Binary Intelligence

...thoughts and news on digital forensics, pentesting, electronic investigations, and the computer underground.

I have recently started using an iPhone for a variety of different functions related to my work. All in all, I have to say it is not my favorite phone, but it is serving a purpose in allowing me to become familiar with a variety of different options that this mainstream device offers. In working with the device and looking for a new Twitter client, I came across an application named Twinkle. I wanted to share with the community some of my observations from using the application.

Twinkle is a social networking application created by Tapulous for the iPhone or iPod Touch. It is similar to Twitter, with a few key differences. When a user first installs and runs Twinkle, the application requests an e-mail address to generate a Tapulous account. The e-mail address is utilized to confirm the account and a profile is created.

From this point on, the profile is accessed and managed on the iPhone with no password required. This process makes it extremely easy to start up and use the application. The ease of use combined with the large number of iPhone owners creates a sizable potential user base.

Users also have the option of associating the application with a Twitter account. If this step is not conducted, the profile and all generated content lives only within the Twinkle network and is only accessible through the iPhone or iPod Touch.

The key feature of Twinkle, and main difference from Twitter, is its location awareness. Within Twitter, users have to "follow" other users to see what they have posted to the network. Twinkle, on the other hand, has the ability to build a dynamic network based on the proximity to other users. Users are able to quickly pull up all posts from other users within a defined proximity from their current location (default is 50 miles). The user's location is automatically identified by Twinkle.

In most circumstances, this is a powerful feature. This allows users to quickly identify others in their local area and discuss popular events, places to eat, weather, traffic problems, and so on. If desired, users have the ability to define friends in the same manner as Twitter. Private messages are supported as well as attaching images to both public and private posts.

I find great utility in this application as it gives users a way to find out what is going on in their area from a “word on the street” level without relying on other news sources. When traveling, it is a great way to get a feel for the local area.

However, there is a huge potential for abuse that could occur on the network. For instance, below is the content that was displayed today when launching the application. This was the default list of recent posts from users close by.


If you look closer at the posts from one of the profiles on the list we find:


This sort of behavior, while regrettable, is almost expected of any service such as this.

One of the surprising aspects of this are some of the actions of the female profiles. For instance, here is a public profile from a young female within my local area:



Notice the repetitive requests for direct communication of "let's talk!" This is interesting from the perspective that this is a young female that is actively soliciting private communications. It's possible that this isn't a legitimate account and is someone posing as a female just to attract conversation (not law enforcement related activity). You can tell by the picture icon on some of those posts that pictures are attached to them. An example of the pictures which are posted:


At this point it's impossible to tell if this is a valid account with activity by a young female or someone else utilizing pictures of a young female to add "legitimacy" to the posts.

Within the application, you can also view a list of a user’s friends. This female profile had a number of friends with one that stood out due to the graphic nature of the posts.



This was the only picture in this male's profile that was safe to post. The other images were entirely too graphic. It is interesting that this account was tied to the previously mentioned female profile as a friend, since they are not in the same geographic area. The intentions of these users are unknown, but it could be said that much of the activity is inappropriate.

When I first came across Twinkle, I noticed some of this content and initially dismissed it. However, after some weeks of using the application I have found this sort of content to be very common in my local area (and this may not be representative of other areas).

I do want to state that I am not trying to discredit Tapulous, the publisher of Twinkle. I appreciate that they are trying to publish a quality iPhone app for free. The negative aspects that I described come at the fault of the users, not of the software publisher. From reading the Tapulous support forums, it appears as if the publisher takes abuse seriously, and removes accounts that engage in inappropriate behavior.

I wrote this post simply to bring attention to Twinkle and the potential for its use in online enticement. This application is uniquely positioned for this purpose due to the reckless behavior by the user base, the fact that users are able to identify the proximity of other profiles, the relative anonymity of accounts (sign up under a false e-mail address), and the lack of attention paid to the content of the network.

The Twinkle network is widely unknown and I hope that this post will provide a resource to anyone involved in enticement investigations. By making parents and law enforcement aware of the negative possibilities, it is hoped that they can help educate their children and stop potential offenders before anything bad can occur.

