Among the 10 people targeted in the conspiracy were Brennan; then-Deputy FBI Director Mark Giuliano; National Intelligence Director James R. Clapper; Greg Mecher, the husband of White House Communications Director Jen Psaki; and other government officials.
The group called itself Crackas with Attitude, and it was led by a co-conspirator going by the name of Cracka. "She talks mad shit abt snowden," Liverman said on December 10, 2015 in an online chat with Cracka, referring to a target who is believed to be Psaki, according to a statement of facts signed by Liverman and filed in US District Court for the Eastern District of Virginia. (The document refers to Mecher and Psaki as Victim 3 and the spouse of Victim 3 respectively.) "If you come across anything related to [Victim 3's spouse] let me know.
If you find her cell or home number omg gimme." Liverman went on to say he wanted to "phonebomb the shitt [sic] outta" Psaki. The statement of facts shows Liverman discussing other intrusions with Cracka.
After getting a cellphone number Cracka had unlawfully obtained from a breached online account belonging to Victim 2, Liverman dialed it to make sure it belonged to the government official, whose real-world identity couldn't be immediately confirmed by Ars. Liverman "then paid an online service to automatically dial Victim 2's phone number once an hour, for 30 days, and leave a threatening recorded message."
"We will keep a close eye on your family"
Liverman later sent text messages to the cellphone that read in part: "We will keep a close eye on your family, especially your son." The message included a photo of the son that had been unlawfully obtained from one of Victim 2's compromised accounts.
That same day, Liverman publicly posted the cellphone number to pseudonymous Facebook and Twitter accounts and wrote: "This line will be active for only 24hrs, so call/sms it if you want to talk to me ... i also accept sexy nudes lol." Two days later Liverman told Cracka: "if we could get [Victim 2] swatted that would be amazing." Swatting is the term for falsely reporting violent crimes in progress to emergency responders in an attempt to elicit a response from special weapons and tactics police officers. Cracka used Victim 2's official credentials to gain unauthorized access to the Law Enforcement Enterprise Portal, an online database that's supposed to be available only to law enforcement officials.
At Liverman's request, Cracka used his access to obtain a list of more than 80 police officers and law enforcement employees in the Miami area. On January 6, 2016, Liverman posted the list online. The group allegedly also published a 47-page security clearance questionnaire containing highly personal information, which Brennan completed to obtain his post.
Around the same time, the group published a separate spreadsheet containing the personal data of 29,000 FBI and DHS employees.
A day later, a group member allegedly presented evidence showing it had hijacked accounts belonging to Clapper. According to an affidavit filed in September, the group didn't rely on computer hacking to break into restricted accounts.
Instead, members used social engineering in which they impersonated their targets and various IT support personnel purporting to help the victims. On October 11, 2015, one of the suspects allegedly accessed the account belonging to Brennan by posing as a technician from Verizon.
The suspect then tricked another Verizon employee into resetting the password for Brennan's Internet service. Prosecutors said the suspects went on to take over a Brennan AOL account. The group allegedly used similar techniques to access other accounts.
The affidavit said another group member appeared to gain access to a law enforcement database by calling an FBI help desk and asking that Giuliano's password be reset. Now, Liverman faces a maximum possible sentence of five years in prison at sentencing, which is scheduled for May 12. The statement of facts filed with Friday's guilty plea offers a window into the depravity and viciousness that motivates so many online intrusions.
The perpetrators often succeed not through any technical skill but rather by making fraudulent phone calls that carefully exploit weaknesses in various companies' customer support services.
It's not the first time social engineering has exacted such a high price, and sadly, it likely won't be the last.
When you can get a seriously full-featured, security-conscious password manager for free, what would entice you to pay? How about even more features, and no limits on existing features? LogMeOnce Password Management Suite Ultimate 5.2 pulls out all the stops, removing limits on the number of shares and beneficiaries, and adding advanced features that include anti-theft and an unusual selfie-based two-factor authentication system. A few quirks in its mobile editions are still being ironed out, but overall, it's a feature-packed password powerhouse.
At $39 per year, LogMeOnce Ultimate costs the same as Dashlane 4.0. Sticky Password goes for $29.99 per year, and LastPass for just $12. But this big, sprawling utility has a ton of features, including some I haven't seen in any competing product.
The free edition doesn't impose any limits on the number of saved passwords, or of synced devices. If you're interested in the product but not sure if you want to pay for it, go ahead and install the free edition, and familiarize yourself with its impressive capabilities. You can upgrade to Ultimate any time the free edition's limits begin to chafe.
The free LogMeOnce Password Management Suite Premium 5.2 is loaded with features, enough that it outperforms many competing products that aren't free. I'll summarize its capabilities here, or you can read my full review of the free edition for more details.
LogMeOnce runs strictly as a browser extension, so it's not limited to a specific platform. If your browser supports extensions, you can use it on Windows, macOS, or even Linux. There are also apps for Android and iOS.
Just about every password manager starts off by asking you to define a strong master password, something that you can remember but that nobody could guess. LogMeOnce now offers password-less authentication as its default. To set this up, you pair your smartphone or mobile device with your LogMeOnce account. Now when you log in on your desktop, you verify when prompted on the mobile device, using a PIN, a fingerprint, or what the company calls PhotoLogin.
Those who've upgraded to Ultimate get more information along with the request for PIN, fingerprint, or PhotoLogin. Swipe left to see the requester's email address, GPS location, IP address, and more, or swipe right to view the location on a map. If you get an unexpected login request, this data may help you figure out who's trolling you.
For PhotoLogin, LogMeOnce snaps a photo with the webcam and sends it to the device. You simply verify that the photo is what you expected. If the computer has no webcam, you can compare a visual one-time password that's sent along with the photo. It's also possible to use PhotoLogin on the mobile device itself, but this isn't quite as secure. It involves you verifying that you are seeing the photo you just snapped; it's a bit self-referential. When I mentioned this to the developers, they quickly modified on-device PhotoLogin to also require entering a PIN.
The free edition captures logins (which it calls applications) as you enter them, and offers to play back your saved credentials when you revisit the site. It also includes a catalog of almost 4,500 known websites. Choose one of these and you can be sure that LogMeOnce will handle it, even if it uses a non-standard login page. However, if you somehow manage to find an oddball login that's not in the catalog, you can't just capture all form fields the way you do with LastPass or Sticky Password Premium. Clicking the browser toolbar button displays all your saved websites. Clicking one of them navigates to the site and logs in.
The password generator defaults to creating 15-character passwords, using all character sets, which yields a very tough password. It also rates any password you type, estimating how long it would take to crack. By default, you must change your master password every three months, without re-using previous passwords. Those using Ultimate can change the password expiry time, in a range from one month to one year.
You can use Google Authenticator, or a workalike such as Duo Mobile or Twilio Authy, for two-factor authentication. Other options in the free edition include receiving a one-time passcode via email, SMS, or voice call. In an unusual move, LogMeOnce charges two credits for each SMS authentication and four credits for each voice call. Those using Ultimate get an allowance of 50 credits per month, with the option to purchase more, $10 for 1,000 credits. I'll cover the Ultimate edition's additional two-factor options below.
An interesting feature called Mugshot gives you a look at anyone who tries to log in on a lost or stolen phone. On any failed login attempt, it snaps photos with the front and rear cameras and sends them to your online dashboard, along with the device's GPS location and IP address. Using this information, you may be able to locate and recover the device. Upgrading to Ultimate gets you a more complete anti-theft system.
LogMeOnce stores personal, address, phone, and company data, for use in filling Web forms. You can save multiple instances of each data type. New since my last review, it also saves and fills credit card data. Like Dashlane, it helpfully displays the saved cards as images, using the color and bank name you specified. It doesn't have the flexibility of form-filling whiz RoboForm Everywhere 7, but it does the job.
Like LastPass and Dashlane, LogMeOnce can display a list of all your passwords, with a strength rating for each, and a flag for any duplicates. In addition, its report page offers several other views on your security, some of which aren't functional in the free edition. If you find you've got weak or duplicate passwords, just click the link next to each one to go change it. For many popular websites, LogMeOnce can even automate the password change process, something few competing products manage.
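The generator and the strength/duplicate report described above come down to a few checks that are easy to show in code. The following is an added example in Python, my own illustration and not LogMeOnce's code: it generates a 15-character password from all four character classes with a CSPRNG, rates a password with the simple length-times-log2(alphabet) model that meters of this kind use, converts that to a crack time at an assumed offline rate of 10^10 guesses per second, and flags weak and reused entries in a vault. The 60-bit threshold, the guess rate and the function names are assumptions, not anything from the product.

```python
import math
import secrets
import string

# The four character classes the generator draws from; all are used by default.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_password(length=15, classes=CLASSES):
    """Return a random password containing at least one character from every class.

    Uses the secrets module (CSPRNG); random.choice would be the wrong tool here.
    """
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    # one guaranteed pick per class, the rest from the whole alphabet ...
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # ... then a Fisher-Yates shuffle driven by the CSPRNG so the guaranteed picks land at random positions
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def charset_size(password):
    """Size of the alphabet an attacker would have to brute-force, inferred from the classes present."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def estimate_bits(password):
    """Brute-force entropy estimate: length * log2(alphabet size).

    Assumption: this is the simple model many meters use. It rates 'password' at ~38 bits
    even though a dictionary attack finds it in milliseconds; a serious meter also checks
    wordlists and keyboard patterns (zxcvbn does), which is out of scope here.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def crack_seconds(bits, guesses_per_second=1e10):
    """Expected time to find the password at a given offline guess rate (half the keyspace on average)."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def audit_vault(entries, min_bits=60):
    """entries: {site: password}. Returns (sites with weak passwords, groups of sites sharing one password)."""
    weak = [site for site, pw in entries.items() if estimate_bits(pw) < min_bits]
    by_password = {}
    for site, pw in entries.items():
        by_password.setdefault(pw, []).append(site)
    reused = [sites for sites in by_password.values() if len(sites) > 1]
    return weak, reused


if __name__ == "__main__":
    pw = generate_password()
    bits = estimate_bits(pw)
    print(pw, f"{bits:.0f} bits", f"~{crack_seconds(bits) / 3.15e7:.2e} years at 1e10 guesses/s")
    print(audit_vault({"bank": "password", "mail": "password", "forum": pw}))
```

The caveat a practitioner should keep in mind is the one in the docstring: a charset-and-length estimate says nothing about dictionary words, so a meter built only on this model will happily rate "Summer2015!" as strong. Reuse detection, on the other hand, is exact, and is the more valuable of the two reports after a breach at any one site.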
LogMeOnce includes the ability to securely share passwords with other users. You can choose whether the recipient gets to see the shared password, or just to use it for logging in. There's also an option to define a beneficiary who will receive either your whole account or a specific password in the event of your death. The free edition allows one whole-account beneficiary, five password beneficiaries, and five shared passwords. In the Ultimate edition, there are no such limits.
A productivity dock along the bottom of the screen displays a baker's dozen of live icons that expand when you mouse over them. You can use these icons to quickly reach important features like Mugshot or the security scorecard. That is, you can if you've paid for the product. Those using the free edition just get a reminder that the productivity dock is only for paid users.
Selfie Two-Factor Authentication
Upgrading to Ultimate unlocks several additional options for two-factor authentication, the most unusual of which is Selfie-2FA. It works like this. You log in to the browser extension, either with the default password-less authentication or a master password. LogMeOnce snaps a webcam photo and sends it to the mobile device you've specified for Selfie-2FA. If the received photo matches what you expected, you simply tap to authorize. MasterCard is exploring a similar type of selfie-based authentication.
What if you're using a desktop device with no webcam? In this case, LogMeOnce sends a generic image with a visual one-time password at the bottom. If the OTP on your mobile device matches the one on your browser, you simply tap to authorize. It's less tech-sexy than using a selfie, but it totally works.
My LogMeOnce contact pointed out that you can make it even harder for an attacker to beat this system by being unpredictable. Just keep changing which of your devices is the one authorized to respond to Selfie-2FA.
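The password-less login described earlier and the Selfie-2FA step above reduce to the same exchange: the server creates a login request, shows the browser something (a photo, or a visual one-time code when there is no webcam) and pushes the same thing plus the requester's details to the paired phone; the phone approves only if what it received matches what the user sees in front of them. The following is an added example in Python of that exchange with both sides' messages. It is my own illustration, not LogMeOnce's code or protocol, and it makes assumptions the page does not state: a per-device HMAC key established at pairing (real products typically use a device keypair), a six-digit code standing in for the photo, a 60-second request lifetime, and invented field and function names.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingLogin:
    request_id: str
    user: str
    visual_otp: str      # shown in the browser and carried in the push; the human compares the two
    requester: dict      # IP, user agent, location: surfaced on the phone so a stranger's request stands out
    expires_at: float
    consumed: bool = False


class ApprovalServer:
    def __init__(self, ttl_seconds=60, clock=time.time):
        self.clock = clock
        self.ttl = ttl_seconds
        self.devices = {}    # device_id -> (user, key)
        self.pending = {}    # request_id -> PendingLogin
        self.sessions = set()

    def enroll_device(self, user, device_id):
        # Assumption: pairing establishes a per-device secret that is handed to the phone once.
        key = secrets.token_bytes(32)
        self.devices[device_id] = (user, key)
        return key

    def start_login(self, user, requester):
        req = PendingLogin(
            request_id=secrets.token_urlsafe(16),
            user=user,
            visual_otp=f"{secrets.randbelow(10**6):06d}",
            requester=requester,
            expires_at=self.clock() + self.ttl,
        )
        self.pending[req.request_id] = req
        browser_view = {"request_id": req.request_id, "visual_otp": req.visual_otp}
        push_payload = {"request_id": req.request_id, "visual_otp": req.visual_otp, "requester": requester}
        return browser_view, push_payload

    @staticmethod
    def _mac(key, request_id, otp, decision):
        # The phone's answer is bound to this exact request, code and decision, so it cannot be
        # replayed against a different login attempt.
        msg = f"{request_id}|{otp}|{decision}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def finish_login(self, request_id, device_id, decision, device_mac):
        req = self.pending.get(request_id)
        if req is None or req.consumed or self.clock() > req.expires_at:
            return None
        req.consumed = True              # single use, whatever the outcome
        entry = self.devices.get(device_id)
        if entry is None or entry[0] != req.user:
            return None                  # unknown device, or a device paired to somebody else
        _, key = entry
        expected = self._mac(key, request_id, req.visual_otp, decision)
        if not hmac.compare_digest(expected, device_mac) or decision != "approve":
            return None
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token


def device_respond(key, push_payload, otp_on_screen):
    """What the paired phone does: approve only if the code in the push matches the code on the user's screen."""
    decision = "approve" if hmac.compare_digest(push_payload["visual_otp"], otp_on_screen) else "deny"
    return decision, ApprovalServer._mac(key, push_payload["request_id"], push_payload["visual_otp"], decision)


if __name__ == "__main__":
    srv = ApprovalServer()
    key = srv.enroll_device("alice", "alice-phone")
    browser, push = srv.start_login("alice", {"ip": "203.0.113.7", "ua": "Firefox"})
    decision, mac = device_respond(key, push, browser["visual_otp"])
    print(decision, srv.finish_login(browser["request_id"], "alice-phone", decision, mac))
```

The point of the comparison step is that the phone never approves "a login" in the abstract; it approves one identified request whose code the user can see. An attacker who triggers a request for your account sends you a push whose code matches nothing on your screen, and a replayed or forged approval fails because the MAC covers the request ID and the code and each request is consumed once. Rotating which device answers, as suggested above, adds nothing to that binding; the binding itself is what does the work.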
Those who've paid for the program can prepare a USB flash drive for use as a physical second authentication factor. There's also an option to add an X.509 Certificate as an authentication factor, but this is more logical in a business setting.
You can enable as many of the two-factor options as you wish, and log in using whichever is logical at the time. For example, if you're logging in on a mobile device with no socket for your USB authentication key, you could opt to receive a code via SMS or email, or get a code from Google Authenticator. True Key by Intel Security also offers multiple authentication options, but goes further by letting you require more than just two of them for authentication.
Device Management and Anti-Theft
The free edition receives the GPS location of any failed login attempt, but the paid edition lets you check device location whenever you like. The Device Map page in the Security section displays the location of all your registered devices. Clicking on a device gets you more information, along with a button that remotely logs out of any active LogMeOnce session on the device.
The separate Device Management page lists all the devices you've configured for use with LogMeOnce. If you've lost or replaced a device, you can remove it from the list, thereby disconnecting it from your account. You can flip a switch to define whether each mobile device can accept password-less login requests.
When you select a device from the list, other actions become available. You can send a request to locate a mobile device. A Details tab displays a huge amount of information for iOS devices, quite a bit less for Android devices. However, for Android devices only, you can view a list of installed apps.
The Commands tab appears for both Android and iOS devices, but the available commands differ. You can remotely cause an Android smartphone to ring at top volume, handy in case you've simply misplaced it, and you can lock it remotely using the system lockscreen. You can even change the lockscreen password remotely before locking it down.
On both Android and iOS, you can send a message, perhaps something like, "I've seen your mugshot, phone thief, and I'm coming for you!" But don't get too excited about this feature. Unless you've enabled viewing notifications on the device's lockscreen, the only way a phone thief could read the message would be by logging in to LogMeOnce, which shouldn't be possible.
That brings me to the final command, available on iOS and Android, the Kill-Pill. This dramatically named feature simply wipes all personal LogMeOnce data. I sent the Kill-Pill command to my Apple iPad Air and watched as LogMeOnce reverted to the initial setup screen, with no sign of my email address or any other configuration data. Oddly, sending the same command to my Nexus 9 never worked; it timed out repeatedly in my testing. My company contact confirmed that while the feature works on most Android devices, it doesn't yet work on a Nexus 9. Gotta love Android fragmentation!
Using a trusted mobile device as part of the authentication process is becoming more and more common. Like LogMeOnce in password-less mode, oneID skips the master password in favor of device-based authentication. You can configure True Key to use other forms of authentication, including a trusted device, in place of a master password. But LogMeOnce is the only product I've seen that adds anti-theft features to protect the security of that trusted device. It's a smart move.
Even the free edition of LogMeOnce lists all your passwords ordered by strength, rates your total security status, and displays what it calls a hybrid identity score. If you've paid, you also get an overall password strength rating, with a breakdown of statistics such as the number of passwords of at least 15 characters, and the number that contain at least one of each character type.
The Live PasswordTracker chart is another paid-only feature. It takes two weeks to get a baseline for reporting, so I didn't see its full capabilities. For starters, it charts a solid line that's your overall password strength each day. If you're using the product correctly, that line should only go up. It also charts what the company calls a heartbeat line. Solid line segments represent days that you used LogMeOnce, dotted segments days that you did not. The line's height above the axis is based on the strength of the passwords you used on that day. The purpose of the chart is to encourage you in proper password hygiene, replacing weak passwords with strong ones and always relying on the password manager to keep track.
A Few Oddities
In testing the free edition, I glossed over the few little quirks I ran into, given the fantastic features that you get for free. Running into those same quirks—and a few new ones—in the paid edition, I'm slightly less forgiving.
LogMeOnce is a work in progress, in a good way. While working on this review, I confused the PhotoLogin feature with what was then called Photo-2FA. Overnight, the developers renamed it to Selfie-2FA, to avoid confusion. Because I mused about the possibility of an unauthorized person picking up a phone that was left unlocked, they changed the local-only PhotoLogin to also require PIN entry. This is an agile team, indeed.
On the other hand, I also ran into some oddities that aren't yet fixed. I couldn't make the Kill-Pill personal data erasure work on my Android device. To use Selfie-2FA from my all-in-one desktop PC, I had to crank the webcam brightness to the max, so high that Skype images appeared washed out. On an iPad, the iOS edition runs in the dated 2x mode, just a blown-up version of the iPhone edition. And even though a paid account should be ad-free, the "Go ad-free" link still appears, and I saw ads on some mobile screens. Pending updates for the Android and iOS apps should fix at least some of these oddities. Overall, though, this utility's breadth of features and its inclusion of innovative, security-focused features overshadows these few quirks.
LogMeOnce Password Management Suite Ultimate takes the vast feature set of the free LogMeOnce password manager and kicks it up to the next level. I haven't seen another product offering selfie-based two-factor authentication, or a built-in anti-theft system. It lacks the ability to manage passwords for applications, but it checks just about every other box. On the flip side, you get almost all of these features in the free edition, and for some the vast array of features may prove off-putting.
LastPass Premium comes the closest to matching LogMeOnce's breadth of functionality, though with the latest edition LogMeOnce has taken a significant lead. For those who are more into simplicity and ease than a prodigious number of features, Dashlane 4 does everything you could want, with flair. LogMeOnce joins these two as an Editors' Choice for commercial password managers.
To expedite the sale, Gautreaux had documents already approving him for a loan for the vehicle stored on his smartphone, and claims the salesman asked to show the device to his manager. The phone was out of the couple's sight for about five minutes, they say, but when the pastor got it back he saw that an image was on the top screen – one of a couple of sexy snaps he'd taken of his wife as she was getting into and out of the bath. Subsequent investigation showed that the pictures had been emailed to an account at a website for swingers, the couple claims, and they called the police. Matthew Luke Thomas, the dealership's sales director, was arrested last month and charged with allegedly breaching a computer's security, a class B misdemeanor. Thomas is out on bail. Meanwhile, the Gautreauxs have now hired high-powered human rights lawyer Gloria Allred and are suing Thomas, Texas Toyota of Grapevine and Toyota Motor North America, claiming [PDF] breach of contract, intrusion, negligence and public disclosure of private facts.
The couple took their case to the Dallas County court on December 1, claiming the photos were swiped in January 2015, and have asked for more than a million bucks in relief. "Undoubtable this is not the first time that this has happened," Allred claimed during a news conference on Thursday, the Dallas Morning News reports. "But we hope the public awareness will help to put a stop to it."
This time around, we’ve chosen to focus on attribution in APT research, its methods and complications, and how intermediate-to-advanced attackers are already manipulating attribution indicators in an attempt to mislead researchers and squander limited incident response resources.
False flags and deception tactics have always been discussed as possibilities in this space, but we wanted to put out a wealth of examples to advance the conversation. Our hope is that we can further the dialogue regarding attribution to involve more nuanced and daunting questions that have yet to be conclusively addressed. When reading some of the examples, keep in mind that this was written back in February to submit to the VirusBulletin call for papers.
At the time, deception techniques were a topic discussed in private between researchers, but never publicly substantiated.
Since then, events over the summer have made this topic commonplace to the infosec community, if still a matter of contention and skepticism.
The paper is extensive (but not exhaustive) and we hope that those of you interested in the subject will take some time to go through the reasoning and examples.
The following are some takeaways we hope will pique your interest and get a dialogue going regarding the nuances of attribution as it's currently being done:
There's nothing straightforward about 'whodunnit'
From the perspective of threat intelligence producers, there exist complications regarding attribution and its practical purpose.
As any honest anti-malware company should admit, no institution has complete or perfect visibility into the activities of any threat actor.
Different companies see different fragments; different types of service providers complement that visibility with other types of data.
This is a research space rewarded by cooperation and data exchanges.
As such, when attempting to describe the activities of a threat actor, it's difficult to suggest that a single threat intelligence product can stand as the exhaustive final chapter on any of the threat actors we investigate, much less provide a definitive picture of their identity, activities, and resources. The true value of a threat intelligence product is its actionable potential: its ability to help detect and mitigate attacks, to provide clear avenues for proactive defense and improved defensive posture against a persistent and shadowy adversary, and to provide understanding to institutions and individuals outmatched and outwitted by the top dogs of the cyber espionage space.
And even then, we have to consider that when it comes to wide dissemination of this information for the benefit of the public, it’s not just victims that are reading threat intelligence products.
As our paper sets out to demonstrate, attackers too are keenly consuming threat intelligence research, learning from researcher methods as well as from other APT groups and incorporating that information to better their own operations.
What can attribution do for you?
Threat intelligence has come a long way in the last five years or so, and with that, more and more attribution is being done publicly by companies selling it as a product.
Before that, attribution was only really done within governments and kept private or classified.
These days, journalists and commentators are after the ‘sexy’ part of the story and are heavily focused on the “who” and not the “why”. While we are not arguing for or against companies performing attribution and publicly sharing their discoveries, we do pose some questions around how deep attribution really needs to go based on the role of the organization defended and its ability to take action.
For governments, the most fidelity is justifiably needed, especially when the outcome of the attribution results in diplomatic sanctions, offensive operations, or demarches.
But for a private company consuming threat intelligence, is that level of attribution really needed to protect the organization against these attacks? We hope the paper proves thought-provoking to threat intelligence producers and consumers alike, aligning needs and expectations, and preparing the infosec community for increasingly deceptive and manipulative interactions with our adversaries.
EDR provides visibility where most organizations are blind.
In our network-centric world, EDR provides a fast path to endpoint context, enabling rapid identification of false positives or the origin of attacks. To illustrate this point, I created a litmus test to review common limitations in security information and event management (SIEM) and threat monitoring today.
Because most SIEMs have insufficient endpoint data, threat analysts struggle to answer even the most fundamental questions, such as: Is the attack targeting a critical, sensitive, or regulated asset? Does the identified exploit target the right operating system or application? Nor can they answer the more complex questions: What process executed a connection to the known malicious IP or URL? What occurred following the successful inbound attack?
Life without EDR
For organizations without EDR, researching and responding to threats is a maddening exercise. With limited access to endpoints or endpoint context, threat analysts -- particularly in a large enterprise or a managed security service provider (MSSP) -- have few choices other than to open a ticket and delegate the research to others with access to the targeted machine. The stakeholder could be in another department or region.
For MSSPs, this is the heartbeat of communication between the SOC and customers under attack.
Tickets may be answered quickly but a large majority take days and weeks.
Some aren’t answered at all.
In fact, due to the substantial delays incurred, special tools have been created to address the hold-up. One such tool is called alert suppression. Using alert suppression, mature SOCs can hide repetitive alerts while waiting for information requested from stakeholders. Another technique is to auto-notify and close tickets that get no response. Last but not least, it's often easier to simply re-image the machine than to investigate root cause. This is the average day-to-day of threat analysts in the SOC.
It’s not sexy, nor is it cost effective. Repeated tens (if not hundreds) of times on a daily or weekly basis drives up organizational costs to an unsupportable level. When I hear people say: “I can’t afford to build or staff a SOC,” it’s not surprising given the status quo. Manual and human intensive tasks give security a bad name.
This is life without EDR. Life with EDR The introduction of EDR is a major evolution in SOC effectiveness.
Threat analysts no longer need to ask others to validate threats; the data is available for real-time query. With immediate access to the data, three things happen: the SOC analyst can research and respond to alerts in rapid succession, dramatically increasing the number of alerts each analyst can clear; armed with endpoint context, Tier 1 threat analysts can perform more sophisticated analysis, encroaching on the role typically assigned to Tier 2; and by eliminating the high volume of tickets requesting context, MSSP customers or stakeholders of large enterprises are relieved of the deluge of inquiries. Inevitably, a breach will occur. When that does happen, utilizing a best-in-class EDR vendor that includes continuous and centralized recording takes the guesswork out of incident response.
The attacker may have erased their tracks, but EDR recorded the attacker's every move with an endpoint DVR, the cyber equivalent of a surveillance camera. With a complete historical recording of an attacker and their actions, incident responders don't need to fly to the scene of the crime, scrape RAM, or image machines to look for clues.
The full recorded history of the attack enables on the spot incident response. EDR is much more than an endpoint security product; it’s causing an evolution in the people and process utilized within security operation centers globally.
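The litmus-test questions earlier in this piece (is the asset critical, does the exploit even fit the target OS, which process made the connection, what happened next) are answerable the moment process and network telemetry from the endpoint can be joined to the SIEM alert. The following is an added example in Python that performs that join over constructed sample data; it is my own illustration, not Carbon Black's product or any real telemetry. It assumes an asset inventory keyed by hostname, endpoint records shaped like Sysmon process-create and network-connect events, and an alert carrying the destination IP, a timestamp and the OS the signature targets. Hostnames, IPs and the event layout are invented.

```python
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample data, not real telemetry: an asset inventory, endpoint records in the
# style of Sysmon process-create (ID 1) and network-connect (ID 3) events, and one SIEM alert.
ASSETS = {
    "fin-ws-17": {"os": "windows", "criticality": "high", "regulated": True},
    "dev-lnx-03": {"os": "linux", "criticality": "low", "regulated": False},
}

EVENTS = [
    {"type": "process_create", "host": "fin-ws-17", "ts": ts("2016-01-06T09:00:00"), "pid": 400, "ppid": 1, "image": "explorer.exe"},
    {"type": "process_create", "host": "fin-ws-17", "ts": ts("2016-01-06T09:01:00"), "pid": 812, "ppid": 400, "image": "winword.exe"},
    {"type": "process_create", "host": "fin-ws-17", "ts": ts("2016-01-06T09:01:30"), "pid": 913, "ppid": 812, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc ZQBjAGgAbwA="},
    {"type": "network_connect", "host": "fin-ws-17", "ts": ts("2016-01-06T09:01:35"), "pid": 913, "dst_ip": "203.0.113.45", "dst_port": 443},
    {"type": "process_create", "host": "fin-ws-17", "ts": ts("2016-01-06T09:01:50"), "pid": 1001, "ppid": 913, "image": "whoami.exe"},
    {"type": "process_create", "host": "fin-ws-17", "ts": ts("2016-01-06T09:02:10"), "pid": 1002, "ppid": 913, "image": "net.exe", "cmdline": "net user /domain"},
    {"type": "process_create", "host": "dev-lnx-03", "ts": ts("2016-01-06T09:04:00"), "pid": 2200, "ppid": 1, "image": "/usr/bin/curl"},
    {"type": "network_connect", "host": "dev-lnx-03", "ts": ts("2016-01-06T09:05:00"), "pid": 2200, "dst_ip": "203.0.113.45", "dst_port": 443},
]

C2_ALERT = {"host": "fin-ws-17", "dst_ip": "203.0.113.45", "ts": ts("2016-01-06T09:01:36"),
            "signature": "outbound connection to known C2", "exploit_target_os": "windows"}


def explain_alert(alert, events=EVENTS, assets=ASSETS, window=timedelta(minutes=2)):
    """Answer the litmus-test questions for one network alert from endpoint context."""
    host = alert["host"]
    asset = assets.get(host)
    result = {
        "asset": asset,
        # a Windows exploit fired at a Linux box is a false positive before anyone opens a ticket
        "os_mismatch": asset is not None and alert.get("exploit_target_os") not in (None, asset["os"]),
        "process": None,
        "ancestry": [],
        "followed_by": [],
    }
    # pid -> process-create record; a real implementation keys on a process GUID because pids are reused
    procs = {e["pid"]: e for e in events if e["type"] == "process_create" and e["host"] == host}
    conns = [e for e in events if e["type"] == "network_connect" and e["host"] == host
             and e["dst_ip"] == alert["dst_ip"] and abs(e["ts"] - alert["ts"]) <= window]
    if not conns:
        return result
    conn = min(conns, key=lambda e: abs(e["ts"] - alert["ts"]))
    proc = procs.get(conn["pid"])
    if proc is None:
        return result
    result["process"] = proc
    # Which process made the connection, and what launched it? Walk the parent chain.
    chain, cur = [], proc
    while cur is not None:
        chain.append(cur["image"])
        cur = procs.get(cur["ppid"])
    result["ancestry"] = chain
    # What happened next? Every descendant spawned after the connection, in time order.
    descendants, frontier = set(), {proc["pid"]}
    while frontier:
        children = {p["pid"] for p in procs.values() if p["ppid"] in frontier and p["pid"] not in descendants}
        descendants |= children
        frontier = children
    result["followed_by"] = [p["image"] for p in sorted(procs.values(), key=lambda p: p["ts"])
                             if p["pid"] in descendants and p["ts"] >= conn["ts"]]
    return result


if __name__ == "__main__":
    r = explain_alert(C2_ALERT)
    print(r["asset"], "os mismatch:", r["os_mismatch"])
    print(" -> ".join(reversed(r["ancestry"])), "then", r["followed_by"])
```

On the sample data the answer for the first alert is a regulated, high-criticality workstation where winword.exe spawned an encoded PowerShell that made the connection and then ran whoami and net user, which is a ticket nobody needs to raise to a stakeholder. The second alert, the same signature against the Linux host, is flagged as an OS mismatch before an analyst spends time on it.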
For individual corporations or customers who rely on MSSPs to deliver skills and expertise, EDR is a fundamental technology that is not optional. It's a foundational requirement of the next-generation security operations center and the primary reason we'll collapse the average ~250-day gap between attack initiation and discovery. John Markott is a Director of Product Management at Carbon Black. His mission is to help managed security service providers and incident-response firms ride the wave and reap the rewards of next-generation endpoint security. With nearly two decades of experience in InfoSec, ...
The Duo Security report found that third-party updating tools installed by default threatened customers of Dell, HP, Lenovo, Acer, and Asus.
The updaters frequently expose their programming interfaces, making them easy to reverse engineer.
Even worse, the updaters frequently fail to use transport layer security encryption properly, if at all.
As a result, PCs from all five makers are vulnerable to exploits that allow attackers to install malware. "Hacking in practice means taking the path of least resistance, and OEM software is often a weak link in the chain," the Duo Security report stated. "All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can't protect you when an OEM vendor cripples them with pre-installed software." In short, every single manufacturer was found to ship pre-installed updaters that allowed someone able to intercept and alter a PC's network traffic (say, someone on the same unsecured Wi-Fi network, or a rogue employee at an ISP or VPN provider) to execute code of their choice with System-level privileges.
The updaters are mostly used to deliver new versions of software and bloatware that come pre-installed on new PCs and are separate from Microsoft's Windows Update, which is widely believed to be secure.
The report provides a strong reason why it's a good idea to wipe newly purchased machines and reinstall Windows minus all the custom crapware.
At a minimum, third-party software should be uninstalled or blocked using a firewall.
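The two failures the report describes, an update channel with no transport security and a downloaded binary that nothing ties to the vendor, are easiest to see next to the checks that close them. The following is an added example in Python, my own reconstruction of the pattern rather than code from any OEM or from the Duo report. The weak version fetches a manifest and a binary over plain HTTP and trusts both. The hardened version insists on HTTPS with certificate and hostname validation, validates the manifest, refuses downgrades, and compares the payload's SHA-256 to the value in the manifest before returning it. The manifest format, the example.com URLs and the sample bytes are assumptions; the offline sample at the end stands in for the network so the checks can be exercised without one.

```python
import hashlib
import hmac
import json
import ssl
import urllib.request


class UpdateError(Exception):
    pass


# --- the pattern the report describes (reconstructed here, not any vendor's code) ---
def insecure_update(manifest_url):
    """Plain HTTP and no integrity check: whoever sits on the path chooses what runs as SYSTEM."""
    manifest = json.loads(urllib.request.urlopen(manifest_url).read())
    return urllib.request.urlopen(manifest["url"]).read()


# --- hardened equivalent ---
def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def version_tuple(v):
    try:
        return tuple(int(part) for part in v.split("."))
    except ValueError:
        raise UpdateError(f"malformed version {v!r}")


def parse_manifest(raw, current_version):
    """Validate the manifest before trusting anything in it."""
    try:
        m = json.loads(raw)
    except ValueError as exc:
        raise UpdateError(f"manifest is not JSON: {exc}")
    for key in ("version", "url", "sha256"):
        if key not in m:
            raise UpdateError(f"manifest missing {key}")
    if not m["url"].startswith("https://"):
        raise UpdateError("payload URL must be https")
    if version_tuple(m["version"]) <= version_tuple(current_version):
        raise UpdateError("manifest offers no newer version (downgrade or replay)")
    digest = m["sha256"].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise UpdateError("malformed sha256")
    return {"version": m["version"], "url": m["url"], "sha256": digest}


def tls_context():
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check against the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def secure_update(manifest_url, current_version, fetch=None):
    """Return (version, payload) only if every check passes; raise UpdateError otherwise."""
    if not manifest_url.startswith("https://"):
        raise UpdateError("manifest URL must be https")
    if fetch is None:
        ctx = tls_context()

        def fetch(url):
            return urllib.request.urlopen(url, context=ctx, timeout=30).read()

    m = parse_manifest(fetch(manifest_url), current_version)
    payload = fetch(m["url"])
    if not hmac.compare_digest(sha256_hex(payload), m["sha256"]):
        raise UpdateError("payload hash does not match manifest")
    return m["version"], payload


def try_update(manifest_url, current_version, fetch):
    """Demonstration helper: ('ok', version) or ('error', reason)."""
    try:
        version, _ = secure_update(manifest_url, current_version, fetch)
        return "ok", version
    except UpdateError as exc:
        return "error", str(exc)


# --- constructed offline sample (no network): a manifest, its payload, and an on-path tamperer ---
SAMPLE_PAYLOAD = b"MZ\x90\x00 fake installer bytes for the example"
PAYLOAD_URL = "https://updates.example.com/agent-2.1.0.exe"
MANIFEST_URL = "https://updates.example.com/manifest.json"
SAMPLE_MANIFEST = json.dumps({"version": "2.1.0", "url": PAYLOAD_URL, "sha256": sha256_hex(SAMPLE_PAYLOAD)}).encode()


def honest_fetch(url):
    return {MANIFEST_URL: SAMPLE_MANIFEST, PAYLOAD_URL: SAMPLE_PAYLOAD}[url]


def mitm_fetch(url):
    """Same manifest, but the attacker on the path swaps the binary."""
    return honest_fetch(url) if url == MANIFEST_URL else b"MZ\x90\x00 attacker payload"


if __name__ == "__main__":
    print(try_update(MANIFEST_URL, "2.0.0", honest_fetch))
    print(try_update(MANIFEST_URL, "2.0.0", mitm_fetch))
```

The hash in the manifest is only as trustworthy as the channel the manifest came over, which is why the HTTPS requirement is not optional here. The step this example leaves out is an independent signature on the manifest or an Authenticode check on the binary against a pinned vendor key, which would also cover the case where the update server itself is compromised.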
They’ll learn of breakthroughs made in discovering new varieties of evidence left when users and software interact with the OS. This almost-naturally occurring residue exists without monitoring software present, and is far more comprehensive than log file data. Yet, despite its promise of new visibility into security breaches and the privacy implications of a forensic trail on our PCs and phones, it will receive little publicity. Unlike new malware and vulnerability research, there’s no financial incentive for forensic researchers to shout findings from the mountain tops.
Vendors typically pay bounties for vulnerabilities; for new forensic "artifacts," they generally do not. Years ago, Apple was "Slashdotted" for tracking user GPS coordinates, and Facebook for not stripping GPS data from images. Yet outside these two cases of vendors "patching" away GPS artifacts, most have seemingly resigned themselves to the fact that forensic tools will learn an uncomfortable amount about us.
Little Publicity for Shocking Forensic Discoveries
Outside of the GPS tracking stories, little media attention has been paid to forensics. Possibly the research has been ignored because it's not as sexy as stories of hacked planes or lawsuits over vulnerability disclosure.
In the media’s defense, the forensic privacy onslaught has occurred in tiny increments, and with a technical subtlety few would appreciate. Several years ago, for example, someone decoded the .bmc bitmap-cache files that the Windows Remote Desktop client leaves behind on the connecting machine after a session to a remote Windows system.
Encoded in these files were partial screen images, sent tile-by-tile during a Windows session.
In forensic circles, many were shocked: they’re leaving behind images of all our remote Windows sessions, really? Outside forensic circles, no one noticed.
By itself this is not a headline, yet it adds another piece to the puzzle, allowing investigators to take a machine and travel back in time to see almost all prior activity. It’s not just about what users leave behind; there is a wealth of evidence left when malware runs, but the user trail is increasingly helpful during security breaches.
Since the InfoSec group can’t patch employees, social engineering attacks are today’s most common entry point, and they leave plentiful evidence. The forensic motherlode, though, accrues during the command-and-control phase of a breach, which plays out over many months.
Bad actors own boxes, steal credentials, and hijack user accounts early in yearlong breaches.
In many cases, user accounts are used to remotely log into new machines and search for sensitive data.
These breadcrumbs are remarkably similar to those of whistleblowers or disgruntled insiders.
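One way to pull that trail out of logon records, as an added example that is not part of the original article: given remote logons extracted per account (for instance from Windows Security event 4624 with LogonType 10), establish which hosts each account reached during a baseline period, then list, in order, the hosts it reached for the first time afterwards. The record format, the account and host names, the timestamps and the cutoff date are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Logon is one remote logon as an examiner would extract it, for example
// from Windows Security event 4624 with LogonType 10 (RemoteInteractive).
// The field names are this example's own.
type Logon struct {
	When    time.Time
	Account string
	Source  string // workstation the session came from
	Dest    string // machine logged into
}

// sampleEvents is constructed data, one logon per line:
// RFC3339 time|account|source workstation|destination host
const sampleEvents = `
2016-05-02T09:12:00Z|jdoe|WS-17|FS01
2016-05-03T09:30:00Z|jdoe|WS-17|FS02
2016-05-04T08:55:00Z|msmith|WS-22|FS01
2016-05-10T10:01:00Z|jdoe|WS-17|FS01
2016-06-01T02:03:00Z|jdoe|WS-17|FS01
2016-06-01T02:11:00Z|jdoe|WS-17|HR-DB
2016-06-01T02:40:00Z|jdoe|WS-17|FIN-SRV
2016-06-02T01:58:00Z|jdoe|WS-17|DC02
2016-06-02T09:00:00Z|msmith|WS-22|FS01
2016-06-03T03:10:00Z|jdoe|WS-17|HR-DB
`

// cutoff separates the baseline period from the period under investigation
// (constructed for the example).
const cutoff = "2016-05-15T00:00:00Z"

// parseLogons parses the pipe-separated records and sorts them by time, so
// that "first reached" below means first in wall-clock order.
func parseLogons(raw string) ([]Logon, error) {
	var out []Logon
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f := strings.Split(line, "|")
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, Logon{When: ts, Account: f[1], Source: f[2], Dest: f[3]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].When.Before(out[j].When) })
	return out, nil
}

// baselineHosts returns, per account, the destinations seen before cutoff.
func baselineHosts(logons []Logon, cut time.Time) map[string]map[string]bool {
	base := make(map[string]map[string]bool)
	for _, l := range logons {
		if !l.When.Before(cut) {
			continue
		}
		if base[l.Account] == nil {
			base[l.Account] = make(map[string]bool)
		}
		base[l.Account][l.Dest] = true
	}
	return base
}

// newHostChains returns, per account, the ordered list of hosts first reached
// after cutoff that were never in that account's baseline: the lateral
// movement trail. Accounts that only revisit baseline hosts are omitted.
func newHostChains(logons []Logon, cut time.Time) map[string][]string {
	base := baselineHosts(logons, cut)
	chains := make(map[string][]string)
	seen := make(map[string]map[string]bool)
	for _, l := range logons {
		if l.When.Before(cut) || base[l.Account][l.Dest] {
			continue
		}
		if seen[l.Account] == nil {
			seen[l.Account] = make(map[string]bool)
		}
		if seen[l.Account][l.Dest] {
			continue
		}
		seen[l.Account][l.Dest] = true
		chains[l.Account] = append(chains[l.Account], l.Dest)
	}
	return chains
}

// analyzeSample runs the analysis over the constructed records.
func analyzeSample() (map[string][]string, error) {
	logons, err := parseLogons(sampleEvents)
	if err != nil {
		return nil, err
	}
	cut, err := time.Parse(time.RFC3339, cutoff)
	if err != nil {
		return nil, err
	}
	return newHostChains(logons, cut), nil
}

func main() {
	chains, err := analyzeSample()
	if err != nil {
		panic(err)
	}
	for acct, hosts := range chains {
		fmt.Printf("%s reached new hosts, in order: %s\n", acct, strings.Join(hosts, " -> "))
	}
}
```

On the constructed data only jdoe shows a chain (HR-DB, then FIN-SRV, then DC02, all in the small hours); msmith keeps to baseline hosts and is not reported. The same output for a legitimate user and for a stolen account is exactly the ambiguity the text describes: the chain tells an examiner where to look, not who was at the keyboard.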
As a matter of fact, it often takes a forensic investigation to distinguish between internal and external threats.
Forensic Professionals Are Paid for Discretion
I think another reason forensics flies under the radar is its culture of discretion, which stems from the circumstances of a forensic examiner’s job. Within corporations, they may work with InfoSec, compliance, HR, or even legal departments.
They might read your work email, or -- having investigated intellectual property cases -- might be one of the few knowing all 11 of KFC’s herbs and spices. Hell, they’ve even seen your CEO’s browsing history.
Think about how personal that might be, especially in the BYOD era, where business and personal mix within our phones and tablets. I’ve heard a forensic examiner call one’s browsing history a “window into the soul.” Browsing history is apparently interesting for even the most bland user. “Everyone has a dark side, or different personality on the Internet,” the examiner said.
But, again, while forensic visibility into our browsing habits might be a concern for our individual privacy, it also allows forensic security professionals to investigate links clicked in phishing emails, or activity related to malicious “watering hole” sites. Forensics’ culture of discretion runs even deeper outside corporate circles.
There’s a good chance an examiner may have spent time in law enforcement, or done forensics for the military or intelligence agencies.
At a conference like HTCIA or EnFuse, be careful discussing work over a few beers.
Internal filters are often broken, as yours would be if you’d seen the disturbing crimes they’ve seen.
For instance, I learned what it sounds like when an estranged wife dissolves her unconscious husband in a giant barrel of acid.
Don’t worry, I won’t tell the serial killer stories here.
From Law Enforcement to Cyber War
Simon Key, who develops training curriculum for a leading forensic security company and presents original research every few years, is an example of one such colorful fellow.
Simon was a sergeant in the UK’s Northamptonshire Police. His forensic work related to cases of stolen property, drug trafficking, and a murder or two, but the majority of his work involved child abuse images.
Simon Key was part of “Operation Avalanche,” one of the larger child pornography investigations, which saw 100 arrests and 144 suspects. While forensics provides visibility into computers which convict bad guys, the truth can also set men free. Mr. Key was able to examine old cached Web pages to determine which users were actual pedophiles versus those visiting in the context of a payment gateway for a legitimate adult site. As a forensic researcher, Mr. Key is best known for a nifty trick for locating long-deleted file fragments: hash known files in fixed-size pieces called blocks, then search the disk for blocks whose hashes match, so that even a partially overwritten file can be identified. He has also reverse-engineered numerous Mac OS X artifacts, including QuickLook images, which can contain the rendered content of files.
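The block-hashing trick mentioned above, as an added example (not Mr. Key’s or Guidance Software’s code): hash every 512-byte block of a known file, then scan a raw image sector by sector, ignoring file system metadata, for blocks with matching hashes, so that a file whose directory entry is gone and whose first block has already been overwritten is still identified from its surviving blocks. The reference file, the image and the 512-byte block size are constructed here; all-zero blocks are skipped because they match everywhere, and a real tool would suppress other common blocks as well.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// blockSize is one sector: a deleted file survives, or is overwritten, at
// sector granularity, so that is the unit worth hashing.
const blockSize = 512

// Hit records a block of the known file found somewhere in the image.
type Hit struct {
	Offset int // byte offset of the matching block in the image
	Index  int // which block of the known file it is
}

func blockHash(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// isZero reports an all-zero block; such blocks occur everywhere, so a match
// on one proves nothing and they are skipped on both sides.
func isZero(b []byte) bool {
	for _, c := range b {
		if c != 0 {
			return false
		}
	}
	return true
}

// knownBlockHashes hashes every full block of the reference file, mapping
// hash -> block index. A trailing partial block is not hashed: on disk it
// shares its sector with slack and would not match reliably.
func knownBlockHashes(file []byte) map[string]int {
	known := make(map[string]int)
	for i := 0; i+blockSize <= len(file); i += blockSize {
		blk := file[i : i+blockSize]
		if isZero(blk) {
			continue
		}
		known[blockHash(blk)] = i / blockSize
	}
	return known
}

// scanImage walks a raw image one sector at a time and returns every block
// whose hash is in the known set, in image order.
func scanImage(image []byte, known map[string]int) []Hit {
	var hits []Hit
	for off := 0; off+blockSize <= len(image); off += blockSize {
		blk := image[off : off+blockSize]
		if isZero(blk) {
			continue
		}
		if idx, ok := known[blockHash(blk)]; ok {
			hits = append(hits, Hit{Offset: off, Index: idx})
		}
	}
	return hits
}

// sampleFile is a constructed reference file: four full blocks plus a
// 100-byte tail, with content that makes every block distinct and non-zero.
func sampleFile() []byte {
	f := make([]byte, 4*blockSize+100)
	for i := range f {
		f[i] = byte((i*7 + i/13) % 251)
	}
	return f
}

// buildSampleImage is a constructed 16-sector image: filler everywhere, the
// reference file written sector-aligned at sector 4, then its first block
// overwritten, as happens when a deleted file's space is partly reused.
func buildSampleImage(file []byte) []byte {
	img := make([]byte, 16*blockSize)
	fill := []byte("unrelated slack ")
	for i := range img {
		img[i] = fill[i%len(fill)]
	}
	copy(img[4*blockSize:], file)
	copy(img[4*blockSize:5*blockSize], bytes.Repeat([]byte("NEW!"), blockSize/4))
	return img
}

func main() {
	file := sampleFile()
	known := knownBlockHashes(file)
	for _, h := range scanImage(buildSampleImage(file), known) {
		fmt.Printf("block %d of the known file found at image offset %d\n", h.Index, h.Offset)
	}
}
```

On the constructed image, blocks 1, 2 and 3 of the reference file are reported at sectors 5, 6 and 7; block 0 is gone under the new data, and the 100-byte tail is never hashed. Three of four blocks is enough to say the file was there, which is the point of the technique.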
Sorry, Mr. Mac user: that private file you took painstaking steps to encrypt may have had some of its content captured in QuickLook artifacts, where it can reside on your disk for years.
A privacy annoyance for sure, yet when Macs are hacked and sensitive data is encrypted before exfiltration, this artifact can help assess the damage.
Forensic Research Matters
Traditionally, the security industry has focused on malware, email filters, and patching machines. Yet, we must look at the bigger picture.
The promise of perimeter defense is gone.
Breaches are now fought inside our walls, over many months, and across many endpoints. We should start looking at where breaches intersect user accounts -- initially, during delivery of social engineering attacks against employees, and then in the many-month campaigns of lateral movement and exploration of sensitive data, which often involve remote sessions from compromised accounts. In an age where so much of our lives is touched by the Web and mobile computing, and where our hidden personal lives leave forensic residue everywhere, society should pay more attention to this summer’s digital forensic discoveries.
Paul Shomo is a senior technical manager at Guidance Software, Inc. He first joined Guidance's new product research group in 2006, which launched the industry's first incident response solution.
For years Paul managed and architected cybersecurity and forensic products, and ...