<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>viaForensics&#187;  &#8211; viaForensics</title>
	<atom:link href="http://viaforensics.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://viaforensics.com</link>
	<description>innovative digital forensics, security and e-discovery</description>
	<lastBuildDate>Fri, 03 Sep 2010 20:13:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Five Ways to Stop Mass SQL Injection Attacks &#8211; DarkReading</title>
		<link>http://viaforensics.com/security/five-ways-to-stop-mass-sql-injection-attacks-darkreading.html</link>
		<comments>http://viaforensics.com/security/five-ways-to-stop-mass-sql-injection-attacks-darkreading.html#comments</comments>
		<pubDate>Fri, 03 Sep 2010 20:13:45 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[forensic tools]]></category>
		<category><![CDATA[liveForensics]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2938</guid>
		<description><![CDATA[
			
				
			
		
<p>This article just reiterates the point, once again, that companies need to be more proactive in their security:</p>
<p>A new wave of mass SQL injection attacks seen in mid-August to hit over half a million websites, including parts of Apple&#8217;s site serves as a weighty reminder of the growing prevalence of mass injections and of SQL [...]]]></description>
			<content:encoded><![CDATA[
<p>This article just reiterates the point, once again, that companies need to be more proactive in their security:</p>
<blockquote><p>A new wave of mass SQL injection attacks seen in mid-August to hit over half a million websites, including parts of Apple&#8217;s site serves as a weighty reminder of the growing prevalence of mass injections and of SQL injections in general as a favorite means of hackers to tap into organizations&#8217; infrastructure and data resources.</p>
<p>In light of these attacks, security researchers believe now is as good of a time as any to revisit some best practices necessary to prevent mass SQL injections and mitigate the risks associated with injection attacks. These practices are hardly revolutionary, but it is clear that they aren&#8217;t being implemented as widely as they need to be.</p>
<p>via <a href="http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=227300073&amp;cid=RSSfeed">Five Ways to Stop Mass SQL Injection Attacks &#8211; DarkReading</a>.</p></blockquote>
<p>Our <a href="http://viaforensics.com/services/liveforensics/">liveForensics</a> tool addresses issue #2 outlined in this article: &#8220;<span class="smalltext">Implement filtering and monitoring tools.&#8221; As the article suggests, liveForensics provides monitoring at both the application and database level, helping to mitigate the risk of SQL injection attacks.</span></p>
<p><span class="smalltext">Check out the additional <a href="http://viaforensics.com/services/liveforensics/benefits/">benefits of liveForensics</a>.<br />
</span></p>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/five-ways-to-stop-mass-sql-injection-attacks-darkreading.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vodafone Backs Down In Row With Android Users &#124; eWEEK Europe UK</title>
		<link>http://viaforensics.com/mobile-news/vodafone-backs-down-in-row-with-android-users-eweek-europe-uk.html</link>
		<comments>http://viaforensics.com/mobile-news/vodafone-backs-down-in-row-with-android-users-eweek-europe-uk.html#comments</comments>
		<pubDate>Thu, 02 Sep 2010 18:39:16 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Mobile News]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Android 2.2]]></category>
		<category><![CDATA[smartphones]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2936</guid>
		<description><![CDATA[
			
				
			
		
<p>I am sure people in favor of control over their expensive devices (smart phones and the like) can cite this as a reason users should have a choice:</p>
<p>Vodafone has backed down in the face of angry opposition from Google Android customers, who last week received a software update thinking it contained Android 2.2, [...]]]></description>
			<content:encoded><![CDATA[
<p>I am sure people in favor of control over their expensive devices (smart phones and the like) can cite this as a reason users should have a choice:</p>
<blockquote><p>Vodafone has backed down in the face of angry opposition from Google Android customers, who last week received a software update thinking it contained Android 2.2, but instead found it contained Vodafone’s branded 360 service.</p>
<p>The Vodafone 360 service was launched in October last year. Essentially, Vodafone 360 is a user interface that puts social networking on the front screen of the phone, and arranges the users’ contacts so you can reach any person with a phone call, IM, text or other call &#8211; or send a location message to meet up.</p>
<p>However it also installs irremovable Vodafone-branded apps and bookmarks, including links to dating sites.</p>
<p>via <a href="http://www.eweekeurope.co.uk/news/vodafone-backs-down-in-row-with-angry-android-users-8995">Vodafone Backs Down In Row With Android Users | eWEEK Europe UK</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/mobile-news/vodafone-backs-down-in-row-with-android-users-eweek-europe-uk.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is penetration testing?</title>
		<link>http://viaforensics.com/security/penetration-testing.html</link>
		<comments>http://viaforensics.com/security/penetration-testing.html#comments</comments>
		<pubDate>Wed, 01 Sep 2010 15:30:47 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[viaForensics Articles]]></category>
		<category><![CDATA[forensic tools]]></category>
		<category><![CDATA[pen test]]></category>
		<category><![CDATA[penetration testing]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2911</guid>
		<description><![CDATA[
			