Update:

I wrote this post over the weekend to post here on Monday. Sunday night, I took another look at what was happening in my local area, when I saw this:

Here we have a user from my local geographic area soliciting 13 to 14 year old girls.

This one screen shot makes my case.

Matt sent me the link to this story today. This is a situation I have been following for a while:

A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.

In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.

...

Boucher's attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.

I would be interested in hearing the community's opinion on this matter.

Personally, I think this is wrong. While it sucks that people would use technology in such a manner, the effect of such a ruling would be extremely negative. With the DHS making claims such as:

A pair of DHS policies from last month say that customs agents can routinely--as a matter of course--seize, make copies of, and "analyze the information transported by any individual attempting to enter, re-enter, depart, pass through, or reside in the United States." (See policy No. 1 and No. 2.)

DHS claims the border search of electronic information is useful to detect terrorists, drug smugglers, and people violating "copyright or trademark laws."

And if you join that with the authority to force users to give up passwords... Well, let's just say I will not travel with client data on my system, even in an encrypted format. The argument of "If you have nothing to hide, you won't mind us looking" is invalid as well, as data is entrusted to me and I have an obligation to not share it.

And beyond that, anyone that is savvy enough to use encryption is also going to know to just keep their data in the cloud, encrypted, and access it when they reach their destination. Oh, use a product like Truecrypt, and place the encrypted container in your windows/system32 directory under the name of "explorer.dll".

These sorts of moves do nothing other than hurt legitimate use of technology while doing nothing to reduce the risk they are targeted to.

Thoughts on this matter are welcome.

2/27/2009
Posted by Matt C

Data Theft Common By Departing Employees

Many people who are either laid-off from their job or simply moving to another opportunity often secretly take proprietary data from their employer on their way out the door, a study released this week found.

Nearly 60 percent of employees who quit a job or are asked to leave are stealing company data, according to a report by the Ponemon Institute, a Tucson-based research group. The survey was based on interviews with 945 adults who were laid off, fired or changed jobs in the last year.

Seventy-nine percent of those who admitted to taking data said they did so despite knowing that their former employer did not permit them to take internal company information.

WashingtonPost.com

Using technology to track a person's location is nothing new. For years, police have been able to trace cell-phone signals and use other dashboard devices such as automatic toll-collection systems to confirm a driver's whereabouts.

But the growing popularity of GPS systems -- in cars, cell phones and other hand-held devices -- gives authorities another powerful tool to track suspects.

Among recent cases:

*In September, a man in Butte, Mont., pleaded guilty to rape shortly after a judge ruled that evidence from the GPS unit in his car could be used against him at trial. Prosecutors planned to use it to show that Brian D. Adolf "prowled" through town for a victim.

*In New Brighton, Pa., a trucker's GPS system led police to charge him with setting his own home on fire. GPS records showed his rig was parked about 100 yards from his house at the time of the fire.

OrlandoSentinel.com

2/24/2009
Posted by Jim

War!

Richard linked to a very interesting story in the latest IANewsletter. Even if you don't believe in the concept of "Cyberwar", it is well worth a read.

At critical points in history, technological advances have driven fundamental changes in the conduct of warfare. The tank, radio, long bow, helicopter, machine gun, military robot, and unmanned aerial vehicle, among many other technologies, changed the face of warfare. Agile military organizations exploited these new technologies—by adopting innovative tactics, doctrine, cultures, and organizations—or faced irrelevance and probable defeat on the battlefield. However, occasionally, a new technology is so significant that it creates a discontinuity in the conduct of war that necessitates creation of an entirely new military service. This situation occurred in the United States, resulting in the formation of the Air Force in 1947. The advent of air power fundamentally altered the conduct of warfighting and drove the transformation of the Army Air Corps into the United States Air Force.

2/23/2009
Posted by Jim

Hit them where it hurts

It would be wrong to say that targeting the desktop is the "new" hot target, as it has been for some time now.

It makes sense. Why target where there is protection? For years, infrastructure was the place to attack. Then, as multiple layers of protection were put in place, web apps became the hot target. Now, with the web app not even finished smouldering, client-side attacks are where it is at.

