Category: Uncategorized

Bloggers post confidential information, defamatory information, or just annoying information. Websites host stolen credit cards, hacking tools and techniques, or other things that you might not want. In the course of investigating these things, companies or law enforcement agencies frequently need to rely on information in the hands of third parties. An example of this is the various companies that offer data or computer locator services. If a corporate computer is reported lost or stolen, these services use various means to identify the computer, or the data on it. When the target computer is then used – generally to get online – the computer essentially “phones home” with its location. The computer doesn’t really give its location. At best, it can reveal the Internet Protocol (IP) address of the network it is on. While this information is helpful to the true owner of the computer, it is not sufficient to locate and/or recover the stolen hardware.

OnStar is one of the various services that provides motorist assistance, including Global Positioning Satellite location data. If you report the car stolen, they can remotely turn the GPS on, track the car, and even turn the telephone inside the car on and listen into the thieves’ conversations. All of this occurs on the network the real owners own and it reveals information about your vehicle.

Finding subscriber information When it comes to network based investigations however, we cannot easily track where the computer went. Once we have the IP address, we would look up the network that was assigned that block of IP addresses. It might be an Internet café in Riga, Latvia, or a giant Internet Service Provider in Dulles, Virginia.

What we really want is subscriber identification information. That is, what subscriber was assigned that particular IP address at that particular instant. Now of course, a lot of this information may be spoofed, and it is usually less than trivial to piggyback on a legitimate network (such as, a hacker using an open or insufficiently secured WiFi network.) Nonetheless, tracking down physical location data or subscriber data from a raw IP addresses is the ultimate goal of the investigator.

This is where technology and the law intersect – and not in a good way for either of them. While you can do a traceroute or a WHOIS search in a couple of seconds, in order to get subscriber data from an ISP requires some form of legal process (usually). ISP privacy policies legitimately protect this data, but they generally contain a provision (and one would be implied by law even if it wasn’t in the policy) that the information may be disclosed if there is a “valid legal order.”

In extreme situations (imminent threat to health and safety) the promise of a later subpoena may be sufficient. In the United States, for example, they can also use various legal processes – a grand jury subpoena, a formal investigative demand, an administrative subpoena, a discovery order, a search warrant, a Title III wiretap order, an order issued by the Foreign Intelligence Surveillance Court. Or, as recently revealed in The New York Times, various agencies including the Department of Defense and the Central Intelligence Agency (and of course the FBI) can issue what is called a National Security Letter (NSL) on their own authority to get this information.

A subpoena generally requires very little level of proof that the information demanded is relevant to whatever you are looking for, or may lead to the discovery of relevant information. Most people think that subpoenas are issued by a court or a judge — that you apply for a subpoena to a court, show them that the information is relevant, and then get an order. You see, to issue a subpoena there has to be an investigation authorized by a grand jury: a group of citizens authorized by the court to investigate crimes. To have a lawsuit pending, we have to have a “case or controversy” involving some violation or law or tort, which is capable of being heard in the court in which we have filed suit, which also has jurisdiction over the matter and the people involved.

The legal discovery process, particularly for civil discovery, is slow, unwieldy and ungainly. Just some “John Doe” who did the bad act. Oh yeah – getting wiretap or other orders for discovery related to national security, foreign intelligence and foreign terrorism under the Foreign Intelligence Surveillance Act (FISA.) The Bush administration has long argued that they were lawfully entitled to bypass the super-secret court set up under this law and demand records under what they later dubbed the “Terrorist Surveillance Network” because the FISA law was slow and cumbersome.

Imagine a standing court discovery order from an appropriate court that says the following: if a computer protected by this service is reported stolen, and it finds itself on a strange network, and “pings” home with its IP address, then and only then the owner or the provider of the LoJack services is entitled to an order of discovery from the ISP from which the IP address is associated, permitting discovery of the customer data associated with that IP address. The information may ONLY be used for the purposes of either filing a lawsuit against the perpetrator, or to turn over to law enforcement, or other reasonable purposes.

The court might also appoint a “Special Master” responsible for overseeing the discovery process.

http://www.securityfocus.com/columnists/438?ref=rss

The increasing use of portable devices and WiFi access to company IT resources means that truly personal control of data is a thing of the past. As a result, data on PCs, laptops, PDAs and smartphones – as well as back-up data on the network – needs to be encrypted. It’s now possible to install encryption solutions on most mobile devices.

You can also use authentication technology – tokens, biometrics and smartcards – to create a security system that is stronger than the sum of its parts.

Using a factory reset on your portable device may seem to be the easiest precaution before disposing of the unit, but factory resets are far from permanent, since they only delete the header information to your data. That way, even if a hacker manages to un-delete your portable device’s files, it stays secure, since it is encrypted. Even deleting the data files on the back-up system is not full deletion, as network/PC restore functions can regenerate the back-up files.

The optimum approach to mobile device security is to conduct a risk analysis and, from the results, formulate a best practice set of policies relating to the use of mobile devices across the entire organisation.

Don’t forget the cellular network backups. A growing number of cellular networks now support network-based data back-ups.