				
			
		
<p>What is penetration testing?
by Lee Haas
</p>
<p>Although still an evolving concept, penetration testing is  becoming more common and more critical for organizations housing  confidential data.</p>
<p>What is penetration testing?
In simple terms, penetration testing is basically a planned attempt to  hack into your system in order to determine any vulnerabilities and  weaknesses. Testers simulate [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>What is penetration testing?</strong><br />
<em>by Lee Haas</em></p>
<p>Although still an evolving concept, penetration testing is  becoming more common and more critical for organizations housing  confidential data.</p>
<p><strong>What is penetration testing?</strong><br />
In simple terms, penetration testing is basically a planned attempt to  hack into your system in order to determine any vulnerabilities and  weaknesses. Testers simulate attacks from malicious sources and evaluate  the effectiveness of your security measures. An assessment report is  presented outlining the findings and, often, recommendations for  improving security are provided.</p>
<p><strong>Who needs it?</strong><br />
Many organizations, such as financial institutions and insurance  companies, are subject to industry regulations requiring proof of due  diligence in regards to securing data. Penetration tests not only  demonstrate due diligence to the regulatory bodies, but also to  consumers and customers, providing a deeper level of trust.</p>
<p>A thorough penetration test will safeguard against hackers or  employee theft, saving the company from potential financial loss. The  assessment also provides a guide for the best allocation of funds and  resources.</p>
<p><strong>How does it work?</strong><br />
A penetration test is an active analysis of your system. An attack is  simulated and testers are able to look for poor system configuration,  flaws in hardware or software and other operational weaknesses. At the  conclusion of the test, an assessment is provided detailing the areas of  potential weaknesses and vulnerability.</p>
<p>The test may detect:</p>
<ul>
<li> Router or firewall penetration</li>
<li> Password guessing / sniffing / cracking</li>
<li> Web application attacks</li>
<li> SQL Injection</li>
<li> Cross-site scripting</li>
<li> Denial of Service (DoS)</li>
<li> Vulnerable port/service exploits</li>
<li> Social Engineering (human-directed) attacks</li>
<li> Password acquisition</li>
<li> Email spoofing</li>
<li> Phishing</li>
<li>Spear phishing</li>
<li> Wireless network attacks</li>
<li> Open or weak WLANs</li>
<li> Hidden or stealth WLANs</li>
<li> Encrypted WLANs authentication/handshake traffic</li>
<li> Wireless traffic</li>
<li> Information leaks</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/penetration-testing.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to find and verify a computer forensic expert</title>
		<link>http://viaforensics.com/computer-forensics/find-verify-computer-forensic-expert.html</link>
		<comments>http://viaforensics.com/computer-forensics/find-verify-computer-forensic-expert.html#comments</comments>
		<pubDate>Tue, 31 Aug 2010 15:26:10 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[viaForensics Articles]]></category>
		<category><![CDATA[computer forensics]]></category>
		<category><![CDATA[forensic tools]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2904</guid>
		<description><![CDATA[
			
				
			
