don't realize what's happened, and businesses -- breach disclosure laws notwithstanding -- are generally reluctant to go to court.....

"The law is irrelevant to most cyberhackers – they can operate out of anywhere," said Mary Kirwan, a former cybercrime prosecutor in Canada. "The reality for law enforcement is that if you want them to act as speedily and effectively as the international cybercrime community, you need to give them the tools. If the hackers share all their information, and businesses and governments share none of their information, you can imagine which does better."

Read more from SearchSecurity.com

20% of teens say they've put nude pics of themselves online

A survey of 1,280 teenagers (users age 13-19) and young adults (age 20-26) conducted by the National Campaign to Prevent Teen and Unplanned Pregnancy and CosmoGirl.com has revealed that one out of five (20 percent) teens overall have posted nude photos or video of themselves on the Internet—that number goes up to a third when young adults are included. While 71 percent of teen girls and 67 percent of teen guys who have sent these photos say they've sent them to a boyfriend or girlfriend, 15 percent overall said they've sent nude photos to people they only "knew" online. For women, that percentage stays the same when they turn into young adults, although the percentage of young adult men goes up to 23 percent.

Read More from ars technica.

Congrats, Tim!

Tim Vidas won this year's DC3 Digital Forensics Challenge. Tim is a Nebraska HTCIA Chapter member and encouraged the creation of the chapter from the very beginning. Tim has done some amazing work in the field and should be acknowledged for his contributions.

Congratulations on the win, Tim!

Dues Renewal

Dues renewals for 2009 is now open. Our chapter dues are $40 per year. Take advantage of everything membership has to offer!

Also, remember that Dec. 31st is the deadline for your Best of the Blog submission. A free seat to the Reid Interview and Interrogation class is up for grabs!

Overwriting Hard Drive Data: The Great Wiping Controversy

Often we hear controversial opinions in digital forensics on the required or desired number of passes to utilize for properly overwriting, sometimes referred to as wiping or erasing, a modern hard drive. The controversy has caused much misconception, with persons commonly quoting that data can be recovered if it has only been overwritten once or twice. Moreover, referencing that it actually takes up to ten, and even as many as 35 (referred to as the Gutmann scheme because of the 1996 Secure Deletion of Data from Magnetic and Solid-State Memory published paper by Peter Gutmann) passes to securely overwrite the previous data. One of the chief controversies is that if a head positioning system is not exact enough, new data written to a drive may not be written back to the precise location of the original data. We demonstrate that the controversy surrounding this topic is unfounded.

This article is part of a larger collection available from SpringerLink.

Omaha Forensics

The following content was posted on Elwood.net.

SANS asked me to mentor another local mentor class here in Omaha. Details are up on the SANS site. Last time I thought it went really well, we seemed to have a lot of fun and went beyond the standard material for a bit of “value add” during the course. Because really, there is no point in showing up once a night for ten weeks to hear me say the same thing that is in the book and on the MP3s you get. Instead, what we did was cover what issues students had on the material that was covered for that week, hit the hard parts of the new material, and then did something relevant.

So, we are doing it again. If you live in the local area, and are into forensics at all, you could sure do a lot worse. SANS is running a promo that if you sign up before the end of the year, you get a $200 gift card to the Apple store. Plus, if you are a member of a local infosec organization they will give you 10% off the price.

Also, just a reminder that I also blog on the SANS forensic blog, so check that out if you have not yet.

Also, I will be taking place in a local forensic and incident response talk here in Omaha on the 11th. If you are interested in coming, shoot me an e-mail and lets see about getting you comped. I expect it will be a good time, and its only half a day.

Businesses urged to devise digital-forensics plans

"Unless the organisation has developed a detailed planned response to typical risk scenarios, much potential evidence will never be collected or will become worthless as a result of contamination," wrote Sommer, a visiting professor for the London School of Economics. "What is needed is a forensic readiness plan."

Businesses should first identify the threats faced by their organisation that may require digital forensic evidence. Firms should then identify to what extent they can already collect that evidence, and what remains to be done. Once organisations have familiarised themselves with potential legal issues — including admissibility, data protection and limits to surveillance — an action plan should be produced, wrote Sommer.

Read more from ZDNet.co.uk

Read the Guide to Digital Investigations and Evidence

Hackers Hijacked Large E-Bill Payment Site

It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar. Susan Wade, a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine. DNS servers serve as a kind of phone book for Internet traffic, translating human-friendly Web site names into numeric Internet addresses that are easier for computers to handle.

Read more from WashingtonPost.com

Misdemeanor conviction for Lori Drew leads to more legal debate

The mother, Lori Drew, was indicted on one count of conspiracy and three counts of accessing protected computers without authorization to obtain information to inflict emotional distress. In the end, all Drew got were three misdemeanor counts of computer fraud for having misrepresented herself on the popular social network MySpace.

Putting aside the emotional charge of the trial, legal experts agree that the verdict sets an interesting, if not completely frightening, precedent. Essentially the conviction amounts to Lori Drew being found guilty of violating the MySpace terms of service. This is the first time criminal charges have occurred for violation of the terms of service on a Web site.

Read more from The Tech Herald