Monday, 30 April 2012

Tools (30th April)

Weekly blog on tools that have come to my attention over the last week. It is not a comprehensive tool list, but tools that I found interesting or details of tools I use that have been upgraded. This week the entry is smaller than usual as I'm delivering a training course for the week.

N-Stalker
http://www.nstalker.com/2012/04/25/updated-vulnerabilities-check-for-10-packages-including-typo3/
N-Stalker is now delivering new updates for N-Stalker 2012 Edition, including:

  • Updated vulnerability checks for the following packages:

    • WPtouch
    • AddToAny
    • Google Sitemaps Generator
    • gtrans
    • Jetpack
    • Add Link to Facebook
    • TYPO3
    • WordPress Download Monitor
    • Sidebar Login
    • CMS Tree Page View

    VoIP Hopper 2.04 released
    http://voiphopper.sourceforge.net/
    VoIP Hopper is a GPLv3-licensed security tool, written in C, that rapidly runs a VLAN hop security test. It is a VoIP infrastructure security testing tool, but also one that can be used to test the (in)security of VLANs.

    Monday, 23 April 2012

    What do IT security pros fear?

    Reading the news articles today I found two interesting articles, both effectively about what IT pros fear in terms of a cyber attack. I have tweeted both articles (https://twitter.com/#!/GeraintW); the articles seem to give contradictory views, until you start to read through the reports.

    Computer Weekly ran with "UK firms see competitors as greater cyber attack risk than criminals" http://www.computerweekly.com/news/2240148880/UK-firms-see-competitors-as-greater-cyber-risk-than-criminals

    Help Net Security ran with "IT security pros most afraid of highly publicised attacks" http://www.net-security.org/secworld.php?id=12786

    Interestingly both are quoting Bit9's 2012 Cyber Security Survey (although links are available, I have not managed to download the full report; I keep getting 404 errors).

    According to CW, more than half of UK companies expect a cyber attack in the next six months, but see competitors as a greater risk than criminals.

    The article from Help Net Security says more than half (61 percent) of respondents believe Anonymous and other hacktivist groups are most likely to target their organization.

    CW is focused on the UK industry in its reporting, whilst Help Net Security goes for a more global focus. So despite the differing headlines the content is similar, as you would expect when the source for both reports is the same: CW is more UK focused, whilst Help Net Security is aimed at a more international audience.

    However it does pose the question: what do IT pros fear most, and would the answer be different if it were asked of senior non-IT management?

    a) A highly publicised breach by hacktivists, where there is high risk of loss of brand trust, or
    b) A more discreet attack by a competitor aimed at Intellectual Property

    What would your answer be?

    Tools (23rd April)

    My weekly blog on the tools that have come to my attention over the last week. It is not a comprehensive tool list, but tools that I found interesting or details of tools I use that have been upgraded.

    Nessus 5.0.1 Released
    http://blog.tenablesecurity.com/2012/04/nessus-501-released.html
    Tenable is pleased to announce the release of Nessus 5.0.1! This is a point release (moving from 5.0 to 5.0.1), containing enhancements and minor bug fixes. This release improves the stability on all platforms, and solves Windows-specific issues related to installation and packet forgery.

    CIntruder v0.1 Beta Released
    http://www.toolswatch.org/2012/04/cintruder-v0-1-beta-released/
    CIntruder (Captcha Intruder) is an automatic pentesting tool to bypass captchas. If this tool works it would be a useful addition to some web vulnerability testing.

    DEFT v7.1 Computer Forensics Live CD Released
    http://www.toolswatch.org/2012/04/deft-v7-1-computer-forensics-live-cd-released/
    DEFT is a new concept of computer forensic live system that uses LXDE as its desktop environment, WINE to execute Windows tools under Linux, and a mount manager as the tool for device management.

    IronWASP v0.9.0.3 released - A web application vulnerability testing tool
    http://th3mast3r.wordpress.com/2012/04/23/ironwasp-v0-9-0-3-released-a-web-application-vulnerability-testing-tool/
    IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing, developed by Lavakumar Kuppan.
    It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.

    Sunday, 22 April 2012

    Hollywood Effect on Digital Forensics

    This is the title of a popular talk I have given to various branches of the BCS, IET and InstMC over the last three years. It developed as a means of explaining digital forensics to new students studying Computer Security and Forensics at the University of Bedfordshire, at both undergraduate and postgraduate level. A number of students had unrealistic views on what digital forensics is and what it can achieve; this was meant to be a light introduction to the topic, giving them insight into what they would be studying during the course whilst correcting any misconceptions developed from watching too much entertaining TV and Hollywood drama.

    Whilst developing the talk, I found a number of articles that describe what is called the "CSI effect" and I used this as the basis for the talk. In the talk I briefly discuss the effect before moving on to examples of incorrect forensic techniques in some of the crime dramas; I thought I would produce a round-up of the evidence I found.

    One of the first instances I found was a quote from a UK forensic investigator about an episode of CSI: Crime Scene Investigation:

    TV show CSI: Crime Scene Investigation failed to follow a basic rule of looking for evidence: don't switch on the computer. In the offending episode, chemistry boffin Greg Sanders (played by Eric Szmanda) walks on to a crime scene, turns on a nearby computer and begins accessing email.

    The errors here are obvious: proper crime scene investigation procedures were not followed, and would a chemistry boffin really be a digital forensic investigator? Without a proper chain of custody showing that the evidence was not tampered with, it would not be acceptable in a court of law.

    The investigators on the hit CBS show CSI: Crime Scene Investigation make it look easy, but the science employed by real crime labs has "serious deficiencies," according to a federal report requested by Congress. A 2005 Justice Department survey reported that there are 389 publicly funded crime labs in the USA handling 2.7 million often-backlogged cases a year. Although the popular CSI series "suggest that convictions are quick and no mistakes are made," the report says, the reality is that many labs are understaffed, undertrained and under-regulated.

    In the UK Lord Justice Leveson was reported on the BBC News 6 Nov 2009  http://news.bbc.co.uk/1/hi/uk/8347410.stm as saying witnesses were reluctant to come forward because of the mistaken belief that forensic and expert evidence was paramount. The judge called it the "CSI problem", a reference to the television drama in which cutting edge forensic skills are used to solve crimes.

    There have been a number of quotes about the CSI effect in the American press:
    • The myth of quick-and-easy crime busting may be starting to get in the way of law enforcement. Forensic scientists speak of something they call the CSI effect, a growing public expectation that police labs can do everything TV labs can. This, they worry, may poison jury pools, which could lose the ability to appreciate the shades of gray that color real criminal cases. —Jeffrey Kluger, "How Science Solves Crimes," Time Magazine, October 21, 2002
    • Durst was acquitted in November. To legal analysts, his case seemed an example of how shows such as CSI are affecting action in courthouses across the USA by, among other things, raising jurors' expectations of what prosecutors should produce at trial. Prosecutors, defense lawyers and judges call it "the CSI effect," after the crime-scene shows that are among the hottest attractions on television. —Richard Willing, "'CSI effect' has juries wanting more evidence," USA Today, August 5, 2004
    • "It’s called the CSI effect, after the show," she said. "The prosecution is expected to reconstruct the case for the jury, just like they do on TV. The jury wants to be wowed with pictures, just like on “CSI”. They want my case to be worthy of an Emmy. They don’t want to be let down and if they are, they won’t convict." —John Darling, "CSI: SOU," Mail Tribune, November 23, 2005
    In the UK, Detective Superintendent Mark Lacey, head of Northamptonshire Police's standards department, was reported in the Daily Mail http://www.dailymail.co.uk/news/article-1225282/Top-policeman-blames-forensic-CSI-giving-public-unreal-expectations.html on 5th Nov 2009 as telling fellow officers that the public had increasingly unrealistic expectations. He referred to the flashy American TV series CSI: Crime Scene Investigation, where detectives use cutting-edge forensic technology at crime scenes to catch crooks in hour-long episodes.
    The NCSTL (National Clearinghouse for Science, Technology and the Law) at Stetson University College of Law, which is a program of the National Institute of Justice, Office of Justice Programs, United States Department of Justice, produced a report in October 2010, "Is Television more Believable than Science: The National Academy of Sciences (NAS) Report's Effect on the CSI Effect", in which it stated:

    Several television shows, such as CSI, glamorize forensic evidence. The CSI Effect occurs when people believe that the forensic techniques used in these shows are the same techniques that are used in real-life forensic science. They believe that DNA can be found on every piece of evidence, that fingerprints can be found in every case, and that forensic scientists can prove--with one hundred percent accuracy--that two sets of fingerprints are a match. Thus, these people believe forensic evidence is everywhere and that forensic science is never wrong. Unfortunately, forensic evidence is not ubiquitous, and forensic science is sometimes wrong.
    The false belief that forensic evidence is needed in every case, as well as the false belief that forensic science is one hundred percent accurate creates the problem that embodies the CSI Effect. These beliefs lead jurors to favor the defense unless the prosecution superfluously admits forensic evidence. Because such evidential admission is costly or otherwise unnecessary, prosecutors often try to mitigate the CSI Effect during jury selection by informing the jury about the limitations of forensic science

    Also, the Honourable Donald E. Shelton, J. wrote a report, "The 'CSI Effect': Does It Really Exist?" http://www.ojp.usdoj.gov/nij/journals/259/csi-effect.htm, in March 2008 for the National Institute of Justice in the USA, in which he concluded "CSI viewers had higher expectations for scientific evidence than non-CSI viewers".

    So does the Hollywood effect really exist?

    Newly published research suggests that nuggets of misinformation embedded in a fictional television programme can seep into our brains and lodge there as perceived facts; that is the conclusion of a study published in the journal Human Communication Research, Volume 37, Issue 4, pages 509–528, October 2011. With dramas based on real-life jobs, people who are not aware of what happens in a forensic lab could well believe that the drama is an accurate representation, especially when the production companies have, where possible, made an effort to be realistic apart from the artistic licence needed to make it entertaining and fit the programme's time slot.

    For details of my talk "Hollywood Effect on Digital Forensics" please see my web site http://bit.ly/I1nNsN; if you are interested in me giving the talk please contact me.

    Saturday, 21 April 2012

    Technorati claim process

    register the blog with Technorati  98H465JQZS5K

    Taxonomy for Privacy in the Information age

    My thoughts on privacy in the information age: to protect the privacy of an individual's data there must be confidentiality, to ensure that only those who have the right to see the information have access to it. For that there must be authentication, to prove that a user is the person with those rights, and access control, to ensure the authorised user has the correct level of access to the data, which also helps ensure the integrity of the data. In all transactions there must be non-repudiation, so that neither access nor changes can be denied. At all times there must be availability, so that the data is available to those who need it, when they need it.

    I have taken the traditional computer and information security properties and twisted them around to put privacy at the centre, surrounded by the factors that are required to protect privacy.

    Privacy in the Information Age (c) 2012 G Williams

    Privacy -- Ensuring that individuals maintain the right to control what information is collected about them, how it is used, who has used it, who maintains it, and what purpose it is used for
    Confidentiality -- Ensuring that information is not accessed by unauthorized persons
    Integrity -- Ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized users. The data also has to be accurate
    Authentication -- Ensuring that users are the persons they claim to be
    Access control -- Ensuring that users access only those resources and services that they are entitled to access and that qualified users are not denied access to services that they legitimately expect to receive
    Nonrepudiation -- Ensuring that the originators of messages cannot deny that they in fact sent the messages
    Availability -- Ensuring that a system is operational and functional at a given moment, usually provided through redundancy; loss of availability is often referred to as "denial-of-service"

    Wednesday, 18 April 2012

    The cookie directive

    Econsultancy has surveyed more than 700 marketers for their opinions on the EU cookie laws, and to find out what preparations have been made for the May 26 deadline.  http://econsultancy.com/uk/blog/9298-82-of-digital-marketers-see-the-eu-cookie-law-as-bad-for-the-web-survey

    Do you know what cookies are on your site?

    One of the questions that needs answering is: do you know about all the cookies on your site and what they are doing? Hopefully, as it is your site, you do, but what about third-party cookies set by included widgets from other suppliers?
    • Shopping cart functionality
    • Google Analytics or similar analytics, tracking or website optimisation tools
    • Any form of "remember my settings" style functionality
    • A content management system
    • Third-party plugins - such as Facebook Like buttons, Twitter feeds
    • YouTube Videos - Even with privacy-enhanced mode
    Cookie Audit

    Before you can create the right cookie compliance and privacy policy for your domain you need to understand your compliance risks. First you must audit the types of cookies your website uses and decide whether each one requires compliance measures.

    If your site uses display adverts (banners, MPU panels or text ads) it's probably using cookies that require compliance measures. If it is using analytics cookies, then they probably require compliance too. If the cookies are just session cookies to make sure the website works (like log-in cookies) they may not need compliance. It's a complicated situation and there's no quick-fix, out-of-the-box solution that's right for every business.
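    The first concrete step of that audit is to capture every Set-Cookie header returned while one of your pages loads (your own responses and those of the embedded third-party widgets) and sort the cookies into the buckets above. The script below is an added example, not code from the original post; the site name, the captured headers and the name-based heuristics (analytics prefixes such as _ga, "necessary" hints such as sess or cart, and a tiny public-suffix table) are all assumptions constructed for the example and would need refining against your own site.

```python
"""Cookie audit over captured Set-Cookie headers.

Added example (not code from the original post): classify each cookie a page
load sets as first- or third-party, session or persistent, and necessary,
tracking or still-to-be-reviewed. Sample headers below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Name heuristics for a first pass (assumption: a starting list, not an
# authoritative one; refine it once you have checked what each cookie is for).
TRACKING_NAMES = {"fr", "ide", "nid"}
TRACKING_PREFIXES = ("_ga", "_gid", "__utm", "_fbp")
NECESSARY_HINTS = ("sess", "csrf", "xsrf", "cart", "basket", "login", "auth")
# Two-label public suffixes where "last two labels" is not the site's domain.
# Assumption: a tiny subset; use the Public Suffix List in a real audit.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


@dataclass
class CookieRecord:
    name: str
    set_by: str        # host whose response carried the Set-Cookie header
    domain: str        # effective cookie domain
    party: str         # "first" or "third" relative to the audited site
    persistent: bool   # survives the browser session (Expires or Max-Age > 0)
    secure: bool
    httponly: bool
    samesite: str
    category: str      # "necessary", "tracking" or "review"


def registrable_domain(host: str) -> str:
    """example.co.uk for www.example.co.uk; example.com for static.example.com."""
    labels = host.lower().strip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def categorise(name: str) -> str:
    n = name.lower()
    if n in TRACKING_NAMES or n.startswith(TRACKING_PREFIXES):
        return "tracking"
    if any(hint in n for hint in NECESSARY_HINTS):
        return "necessary"
    return "review"  # a human still has to decide what this one is for


def parse_set_cookie(header: str, response_url: str, site_url: str) -> CookieRecord:
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    set_by = urlsplit(response_url).hostname or ""
    domain = attrs.get("domain", set_by).lstrip(".").lower()
    # Max-Age wins over Expires; Max-Age=0 (or negative) deletes the cookie.
    try:
        max_age = int(attrs["max-age"]) if "max-age" in attrs else None
    except ValueError:
        max_age = None
    persistent = max_age > 0 if max_age is not None else "expires" in attrs
    site_host = urlsplit(site_url).hostname or ""
    party = "first" if registrable_domain(domain) == registrable_domain(site_host) else "third"
    return CookieRecord(name=name, set_by=set_by, domain=domain, party=party,
                        persistent=persistent, secure="secure" in attrs,
                        httponly="httponly" in attrs,
                        samesite=attrs.get("samesite", "").lower() or "not-set",
                        category=categorise(name))


def audit(site_url, captured):
    """captured: iterable of (response_url, set_cookie_header_value)."""
    return [parse_set_cookie(header, url, site_url) for url, header in captured]


def summarise(records):
    return {
        "total": len(records),
        "third_party": sum(r.party == "third" for r in records),
        # Conservative: every tracking cookie and every third-party cookie is
        # treated as needing consent until someone has reviewed its purpose.
        "needs_consent": sum(r.category == "tracking" or r.party == "third" for r in records),
        "review": sum(r.category == "review" for r in records),
        # Security hygiene worth fixing while you are in the audit anyway.
        "session_without_httponly": [r.name for r in records
                                     if r.category == "necessary" and not r.httponly],
        "no_secure_flag": [r.name for r in records if not r.secure],
    }


SITE = "https://www.example.co.uk/"
# Constructed capture for the example: (URL of the response, Set-Cookie value).
CAPTURED = [
    ("https://www.example.co.uk/", "PHPSESSID=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://www.example.co.uk/shop", "cart=1234; Path=/; Secure"),
    ("https://www.example.co.uk/", "theme=dark; Max-Age=31536000; Path=/"),
    # Set on the first-party domain by the analytics script: first party, yet
    # still an analytics cookie that needs consent.
    ("https://www.example.co.uk/", "_ga=GA1.2.123.456; Domain=.example.co.uk; Max-Age=63072000; Path=/"),
    ("https://www.facebook.com/plugins/like.php",
     "fr=AbC; Domain=.facebook.com; Expires=Sat, 01 Jun 2013 00:00:00 GMT; Secure; HttpOnly"),
    ("https://www.youtube.com/embed/x",
     "PREF=f1=5; Domain=.youtube.com; Expires=Mon, 01 Jul 2013 00:00:00 GMT; Path=/"),
    ("https://www.example.co.uk/logout", "PHPSESSID=deleted; Max-Age=0; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for r in audit(SITE, CAPTURED):
        print(f"{r.name:10} {r.party:5} {r.category:9} persistent={r.persistent}")
    print(summarise(audit(SITE, CAPTURED)))
```

    Two things the output makes visible that a glance at the page source does not: an analytics cookie set on your own domain is still a first-party cookie (so "first party" is not the same as "no consent needed"), and a Max-Age=0 deletion header is not a persistent cookie even though it carries an attribute. Anything that lands in "review" is exactly the list you take to the widget's supplier.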

    Early adopter results

    The ICO's own research suggests that relying on users opting in could be an issue: since asking users to click a box if they agree to accept cookies from its site, the organisation says just 10% of visitors have complied.
    However, BT's experience points to a possible solution. Since March a pop-up message on its home page has told first-time visitors that unless they take up an offer to change its settings, then they have consented to its "allow all cookies" default rule.

    The ICO

    The ICO says it has not been prescriptive about the wording that firms use.
    However, organisations need to be careful about relying too heavily on opt-out schemes.
    "At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent," the regulator warns.
    It adds that those who fail to implement its rules properly could be fined up to £500,000.

    Conclusion

    A UK company must comply with the directive or face the ICO over the issue. In order to meet the directive you need to know what cookies are on your site, including third-party ones, and inform your users about cookie usage. You must have a proactive means of collecting acceptance. Get this stage wrong and your users may have a bad experience of your website, which could have a negative effect on your company or organisation.

    For more information on cookies see my article on cookies http://bit.ly/HfJ0vm, I will be at InfoSec on the 24th, 25th & 26th this month to talk about cookies on the IT Governance stand, see their web page about consultancy workshops http://bit.ly/HRVque

    Tuesday, 17 April 2012

    USB Sticks

    The BBC had a news article http://news.bbc.co.uk/1/hi/programmes/click_online/9712128.stm about the ultimate USB stick http://www.securityguardian.uk.com/ used by the secret service. If you lose it you can track its location, and if it falls into the wrong hands you can even remotely scramble its contents, provided it is not in a facility where it cannot get GPS and GPRS signals. Extremely useful in a number of circumstances; however it reminded me of something that I saw a good few years ago about a forgetful USB stick, and a Google search later...

    I found an article, "Microsoft patents self-destructing USB key for forgetful types" http://www.engadget.com/2006/11/20/microsoft-patents-self-destructing-usb-key-for-forgetful-types/, about self-destructing USB memory keys with enough battery life to power the key for one hour, after which the data disappears completely. With this one, if you lose it you don't have to worry about connecting to it to delete the data.

    Monday, 16 April 2012

    Tools (16th April)

    Although not a tool, there has been an interesting move in the EU about future legislation. The Wired article "Watch Out, White Hats! European Union Moves to Criminalize ‘Hacking Tools’" http://www.wired.com/threatlevel/2012/04/hacking-tools/ highlights some of the reaction to the proposals. The UK Computer Misuse Act 1990, as modified by the Police & Justice Act 2006 which created the section 3A offence, does have the word "intent" in it. However it is often more about how a tool is used than what the tool was designed for: the whistles given away in Cap'n Crunch cereal boxes were designed as toys, but phreakers like John Draper discovered that they produced a 2600 Hz tone when blown, which allowed control of phone systems that used single-frequency (SF) signalling. The whistles were a tool that could be used for hacking but were not designed for that purpose. The debate on tools is going to go on for a long time and the lawyers will benefit the most.

    My weekly blog on the tools that have come to my attention over the last week. It is not a comprehensive tool list, but tools that I found interesting or details of tools I use that have been upgraded.

    RitX Reverse Ip Lookup Tool v1.5 released
    http://code.google.com/p/ritx/
    RitX is a Reverse IP Lookup Tool that allows you to use an IP address or domain name to identify all the domains currently hosted on a server, using multiple services and various techniques. RitX is a Perl script which uses multiple web services that provide this feature.

    OWASP Joomscan 4.4.2012 now scans for 623 vulnerabilities
    http://web-center.si/joomscan/joomscan.rar
    OWASP Joomscan is a tool for testing vulnerabilities on websites that use Joomla. This application allows you to test the website for XSS, SQL injection, LFI, RFI, brute force, etc.

    Maltego 3.1.1 Community edition released
    http://maltego.blogspot.co.uk/2012/04/maltego-311-community-edition-released.html
    Maltego is an open source intelligence and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy to understand format.

    Saturday, 14 April 2012

    April Presentations

    A couple of CPD Opportunities this month

    I am presenting a talk on Wireless Networking on the 18th April at the Herts branch of the Institute of Measurement and Control; see their web site for details of the talk http://bit.ly/GHN0Xm.

    Synopsis

    Although the 802.11 protocol was released in 1997 by the IEEE and, by computing timelines, is a mature technology with large take-up by manufacturers and users, there are still issues in implementing a practical wireless network, especially in the non-commercial environment.
    This talk will look at the issues of implementing 802.11 networks, the tools that can be used and how these apply to the home environment. The talk will include practical demonstrations of the tools and techniques discussed in the presentation.

    Also presenting my talk on Hollywood forensics on the 24th April at the Herts Branch of the British Computer Society; see their web site for details of the talk http://bit.ly/AcZ3TC

    Synopsis

    The success of forensics-based dramas like CSI, Numb3rs, and NCIS has ensured there is no shortage of applicants to study forensics. Hollywood and its public are enamoured by the apparently supernatural potency of the discipline. The ludicrous feats of deduction often scored by the stars of these shows have convinced many that modern forensics is fast-paced, glamorous work. The "CSI effect" has given the public, and particularly some members of juries, inflated expectations of computer forensic analysis. This talk looks at Hollywood and the TV interpretation of digital forensics and gives an insight into how it is really done.

    Friday, 13 April 2012

    Akamai Update

    A further update on Akamai Netsession software.
    It launches netsession_win.exe, which listens on various UDP ports for incoming connections and also on a number of TCP ports; the executable is stored in the C:\Users\Administrator\AppData\Local\Akamai\ directory.

    UDP Ports

    60900
    63150
    55381
    54405

    It uses the following modules

    wow64cpu.dll
    ntdll.dll
    wow64.dll
    wow64win.dll

    If you stop the service in the control panel console it restarts at the next reboot of the computer; uninstalling it, however, does stop the incoming UDP packets.

    Akamai & UDP port scanning

    In the last week I have noticed an increase in UDP port scanning taking place on my network, particularly in the last three days. As you may be aware I'm quite happy to look at the log files from the ADSL router and publish the findings; I have posted a number of entries on this and now have a static page with the monthly results.

    However I was surprised to find a pattern in the scanning, with a particular company's network being responsible. In this case it is Akamai whose network appears to be doing these scans.

    IP Address       Country  Owner   Attempts
    124.40.51.a      Japan    Akamai  1
    208.46.117.b     USA      Akamai  15
    209.107.220.c    USA      Akamai  16
    209.170.97.d     USA      Akamai  7
    213.248.117.e    UK       Akamai  9
    217.212.238.f    France   Akamai  7
    217.212.238.g    France   Akamai  6
    69.22.151.h      USA      Akamai  15
    69.22.151.i      USA      Akamai  11
    69.22.151.j      USA      Akamai  4
    72.246.k.l       USA      Akamai  9
    Total                             100
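    A table like the one above is produced by counting inbound UDP hits per source address in the router's firewall log and then attaching the netblock owner from whois. The script below is an added example and not the author's own tooling: it parses netfilter-style log lines (the SRC=/PROTO=/DPT= format that Linux-based ADSL routers commonly write), masks the last octet the way the table does, and counts separately any hits on the UDP ports the post lists netsession_win.exe listening on, since traffic aimed at exactly those ports looks more like NetSession peers contacting the installed client than a port scan. The sample log lines, the addresses in them and the netblock-to-owner table are constructed for the example (203.0.113.0/24 is the TEST-NET-3 documentation range); in a real run the owner table comes from whois lookups done out of band.

```python
"""Aggregate inbound UDP hits from ADSL router firewall logs by source.

Added example, not the original post's script. Sample lines, addresses and
the owner table are constructed; NETSESSION_UDP_PORTS are the ports the
post lists netsession_win.exe listening on.
"""
import ipaddress
import re
from collections import Counter

NETSESSION_UDP_PORTS = {60900, 63150, 55381, 54405}

# Assumption: built out of band from whois lookups; entries are illustrative.
OWNER_TABLE = [
    (ipaddress.ip_network("208.46.117.0/24"), "USA", "Akamai"),
    (ipaddress.ip_network("209.107.220.0/24"), "USA", "Akamai"),
    (ipaddress.ip_network("213.248.117.0/24"), "UK", "Akamai"),
]

# netfilter LOG format: "... SRC=a.b.c.d DST=... PROTO=UDP SPT=n DPT=m ..."
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?PROTO=(?P<proto>[A-Z]+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str):
    """Return (source_ip, destination_port) for an inbound UDP line, else None."""
    m = LOG_RE.search(line)
    if m is None or m.group("proto") != "UDP":
        return None
    return m.group("src"), int(m.group("dpt"))


def lookup_owner(ip: str):
    addr = ipaddress.ip_address(ip)
    for net, country, owner in OWNER_TABLE:
        if addr in net:
            return country, owner
    return "??", "unknown"


def mask_last_octet(ip: str) -> str:
    """Report sources the way the post's table does, with the last octet hidden."""
    return ".".join(ip.split(".")[:3] + ["x"])


def aggregate(lines):
    per_source = Counter()
    netsession_hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # not a firewall line, or not UDP
            continue
        src, dpt = parsed
        per_source[src] += 1
        if dpt in NETSESSION_UDP_PORTS:
            netsession_hits[src] += 1
    rows = []
    for src, attempts in per_source.most_common():
        country, owner = lookup_owner(src)
        rows.append({"source": mask_last_octet(src), "country": country, "owner": owner,
                     "attempts": attempts, "netsession_port_hits": netsession_hits[src]})
    return rows


def owner_totals(rows):
    totals = Counter()
    for row in rows:
        totals[row["owner"]] += row["attempts"]
    return dict(totals)


def format_table(rows) -> str:
    header = f"{'IP Address':16}{'Country':9}{'Owner':9}{'Attempts':>9}{'NetSession ports':>18}"
    body = [f"{r['source']:16}{r['country']:9}{r['owner']:9}{r['attempts']:>9}"
            f"{r['netsession_port_hits']:>18}" for r in rows]
    total = sum(r["attempts"] for r in rows)
    return "\n".join([header, *body, f"{'Total':34}{total:>9}"])


# Constructed sample log (not the author's): netfilter LOG output via syslog.
SAMPLE_LOG = """\
Apr 13 08:01:12 router kernel: DROP IN=ppp0 OUT= SRC=208.46.117.17 DST=192.168.1.10 LEN=72 PROTO=UDP SPT=38201 DPT=60900
Apr 13 08:01:13 router kernel: DROP IN=ppp0 OUT= SRC=208.46.117.17 DST=192.168.1.10 LEN=72 PROTO=UDP SPT=38201 DPT=63150
Apr 13 08:01:15 router kernel: DROP IN=ppp0 OUT= SRC=209.107.220.9 DST=192.168.1.10 LEN=72 PROTO=UDP SPT=41877 DPT=60900
Apr 13 08:02:40 router kernel: DROP IN=ppp0 OUT= SRC=213.248.117.40 DST=192.168.1.10 LEN=72 PROTO=UDP SPT=52310 DPT=55381
Apr 13 08:03:01 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=192.168.1.10 LEN=404 PROTO=UDP SPT=1434 DPT=1434
Apr 13 08:03:02 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=192.168.1.10 LEN=40 PROTO=TCP SPT=6000 DPT=3389
Apr 13 08:04:09 router kernel: DROP IN=ppp0 OUT= SRC=208.46.117.17 DST=192.168.1.10 LEN=72 PROTO=UDP SPT=38201 DPT=54405
Apr 13 08:04:10 router pppd[412]: LCP: timeout sending Config-Requests
"""

if __name__ == "__main__":
    table_rows = aggregate(SAMPLE_LOG.splitlines())
    print(format_table(table_rows))
    print(owner_totals(table_rows))
```

    The extra NetSession-ports column is the check worth making before calling this a scan: if nearly every hit from the Akamai ranges lands on the four ports the client opened, the packets are the peer-to-peer side of the software you installed rather than reconnaissance, and the fix is the uninstall described above rather than a firewall rule.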


    Akamai is an Internet content delivery network headquartered in Cambridge, Massachusetts, US.
    However they also use a form of peer-to-peer networking that runs on end-users' computers. When users request a download of certain large files served by this system, they are prompted to download and install the "Akamai NetSession Interface", a download manager intended to reduce download time and increase quality; this software is also a peer-to-peer server, delivering content cached on the user's computer to other users' computers.

    The user agreement describes this vaguely as

     "You agree that the Software may send and receive commands and data related to participating publishers’ digital information ("Published Content") to and from the Akamai network and other Akamai NetSession Interfaces to facilitate the downloading of Published Content."

    An overview of their Akamai NetSession Interface can be found at http://www.akamai.com/html/solutions/client_overview.html

    Now, I do have the "Akamai NetSession Interface"; it was installed when downloading Adobe's Captivate software to trial as a means of producing training presentations. I should have read the user agreement in more detail, but having 100 UDP scans against ports on my computer in 3 days is a bit intrusive. The scans occur as I turn the computer on, and the number varies each time.

    There is a console added to the control panel that allows some control and monitoring of their software, and it is possible to stop the service through the console; however it does not give a lot of detail of any files uploaded or downloaded. In my case it just lists the two files I downloaded.

    I will be looking at this in more detail and be blogging more in the future.

    Thursday, 12 April 2012

    Digital theft

    An article today, "Code can't be stolen under federal law, court rules" http://news.cnet.com/8301-1009_3-57412779-83/code-cant-be-stolen-under-federal-law-court-rules/, caught my eye. I found it interesting as to how theft applies in the digital world.

    In the article it mentions how former Goldman Sachs programmer Sergey Aleynikov was convicted in December 2010 of downloading code for Goldman Sachs' high-speed computerised trading operations and uploading it to an overseas server before he left the Wall Street investment bank in 2009. Chief Judge Dennis Jacobs, in the appeal against the conviction, overturned it "because Aleynikov did not 'assume physical control' over anything when he took the source code, and because he did not thereby 'deprive [Goldman] of its use'". He went on to say "We decline to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age."

    This gives us a problem when convicting cyber-criminals as to which law should be used. Could the same problem occur in the UK?

    In the physical world theft normally means deprive someone of their property and in the UK the Theft Act 1968 defines theft as

    (1) A person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and "thief" and "steal" shall be construed accordingly.
    (2) It is immaterial whether the appropriation is made with a view to gain, or is made for the thief's own benefit.

    Interestingly it defines property as:

    (1)Property includes money and all other property, real or personal, including things in action and other intangible property.

    It also defines "belonging to another":

    (1) Property shall be regarded as belonging to any person having possession or control of it, or having in it any proprietary right or interest.

    So software, which is intangible, would appear to be included under the definitions of property and of belonging to another.

    However in the UK, as in the USA, there can be an argument about the intention of permanently depriving the other of it, as effectively a copy is made and therefore the owner is not deprived of the property. Taking a disk holding the only copy of the code, or copying and then deleting the code, would permanently deprive the owner of the code and would therefore be prosecutable under the Theft Act in the UK in those particular circumstances. It would be possible to use intellectual property rights and copyright law to prosecute an unauthorised copy of the code, but the penalties are not as severe as under the Theft Act.

    The Computer Misuse Act 1990, as modified by the Police and Justice Act 2006, gives the following offences, which do not apply to the theft of material; however it may be possible that section 1 could be used if access to the material was not part of an employee's role.

    1. Unauthorised access to computer material
    2. Unauthorised access with intent to commit or facilitate commission of further offences
    3. Unauthorised modification of computer material
    3A. Making, supplying or obtaining articles for use in computer misuse offences


    There appears to be very little to protect businesses from competition from former employees, consultants or anyone else.

    In order to protect a company under English law, businesses should put in place contractual obligations on employees and consultants at the outset, and during the course of the relationship as seniority increases, to maximise the legal means of protecting intellectual property rights, confidential information and trade secrets against information theft and industrial espionage, so as to gain some protection when an employee leaves for employment elsewhere. When an employee does leave with confidential information it is a breach of the confidence the employer placed in them, and in UK law it is possible to bring an action for breach of confidence.

    The test for a cause of action for breach of confidence is:

    1. the information itself must have the necessary quality of confidence about it;
    2. that information must have been imparted in circumstances imparting an obligation of confidence;
    3. there must be an unauthorised use of that information to the detriment of the party communicating it.

    Tests like these are what is needed in a digital theft/copying act, to ensure that theft or copying of intangible property can be prosecuted when it has a detrimental effect on a business.

    It is interesting that at the end of the article about Sergey Aleynikov it mentions that an appeals court had, the previous day, rejected the US government's broad interpretation of a nearly 30-year-old anti-hacking law in trying to prosecute a man for misappropriation of trade secrets. The appeals judges ruled that the government's interpretation of the 1984 federal Computer Fraud and Abuse Act could lead to millions of Americans being subjected to prosecution for harmless web surfing at work, probably not what was intended, at least if common sense is applied. Both cases highlight the need for careful wording of any legislation to ensure there are no loopholes and that it is not too broad in scope, as common sense is not a constant across a population.

    Conclusion

    In the digital world it can be very difficult to apply laws that were developed for the physical world, and computer laws are still not sufficient to adequately cover the types of offence that can be committed in the digital world. Legislators still do not understand what the digital world is and how manipulation of digital data can be very profitable; laws need to be implemented more quickly to try to catch up with the digital economy.

    Monday, 9 April 2012

    Children and the Internet

    Recent articles, such as that from Davey Winder [PC Pro, 23rd Feb 2012] and reports from security research companies, including a report from Avast [Avast, 2012], are highlighting that cyber-criminals are now targeting children as part of their attack vectors in order to get malware onto computers. This posting looks at why this should be of concern to parents.

    If we examine the aims of a cyber-criminal, one of their aims would be to get malware installed on to the victim’s machine as silently as possible so that the victim would not be aware of the installation and be unable to take action to remove or neutralise the malware. The aim of the malware could be to recruit the machine into a botnet, steal information from the victim or possibly even both activities.

    In order to do a silent installation, a cyber-criminal will need either to get the malware to install itself silently by exploiting vulnerabilities on the system, or to make use of a software feature to perform a silent update. An additional method is to use trickery to get the user of the targeted device to do something that will give the necessary permission for the install without them realising what they have done. The final method of getting malware installed is to use a Trojan, where a wanted application or utility, such as a game, has an unwanted companion in the form of the malware.

    A feature of malware distribution techniques over the last few years has been the move from targeting adult sites to compromising mainstream sites with drive-by download malware, or adding links that redirect surfers to a malware-infected site.

    The adult user should be more wary of the risks of internet surfing, which should make them a harder target; however, young children are more vulnerable as they are not aware of the risks of using a computer. The risk of young children being exploited online has increased as they are now being allowed access to computers and the internet at an increasingly young age: the Internet is taking over from the TV as the electronic nanny in many households, as computers, games consoles etc. occupy children while parents get on with something else.

    Targeting young children's use of the internet bypasses the controls that older, and hopefully more experienced and wary, users will be following. The malware distributors increase the likelihood of placing malware on a computer by taking advantage of the naivety of children, especially in the pre-teen generation.

    The targeting of children is mainly in the form of drive-by downloads, where the cybercriminal has targeted the web sites that children are likely to use. The targeting is aimed at pre-school age upwards, with games designed to be attractive to young children. BitDefender Online Threats Lab, one of the security vendors doing research in this area of cybercrime, reported recently on a range of Flash-based games that were colourful and attractive to young children and came complete with a trojan. They even found one application where the very act of swiping the paintbrush over an online pet to change the colour of the virtual animal, a common action in most pre-school games, was enough to trigger redirection to an infected site.

    For slightly older children, the attackers are using social media for phishing attacks, targeting adverts and postings that are attractive and attention-grabbing to children and trying to get them to click through to affected sites so that malware can be installed.

    In addition to the targeting of children described above, there has been an increase in the number of leisure sites being attacked. In particular, online game sites have attracted a number of attacks: since the attack on Sony online sites was reported in April 2011, a number of other games/gaming sites have been targeted and player details stolen.
    • June 2011, EVE Online, Minecraft cyber attacks
    • June 2011, Sega
    • Nov 2011, Valve Steam
    • Dec 2011, Square Enix
    As to why children and leisure sites are being targeted, an urban legend states that when William "Willie" Sutton, a prolific U.S. bank robber, was asked why he robbed banks, his reported reply was "That is where the money is." This line has been used to describe why cybercrime has been increasing: that is where the money is now, and there is less risk of being caught targeting online shops, banks etc. than in physically holding up a bank. As online leisure activities such as gaming, gambling and betting have taken off in popularity, we have to be aware not only of attacks on online banking but also of attacks on both our own and our children's leisure interests and activities.

    Parents or guardians need to be aware that, unintentionally, their children could put them at risk of losing credit card and other identity information, as well as of computers and other devices becoming infected and possibly part of a botnet. This is not the only risk to their financial and identity information: there is increasing evidence that parents are giving their credit and debit card details to their children, and this will make the phishing for and harvesting of credit/debit card data easier, as the naivety of children is easy to take advantage of.

    At a seminar (EEESTA seminar 2011, Professor Sasse), Professor Sasse told of a respondent to a survey about "chip n pin" who was very enthusiastic about it, as she could give her card and PIN to her children and send them to the shops. In addition to a number of studies that have been conducted on this, I personally know of cases where a very trusting parent has given their credit card details to children to make online purchases via iTunes etc., or has set up accounts with their card details for the children to use. With younger and naive children having access to the financial details of their parents, I would expect to see an increase in phishing and malware targeting children, as they are the weakest link in the security chain.

    Additionally, I would expect that banks and other financial institutions are going to be looking at this phenomenon, in particular when it comes to the terms and conditions about credit card fraud and losses. I would expect to see investigations of fraud and losses looking at whether children had access to credit card details, to determine whether the card holder has met the terms and conditions of their credit card/bank contract when deciding whether to pay out to cover losses.

    Tools (9th April)

    My weekly blog on the tools that have come to my attention over the last week. It is not a comprehensive tool list, but tools that I found interesting or details of tools I use that have been upgraded.

    OWASP iGoat
    http://code.google.com/p/owasp-igoat/downloads/detail?name=owasp-igoat-1.2.tar.bz2&can=2&q=
    iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time — much as WebGoat has before it.

    OWASP ZAP 1.4.0
    https://code.google.com/p/zaproxy/downloads/list
    The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
    It is designed to be used by people with a wide range of security experience, and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

    Medusa v2.1 Released
    http://www.foofus.net/?page_id=51
    Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items to be some of the key features of this application:

    Enema: Powerful tool for SQL injection
    http://code.google.com/p/enema/downloads/list
    A non automated SQL Injection tool

    Wednesday, 4 April 2012

    Cookie Article

    An update on the series of entries that I wrote about cookies: I have published an article on my website about cookies, based on the series of entries that I wrote on this blog in March 2012 in response to the ending of the ICO deadline on the implementation of the UK cookie law (PECR). The aim of the blog entries and this article is to give some easily understandable background on cookies, the privacy issues, the legal situation with having cookies on your website, and what needed to be done to ensure the site complied with the new regulations.

    The article can be found at http://www.geraintw.co.uk/cookies.html. I am in the process of building the website, which is a very slow process as I'm fitting the development around other activities.

    Monday, 2 April 2012

    Port 12200

    As part of my analysis of the attempts on an ADSL router, I have been looking at the source port of the attempts and the majority of scans are coming from port 12200 on the scanning machines.



    A quick check of the uses of the port on the internet revealed the following usage:
    • employed as one of the switch ports of a storage area network (SAN) of storage disks covered by U.S. patent 6947939, which has the capacity to facilitate communication between two switch ports in different zoning configurations.
    • utilized by Tenebril's software Ghost Surf which usually launches up by default as a wide open proxy. It has also been employed by GnucDNA, which is one of the crucial elements in building peer-to-peer (p2p) applications for Gnutella clients or networks.
    • has also been recommended as a replacement for the well-known port 80 and port 8080 when they are blocked by the Internet Service Provider or rejected by the Linksys router.
    One common footnote on a number of websites was that port 12200 has been associated with scanners looking for open proxies to take over maliciously; that ties up nicely with the port being used for open proxies. If I can find the necessary spare equipment I am going to put an ADSL modem in front of a firewall and router and fit an Ethernet tap to capture the packets from the attempts for a more detailed analysis.

    Tools (April 2nd)

    My weekly blog on the tools that have come to my attention over the last week. It is not a comprehensive tool list, but tools that I found interesting or details of tools I use that have been upgraded.

    Wireshark 1.6.6
    http://www.wireshark.org/download.html
    The current stable release of Wireshark is 1.6.6. It supersedes all previous releases, including all releases of Ethereal. You can also download the latest development release (1.7.0) and documentation.

    Deft 7.1 Available
    http://www.deftlinux.net/download/
    The Deft 7.1 ISO has been online since 30 March.
    DEFT 7 is based on the new Kernel 3 (Linux side) and DART (Digital Advanced Response Toolkit) with the best freeware Windows computer forensic tools. It is a new concept of computer forensic system that uses LXDE as the desktop environment, WINE to execute Windows tools under Linux, and mount manager as the tool for device management. It is a very professional and stable system that includes excellent hardware detection and the best free and open source applications dedicated to Incident Response, Cyber Intelligence and Computer Forensics.

    A new tool that I will be looking at
    http://ironwasp.org/download.html
    IronWASP v0.9.0.3 released - a web application vulnerability testing tool
    IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing, developed by Lavakumar Kuppan. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.


    Sunday, 1 April 2012

    This month's presentations

    I will be giving two talks this month: Wireless Security on April 18th, 2012 at the Hertfordshire branch of the Institute of Measurement & Control (see their web site for details: http://www.instmc.org.uk/Hertfordshire/events-programme), and Hollywood Forensics on April 24th, 2012 at the Hertfordshire Branch of the BCS (please see their web site for more details: http://www.herts.bcs.org/future.htm).

    Analysis of logfiles (March)

    Last month's analysis of suspected port scans from my ADSL router's logfiles.

    Month     No Attacks  DOS  Port Scans  Unique IP  Unique Countries
    Mar 2012  156         129  27          77         5

    Country  Attacks
    Turkey   73
    China    40
    UK       29
    Germany  13
    Russia   1


    Breakdown of attempts

    27 attempts from a single UK address
    27 attempts from a single Chinese address
    13 attempts from another Chinese address
    13 attempts from a German address
    2 attempts from another UK address
    2 attempts from a Turkish address
    The rest were single attempts from unique IP addresses, mainly Turkish.
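    As an added example (not the author's own tooling), this is how the source-port check described in the Port 12200 entry and the per-address breakdown above can be produced from router log lines. The log format, addresses and ports are constructed and hypothetical, since the post does not show the router's actual log format.

```python
import re
from collections import Counter

# Constructed sample log lines in a hypothetical netfilter-style ADSL router
# syslog format (not from the original post); a real router's format differs,
# so LOG_RE is the part to adapt.
SAMPLE_LOG = """\
Mar 03 01:12:07 router kernel: DROP IN=ppp0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=12200 DPT=22
Mar 03 01:12:09 router kernel: DROP IN=ppp0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=12200 DPT=23
Mar 03 01:12:11 router kernel: DROP IN=ppp0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=12200 DPT=80
Mar 04 14:40:02 router kernel: DROP IN=ppp0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=12200 DPT=8080
Mar 04 14:40:05 router kernel: DROP IN=ppp0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=12200 DPT=3128
Mar 05 09:00:13 router kernel: DROP IN=ppp0 SRC=198.51.100.200 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=445
Mar 06 22:17:44 router kernel: DROP IN=ppp0 SRC=203.0.113.99 DST=198.51.100.5 PROTO=UDP SPT=40000 DPT=53
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def parse_entries(text):
    """Return one dict per dropped-packet line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries.append({"src": m["src"], "proto": m["proto"],
                            "spt": int(m["spt"]), "dpt": int(m["dpt"])})
    return entries


def source_port_share(entries):
    """(port, count, fraction) per source port, most common first, to spot a dominant port like 12200."""
    counts = Counter(e["spt"] for e in entries)
    total = len(entries)
    return [(port, n, round(n / total, 2)) for port, n in counts.most_common()]


def breakdown_by_source(entries):
    """Repeated source addresses with their attempt counts; single attempts summarised as a count."""
    counts = Counter(e["src"] for e in entries)
    repeated = [(ip, n) for ip, n in counts.most_common() if n > 1]
    singles = sum(1 for n in counts.values() if n == 1)
    return {"repeated": repeated, "single_attempt_addresses": singles,
            "unique_ips": len(counts), "total": len(entries)}


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    for port, n, share in source_port_share(ents):
        print(f"source port {port}: {n} attempts ({share:.0%})")
    summary = breakdown_by_source(ents)
    for ip, n in summary["repeated"]:
        print(f"{n} attempts from {ip}")
    print(f"{summary['single_attempt_addresses']} single attempts from unique addresses")
```

    Country attribution, as in the table above, would need a separate IP-to-country lookup, which is deliberately left out so that the script runs offline.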