Forensically capturing a conventional disk is straightforward: power down the system, attach the drive to a portable forensic unit using a protective write-blocking device, and then capture the device bit-for-bit. Since the drive is protected by a write blocking device, the drive is presumed completely intact. Non-conventional mass storage devices (e.g., “solid-state disks,” hereafter “SSD”) implement features that invalidate the presumptive efficacy of write-blockers. This has implications in both the government and corporate worlds.

From a programming and management perspective, SSDs often appear as nothing more than very high performance plug compatible replacements for conventional disk drives. Disk drives however use magnetic recording technologies. Writing an updated record takes the same amount of time as writing the original record to previously unoccupied space. Erasing newly freed space requires the appropriate number of write operations, a significant performance penalty. For this reason, such security erase is almost always a settable parameter. The default setting is almost always off.

SSDs are different. Writing a virgin cell merely requires a write cycle. Rewriting a cell requires two cycles: an erase cycle and a write cycle. The erase cycle is governed by the physics, and takes time. Performance is improved by “pre-clearing” no longer needed cells (e.g., free space on the disk) during otherwise unused device cycles. This is the opposite of the case with magnetic storage. Since there are negligible positioning delays with SSD, pre-clearing is a performance issue. There are two approaches in use: an operating system-based implementation; and a controller based implementation invisible to the operating system. The hardware-based autonomous implementation is of interest to the forensics community.

Some SSD devices take the novel approach of mining the on-device file structure (e.g., Window's NTFS) for data about which areas of storage contain live data and which areas are slack space awaiting reassignment. The device controller “knows” that the first operation to these areas from the host operating system will be a write; thus it is safe to preemptively erase these areas in preparation. This is a substantial performance improvement and takes place on a controller-determined schedule. There is no intervention required on the part of the host computer to activate this activity. Thus, on a volume with a controller-recognized file structure (e.g., NTFS), a write-blocking device is only effective to the extent of protecting areas declared as currently in use.

A recent paper from Graeme Bell and Richard Boddington of Murdoch University in Perth, Solid State Drives: The Beginning of the End for Current Practices of Digital Forensic Recovery?,^[1] documented several consequences of this implementation approach with respect to standard best practices for digital forensic acquisitions. In short, the autonomous pre-clearing function rendered free space unrecoverable on short order from the time that the drive was powered-on.

The classic advice given to forensic investigators has been that a “quick format” operation is an ineffective technique for scrubbing data because the actual information could always be recovered.^[2] For autonomous SSD devices with knowledge of NTFS, this presumption seems to be extremely questionable.

Documentation for the autonomous erase functionality is not readily available. However, it would logically seem to be limited to standard NTFS volumes on standard partitions. It does not seem applicable to devices used in RAID arrays or to volumes created using whole disk encryption (e.g., TrueCrypt). In those cases, it is difficult to see how the device controller, which is not privy to either the complete picture (e.g., RAID) or a cleartext copy of the data (e.g., TrueCrypt), could determine the necessary information. As noted by Bell and Boddington, the automatic nature of the resetting function on space determined by the controller to be unallocated has several implications for standard forensics procedures:

• data in unallocated space will quickly disappear on such a device (Quick format will actually cause the drive contents to be erased on short order)
• the data recorded by a forensic acquisition with a write-blocker will be inconsistent with a subsequent acquisition until the reset process has completed. The cryptographic checksums (e.g., MD-5, SHA-1) generated on successive acquisitions will thus be inconsistent.

The paper goes on to note that conventional interpretations of scrubbed drives are almost always in the negative (e.g., “deliberate erasure,” “destruction of evidence”). Since there are a number of legitimate reasons for quick formats and file deletes, the potential for erroneous interpretation is significant.

Going further, there is cause for concern beyond the forensics community. Systems managers are well aware that errors in file system tables are not uncommon, nor have they been unrecoverable. In this case, we have an autonomous actor (e.g., the SSD) interpreting the file structure. An error in file system structures is now an automatic short-term erase order for the affected data.