		
<p>How to find and verify a computer forensic expert
by Lee Haas</p>

<p>Computer forensics experts are skilled in various techniques  used to recover and analyze data for use in a legal investigation. They  have the ability to dig deeper and provide more than the average IT  technician. When you are in need of a [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>How to find and verify a computer forensic expert</strong><br />
<em>by Lee Haas</em></p>
<div>
<p>Computer forensics experts are skilled in various techniques  used to recover and analyze data for use in a legal investigation. They  have the ability to dig deeper and provide more than the average IT  technician. When you are in need of a computer forensics expert, it’s  important to know what to look for to ensure that the evidence provided  is admissible in your situation.</p>
<p><strong>What to look for in a computer forensics expert</strong></p>
<p>Unfortunately, anyone with a little IT knowledge can try to pass themselves off as an “expert.” Finding a well-trained or certified computer forensics expert can be critical to ensure that evidence holds up in court, however. Certain states, such as California, have specific requirements and licensing regulations for computer forensics investigators. But in states that don’t, here are a few factors to consider:</p>
<ul>
<li>Experience: Does the expert have any legal or law enforcement  background? What clients has she worked for in the past? Can he provide  references or recommendations?</li>
<li> Court approved: Has the expert previously been accepted by a court as an expert witness?</li>
<li> Training: Has the expert participated in ongoing training and  education? Technology changes fast and experts need to keep up in order  to perform well.</li>
<li> Professional associations: Is the expert a member of any professional  organizations? These groups are a great way to share knowledge.</li>
</ul>
<p><strong>Computer forensics certification</strong></p>
<p>Since there are no set licensing standards for computer forensic experts, professional certification can be an important factor in verifying an individual’s expertise. In fact, some government agencies require certification. Since professional certifications require a certain level of experience, and often require passing an exam, they provide a solid endorsement of the computer forensic expert’s skill. Two well-recognized certifications are the GIAC Certified Forensic Analyst (GCFA) offered by the Global Information Assurance Certification and the Certified Computer Examiner (CCE)® offered by the International Society of Forensic Computer Examiners.</p>
<p><strong>How to locate an expert</strong></p>
<p>Knowing what to look for is one thing, but actually finding an expert can be another challenge. The best way is usually word of mouth. Talk to any attorneys you may be associated with to see if they have recommendations. But luckily, since most of us don’t have everyday dealings with attorneys, there are other resources to turn to. Several professional organizations provide listings of computer forensics experts.</p>
<ul>
<li>High Tech Crime Investigation Association: HTCIA provides an online listing of computer forensic examiners. The list is searchable by geographic location.</li>
<li>International Society of Forensic Computer Examiners: The ISFCE provides an online listing of its Certified Computer Examiners (CCE)®.</li>
<li>Global Information Assurance Certification: The GIAC provides a listing of GIAC Certified Forensic Analysts on its website.</li>
</ul>
<p>Since individuals listed in these resources are either members or have earned certification, they are fairly reliable. However, it’s always a good idea to follow up on references to verify that your expert is accurately represented.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/computer-forensics/find-verify-computer-forensic-expert.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Departing employees and data theft</title>
		<link>http://viaforensics.com/security/departing-employees-data-theft.html</link>
		<comments>http://viaforensics.com/security/departing-employees-data-theft.html#comments</comments>
		<pubDate>Tue, 31 Aug 2010 15:22:29 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[viaForensics Articles]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[e-discovery]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2899</guid>
		<description><![CDATA[
			
				
			
