Sister CISA CISSP: September, 2009 archives


Sep 25 2009   3:41PM GMT

Things You Can Do to Help An Investigation



Posted by: Arian Eigen Heald
Admins and Auditors, Digital Forensics, information security

Sooner or later, you will be called upon, as an admin or an auditor, to assist with or address a possible fraud or other event pertaining to someone’s computer, laptop, PDA or smartphone. People can be very anxious and over-react while an event is happening. Or, just as unhelpfully, they do nothing, because they’re not sure what to do.

Neither approach is truly helpful in investigating digital fraud, theft or other computer-related incident. I was asked to do an exam, a few years ago, of the hard drives of a CFO who had admitted to fraud and was fired. Her computer sat on her desk, and her secretary AND the company admin both logged into the computer over the course of weeks before we were engaged.

The problem? Every time someone logs in, files get changed. The secretary checked her email; the admin was checking something else. If the company had wanted to prosecute, the evidence on her hard drive was hopelessly muddied and would not have stood up in court.

Here’s the best idea: take the computer and LOCK IT UP. Don’t let it just sit there (otherwise the defense attorney can point out that anyone could have logged in) and don’t let people use it. Yes, we might lose some volatile data in memory, but many times the computer is already turned off.

If events happen quickly, the fraudster leaves the building without access to his/her computer for the last time and it’s still running: LOCK IT UP. If it’s in an office, secure the office and don’t let anyone into it. If it’s in an open area, that’s when you’ll need to power it down and lock it up.

Will these rules fit every situation? Probably not. But they will fit 85% of cases. If you know ahead of time that it’s going to be a forensic situation, I hope management lines up someone to come in immediately who can capture data from a live machine. But if not, and you’re first on the scene, the two rules above are the most important.
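The post’s point is that every login after the incident changes files and muddies the evidence. The script below is an added example, not part of the original post: it takes a hashed manifest of an evidence directory once the machine is secured, then compares a later snapshot against it and classifies every difference (added, removed, modified, or merely touched). The directory layout, file names and the "someone logged in" scenario in `demo()` are constructed for the example.

```python
"""Snapshot and verify the state of an evidence directory (added example).

Records SHA-256, size and mtime for every file under a directory, then compares
a later snapshot and reports what changed, so intervening use of a machine is
documented rather than discovered by the defense.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: {"sha256", "size", "mtime"}} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            manifest[rel] = {"sha256": sha256_file(full),
                             "size": st.st_size, "mtime": st.st_mtime}
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(before, after):
    """Classify the differences between two snapshots."""
    result = {"added": [], "removed": [], "modified": [], "touched": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            result["added"].append(rel)
        elif rel not in after:
            result["removed"].append(rel)
        elif before[rel]["sha256"] != after[rel]["sha256"]:
            result["modified"].append(rel)
        elif (before[rel]["mtime"] != after[rel]["mtime"]
              or before[rel]["size"] != after[rel]["size"]):
            result["touched"].append(rel)  # metadata changed, content did not
    return result


def demo():
    """Constructed scenario: secure a scratch directory, then simulate a login."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "mail"))
    inbox = os.path.join(root, "mail", "inbox.dat")
    ledger = os.path.join(root, "ledger.xls")
    with open(inbox, "w") as f:
        f.write("original mailbox contents\n")
    with open(ledger, "w") as f:
        f.write("original ledger\n")

    # Manifest is stored beside, not inside, the evidence directory.
    manifest_path = root + ".manifest.json"
    save_manifest(snapshot(root), manifest_path)

    # "The secretary checked her email; the admin was checking something else":
    # the mail client rewrote the mailbox, a log file appeared, and the ledger's
    # timestamp was refreshed without its contents changing.
    with open(inbox, "a") as f:
        f.write("new message downloaded\n")
    with open(os.path.join(root, "login.log"), "w") as f:
        f.write("interactive logon\n")
    later = os.stat(ledger).st_mtime + 3600
    os.utime(ledger, (later, later))

    return compare(load_manifest(manifest_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Run the snapshot as soon as the machine is locked up and keep the manifest with the chain-of-custody paperwork; a second run before the examiner starts shows exactly which files were altered in between, and the "touched" bucket catches the timestamp-only changes that a casual login leaves behind.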

Sep 22 2009   4:33PM GMT

Next Generation ATM Skimmers



Posted by: Arian Eigen Heald
Automatic Theft Machines, ATM Security, Data Breaches, Hardware & InfoSec, information security

I was over on identitytheft.info watching some video feeds when I came across this one. It’s worth taking a look at not because the technique for attaching Bad Things is all that different, but because of the hardware the Bad Thing is using.

Check out the hardware used: a modified cell phone (to call home with the numbers? how convenient!), a camera and an SD card. It’s the hack of the cell phone I find the most interesting. Of course, they didn’t give us any details on that, but I would be interested to know how it was modified, wouldn’t you?

Although identitytheft.info is rather self-serving in its presentation (providing a variety of services to “victims”) they often have newsfeed videos that are very well done.

For instance, there’s another video that shows a fake keypad glued over the regular keypad; it captures the PIN as you type it in, with no need for a camera.

They recommend notifying the bank if you discover a skimmer; I recommend notifying the police. They’ll take care of notifying the bank(s).


Sep 17 2009   9:07PM GMT

Pumping Gas and Losing Your Shirt



Posted by: Arian Eigen Heald
ATM Security, Automatic Theft Machines, information security, Hardware & InfoSec

I hadn’t really thought about it, but it made perfect sense the first time I read about it: thieves are capturing credit card and debit card data at the gas pump.

Given that the pump is acting as a big cash register, it makes perfect sense that skimmers could be attached the same way they are attached to an ATM.

Thieves open the pump using a skeleton key and install skimming devices on the cables leading to the card reader and PIN pad; these pull data from a card’s magnetic stripe and record the cardholder’s PIN. If the PIN pad encrypts the PIN at the pump, they can attach a miniature camera to record PINs as cardholders enter them.

And this is what is significant: you can’t see the skimmer on the pump because it is inside the pump. There’s no way to know if you’re paying for gas and a little fraud, too.

The skimmers steal credit card numbers, but thieves prefer debit cards because they mean quick cash at automated teller machines. They use the information to make fake cards and hit ATMs – some across the country from the originating theft – for $200 to $800 a pop.

The money is often gone before the debit card holder knows it, and it can take time to correct the problem. One recommendation is to use the Credit rather than Debit feature when filling your tank. Debits allow immediate access to cash and don’t require a signature, two other reasons they are more attractive to criminals.

Skimming has been ramping up starting last year due to the bad economy; thieves need to access cash rather than goods they can resell elsewhere.

Thieves can leave these skimmers attached to pumps for months before removing them—and collecting data from thousands of credit cards. Then, the thieves either sell the credit card information on the internet or they make fraudulent duplicate cards with victims’ account numbers and expiration dates.

In one case, thieves left the same skimmer attached to a single gas pump in Washington for eleven months. (Did no one see this thing???) Then they came back, retrieved the device and drained hundreds of bank accounts in a single weekend.

In May 2008, an investigation was opened into a case in San Jose, California, in which thieves stole more than $200,000 from 180 victims. Authorities estimate that between $1 million and $3.5 million has been stolen from victims of gas pump identity theft in five states over recent months.

Best advice: If you do want to use a credit or debit card at the gas station, go inside and make the purchase there. Inconvenient, but so is losing all the money in your checking account, or having to close your credit card account.


Sep 15 2009   2:06PM GMT

Who REALLY Owns Your Data



Posted by: Arian Eigen Heald
cloud computing, cloud security, information security, data security

I had an up-close-and-personal experience today of “cloud computing.” It’s worth thinking about.

I had just finished reading Bruce Schneier’s essay on cloud computing, (which is a great read, by the way) and was considering the following point he recently penned in his Cryptogram:

As we move more of our data onto cloud computing platforms such as Gmail and Facebook, and closed proprietary platforms such as the Kindle and the iPhone, deleting data is much harder.

You have to trust that these companies will delete your data when you ask them to, but they’re generally not interested in doing so. Sites like these are more likely to make your data inaccessible than they are to physically delete it. Facebook is a known culprit: actually deleting your data from its servers requires a complicated procedure that may or may not work. And even if you do manage to delete your data, copies are certain to remain in the companies’ backup systems. Gmail explicitly says this in its privacy notice.

What if those companies delete your data because they don’t like it? Or some copyright is at issue and they “can’t” let you keep it, such as Amazon’s now notorious “removal” of the Orwell books due to copyright issues (How ironic is it that Orwell’s books were deleted???)

So, I’m logging into Skydrive this morning because I’m building an online collection of tools I can access when I’m on the road or someplace where I don’t have my computer or USB drives with me.

I’d uploaded about 3 gigs of tools, which might be considered by some to be “hacking” tools, including Cain and Abel (which AV constantly tries to delete). But today, those directories and programs are nowhere to be found.

Big Brother Microsoft evidently doesn’t approve. And this is why we should all consider that if our data in the “cloud” doesn’t pass the vendor’s muster, our data will be deleted.

I’ll stick with my computer, for now.


Sep 11 2009   7:35PM GMT

Paying Attention to FTP



Posted by: Arian Eigen Heald
information security, Web Security, FTP

A newly discovered set of FTP flaws (a buffer overflow) allows an attacker to install unauthorized software on an Internet Information Services (IIS) server or even to crash the box. The bad guys can plant code on your FTP servers or launch a denial-of-service (DoS) attack against your IIS website. The remote-execution vulnerability, first described on Aug. 31, could allow an attacker to run malicious code.

According to Microsoft, the vulnerable versions of the FTP service (versions 5 and 6 are affected; version 7.5 is unaffected on Vista and Windows Server 2008) shipped on several Windows and Windows Server OSes over the years. The company says the latest version of the FTP service, 7.5, is not vulnerable.

These attacks can use an anonymous account that has both read and write permissions, but any user with read/write can perform the attack.

Microsoft has updated security advisory 975191, but there is not yet a patch available.

Some workarounds are available for the FTP flaws. But keep in mind that they don’t really resolve the risks.

Here are the primary recommendations:

* Upgrade the FTP service. If you’re running Vista or Windows Server 2008, Microsoft recommends upgrading to IIS 7.5. FTP sites will still need to be migrated from the FTP service in IIS 6 to the equivalent in IIS 7.5.

* Remove anonymous users. If you’re running versions of Windows other than Vista or Windows Server 2008, you’ll need to remove your anonymous FTP users.

* Disable the FTP service. If you don’t need the FTP service in IIS, turn it off.

With older versions of Windows Server, IIS, SMTP and FTP were installed by default. If that’s the case, uninstall them entirely. Why let an unused service take up resources AND provide a security flaw?
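Removing anonymous users is only half the job; you also want to know whether anonymous sessions have already been logging in and writing to the server. The script below is an added example, not from the original post or from Microsoft: it parses an IIS 6 FTP log (W3C extended format; the `#Fields:` header drives the column mapping rather than a hard-coded layout) and reports every anonymous session that authenticated successfully, together with the files it created. The sample log lines are constructed for the example, and the `[N]` session-number prefix on the FTP command (`[1]USER`, `[1]created`) is the IIS 6 convention this parser assumes.

```python
"""Audit an IIS 6 FTP log for anonymous sessions that log in and write files
(added example; sample log is constructed)."""
import re

# Constructed sample in the W3C extended style IIS 6's FTP service writes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-09-11 09:15:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2009-09-11 09:15:02 10.1.2.3 anonymous [1]USER anonymous 331 0
2009-09-11 09:15:02 10.1.2.3 anonymous [1]PASS guest@example.com 230 0
2009-09-11 09:15:10 10.1.2.3 anonymous [1]created update.exe 226 0
2009-09-11 09:15:12 10.1.2.3 anonymous [1]QUIT - 226 0
2009-09-11 09:20:31 10.1.2.9 anonymous [2]USER anonymous 331 0
2009-09-11 09:20:31 10.1.2.9 anonymous [2]PASS - 530 0
2009-09-11 09:31:44 10.1.2.7 jsmith [3]USER jsmith 331 0
2009-09-11 09:31:45 10.1.2.7 jsmith [3]PASS - 230 0
2009-09-11 09:31:50 10.1.2.7 jsmith [3]sent quarterly.xls 226 0
2009-09-11 09:31:55 10.1.2.7 jsmith [3]QUIT - 226 0
"""

# IIS 6 prefixes each FTP command with the session number: "[12]USER".
METHOD_RE = re.compile(r"^\[(?P<session>\d+)\](?P<verb>\w+)$")


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def audit(text, anonymous_names=("anonymous", "ftp")):
    """Return findings for anonymous sessions that authenticated (PASS -> 230),
    each with the list of files the session created."""
    sessions = {}
    for entry in parse_log(text):
        m = METHOD_RE.match(entry["cs-method"])
        if not m:
            continue
        key = (entry["c-ip"], m.group("session"))
        s = sessions.setdefault(key, {"user": entry["cs-username"],
                                      "logged_in": False, "writes": []})
        verb, status = m.group("verb"), entry["sc-status"]
        if verb == "PASS" and status == "230":
            s["logged_in"] = True
        elif verb == "created" and status.startswith("2"):
            s["writes"].append(entry["cs-uri-stem"])

    findings = []
    for (ip, sid), s in sorted(sessions.items()):
        if s["user"].lower() in anonymous_names and s["logged_in"]:
            findings.append({"ip": ip, "session": sid, "writes": list(s["writes"])})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        state = "WROTE " + ", ".join(f["writes"]) if f["writes"] else "read-only"
        print(f"anonymous login from {f['ip']} (session {f['session']}): {state}")
```

On the sample, only session 1 is reported: it logged in anonymously and created a file, which is exactly the read/write anonymous account the advisory warns about. Session 2 failed authentication (530) and session 3 was a named user, so neither is flagged. Point the script at a real log from `%SystemRoot%\System32\LogFiles\MSFTPSVC1\` (the default IIS 6 FTP log location, an assumption of this note) and any non-empty output means the anonymous account should be removed before the service is exposed further.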


Sep 9 2009   11:03AM GMT

New Aircrack Just Released



Posted by: Arian Eigen Heald
free tools, Wireless, Tools for Auditing and Security, Tools & Tricks of the Trade, information security

If you’re like me, you’re always hunting for the free tools out there you can add to your arsenal to keep (or in my case, test) the security of your network. Just out, and a great addition to my toolset, is a new update to the well-known tool aircrack-ng.

Why have such a tool, used by the bad guys? Because it’s used by the bad guys to get into your network. It’s updated to crack more protocols, including WPA/PSK. It was one of the first tools to provide a way to crack WEP.

I have about three hundred tools in my toolkit, and only three of them are commercial tools. I’ve had to build a spreadsheet to keep up. I also use Backtrack running in VMWare. You can download VMWare’s free product, the VMWare Viewer, if you have an image (like Backtrack) you just want to run.

I also noticed, while on VMWare’s site, that you can download VMWare Server for FREE. They’ll give you some serial numbers, and you can try out all sorts of tools in safety.

It’s good to know how things work.