There is also a long history of coordination difficulties with file systems accessed from two uncoordinated systems. There is significant potential for file system and data corruption in these situations. In the past, this has primarily occurred with the file structures themselves. In particular, there are often problems with free space management and multiple allocated blocks. Autonomous erasure of deduced dead information would seem to be a previously un-encountered risk.

Corporate IT departments should be particularly concerned. What was a previously a simple matter of running a recovery utility against a disk with corrupted structures may now involve multiple actors, all of which are operating with no mechanisms for synchronization. This is a matter for concern, since the possible risks may invalidate previously sound operating procedures, leading to data loss.

Notes

References

Reproduced from Dangerous Assumptions: Solid-State Disk Behavior Underlying Digital Forensics an entry in Ruminations -- An IT Blog by Robert Gezelter. Copyright (c) 2011, Robert Gezelter. Unlimited Reproduction permitted with attribution.

Nowadays WikiLeaks is a hot story for a good reason – it is not very common for confidential documents of the world’s most powerful government to be published on the Internet. And some of these documents are, to put it mildly, embarrassing.

Here I am not going to write about whether it was legal for WikiLeaks to publish such information or not, whether the information should have been made public because of the public interest or not, what is going to happen to its founder (at the time of writing this article Julian Assange was in custody) etc.

The problem is – if WikiLeaks is going to be shut down, a new WikiLeaks will appear. In other words, the threat of leaking information to the public is constantly increasing. (By the way, before he was jailed, Julian Assange had announced he would publish incriminating information about a major U.S. bank and its malpractice.)

I want to touch here on the corporate point of view – what if we are the next target of WikiLeaks or its clone? How to ensure the security of our information and prevent the damage of such a large incident?

Simple example

But how does information security look like in practice? Let’s take a simple example – for instance, you leave your laptop frequently in your car, on the back seat. Chances are, sooner or later it will get stolen.

What can you do to decrease that risk? First of all, you can make a rule (by writing a procedure or a policy) that laptops cannot be left in a car unattended, or that you have to park a car where some kind of physical protection exists. Second, you can protect your information by setting a strong password and encrypting your data. Further, you can require your employees to sign a statement by which they are legally responsible for the damage that may occur. But all these measures may remain ineffective if you didn’t explain the rules to your employees through a short training.

So what can you conclude from this example? Information security is never a single security measure, it is always more of them together. And the measures are not only IT-related, but also involve organizational issues, human resources management, physical security and legal protection.

The problem is – this was an example of a single laptop, with no insider threat. Now consider how complex it is to protect the information in your company, where the information is archived not only on your PCs, but also on various servers; not only in your desk drawers but also on all your mobile phones; not only on USB memory sticks but also in the heads of all employees. And you may have a very disgruntled employee.

Seems like an impossible task? Difficult – yes, but not impossible.

How to approach it

What you need to solve this complex problem is a framework. The good news is that such frameworks already exist in the form of standards – mostly widespread is ISO 27001, the leading international standard for information security management, but there are also others – COBIT, NIST SP 800 series, PCI DSS etc.

I’m going to focus here on ISO 27001 – I think it gives you good ground for building the information security system because it offers a catalogue of 133 security controls, and offers flexibility to apply only those controls that are really needed in relation to risks. But its best feature is that it defines a management framework for controlling and directing the security issues, therefore achieving that security management becomes a part of the overall management in an organization.

In short – this standard enables you to take into account all the information in various forms, all the risks, and gives you a path to carefully resolve each potential problem and keep your information safe.

Consequences for business

So, should the corporations be afraid that their information will leak to the public? If they are doing something illegal or unethical, they certainly should.

However, for companies operating legally, if they want to protect their business, they cannot think only in terms of return on investment, market share, core competence, and long term vision. Their strategy must also take into account the security issues, since having insecure information can cost them much more than for example a failed launch of a new product. By security I mean not only physical security because it is simply not enough anymore – the technology makes it possible for information to leak through various means.