		
<p>Departing employees and data theft 
New techniques shift power back to companies
By Andrew Hoog and the viaForensics team</p>
<p>Gone are the days when employees kept rolodexes on their desks.  According to the How Much Information? study conducted by the University of California Berkeley, 92% of all new information in 2002 was stored electronically.  This percentage appears [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>Departing employees and data theft</strong><br />
<em>New techniques shift power back to companies</em><br />
<em>By Andrew Hoog and the viaForensics team</em></p>
<p>Gone are the days when employees kept rolodexes on their desks.  According to the <em>How Much Information? </em>study conducted by the University of California Berkeley, 92% of all new information in 2002 was stored electronically.  This percentage appears to increase each year with some informal estimates that 97% of all business documents are now created electronically.  While commentators frequently discuss the impact this business shift has on electronic discovery, the implications for departing employee data theft are just as significant but often overlooked.</p>
<p><strong>What is employee data theft?</strong></p>
<p>Electronic documents by their nature are portable, easy to copy and more prone to theft by employees than paper documents.  This fact not only applies to the ease with which electronic documents are stolen, but also to the sheer quantity taken.  In August 2009, DuPont filed a lawsuit against a research scientist for breach of contract and misappropriation of trade secrets for stealing a large number of files.  It was alleged that the research scientist, Hong Meng, stole more than 600 files by copying them to a portable hard drive. After a forensic investigation, over 550 of these files were found on Meng’s home computer.  This was not the first high-profile instance of theft at DuPont; another research scientist was sentenced to an 18-month prison term for stealing proprietary company information valued at $400 million.</p>
<p>Not surprisingly, DuPont is not alone in its woes.  Outlined in a 2009 study conducted by the Ponemon Institute, data theft is rampant in the business world.  The study found that 59% of employees who either quit or are asked to leave take confidential or sensitive business information upon their departure.  Done without the employer’s permission, this confidential electronic information has the potential to be saved in multiple locations beyond the employer’s control and on devices unknown to the employer.</p>
<p>The reasons an employee takes confidential company information vary from being benign and misguided to intentional for the purposes of personal gain.  The Ponemon Institute study found that over 50% of departing employees claimed that one reason they took employer data was their perception that “everyone else did it when they left.”  This statistic alone underscores the importance and impact of a policy regarding the company’s confidential data that is well thought out, documented, communicated and enforced.</p>
<p>Other reasons cited in the report include the potential usefulness of the data in the future (53%), the employees’ sense of ownership around what they helped to create (52%), and their belief that the company cannot trace the theft back to them (49%), while only 13% state the theft was an accident.</p>
<p><strong>What kinds of confidential data do employees take?</strong></p>
<p>An employee may steal valuable trade secret information as seen at DuPont.  However, not every business has these types of trade secrets.  The type of information an employee is most likely to steal is the information needed to do his or her specific job, usually information that is readily available to them.  To maintain a competitive advantage, the electronic information an employee uses every day must be protected.  Every day, employees have access to a wide variety of electronic information which ranges from important (email lists and non-financial business information), to confidential (customer information), to private (employee records), through the most sensitive and potentially damaging data: financial records, databases with enormous company history, trade secrets and intellectual property.</p>
<p>When the employee is in IT or security, the access to confidential data is even greater.  According to a 2008 study by Cyber-Ark Software, almost 90% of IT employees indicated they would take sensitive company data if they were laid off.  The types of data itemized in the report include passwords, customer information, intellectual property from Research and Development (R&amp;D), financial and other strategic plans for the company.</p>
<p><strong>How do employees take confidential data?</strong></p>
<p>Technology affords many methods for an employee to take data electronically from a company.  In the past, the most common method was to write the files to a CD or DVD, but a growing trend involves copying files to a portable USB storage device.   USB devices are easily concealed, ready to use and can hold vast amounts of data.</p>
<p><em>Smart phones</em></p>
<p>Surprisingly, most companies do not address the danger of stealing electronic information through smart phones which include the BlackBerry, iPhone and the emerging Android phones.  These devices often have enormous storage capacity (the most recent iPhone is capable of storing 32GB of data) and are easily connected to the corporate email system.  They can also access WiFi wireless networks for high transfer speeds and even have the ability to connect to a company’s private network.  The combination of storage, data access and ubiquity make a mobile communication device an ideal method of stealing data.</p>
<p><em>Email</em></p>
<p>Email is also another efficient way to take confidential data.  Most email services provide users with a website for email access and a generous storage quota.  With IT budgets constrained and limited spending available for security, personal emails generally flow unfettered through the enterprise.  Employees can easily email large amounts of data to personal accounts and then access it from anywhere in the world. While this is convenient to an employee, it can be very dangerous to the employer.  By using a personal email account, the employee not only circumvents the corporate email system but the account is beyond the control and scope of corporate investigations and most legal instruments.</p>
<p><em>Messenger Services</em></p>
<p>There are also many less common approaches to stealing data that are just as damaging as those mentioned so far.  These include websites focused on the sharing of data (for example, yousendit.com), Instant Messenger services (such as Yahoo, AIM, MSN, Google Talk), the venerable FTP (File Transfer Protocol), software which allows complete copies of hard drives and very sophisticated techniques which create encrypted tunnels for transferring data.  Suffice to say, it is impossible for a company to completely prevent data loss.  According to the U.S. Homeland Security Department, in 2008 there were 5,499 known breaches of U.S. government computers.</p>
<p>All of the methods described above cover intentional data theft by employees.  However, an employee may also inadvertently expose confidential data by installing software onto his or her computer.  Over half of all respondents to the Ponemon Institute’s survey admitted to downloading personal internet software to their company computers.  Many of these programs contain a trojan horse or other malware which seeks out confidential data and copies it to data caches on the Internet for retrieval by unauthorized individuals.</p>
<p>Furthermore, company secrets can be leaked through social networking sites. Today, secrets can be leaked through status updates on these sites, where ‘updating your status’ is a common phrase.  Both current and departing employees can inadvertently leak company information by disclosing their current ‘status’ or updating online profiles. For example, a recent Microsoft development was leaked to the public through an online posting on LinkedIn.com.</p>
<p><strong>What can you do to protect your clients?</strong></p>
<p>Clients need to protect themselves not only before a data theft has occurred but definitely after such an event.  Clients frequently do not understand that failing to take preventive measures may preclude an effective response to the data theft.</p>
<p>Before a theft occurs, you should offer your client advice on appropriate IT policies and technology necessary to protect their valuable data.  If a theft has already occurred, legal counsel can provide advice on how to investigate the theft and what legal remedies may exist, such as litigation.</p>
<p><em>Policy</em></p>
<p>The first protection an employer should have in place is a thorough and well-communicated set of company policies and procedures.  Two policies and one procedure in particular are essential to the protection of company confidential data: (1) Acceptable Use Policy, (2) Data Classification and Retention Policy and (3) New and Departing Employee Procedures.</p>
<p>The Acceptable Use Policy is a comprehensive policy governing the use of all company assets and in particular should include safeguards to prevent the theft of confidential data, as well as general policies limiting the copying of information and use of computer hardware or software which puts company data at risk.  Keep in mind that developing an effective policy may require trading employee convenience for data security.  The assessment of these issues will involve difficult decisions that each company must make after weighing the benefits versus the consequences.</p>
