Tuesday, October 20, 2009
Friday, July 17, 2009
Preparing for Black Hat 2009

The Black Hat USA 2009 conference begins in less than two weeks. I'm excited, but have a lot of preparation to do! I will be on a panel on Tuesday and at the executive briefings, and then I am on a panel Wednesday morning.
I'm planning on a long week, and since I'm staying the weekend, I'll have time to relax and enjoy myself. There are lots of interesting topics for Black Hat and DEFCON. If you're going to be there, drop me a line!
Labels: 2009, Black Hat, conference, Las Vegas
Thursday, June 25, 2009
Punishment Fitting The Crime
In the realm of computer security and ethics, it is important that criminals be punished as a deterrent to would-be criminals everywhere. For example, if the SPAM KING goes to jail and pays millions of dollars in fines for filling our mail with junk mail, which he personally profited greatly from - that is reasonable.
In the news, we have two stories today. First, TJX (parent company of such chains as TJ Maxx) was fined $9.75 million for a huge breach of customer data. The Ukrainian hacker who masterminded the theft of 94 million credit card accounts from TJX has been sentenced to 30 years in jail. (Believe me, he is going to a Turkish prison for this crime and I can't imagine this will be a pleasant sentence. I think it makes our high-security prisons look like country clubs.) Eleven people who were involved have been convicted to date. Here is more, from SC Magazine:
TJX, which operates more than 2,500 outlets nationwide, agreed to pay $9.75 million to settle investigations by 41 state attorneys general, who were looking into the monster breach, announced in January 2007, that exposed as many as 94 million credit and debit card numbers.
Under the agreement, TJX will pay $5.5 million in settlement fees, plus $1.75 million to cover the cost of the states' investigations. In addition, the company will provide $2.5 million to establish a new Data Security Fund that states will use for a number of data security initiatives, including researching the benefits of technology, developing best practices or model laws, and establishing consumer outreach programs.
On the other hand,
Jammie Thomas-Rasset, an unemployed, single mother from Minnesota, was fined $1.92M by a federal jury for reportedly downloading 24 songs. Is this proportionality? Is it at all befitting of the crime? These 24 songs could have been downloaded for $24.76 from iTunes - yet she is attacked by the RIAA, and fined nearly two million dollars. No, I don't think we have our priorities straight in this country. We are wasting the time of the courts and attacking our citizens, when there are real crimes to be dealt with. (I understand her first lawyer had to back out, citing $130,000 in unpaid legal bills for defending her against the RIAA in the first case, which was declared a mistrial due to incorrect instructions given to the jury by the judge.)
Here is what Ms. Thomas-Rasset got for $1.92M:
- Guns N Roses "Welcome to the Jungle"; "November Rain"
- Vanessa Williams "Save the Best for Last"
- Janet Jackson "Let’s Wait Awhile"
- Gloria Estefan "Here We Are"; "Coming Out of the Heart"; "Rhythm is Gonna Get You"
- Goo Goo Dolls "Iris"
- Journey "Faithfully"; "Don’t Stop Believing"
- Sarah McLachlan "Possession"; "Building a Mystery"
- Aerosmith "Cryin’"
- Linkin Park "One Step Closer"
- Def Leppard "Pour Some Sugar on Me"
- Reba McEntire "One Honest Heart"
- Bryan Adams "Somebody"
- No Doubt "Bathwater"; "Hella Good"; "Different People"
- Sheryl Crow "Run Baby Run"
- Richard Marx "Now and Forever"
- Destiny’s Child "Bills, Bills, Bills"
- Green Day "Basket Case"
Well, I do love Journey, so I'll buy that it's worth $160,000 for those two songs, but Reba McEntire?? Come on now!
Wednesday, June 10, 2009
Social Networking: Manageable With Good Enterprise Policy
The following article comes from Security Wire Daily:
A majority of attacks on the Internet depend upon the exploitation of human nature through the abuse of trust. It is human nature, for example, to feel comfortable with Web-based social networks that include our friends and family. We don't expect these people to be hosting anything on their pages that would "attack" us.
Likewise, most wikis are created by well-meaning people, typically subject matter experts, and we tend to trust experts. We don't expect a page full of useful information to contain anything that would be harmful. However, there is plenty of evidence that such Web pages are being used to distribute malware, almost always without the knowledge of the page owner or creator.
In November 2007, the MySpace profiles of Alicia Keys and a number of other recording artists were found to be serving up malicious code. McAfee Inc. also recently reported a malicious MySpace friend request which, when clicked, popped up an apparently legitimate "Automatic Update" window that, in fact, tries to download what McAfee described as a "malware cocktail" containing additional downloaders, several Trojans and a remote administration tool.
So, in addition to enterprise concerns over productivity losses to social networks and privacy issues arising from their use, particularly at work, there are now some direct security threats in play, including network compromise via infected pages. (To get a measure of just how much "drive-by" malware is being distributed by Web pages -- including but not limited to social networks -- take a look at "The Ghost in the Browser" published last year by researchers at Google.)
Continued here...
Wednesday, May 27, 2009
The Insider Threat
Simon Potts wasn't happy with his job. He was what they call a 'disgruntled employee'. After ten years as a loyal employee of KPJ Industries, he had rarely been recognized for doing a good job. He had been passed over for promotion, and this year he knew that his raise was smaller than other employees'. He was mad that co-workers were showing up late for work, taking on much less of a workload, and still getting a bigger raise than he was. He deserved more, but his boss had it out for him. Bob, the office manager, always seemed to resent Simon's ability, and Simon was sure he spoke ill of him to other managers. Simon realized this was a dead-end job, and his days were numbered. It was time for him to take what he deserved, and then quit. That would be satisfying, and when he sold the customer database to a competitor, it would teach them a lesson. At least, this was the rationale Simon used when he decided to steal a sensitive customer database, with credit card numbers, from KPJ Industries in November 2008.
Simon Potts was viewed by his management as a nice guy, but they didn't feel he was motivated. He took on a lot of work, but had a hard time completing projects on time. So, when the new year came along, Simon was given a score of "meets requirements" in his performance review. His manager tried to explain how Simon could do better, but he felt that no matter what he said, Simon took it too personally. There were signs that Simon was a disgruntled employee, but the company had no training for managers on how to identify and deal with disgruntled employees.
On November 11th, 2008, Simon noticed his manager had gone to lunch and left his office unlocked. Simon had been planning for some time, and finally worked up the nerve to walk into Bob's office. He closed the door behind him and quickly moved to Bob's desk. The computer was unlocked. The company security policy locked the screen after thirty minutes, so it was pretty common to find co-workers' computers unlocked over lunch. Simon inserted a USB thumb drive and installed a keystroke logger, KSL.exe. Now, everything that Bob typed would be emailed once a day to Simon. Simon was sure this would expose how his management talked about him behind his back. He would take Bob's passwords and gain access to the company CRM database, which contained sensitive customer information, such as credit card numbers, email and home addresses.
Simon returned to his desk, confident that he would quickly have what he wanted, and then he would remove the keystroke logger and quit. In the meantime, he spent his lunch using search engines to find prospective buyers for the database he hoped to acquire.
In the first day, Simon had Bob's passwords and he used this to log into Bob's email from his computer. He read through past mail, looking for some evidence that Bob really had a grudge against him. Maybe he would find evidence that he could use to sue the company, and make a few extra bucks. He didn't find anything, but got into the habit of reading Bob's email every day that week. Meanwhile, Simon found some people who were willing to pay several thousand dollars for the customer database. It was the day before Thanksgiving, and the company would be closed for four days. This was when Simon had planned to steal the database. He logged onto the CRM web interface and gave the command to save a copy of the entire database to his USB thumb drive. The job took 45 minutes, but he wasn't concerned, there was almost nobody left in the office that afternoon. He locked his desk, took the USB thumb drive and put on his jacket. With a smile on his face, he headed for the front door.
Simon thought he was free and clear as he reached for the door, but that is when the security guard stepped out and stopped him. Simon's mind raced; he was sure it was nothing. After all, he had deleted the KSL program from Bob's computer, and he doubted they had any evidence of wrongdoing. That's when the police showed up, with Bob and the HR manager. Simon realized this wasn't going to be a very good Thanksgiving holiday after all.
As it turns out, Simon's trickery had not gone unnoticed. The first sign that something was wrong came when Bob went into his email the day after Simon installed the keystroke logger. Usually, new mail was marked as unread, but for some reason it was marked as read. In fact, for three days Bob noticed the same thing. Once in a while during the day, he would see email come in as unread, and before he had a chance to get to it, it would get marked as read. Bob called the help desk and they directed him to the company security team. It was clear that someone else was reading Bob's email, and they began a computer forensics investigation.
The computer forensics investigator started with what they knew: someone was reading Bob's email. They went to the email team and found that two computers, at different IP addresses on the network, were accessing his account at the same time. It was easy to see who the culprit was; however, it would not be wise to confront Simon at this time. In order to convict Simon, or just to prove Simon was really breaking security policies so he could be fired, they would need to be careful in gathering evidence. They would need to follow the company's process for computer forensics investigations. The most important thing in an investigation is to ensure that the evidence is properly gathered and not altered. In court, they might have to prove they did not tamper with log files.
The next step was to ask the network team to capture traffic from Simon's computer. They attached a logging device to the span port on the switch that Simon's computer was directly wired to. On Bob's computer, they made a cloned copy of his hard drive, using the computer forensics 'rig' that would ensure an exact copy was made. Bob's original hard drive and one copy were kept for the investigation, and another copy was placed in Bob's computer so he could continue working. A search showed that a keystroke logger had been installed, but was later removed. Simon did uninstall the program, but he forgot to clean up the system logs that showed what he had done, and when.
At night, after Simon went home, the investigator did something similar with the hard drive in his workstation. He made a cloned copy that later showed what Simon had been doing. The forensics investigation of Simon's hard drive clearly showed that he had been web surfing (through the company web proxy) and reading email using Bob's credentials. At this time, Simon had not yet stolen the customer data, and before leaving work each day, Simon cleared his browsing cache. The forensics software was able to recover deleted files and show that Simon was not only reading Bob's email, but also shopping for a buyer for the customer database he planned to steal.
With strong evidence of wrongdoing, the computer forensics investigator worked with the database team to watch for a login from Bob's account. Simon did not have the authorization to dump the entire database, but Bob did. It was obvious that Simon wanted not only to steal the data, but to frame Bob for the theft. When Simon logged on and started the download, the HR manager called in the police. Everyone was waiting at the front door for Simon to attempt to leave with the database. When the police found the USB thumb drive, they had the evidence they needed.
Simon was taken downtown, to the police headquarters, where he was interrogated. Simon thought he could blame it all on Bob. He tried to explain that he caught Bob stealing the data, and he was going to the HR manager with proof. When the police listed all the evidence the computer forensics investigation uncovered, Simon admitted what he had done and pleaded guilty.
If this case had gone undetected until Simon left with the data, the company could probably still have proven that he was the culprit after the fact, but some of the data would have been missing and they would not have been directly logging his network traffic. Still, his sloppy actions got him noticed sooner, and the company was able to protect their data and catch Simon in the act.
In a recent Computerworld survey (2/24/09), it was shown that 60% of US workers steal company data when they leave. Technical employees are more likely to commit sabotage than less technical employees, who typically try to steal data to leak or sell to competitors, in ways very similar to what Simon did. This emphasizes the importance of having authorization rules for who can access data, having good security logging, and auditing those logs. Often, sensitive data must follow the protection guidelines of regulations such as HIPAA, GLB, PCI or Sarbanes-Oxley. This case also shows the importance of having a well-defined computer security forensics process in place.
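As an added example (not code from the original post), here is the mail team's check from the investigation above written as detection logic in Python: it scans a constructed webmail access log for a mailbox used from two different addresses within a short window, then cross-checks each address against a constructed workstation-to-owner inventory to turn "two IPs" into a named suspect. The log format, account names, addresses and the inventory are all assumptions.

```python
# Added example, not code from the original post. Log format, accounts,
# addresses and the workstation inventory below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed webmail access log: "<timestamp> <account> <client_ip> <action>".
SAMPLE_LOG = """\
2008-11-12T08:02:10 bob 10.1.4.21 login
2008-11-12T08:05:44 bob 10.1.4.21 fetch
2008-11-12T08:07:03 bob 10.1.7.88 login
2008-11-12T08:07:30 bob 10.1.7.88 fetch
2008-11-12T08:09:12 bob 10.1.4.21 fetch
2008-11-12T09:00:00 alice 10.1.5.10 login
2008-11-12T09:01:00 alice 10.1.5.10 fetch
2008-11-12T12:30:00 bob 10.1.7.88 fetch
"""

# Constructed asset inventory: which employee's workstation has which address.
WORKSTATION_OWNER = {"10.1.4.21": "bob", "10.1.7.88": "simon", "10.1.5.10": "alice"}


def parse_log(text):
    """Turn log lines into (timestamp, account, ip, action) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, ip, action = line.split()
            events.append((datetime.fromisoformat(ts), account, ip, action))
    return events


def concurrent_access(events, window=timedelta(minutes=10)):
    """Map (account, ip_a, ip_b) -> first time the account was used from both
    addresses within `window` of each other: the signal the mail team saw."""
    alerts = {}
    last_seen = defaultdict(dict)  # account -> {ip: most recent timestamp}
    for ts, account, ip, _ in sorted(events):
        for other_ip, other_ts in last_seen[account].items():
            if other_ip == ip or ts - other_ts > window:
                continue
            key = (account,) + tuple(sorted((other_ip, ip)))
            alerts.setdefault(key, ts)  # keep only the earliest sighting
        last_seen[account][ip] = ts
    return alerts


def foreign_workstation(events, owners):
    """List (account, ip, owner) where the address belongs to another
    employee's workstation; this is what names the suspect."""
    hits = {(acct, ip, owners[ip]) for _, acct, ip, _ in events
            if ip in owners and owners[ip] != acct}
    return sorted(hits)
```

Bob's own afternoon use from his workstation is not flagged, because the two addresses are more than ten minutes apart; only the overlapping morning sessions produce an alert.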
Monday, April 27, 2009
RSA Conference 2009

I was just reading this article (LINK) about the 2009 RSA Conference, held in San Francisco last week. I haven't spoken to my friends who organize the conference yet (OFFICIAL SITE), but it seems that numbers were somewhat down this week, as expected, due to the economy.
I spent the last week here, in Moline, at my desk. As it turns out, I have a huge number of projects going on that need me here, and so our new travel policy (not to travel) made sense to me. I was happy to stay here, keep working (and keep my job!). But I must say, I was a bit nostalgic, since this would have been my 10th conference. Having missed this year, I think 2010 will be even better. I can only hope that the economy improves and that this great venue for information security doesn't dry up and fade away! We probably can't ever have things the way they were five or ten years ago, but for many of us, this is the one chance we get to meet up with all of our friends, catch up and review what's new in the security industry.
Labels: 2009, Infosec, RSA, RSA Conference, security
Tuesday, March 24, 2009
Seminar on Brain Science, April 4th
There will be a seminar at Trinity Hospital at Terrace Park (4500 Utica Ridge Rd., Bettendorf, IA) on April 4th, 2009. The speakers will be Lynn Hudson and Denes V. Agoston, two research scientists. Lynn Hudson will speak on 'What Can Biomedical Research Do for You?' and Denes V. Agoston will speak on 'Regenerative Capacity of the Brain: Integrative Medicine and Traumatic Brain Injury.'
The event starts at 10AM, and it is sponsored by the Bettendorf Public Schools.