And why not? You always want to target the path of least resistance. Sure, there are still plenty of exploits left to discover on the infrastructure and web applications, but why go through the trouble when client-side is so much lower effort?

All you have to do is target applications that everyone is running. Acrobat, Flash, various web browsers, MS Office, etc etc. Best bet, target applications that are not supported in popular auto update/patch tools. That way, even when the vendor does release updates, most people won't have it installed.

And right now, the situation is not so good.

There is a really fun and nasty exploit floating around for Acrobat reader, and it looks like Adobe is in no hurry to fix the problem:

Adobe has scheduled the patch for March 11th. If you believe that Symantec notified them on February 12th, this is almost a full month from news of a live exploit to a vendor response. If the vendor involved was Microsoft, the press would be tearing them apart right now. What part of "your customers are being exploited" do they not understand?
Now that has been followed up with a 0 day in Excel.
Details are sparse, but it looks like Symantec has discovered a code-execution vulnerability in Excel 2007 and Excel 2007 SP1. The issue is being actively exploited in the wild by a variant of the Mdropper trojan.

There is no patch for the vulnerability yet, so until one arrives, don’t open anything that looks like an Excel document from sources you cannot completely trust and verify.

With the way it is looking, there is a good chance MS will have Excel patched before Adobe does Acrobat.

Now, with the Acrobat exploit, I know there are some people upset that the details were made public. Well, sorry folks, it was being exploited in the wild and Adobe did not care. Adobe felt it was better to hide the problem rather than protect their customers.

Making these sorts of details public is the only thing that makes us safer in the long run.

2/21/2009
Posted by Jim

Cyberwar

Interesting editorial in today's Wall Street Journal:

Like other forms of terrorism, cyber war offers an attacker asymmetrical advantages and can be used by individuals as well as governments to debilitate and confuse civilian and military targets. The more governments and economies rely on the Internet, the more vulnerable they become. Michael McConnell, the recently departed National Intelligence Director, called cyber security "the soft underbelly of this country."

Guidance Software Inc. bills itself as the leading provider of technology that helps companies dig up old e-mails and other electronic documents that might be evidence in a lawsuit. Yet when Guidance itself had to face a judge, it was accused of bumbling its internal digital search.

Whether Guidance intentionally hid documents or just couldn't find them is a matter of dispute. The company said it did all that was required. But its inability to cough up certain e-mails, even over several months, led an arbitrator to accuse it of gross negligence and proceeding in bad faith.

At the very least, the case shows how thorny electronic evidence searches can be, even for a specialist.

From FoxNews.com.

2/13/2009
Posted by Jim

Facebook and Pentests

While catching up on links that I saw filtering through on Twitter this week, I came across a very good write-up on using Facebook to help with a pentest. This sort of indirect approach is always great, and with social media (still!) being rather new to many companies and users, there are no defenses up in many cases.

And for that matter, how do you create an off-the-shelf product to protect against this sort of attack? It seems like far too often, if there is not an off-the-shelf product, companies don't have any protection. Anything that is not just off the shelf is actually work to get in place, sooo....

Never discount the laziness of a target.

Considering a Career in Computer Forensics?

There are a lot of people who post about wanting to get into the field of computer forensics. People who are just interested in the field, soon to be graduates of the many new computer forensic degree programs, or IT folks thinking about a career change.

And there are many people who post about whether or not computer forensics is the right career choice for them.

The typical response on the forums is, "If you have a passion for technology and love to learn new things, then this might be the right field for you."

While having a passion for technology and getting down in the details of computer data and file systems is definitely a prerequisite for this type of field, there are some things that anyone who is considering this as a vocation should contemplate before deciding if this is the right career path.

2/11/2009
Posted by Matt C

Law Enforcement using Headcam Recordings

Gone are the days of spending two hours writing a police statement.

In Derbyshire, officers are swapping their notebooks and pens for a small memory card, so that hours of film can be gathered as evidence on something as small as a fingerprint.

It is the latest way to get the best out of technology that's already been tried and tested.