<p>The goals of the Data Classification and Retention Policy are to identify all types of data created within a company and the amount of time it should be retained.  While this may seem obvious, the process needed to develop an effective policy is arduous, demands participation from numerous departments throughout an organization and an attention to detail.  After classifying the various data within a company, other policies can specifically address the data types and how to control and protect them.  This policy is also instrumental in developing an effective e-discovery strategy.</p>
<p>Finally, direction must be provided to the Information Technology department to ensure that an employee’s computer equipment is properly handled, starting from the initial setup through the eventual decommissioning of the system.  Without specific procedures, it is extremely difficult to use the results of a computer investigation in a legal proceeding since most IT departments will significantly modify an employee’s computer once they have departed.</p>
<p><em>Technology</em></p>
<p>Even with a thorough set of policies and procedures in place, it is impossible to prevent an employee from stealing confidential data. The next important step in prevention is to deploy effective technical solutions to protect your data.  In many companies, a few minor changes to the IT system can yield significant results.</p>
<p>One important change is to remove employees from the Administrator group on their computer.  This prevents them from installing any software or hardware.  Also, companies should not allow employees to create CDs/DVDs or copy data to USB drives unless there is a business need.  In some instances, only the IT department should have the authorization to make or create such data.</p>
<p>Many companies eliminate attaching a printer to a single computer.  This not only prevents theft of confidential data (by printing) but also allows for improved print management.  Companies should also consider deploying a device which can monitor and block websites that are malicious, in violation of the Acceptable Use Policy, not required to operate the business or allow easy transmission of data.</p>
<p>Finally, companies should implement a centralized logging device.  This device will receive all of a company’s log files for aggregation and allows a single view of what is happening throughout the organization.  In addition, it can provide critical information as to whether or not your system was compromised by outside entities.</p>
<p><strong>Getting help via forensics (computer and mobile)</strong></p>
<p>While policies and technology will prevent casual data theft, determined employees will still steal data.  If this occurs, protect your company by proving two things: that the departed employee took information without your permission and that the stolen information caused harm.  This is where computer forensics is important.  Companies must first have documentation of the theft by proving that the theft originated from their systems.  Computer forensics experts can find and document instances of an employee’s improper conduct using specialized software, hardware and techniques.</p>
<p>Computer forensics experts can determine if an employee connected a device such as a removable USB storage device or if a CD was created which contained confidential data.  A true expert can even identify the make, model and serial number of the removable storage device, when it was first connected and the last time it was used.  They can also identify which data was deleted and often times can even recover the information.  Printing a document also leaves a trail which can be uncovered and can provide key information about the theft itself.  Frequently, websites visited by an employee will bring context to the theft or even constitute direct evidence.</p>
<p>An emerging discipline is mobile forensics, which targets smart phones such as an iPhone, Blackberry or Android phone.  Since these devices contain information which can provide significant insight into what an employee was doing leading up to the theft of data, they might also provide direct evidence of the theft.  As an example, a forensics investigation of an Apple iPhone will generally result in the recovery of 50,000 – 60,000 files, most of which the employee never realized existed or thought they had deleted.  For the iPhone, the files recovered include all voicemails that were ever left on the phone, all emails ever sent or received, and data users often believe is deleted but can be recovered &#8211; including text messages, contacts, call logs and pictures.  The blending of modern smart phones with GPS technology can also pinpoint a departing employee’s location at a particular date and time.  Of course, many privacy implications exist and should be thoroughly vetted, but lawyers should be aware of the data available if a company employs the services of a qualified computer/mobile forensics expert.</p>
<p>Information gathered during a forensic investigation can provide crucial evidence which enables the employer to seek legal redress for an employee’s data theft.  Remedies can include monetary damages or an injunction.  Unfortunately, many employers do not realize an employee has taken confidential information until weeks or months have passed. If the former employee’s computer is redeployed or altered by the company, the value of the evidence uncovered is severely diminished.</p>
<p>Whether to preserve forensically a departing employee’s computer is a business decision that must be considered in light of the employee’s access to confidential data.  One cost-effective precaution is to make a forensics copy of the hard drive or mobile device.  Should suspicions arise in the future concerning theft of confidential information (or a number of other potential matters), the results of a forensic examination conducted on the hard drive “mirror” will be as valid as if the original hard drive had been preserved and examined.</p>
<p><strong>Legal remedies</strong></p>
<p>Once a breach of security has been detected, the remedies available to the former employer are limited. The Computer Fraud and Abuse Act (CFAA) has limited application to stolen confidential electronic information. This statute authorizes losses to be recovered in a civil action.  However, “losses” are defined as loss or damage suffered by computer systems.  In other words, losses of revenue or unfair competition are not recoverable under the statute.  The most widely used legal remedy in a case of stolen electronic information is an injunction followed by a claim for damages based on misappropriation of trade secrets. However, to support this claim of theft, evidence of actual damages must be shown.</p>
<p>An example of an injunctive order that was issued and upheld on a motion to dismiss was the one against Frank Ringo in Dental Health Products, Inc. v. Ringo.  Ringo was accused of stealing confidential information from his employer.  He had been issued a laptop by his employer which allowed him to access highly confidential information about customers, business practices, negotiating strategies, and sales reports. In July 2008, Ringo’s employer noticed that his sales were declining and Ringo submitted his resignation soon after.  That same month, his employer learned that Ringo was associated with a direct competitor.</p>
<p>Upon the return of Ringo’s laptop to the employer, computer forensics revealed that Ringo had installed and used special software (Norton Ghost) to copy the entire hard drive onto an external hard drive on multiple occasions.  From the evidence produced to the court on the motion to dismiss, there were not enough facts to base the injunctive relief on a violation of CFAA because ‘loss’ to the computer system must be shown.  However, the court denied the motion to dismiss because it found that the plaintiff had presented a case sufficient to find that Ringo misappropriated trade secrets of his employer.</p>
<p><strong>Conclusion</strong></p>
<p>With the percentage of business documents being created and stored digitally approaching 100%, the most important assets of a company are easier than ever to steal. And with nearly 60% of departing employees admitting to such theft, companies must find more effective ways to protect their assets.  Since litigation is expensive, time consuming and may not yield the desired results, the best strategies to prevent or minimize loss include:  (1) development of a comprehensive set of policies and procedures, (2) deployment and verification of IT security controls, (3) proactively leveraging the power of computer and mobile forensics and, if necessary, (4) seeking legal redress.</p>
<p>Growing awareness that a company takes serious steps to protect digital assets can significantly reduce casual theft by employees.  With proper policies and procedures in place, the theft of data requires an intent to profit that is easily proved.  In such a case, a company which leverages computer and mobile forensics has the means to identify and document the theft to provide a sound basis for seeking legal redress, as did DuPont.  The result is a company which operates more efficiently, proactively reduces theft, and has all available means to address thefts which do inevitably occur.</p>
<p>References:</p>
<p><a href="http://www2.sims.berkeley.edu/research/projects/how-much-info-2003/execsum.htm#summary">http://www2.sims.berkeley.edu/research/projects/how-much-info-2003/execsum.htm#summary</a></p>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/security/departing-employees-data-theft.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Harald Welte&#8217;s blog</title>
		<link>http://viaforensics.com/mobile-news/harald-weltes-blog.html</link>
		<comments>http://viaforensics.com/mobile-news/harald-weltes-blog.html#comments</comments>
		<pubDate>Tue, 31 Aug 2010 02:25:15 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Mobile News]]></category>
		<category><![CDATA[smart phones]]></category>
		<category><![CDATA[smartphones]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2896</guid>
		<description><![CDATA[
			