What is needed is a comprehensive approach to information security – it doesn’t matter whether you use ISO 27001, COBIT or some other framework, as long as you do it systematically. And it is not a one-time effort, it is a continuous operation. And yes – it is not something your IT guys can do alone – it is something the whole company has to participate in, starting from the executive board.

Cross posted from ISO 27001 & BS 25999 blog - http://blog.iso27001standard.com

Applications on mobile phones are all the rage. I spend more time on my apps than I do making calls. That time spent is often with those I connect with on social media.

Twitter and Facebook are the major players in social media and applications for them are a plenty.

TweetDeck

FREE. TweetDeck is your mobile browser for staying in touch with what’s happening now on Twitter from your iPhone or iPod Touch. TweetDeck shows you everything you want to see at once, so you can stay organized and up to date no matter where you are.

Create groups, search Twitter, manage multiple accounts and easily post your tweets or share photos, link and much more. Plus sync your existing TweetDeck columns between your desktop and iPhone. Nice and easy.

Twitpic Poster

FREE. This is a simple app for sharing pictures on Twitter using Twitpic service.
It’s super easy, all is done in 3 taps:
1. Select an image or take a picture
2. Upload to Twitpic
3. Enter Twitter message

You can also just take a picture and email it to your Twitpic address, but I find the Twitpic Poster easier and less cumbersome.

Seesmic

FREE. Do you have multiple social media accounts? More than one Twitter? Facebook? MySpace?  Seesmic for iPhone lets you update and view multiple social networks in an efficient and powerful application. Manage multiple Twitter accounts, your Facebook account, a Ping.fm account and organize all your accounts, searches, trending topics and lists in your customizable dashboard.

Facebook

FREE. Facebook for iPhone makes it easy to stay connected and share information with friends. Use your iPhone to start a conversation with Facebook Chat, check your friends’ latest photos and status updates, look up a phone number, or upload your own mobile photos to Facebook while on the go.

PingChat

FREE. PingChat! is the ultimate way to communicate with all of your friends, whether they use an iDevice, Android or BlackBerry. PingChat! provides free, unlimited, cross-platform, smartphone-to-smartphone messaging, with real-time conversations, group chat, media sharing, and much more. Simply create a Ping! ID, share your ID with all your friends, and start Pinging!

You won’t need to pay your carrier for text messaging. Wi-Fi or your current data plan is all it takes to send messages. Some apps offer free texting, but are exclusive to the U.S, or support few other carriers.

Send photos, videos, voice notes, contacts and map locations seamlessly directly in your conversations.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

There are good and bad hackers. Here is a window into what they do and why:

White Hat Hackers: These are the good guys, computer security experts who specialize in penetration testing and other methodologies to ensure that a company’s information systems are secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle hackers.

Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers. The term is often used specifically for hackers who break into networks or computers, or create computer viruses. Black hat hackers continue to technologically outpace white hats. They often manage to find the path of least resistance, whether due to human error or laziness, or with a new type of attack. Hacking purists often use the term “crackers” to refer to black hat hackers. Black hats’ motivation is generally to get paid.

Script Kiddies: This is a derogatory term for black hat hackers who use borrowed programs to attack networks and deface websites in an attempt to make names for themselves.

Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment.

State Sponsored Hackers: Governments around the globe realize that it serves their military objectives to be well positioned online. The saying used to be, “He who controls the seas controls the world,” and then it was, “He who controls the air controls the world.” Now it’s all about controlling cyberspace. State sponsored hackers have limitless time and funding to target civilians, corporations, and governments.

Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use similar tactics as hacktivists, but their only agenda is to serve their client’s goals and get paid.

Cyber Terrorists: These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber Terrorists ultimate motivation is to spread fear, terror and commit murder.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing another databreach on Good Morning America. (Disclosures)

We hear a lot of talk about needing good information security processes, but why are they so important? Well, besides being the basis for a strong security program and compliance with regulatory guidance, they also represent the best way to get consistency across the security initiative and between silos of knowledge. Done right, good security processes halt infosec by "cult of personality", but they aren't infallible. Here are three things that having good information security processes won't do:

1. Defense Without Funding – Even the best security teams often struggle to convince upper management of proper budget needs. While good security processes might help you generate metrics and real world threat insights that you can use to explain risk to your management, as the old saying goes, if they spend more on coffee than infosec, they will get hacked and they will deserve it. Even good processes can't save you if your security team is resource starved.

