What happens in a breach?


Breach. Photo by Studio d’Xavier

Barclaycard Merchant Services have published the following case study of a merchant PCI DSS breach. The merchant in question is probably better than 90% of e-commerce retailers out there (which is presumably why BMS feel it is an encouraging case study for The Rest Of Us). Clearly, even in an anonymised case study there will be a certain amount of whitewash, but the practices outlined here make good reading for anybody carrying critical information and/or providing secure applications or infrastructure.


UK Cop Humour

The Laughing Policeman. Photo by Greater Manchester Police
The other day I wrote a post on the apparent attempt by a national newspaper to foment discussion in an online forum, entitled “Incitement to Violence” (which is a neat summary of my own personal assessment of the situation, and worth precisely what you paid for it). Since I don’t have access to the “raw” server logs of the forum in question, I surmised that it’s either a clumsy attempt to stir up (more?) racial tension, or alternatively an equally clumsy attempt to smear a national newspaper which has, in the past, been less than kind to certain ethnic groups in this country.


When your laptop (and you) are under duress

Rocket racer, shot under duress. Photo by richardzx

For a while I have pondered the knotty problem of what one should do when one’s “life, fortunes and sacred honour” are under threat. It appears I’m not alone in this, as the hacker community is starting to respond.

First of all, what is duress?


Twitter knows where you live, silly

You Are Here. Photo by loulou

I was listening to Jeremy Vine (@thejeremyvine) talking about the rising tide of Twitter hatred, especially towards women who express a voice. Apparently two XX chromosomes and an opinion make you a target for “Cyber-Sexual Stalking”, which sounds distasteful from first, second or third person. Various suggestions were made by the “great and the good” who call into the show, including making Twitter charge (so that creating a troll account will involve registering “real world” details and paying a “nominal” fee). Mind you, how you will force Twitter to charge is a separate subject entirely! Twitter have so far refused to exercise editorial control, which allows them to claim their status as a “common carrier”. One of the callers airily waved their hands and said “well of course, if someone posts IIoC, they take it down pretty quickly?” (sort of missing the distinction between offensive, objectionable behaviour and distributing pictures of a crime for gratification). If Twitter exercise editorial control over part of their content stream, then they will be deemed to have the power to exercise editorial control over the whole lot – which, to use the metaphor, would be like picking out the single fly in a stream of water from a firehose. Not impossible, but very, very difficult. And somewhat messy.

Big Data – too big to forensicate?

The Big Toy Hut's Zombie. Photo by _Matn

Recently I was involved in an in-depth presentation, which involved me preparing a paper and delivering it to a panel of expert technologists and information security professionals. (At some point I may well publish the paper, but on with the story.) As you would expect with such an eminent audience, the questioning was in depth and thorough, and the final question was this: “I know you are skilled in forensics, but how would you go about doing a forensic analysis of Big Data?” Unfortunately my brain had leaked out through my shoes at this point (!) and not all my thoughts came through my mouth. These thoughts are all framed around the expectation that a forensic case will end up in court.

iPhone location consolidated.db to Google Earth KML

Having watched the media storm over the iPhone location database erupt in the last few days, I wonder why I didn’t release this before. First credit should go to Chris Vance and Nathan Broslawsky who discovered this in Sept 2010 – they were extremely helpful when I contacted them for advice in a forensics case. We all kept quiet in the interests of “responsible disclosure” – ah well.

Now it’s all out in the public domain, I release the hack script which converts an iPhone database into a Google Earth KML map.

There are lots of other useful tricks for mobile forensics!

(Now on GitHub)
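The conversion the post describes, as an added example rather than the author’s GitHub script: read the CellLocation table out of consolidated.db with sqlite3, convert the Core Foundation timestamps, and emit time-stamped KML Placemarks. The column names and the Timestamp epoch (seconds since 2001-01-01 UTC) are assumptions about the database layout, and the sample database is constructed in memory.

```python
"""Turn the CellLocation table of an iPhone consolidated.db into a KML file
Google Earth can play back on its time slider. Added example, not the blog's
own script. Assumes the table columns MCC, MNC, LAC, CI, Timestamp, Latitude,
Longitude, HorizontalAccuracy, with Timestamp in Core Foundation absolute
time (seconds since 2001-01-01 UTC)."""
import sqlite3
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Core Foundation epoch

def cf_to_iso(ts):
    """Core Foundation absolute time -> ISO 8601 UTC string for KML <when>."""
    return (CF_EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%dT%H:%M:%SZ")

def fetch_cell_rows(conn):
    """Read cell fixes oldest-first; a 0,0 position means the lookup failed."""
    return conn.execute(
        "SELECT MCC, MNC, LAC, CI, Timestamp, Latitude, Longitude, "
        "HorizontalAccuracy FROM CellLocation "
        "WHERE Latitude != 0 AND Longitude != 0 ORDER BY Timestamp").fetchall()

def rows_to_kml(rows):
    """One time-stamped Placemark per fix; ElementTree handles XML escaping."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = "consolidated.db cell locations"
    for mcc, mnc, lac, ci, ts, lat, lon, acc in rows:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"MCC {mcc} MNC {mnc} LAC {lac} CI {ci}"
        ET.SubElement(pm, "description").text = f"horizontal accuracy ~{acc:.0f} m"
        ET.SubElement(ET.SubElement(pm, "TimeStamp"), "when").text = cf_to_iso(ts)
        # KML wants lon,lat,alt: the opposite order to the database columns
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")

def convert(conn):
    """Open sqlite3 connection to a consolidated.db -> KML document string."""
    return rows_to_kml(fetch_cell_rows(conn))

def build_sample_db():
    """Constructed stand-in for a real consolidated.db; all values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CellLocation (MCC INT, MNC INT, LAC INT, CI INT, "
                 "Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL)")
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", [
        (234, 15, 1234, 56789, 325000000.0, 51.5007, -0.1246, 500.0),
        (234, 15, 1234, 56790, 325003600.0, 51.5033, -0.1195, 1414.0),
        (234, 15, 0, 0, 325007200.0, 0.0, 0.0, 0.0)])  # unresolved fix, skipped
    return conn
```

For a real device backup, pass `sqlite3.connect("consolidated.db")` to `convert` and write the returned string to a `.kml` file; the WifiLocation table can be handled the same way with its own column list.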

One of the nice things….

The Security geek community is a widespread one, and I’ve not talked with Vaughn Cordero, the author of the frankly awesome Mobile Sync Browser before. If you are trying to recover data from a bust iPhone backup, this is probably the only thing you need.

Vaughn is a thoroughly nice guy, and when he got my email out of the blue asking a forensic question, he responded as follows:

I usually have a look-see at individuals before dispensing these licenses, but anyone who listens to ELO can’t be half-bad, right? :)


Many thanks for your help, this one’s for you.

Startup releases FREE netflow/syslog forensics tool

Dark Reading reports that:

A new security startup founded by former Los Alamos National Laboratory security experts will come out of stealth mode on Tuesday, with a commercial version of an incident response tool they had built for the government lab.

Santa Fe, N.M.-based Packet Analytics will officially roll out Net/FSE Network Forensic Search Engine software, which collects and organizes Cisco NetFlow and syslog log data into a searchable format, helping analysts to investigate breaches as soon as they occur.

The real-time tool is based on technology licensed exclusively from Los Alamos, which has been using the tool for five years to handle incident response investigations.

Packet Analytics is offering a free download of the basic tool, which supports up to one million events per day. Anything higher incurs a licensing fee — anywhere from $1,495 for up to 3 million events per day to $18,950 for 50 million events per day.

Neat stuff! And how rarely the words “free” and “forensic” go together :-)

Encrypted laptop poses legal dilemma

In the UK, it’s now a criminal offence under RIPA not to divulge decryption keys or in-clear information.
I’m curious about this case – how do the LEOs know there is naughty content on the device, if it’s encrypted?

Encrypted laptop poses legal dilemma

By JOHN CURRAN, Associated Press Writer 2 hours, 51 minutes ago

BURLINGTON, Vt. – When Sebastien Boucher stopped at the U.S.-Canadian border, agents who inspected his laptop said they found files containing child pornography. But when they tried to examine the images after his arrest, authorities were stymied by a password-protected encryption program. Now Boucher is caught in a cyber-age quandary: The government wants him to give up the password, but doing so could violate his Fifth Amendment right against self-incrimination by revealing the contents of the files.

Experts say the case could have broad computer privacy implications for people who cross borders with computers, PDAs and other devices that are subject to inspection. “It’s a very, very interesting and novel question, and the courts have never really dealt with it,” said Lee Tien, an attorney with the Electronic Frontier Foundation, a San Francisco-based group focused on civil liberties in the digital world.

For now, the law’s on Boucher’s side: A federal magistrate here has ruled that forcing Boucher to surrender the password would be unconstitutional. The case began Dec. 17, 2006, when Boucher and his father were stopped at a Derby Line, Vt., checkpoint as they entered the U.S.

Boucher, a 30-year-old drywall installer in Derry, N.H., waived his Miranda rights and cooperated with agents, telling them he downloads pornography from news groups and sometimes unknowingly acquires images that contain child pornography. Boucher said he deletes those images when he realizes it, according to an affidavit filed by Immigration and Customs Enforcement.

At the border, he helped an agent access the computer for an initial inspection, which revealed files with names such as “Two year old being raped during diaper change” and “pre teen bondage,” according to the affidavit. Boucher, a Canadian with U.S. residency, was accused of transporting child pornography in interstate or foreign commerce, which carries up to 20 years in prison. He is free on his own recognizance.

The laptop was seized, but when an investigator later tried to access a particular drive, he was thwarted by encryption software from a company called Pretty Good Privacy, or PGP. A grand jury subpoena to force Boucher to reveal the password was quashed by federal Magistrate Jerome Niedermeier on Nov. 29. “Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop,” Niedermeier wrote. “The password is not a physical thing. If Boucher knows the password, it only exists in his mind.” Niedermeier said a Secret Service computer expert testified that the only way to access Boucher’s computer without knowing the password would be to use an automated system that guesses passwords, but that process could take years.

The government has appealed the ruling. Neither defense attorney James Budreau nor Vermont U.S. Attorney Thomas Anderson would discuss the charge. “This has been the case we’ve all been expecting,” said Michael Froomkin, a professor at the University of Miami School of Law. “As encryption grows, it was inevitable there’d be a case where the government wants someone’s keys.” Authorities have encountered such dilemmas before, but have used other methods to learn passwords, including installing surveillance devices that capture keyboard commands. Sometimes investigators have given up before a case reached the courts. In a 2002 case, the FBI used a keyboard program to obtain gambling records from the computer of Nicodemo Scarfo, Jr., the son of a jailed New Jersey mob boss. In another case, an officer found child pornography on the laptop of a man who flew into Los Angeles International Airport from the Philippines. But a federal judge later suppressed the evidence, ruling that electronic storage devices are extensions of the human memory and should not be opened to inspection without cause. That case didn’t hinge on a password, though.

Orin Kerr, a law professor and computer crime expert at George Washington University, said the distinction that favors the government in Boucher’s case is that he initially cooperated and let the agent look at some of the laptop’s contents. “The government can’t make you give up your encryption password in most cases. But if you tell them you have a password and that it unlocks that computer, then at that point you no longer have the privilege,” he said. Tien, the attorney with the Electronic Frontier Foundation, said a person’s right to keep a password secret is a linchpin of the digital age. Encryption is “really the only way you can secure information against prying eyes,” he said. “If it’s too easy to compel people to produce their crypto keys, it’s not much of a protection.”

I once had a lawyer call me up asking me to act as expert for the defence in a case similar to this. 37 IIOC images were the basis for arrest, 34 of which had been recovered from deleted file space. In my early discussions with the lawyer, I surmised that the defendant could have inadvertently downloaded these in the pursuit of his personal browsing of adult content, been shocked and horrified, and sought to put them beyond reach by deleting them. I then asked for more details on the other three.
“Ah”, said the lawyer, uncomfortably. “He was printing those out when the police raided his home”.
Needless to say, the “shocked and horrified” mitigation went straight out of the window! My view on these matters is that people put their jobs, family, and liberty on the line when they view this kind of material online, and that acquiring the habit of viewing adult content leads to a search for more and more extreme content due to the desensitisation as one becomes accustomed to the images, thereby leading to greater illicit thrill-seeking. This process continues until one breaks the law and is then eventually caught. The definition of obscene material in the UK is that which tends to corrupt and deprave those that view it – as I understand it from police who are engaged in this activity, rarely does a person decide to leap straight into the most taboo material; instead they wander down this slippery slope until it’s Too Late.
RIPA is a difficult law, and there is the question of how one distinguishes between a party who has no knowledge of an encrypted item and a guilty person who is concealing evidence of another crime using cryptographic methods. There is very little case precedent on this, and many legal pundits are making hay on the speaking circuit with their opinions. RIPA can be used as a threat to encourage a suspect to divulge keymat/clearmat; however, hardened criminals may well cop to a RIPA conviction rather than face the potentially greater penalties of their original offence. One of the interesting experiences with Highfire (www.cryptorights.org/research/highfire) was discussing with Amnesty their view on crypto – very opposed to it, as the use of crypto in harsh regimes had led to documented experience of individuals facing extreme coercive measures to divulge keymat – thus crypto was seen as an increased risk, not a risk reducer!

Ye olde ebaye fraude

I’ve not seen one of these for ages. I got the attached email in today, and thought “eh?” (I rarely buy stuff on eBay, have a hard-to-guess password, and change it regularly.)

All the email looks genuine, and the image source tags all point to the right place?

Should I click on the link kids?
(Cries of “Yes!”, “No!”, “It’s behind you!”, etc. – well, it is panto season after all.)

I logged onto eBay using a separate browser window and checked my messages. Nothing. I felt fairly clean. So I opened up the HTML of the email (and yes, this is why HTML emails are dangerous: they look cute and cuddly, but have unexpected nasties inside).

I found this:

If you want to unsuspend your account now click the link below:
<A HREF="ftp://Administrator:merlin@">


So don’t. Still with me? Good, there’s more.

For us gentle souls who don’t eat HTML for breakfast (and you are wise, it will make you burp), what this means is that if I were to click on that nice inviting link offering to unsuspend my account now (why suspend my account for only 7 days, then offer to unsuspend it?), I would be taken to a password-protected page on a machine indicated only by its IP address, with the username and password already embedded in the link.

Where’s that machine?
Curious soul that I am, I checked out the IP address. Its PTR record in the DNS is cpe-066-026-069-024.nc.res.rr.com,

which means that someone somewhere has downloaded a piece of malware which has taken over their machine and is quietly and happily using it to serve out viruses, trojans, and other nasties.

Where’s the sender?
Looking at the headers of the email, I gathered the following juicy bits:

Received: from mail.bick.com ([] helo=saturn.Bickford.com)
by faraday.net.versatilia.com with esmtp (Exim 4.43)
id 1J4fKh-000546-N9
for I'm-not-quite-dumb-enough-to-put-my-email-address-here@gmail.com;
Tue, 18 Dec 2007 16:30:15 +0000
Received: from User ([]) by saturn.Bickford.com with
Microsoft SMTPSVC(5.0.2195.6713);
Tue, 18 Dec 2007 10:19:10 -0600

Versatilia are my ISP, and a thoroughly nice bunch and very sharp. It looks like mail.bick.com is running an open mail relay. They’re a firm of architects by the way, based in Kansas. So, using the abuse.net mail tester, we see:
>>> RSET
>>> RCPT TO:
>>> DATA
>>> (message body)
<<<> Queued mail for delivery


The sender (listed as "User" above) looks like it’s an IP address in the former Yugoslav republic of Macedonia. They have evidently found more worlds to conquer!

inetnum: -
org: ORG-Ud4-RIPE
netname: MK-UNET-980713
descr: UltraNet d.o.o.
country: MK
admin-c: MDP1-RIPE
tech-c: JPM7-RIPE
mnt-lower: AS8830-MNT
mnt-lower: MNTNER-AS
mnt-domains: MNTNER-AS
source: RIPE # Filtered

The router offering its route is shaper.unet.com.mk (

Law officers, if you read this, there's some work there for you. If by chance the machine owner of logs onto my blog from Raleigh, USA and reads this, then go look at Get Safe Online. Change your passwords, back up your information, and reinstall your OS. You're done.

And folks, this took 5 minutes to check on, and by doing so my personal information lives to fight another day.
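The two checks the post does by hand, pulling the links out of the HTML body and reading the Received: chain to find where the relay accepted the message, as an added example that is not part of the original post. The message is constructed to mirror the headers and link quoted above; its hostnames, password and IP addresses are documentation placeholders, not the values from the post.

```python
"""Triage a phishing e-mail the way the post does by hand: pull the links
out of the HTML body, flag the ones that smell (embedded credentials, a
non-web scheme, a bare IP for a host) and walk the Received: chain to the
hop that injected the message. Added example, not the blog's own code."""
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

HREF = re.compile(r'href\s*=\s*["\']([^"\']+)', re.I)     # link targets in the body
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # [a.b.c.d] in Received:

def link_findings(url):
    """Return the reasons a link is suspicious (empty list = nothing seen)."""
    parts, reasons = urlsplit(url), []
    if parts.username is not None:
        reasons.append("credentials embedded in URL")
    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parts.scheme!r}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", parts.hostname or ""):
        reasons.append("bare IP address instead of hostname")
    return reasons

def originating_hop(msg):
    """Each relay prepends its own Received: line, so the last one in the
    list is the earliest hop: the address the (open) relay accepted from."""
    received = msg.get_all("Received") or []
    m = BRACKET_IP.search(received[-1]) if received else None
    return m.group(1) if m else None

def triage(raw):
    """Parse a raw message; report the origin hop and per-link findings."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    return {"origin_ip": originating_hop(msg),
            "links": {u: link_findings(u) for u in HREF.findall(body)}}

# Constructed sample modelled on the post's headers; IPs are RFC 5737 placeholders.
SAMPLE = """\
Received: from mail.relay.example ([203.0.113.7] helo=saturn.relay.example)
\tby mx.isp.example with esmtp (Exim 4.43); Tue, 18 Dec 2007 16:30:15 +0000
Received: from User ([198.51.100.23]) by saturn.relay.example with
\tMicrosoft SMTPSVC(5.0.2195.6713); Tue, 18 Dec 2007 10:19:10 -0600
From: "Account Services" <service@auction.example>
Subject: Your account has been suspended
Content-Type: text/html; charset="us-ascii"

<html><body>If you want to unsuspend your account now click the link below:
<a href="ftp://Administrator:example-pass@192.0.2.10/">Unsuspend</a>
<a href="https://www.auction.example/help">Help</a></body></html>
"""
```

`triage(SAMPLE)` reports the relay's client address and flags the ftp link on all three counts while leaving the genuine help link clean; the next step, as in the post, is a PTR and whois lookup on the reported address.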