				
			
		
<p>Interesting technical development&#8230;</p>
<p>As Dieter Spaar has pointed out in a mailing list post on the OsmocomBB developer list, he has managed to get a first alpha version of TCH Traffic Channel code released, supporting the FR and EFR GSM codecs.</p>
<p>What this means in human readable language: He can actually make voice calls from a mobile [...]]]></description>
			<content:encoded><![CDATA[
<p>Interesting technical development&#8230;</p>
<blockquote><p>As Dieter Spaar has pointed out in a mailing list post on the OsmocomBB developer list, he has managed to get a first alpha version of TCH Traffic Channel code released, supporting the FR and EFR GSM codecs.</p>
<p>What this means in human readable language: He can actually make voice calls from a mobile phone that runs the Free Software OsmocomBB GSM stack on its baseband processor. This is a major milestone in the history of our project. While Dieter has been working on the Layer1 TCH support and the setup of the voiceband path in the analog baseband chip audio ADC/DAC, Andreas Eversberg has been quietly working on getting call control of Layer3 into a state where it can do all the signalling required for mobile-originated and mobile-terminated call.</p>
<p>Combining both of their work together, they have been able to make a 20 minute long voice call from a baseband processor running a Free Software GSM stack. For all we know, it is the first time anything remotely like this has been done using community-developed Free Software. Five years ago I would have thought it&#8217;s impossible to pull this off with a small team of volunteers. I&#8217;m very happy to see that I was wrong, and we actually could do it. With less than half a dozen of developers, in less than nine months of unpaid, spare-time work.</p>
<p>Sure, the next weeks and months will be spent on bringing the code from alpha level to something more stable, fixing known issues and known bugs, etc. But I&#8217;m confident the biggest part of the work on the OsmocomBB stack is behind us. Big thanks to the developer team driving this project forward.</p>
<p>via <a href="http://laforge.gnumonks.org/weblog/2010/08/14/#20100814-dieter_tch_voice_call">Harald Welte&#8217;s blog</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/mobile-news/harald-weltes-blog.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Howto setup headless VirtualBox BackTrack 4 in Ubuntu 10.04</title>
		<link>http://viaforensics.com/computer-forensics/howto-setup-headless-virtualbox-backtrack4-ubuntu-1004.html</link>
		<comments>http://viaforensics.com/computer-forensics/howto-setup-headless-virtualbox-backtrack4-ubuntu-1004.html#comments</comments>
		<pubDate>Wed, 25 Aug 2010 21:59:27 +0000</pubDate>
		<dc:creator>ahoog</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[howto]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2851</guid>
		<description><![CDATA[
			
				
			