2. Pet Project Sink Holes – We've all been there, a manager or executive has this idea that steam rolls into a project and yet is just a doomed thing to start with. IT and other parts of the business, including security, can get drawn into the vision and throw a seemingly never ending set of resources down the gullet of this project that never seems to progress, but just won't die. Unfortunately, this another place where strong processes just don't help. Once the project steals the imagination of the executive team, the game is pretty much over. You ride along or die. Where you can win here with strong processes though, is by defining good minimum levels of resources that your policy forbids being switched to other tasks. Then, at least, you have a base to stick to when one of the hurricanes of fail comes over the horizon.

3. Zombie Apocalypse – Nope, they won't help you here either. Good processes tend to break down when the zombies are munching on the brains of your teams as a snack. Yeah, we know, we saw the screenplay too, but we still think that whole Charlie Sheen in grubby clothes and grey make up thing is just another tacky grab for more attention.

Seriously, other than these, good processes help with infosec. Get started on them right away, before the zombies reach the data center....

Cross-posted from [link] 

Source: "State of Security" Blog, MicroSolved, Inc.

Near Field Communications, or NFC, is the exchange of information between two devices via wireless signal. For example, a wireless signal emitting from your cell phone can act as a credit card when making a purchase.

This year, over 70 million mobile phones will be manufactured and sold with NFC built in.

NFC can be used in other ways beyond credit card transactions. It can integrate with hardware, such as your car, to unlock a door. It can activate software.

Soon enough, using your phone as a credit card will be commonplace. Mobile contactless payments, in which you pay by holding your phone near the payment reader at the register, are expected to increase by 1,077% by 2015.

According to a study by Boston-based research firm Aite Group, “The gross dollar volume of U.S. mobile payments is estimated to grow 68 percent between 2010 and 2015, but the mobile payments will continue to represent only a ‘tiny portion’ of U.S. consumer spending for many years.”

Mobile payment is still in the testing phase in the United States, Canada, and other countries around the world.

Security is paramount. A new type of smartcard-based SIM is at the core of mobile payment security. It contains a small computer with its own software designed to protect the payment account information. Your credit card provider will make sure that mobile payment is fully secure, or it will not happen.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses identity theft in front of the National Speakers Association.

Our culture deemphasizes individual responsibility. In my mind, life begins when you begin taking responsibility for everything in your life. Personal security is fundamentally your own responsibility and, while you may not be responsible for a crime happening to you, you are the one in the best position to prevent it.

In the last decade, as much as 80% of all banking has taken place online, a major change after hundreds of years of traditional banking. Online banking is all about convenience. It has become apparent that these conveniences of technology have outpaced consumers’ security intelligence. It is possible to secure systems in a way that will defeat most online criminal activity, but that level of security comes with inconveniences that the consumer may not be equipped to handle.

Doug Johnson, the American Bankers Association VP of risk-management policy, explains, “The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a continuous, almost daily, basis. That’s because PCs and smartphones have become the online bank branch for a lot of individuals. The customer needs to really recognize that security is most effective when they work in partnership with their financial institution.”

While banks are fighting their own battles to combat fraud and account takeover, it is imperative that the banks’ customers adhere to security fundamentals.

• Set your computer’s operating system to update critical security patches automatically.
• Make sure your firewall is turned on and protecting traffic from both directions.
• Always run antivirus software, and set it to update virus definitions automatically.
• Use a protected wireless network.
• Never click links within the body of an email. Instead, go to your favorites menu or type the address into the address bar.
• Check your online bank statements frequently.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents. For additional tips, visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss online banking security on CBS Boston.