Headcams have been worn by police officers in other parts of the country for quite a while, but here in Derby city centre they're being used alongside a new computer system which means officers can store and retrieve the footage quickly and easily.

In the time it takes to burn the evidence onto a DVD, an officer could be back out onto the street.

From BBC News.

2/06/2009
Posted by Jim

Police Searching of Handhelds OK?

Police Blotter: Courts split over police searches of handhelds

On June 6, 2008, Florida Highway Patrol Trooper John Wilcox was running a speed trap in Collier County in an area known as "Alligator Alley." His radar gun said a car was traveling over 90 mph, and Wilcox pulled the driver over.

Wilcox said he smelled raw marijuana from inside the car, asked the driver to step outside, and called for backup. The driver, Ariel Quintana, was arrested for driving with a suspended license. (He had failed to pay a traffic fine.) A search of the car yielded possible traces of marijuana in the sole of a shoe but nothing else.

When Quintana was in custody, his cell phone rang, and Trooper Yoenis Garcia removed the phone from the suspect's pocket without permission and dialed the most recent number. Quintana's wife Amy answered the phone.

Garcia then began to peruse the contents of the phone, including a digital photo album, hoping to find marijuana-related evidence. He found a photo of marijuana plants in what appeared to be a "grow house," plus what court documents delicately describe as "intimate" photos of Quintana's wife.

2/03/2009
Posted by Jim

IT Jobs Cratering?

While catching up on the news tonight, I saw a post on slashdot about the IT job market going in the tank.

Thing about that is, business is up for us. We have a ton of work coming in. Both Matt and I are busier now than we have been in a while. Thing is, what does this mean?

Is the business we are getting due to the fact people are already getting desperate and doing stupid things? Or are things not as bad as news articles would like us to believe, in an attempt to get us worried so we pay even more attention to the news?

For me, it's hard to tell either way. All I know is, I would like a few more hours added to the day for the next month or so, please.

2/02/2009
Posted by Matt C

Corporations are their own worst security threat

Today, IBM announced the results of its 2008 X-Force Trend and Risk report, which found corporations put their own customers at risk for "cybercriminal activities" by failing to properly defend their servers against identified exploits.

Two main trends were reported in the X-Force report. First, today's websites are the "Achilles' heel" for IT security. This is the culmination of the attacker's desire to infiltrate the website's software to allow their applications to infect end-user machines, coupled with corporations using standard, off-the-shelf applications which have known exploits. According to their report, 74% of the web applications deployed have had no patches applied. And trends show the volume of attacks seen at the end of 2008 was 30x greater than the number of attacks seen early in the summer months.

The second major trend is a switch away from primarily browser defect and ActiveX script attacks to those involving Flash and PDFs. The research recorded a 50% increase in Q4'2008 in the number of URLs that were hosting exploits compared to the sum total from all of 2007. Spammers are also switching to these compromised web-site tactics for an expanded reach.
Read More from TG Daily.


Doug Bates and his wife, Stacey, were in bed around 10 p.m., their 2-year-old daughters asleep in a nearby room. Suddenly they were shaken awake by the wail of police sirens and the rumble of a helicopter above their suburban Southern California home. A criminal must be on the loose, they thought.

Doug Bates got up to lock the doors and grabbed a knife. A beam from a flashlight hit him. He peeked into the backyard. A swarm of police, assault rifles drawn, ordered him out of the house. Bates emerged, frightened and with the knife in his hand, as his wife frantically dialed 911. They were handcuffed and ordered to the ground while officers stormed the house.

The scene of mayhem and carnage the officers expected was nowhere to be found. Neither the Bateses nor the officers knew that they were pawns in a dangerous game being played 1,200 miles away by a teenager bent on terrifying a random family of strangers.

They were victims of a new kind of telephone fraud that exploits a weakness in the way the 911 system handles calls from Internet-based phone services. The attacks — called "swatting" because armed police SWAT teams usually respond — are virtually unstoppable, and an Associated Press investigation found that budget-strapped 911 centers are essentially defenseless without an overhaul of their computer systems.