		
<p>A few months ago, we wrote up directions for setting up a headless VirtualBox in Ubuntu 10.04.  Of course, we use VBox all the time and a few weeks ago set up a fresh install of BackTrack 4.  Since a lot of folks have read our previous HOWTO, I thought we&#8217;d just give a [...]]]></description>
			<content:encoded><![CDATA[
<p>A few months ago, we wrote up directions for <a title="Howto setup headless VirtualBox in Ubuntu 10.04" href="http://viaforensics.com/computer-forensics/howto-setup-headless-virtualbox-ubuntu-1004.html">setting up a headless VirtualBox in Ubuntu 10.04</a>.  Of course, we use VBox all the time and a few weeks ago set up a fresh install of BackTrack 4.  Since a lot of folks have read our previous HOWTO, I thought we&#8217;d just give a quick copy of the commands we wrote.  Refer to the previous article for more explanation.</p>
<ol>
<li>VBoxManage createvm --name BT4 --ostype Ubuntu --register</li>
<li>VBoxManage modifyvm BT4 --memory 2048 --acpi on --boot1 dvd --nic1 bridged --usb on --usbehci on --vrdp on --vrdpport 3399 --clipboard bidirectional --pae on --hwvirtex on --hwvirtexexcl on --vtxvpid on --nestedpaging on --largepages on</li>
<li>VBoxManage modifyvm BT4 --bridgeadapter1 eth0</li>
<li>VBoxManage storagectl BT4 --name "IDE Controller" --add ide</li>
<li>VBoxManage createvdi -filename "/opt/vbox/HardDisks/BT4.vdi" -size 20000 -register</li>
<li>VBoxManage storageattach BT4 --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium /opt/vbox/HardDisks/BT4.vdi</li>
<li>VBoxManage storageattach BT4 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium /home/teull/Downloads/bt4-final.iso</li>
<li>VBoxHeadless -startvm BT4 -p 3390 &amp;</li>
</ol>
<p>Then connect, run the first option, type startx at the # prompt and then run the installer.  After it completes, shut down the OS, then eject the DVD:</p>
<ul>
<li>VBoxManage storageattach BT4 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium none</li>
</ul>
<p>Start VM again:</p>
<ul>
<li>VBoxHeadless -startvm BT4 -p 3390 &amp;</li>
</ul>
<p>And it&#8217;s now happy penTesting time!</p>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/computer-forensics/howto-setup-headless-virtualbox-backtrack4-ubuntu-1004.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hiding files in Flickr pics will fool web censors &#8211; tech &#8211; 09 August 2010 &#8211; New Scientist</title>
		<link>http://viaforensics.com/computer-forensics/hiding-files-in-flickr-pics-will-fool-web-censors-tech-09-august-2010-new-scientist.html</link>
		<comments>http://viaforensics.com/computer-forensics/hiding-files-in-flickr-pics-will-fool-web-censors-tech-09-august-2010-new-scientist.html#comments</comments>
		<pubDate>Tue, 24 Aug 2010 19:43:55 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Electronic Discovery]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2848</guid>
		<description><![CDATA[
			
				
			
		
<p>Good news for opponents of censorship. But embedding data in sites such as Flickr could  also make it challenging for forensics.</p>
<p>Life is about to become more difficult for countries trying to censor access to foreign websites. A system dubbed Collage will allow users in these countries to download stories from blocked sites while visiting [...]]]></description>
			<content:encoded><![CDATA[
<p>Good news for opponents of censorship. But embedding data in sites such as Flickr could  also make it challenging for forensics.</p>
<blockquote><p>Life is about to become more difficult for countries trying to censor access to foreign websites. A system dubbed Collage will allow users in these countries to download stories from blocked sites while visiting seemingly uncontroversial sites such as Flickr.</p>
<p>Collage relies on a well-established technique known as digital steganography, in which an image file is changed to encode the hidden message without obviously affecting the appearance of the image. A prototype version is due to be unveiled on Friday, 13 August.</p>
<p>via <a href="http://www.newscientist.com/article/dn19284-hiding-files-in-flickr-pics-will-fool-web-censors.html">Hiding files in Flickr pics will fool web censors &#8211; tech &#8211; 09 August 2010 &#8211; New Scientist</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/computer-forensics/hiding-files-in-flickr-pics-will-fool-web-censors-tech-09-august-2010-new-scientist.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple&#8217;s recent &#8220;security&#8221; patent</title>
		<link>http://viaforensics.com/mobile-news/apples-recent-security-patent.html</link>
		<comments>http://viaforensics.com/mobile-news/apples-recent-security-patent.html#comments</comments>
		<pubDate>Mon, 23 Aug 2010 19:07:54 +0000</pubDate>
		<dc:creator>ahoog</dc:creator>
				<category><![CDATA[Mobile News]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2825</guid>
		<description><![CDATA[
			
				
			