Although designed to assist users in the event of a mobile phone loss or theft, the back-up poses a security risk if a third party obtains your network logon details, or if your old mobile number is re-assigned (as most are).

Many mobiles automatically back-up data from the SIM card to the phone, so moving your SIM card can leave contact data behind on the old handset.

Care should be taken when downloading or installing company data on a mobile device – even a mobile phone – as that information could easily fall into the wrong hands.

http://www.it-observer.com/articles/1314/how_safely_dispose_old_mobile_devices/

Low-interaction honeypots find the what, when, and how of an attack: “They are there to capture automated attacks and malware,” and don’t really interact with the attacker, he says.

High-interaction honeynets let the attacker exploit and interact with the machines more actively, thus capturing more details about the attack and attacker.

Not only do they incur overhead for IT — you need staff to manage them and their flow of information — but they are also limited to known vulnerabilities, for instance. “Honeynets are great collecting tools, but unfortunately the majority of the time they don’t provide information on a vulnerability that was not already public. Arbor, like other organizations that dabble in this type of attack analysis, uses a combination of darknets and honeynets to track malicious traffic for its ISP customers in its Atlas service.

“No one knows it’s a honeypot — it looks like an enterprise server.” That’s especially useful when attackers are targeting a specific organization’s IP addresses, he says. If they try to log onto a honeypot, they are doing something outside your corporate policy.” And the insider threat may be the sweet spot for honeynets in the enterprise, where the practice has not had much widespread use due to the overhead associated with the all the data they gather, as well as worries about asking for trouble by putting one up.

He says the Big Brother argument doesn’t fly here: “Corporations are well within their rights to deploy honeynets to secure their own networks and identify anyone doing things outside the corporate policy.”

http://www.darkreading.com/document.asp?doc_id=119081&WT.svl=news1_1

Is it reasonable to assume that an expert at testing Solaris, AIX, and other Unix flavours is also going to be equally as good on Windows? The truth is that most consultants have favourite platforms which they know at a deep level, and are either just competent or even incompetent with other platforms. Just as you wouldn’t use a tractor on a racetrack, or a Ferrari in a field, you wouldn’t put a Unix expert on a windows test, or an Oracle expert on a MSSQL assignment.

Consultants hate report writing The secret is out – consultants hate writing reports. You don’t ‘see’ the assessment – you see the report! The report IS the deliverable Remember, it is the Executive Summary that you will show to your manager, the remediation ad-vice that you will give to your team, and the classified vulnerabilities that your auditor will review.

The Methodology No doubt you’ve read, or at least skimmed through the “Methodology” paper on your suppliers web site, or their glossy brochure. It is designed to demonstrate a deep understanding of the assessment process. A consultant can do an excellent job without following the company methodology, but by not having a structure to work with, there is a good chance the results will be inconsistent at best, and dangerously incomplete at worst. It’s easy to wheel in a star consultant to win the business, but follow through with a trainee.

Finally, remember that companies don’t perform penetration tests, people do. So no matter which company you go to, it always boils down to the person you have working on your account.

http://www.it-observer.com/articles/1308/avoid_wasting_money_penetration_testing/

Organizations that select an MSSP as a security partner should be prepared to integrate the MSSP’s people, processes, and technology with their own to effectively improve their security posture.

Ensuring the long-term success of a security partnership is based on four key areas of focus: trust, operational extension, service reviews, and parallel roadmaps.

Managed security service providers that have earned certification under a widely recognized standard such as BS7799 have demonstrated their expertise in establishing, implementing, and documenting effective information management systems. Another certification, the Statement of Auditing Standard No. 70 (SAS 70) Type II, also provides client organizations assurances regarding specific control objectives that the MSSP has designed to meet customers’ unique needs.

Many companies, particularly financial services and other highly regulated organizations, require credible proof that an MSSP has processes and controls in place to provide a consistent, stable, and secure environment to safely monitor and manage customer data throughout the organization.

This requires an MSSP to have the depth and breadth of expertise to meet an organization’s current security needs.

http://www.it-observer.com/articles/1306/ensuring_successful_partnership_with_your_mssp/

The medical center’s intrusion prevention system (IPS), Web filtering tools, and other security and networking tools, for instance, are already converging, Khousnoudinov says. But that doesn’t mean the NOC and SOC will completely merge.

In fact, security analysts say you need a healthy separation between some duties, especially where security policy implementation and auditing is concerned.

Even Boston Medical, which is ahead of most organizations with its fusion of NOC and SOC duties, still keeps policy and auditing as well as its Windows Active Directory security separate from the overall NOC operation, according to Khousnoudinov. That prevents conflicts of interest or other related problems when, say, security must investigate internal access of the company’s resources, says Nicolett. “The security group in charge of investigations might [have to work on something] that involves privileged users,” he says.

The first place the NOC and SOC are converging is in event monitoring. “But control over what’s monitored and drilling down on this needs to be retained by the security staff,” Nicolett says. So start looking at your redundant call center or trouble-ticket systems, for instance, says Rob Enderle, principal analyst with the Enderle Group.

http://www.darkreading.com/document.asp?doc_id=112583&WT.svl=news1_2