		
<p>Just read the summary of a recent patent by Apple for additional security measures they, I presume, are building into iOS.  Here&#8217;s one excerpt:</p>
<p>A photo or voice recording of the current user, or the current user&#8217;s heartbeat pattern can be compared to the photo, voice, or heartbeat pattern of the authorized user</p>
<p>via Five Ways the [...]]]></description>
			<content:encoded><![CDATA[
<p>Just read the summary of a recent patent by Apple for additional security measures they, I presume, are building into iOS.  Here&#8217;s one excerpt:</p>
<blockquote><p>A photo or voice recording of the current user, or the current user&#8217;s heartbeat pattern can be compared to the photo, voice, or heartbeat pattern of the authorized user</p>
<p>via <a href="http://www.pcworld.com/businesscenter/article/203900/five_ways_the_apple_patent_will_improve_iphone_and_ipad_security.html?tk=hp_pop">Five Ways the Apple Patent Will Improve iPhone and iPad Security &#8211; PCWorld Business Center</a>.</p></blockquote>
<p>Does anyone else find this a frightening development?  Do you want Apple or your employer to know your heartbeat or voice pattern?  And have the ability to pull &#8220;forensic data&#8221; at will.  This sounds like a rootkit built especially for Apple, your employer or really anybody that wants to know everything about you (including if you had 1 too many coffees).</p>
<p>As mobile forensic experts, we can recover <strong>some</strong> of this information (the heartbeat thing is beyond our reach) but there are many controls in place.  For criminal matters, there&#8217;s that whole search warrant thing.  For personal/civil, people have to own the phone, have it in their physical possession, sign a 7 page contract and then send us the phone.</p>
<p>Would you want Ford or your employer to track everywhere your car goes, just in case it gets stolen?  For the people cheering the improved security, I hope you think it through a bit more.</p>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/mobile-news/apples-recent-security-patent.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beyond Reactive: Leverage Forensics to Increase Security and Auditability &#8211; Event Summary &#124; Online Registration by Cvent</title>
		<link>http://viaforensics.com/computer-forensics/beyond-reactive-leverage-forensics-to-increase-security-and-auditability-event-summary-online-registration-by-cvent.html</link>
		<comments>http://viaforensics.com/computer-forensics/beyond-reactive-leverage-forensics-to-increase-security-and-auditability-event-summary-online-registration-by-cvent.html#comments</comments>
		<pubDate>Mon, 23 Aug 2010 13:28:45 +0000</pubDate>
		<dc:creator>lhaas</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Press Releases]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://viaforensics.com/?p=2823</guid>
		<description><![CDATA[
			
				
			
		
<p>The St. Louis chapter of ISACA will present on proactive forensics during its 2010-2011 kick-off meeting on September 15th. Click below for details.</p>
<p>Beyond Reactive: Leverage Forensics to Increase Security and Auditability:</p>
<p>As network environments get larger, faster, and more complex, they become more difficult to secure. With numerous applications, users, and systems interacting, and a staggering [...]]]></description>
			<content:encoded><![CDATA[
<p>The <a href="http://www.isaca-stlouis.org/">St. Louis</a> chapter of <a href="https://www.isaca.org/Pages/default.aspx">ISACA</a> will present on proactive forensics during its 2010-2011 kick-off meeting on September 15th. Click below for details.</p>
<blockquote><p>Beyond Reactive: Leverage Forensics to Increase Security and Auditability:</p>
<p>As network environments get larger, faster, and more complex, they become more difficult to secure. With numerous applications, users, and systems interacting, and a staggering array of increasingly complex threats, the number of events to monitor can be overwhelming.</p>
<p>Traditional IT security has largely failed to protect corporations, government and individuals. Typical firewall/anti-virus combinations are reactive and frequently circumvented, and provide little mitigation in the case of data breaches. The problem is apparent with numerous high-profile breaches getting headlines in the last several years DoD, PCI, HIPAA.</p>
<p>This session will focus on the use of proactive forensics and how an organization can audit live systems in real time. Proactive forensics provides advanced capabilities to protect internal &amp; external systems at a very low level and is undetectable to attackers. Benefits discussed will include</p>
<p>• file system monitoring</p>
<p>• live memory capture</p>
<p>• user activity monitoring</p>
<p>• application-aware event monitoring, and</p>
<p>• malware detection</p>
<p>Additionally, we will discuss how this information can be combined with automated differential reporting and how to develop a user-friendly dashboard.</p>
<p>via <a href="http://guest.cvent.com/EVENTS/Info/Summary.aspx?i=602d74d5-615a-4cc5-bf45-903e402126c2">Beyond Reactive: Leverage Forensics to Increase Security and Auditability &#8211; Event Summary | Online Registration by Cvent</a>.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://viaforensics.com/computer-forensics/beyond-reactive-leverage-forensics-to-increase-security-and-auditability-event-summary-online-registration-by-cvent.html/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
