Increasing Risk by Using Encryption

Most companies are implementing (or already have) encryption of local data to prevent loss from a compromise of security.  There are two obvious concerns when thinking about using data encryption.

First, is it reducing your real risk?  Most encryption starts out as a defense against physical compromise.  For example, a hard drive walking out the door.  Well and good, but what is your risk of physical compromise?  Do you even know your ALE (annualized loss expectancy)?  Because it’s become policy, most companies don’t even bother with the cost/benefit, but it’s always good to know the real value of an effort, if for no other reason than to understand how reasonable the regulatory burden is.

The real problems start once encryption is in place and executives know the language, but don’t comprehend the true functionality.  In several situations, senior management has looked at a network security incident and expressed little concern thinking that encryption protected them from harm when encryption did no such thing, and the intruders would have been free to pilfer online data had they desired to do so.  Encryption methods vary, but be sure management is clear on what risks are or aren’t mitigated, to prevent a false sense of security.

The other added risk that typically goes unremarked is the risk of data loss.  Encryption is a harsh mathematical reality, and when it goes wrong, there’s typically nothing we can do except go to backups and restore the data.  In some instances, encryption can add mandatory operational steps that seriously complicate data integrity efforts, requiring extensive procedural compensation to reduce risk to acceptable levels.  This can add significant costs to an encryption program.  Worst of all, failure to identify these preventable loss risks up front may mean a serious data loss incident down the road.  Meticulous processing, planning, and testing is not usually within a business budget, yet is required when dealing with encryption.  Vendors will never bring up the difficulties of using their software, so using it safely requires thoroughly understanding how it works and how it fits into the business.

Encryption is a good tool, but it’s just one of many, and like any tool, can be a good thing or a bad thing.  It’s good when it saves the company from data loss, and it’s bad when you lose the password and can’t recover 3TB of image data.

Education Session on Consulting Practices

Digital Trust’s founder is going to be presenting a short how-to on building a consulting business over at on January 10th at 1200EST. Please join us for an informative talk and for questions after. If you can’t make the time, the talk will be taped and available via the concise-courses website.

If you’re at shmoo in Feb, catch up with us then for more in depth discussions about running the business.

Bsides DE 2012

So, admitting for the nonce that our graphics abilities are limited to ms-paint, we’ll opt not to post any of the action shots until we figure out how to layer xparent gifs onto jpgs.  Hey, we’re an ePreservation and analysis shop, primarily, give us a break.

The show was a kick and we had at least 30 people pop their first lock at the key impressioning rig.  We were lucky enough to get some input from Deviant and now we’ve got a better pathway for key impressioning training which means the contest next year at Hack3rcon & BsidesDE (primary) should be capital.

We did teach impressioning to at least a dozen people, and by teach, we mean convey the rudimentary understanding necessary to achieve complete frustration in 15 minutes on a normal 5 pin lock.  But it’s a start.  Impressioning is *hard*.

There’s no next show for the rig to attend until next year’s Hack3rcon, but if by some miracle we make it into shmoocon as a vendor (our fallback plan for not getting a talk accepted or sponging a ticket) we’ll bring the rig for the table as well as our awesome espresso machine (srsly, shmoogroup, an espresso machine on the vendor floor, what more could you want?).

But back to BsidesDE.  Since we were manning the booth, there wasn’t a lot we could see, but there were some cool things going on in the hallway, with discussions on class 3 trusts (something we’ve demonstrated interest in previously) and inheritance, courtroom testimony, fraudsters, and how the hell we were going to get shmoo tickets.

The most exciting part of the show for us was the live auction to benefit Hackers For Charity.  We nicked a pair of coins that escaped our grasp at hcon in October, to the dismay of several.

Backtrack Challenge Coin

NSA Front

Sorry guys, no hard feelings.

What really got the auction wound up was the offer of a shmoocon ticket.  Being rather interested, we jacked up the bidding into insipid zone, and there was nobody else interested at that level.  But this was for HFC, after all, so we sweetened the deal by tossing in a bottle of absynthe owned by @JadedSecurity (we drank the last one, so we owed him one), special absynthe you can’t get in the US, and the price jumped another $100  which made us happy enough to let it go at that price.

Jaded’s bottle will be going to shmoo with or without him, and into the hands of stranger.  Lucky for us we’ve got *another* bottle of even better absynthe to bring for Jaded, provided we get a ticket somehow.


So next BsidesDE will have the new and improved locks rig, with 24 distinct locks of varying difficulty, and we will be a 5 year running sponsor!!!  Speaking of which, AWESOME, gang! (pic coming)  Thanks for the honor of letting us help sponsor the show.  We’ll try to line up something special contest wise to make it exciting.  Hmm.  How about a forensics challenge AND a locks challenge!  MINIONS!!!  Make it so!

Excellent job, DD and KF, see you next year after the “merger”.  😉

Badges came from @MakeItUrz, and you can see the rest of the con badges here, eventually.

Hack3rcon 3

Hack3rcon 3 was a success, at least as far as we’re concerned.  The lock wall and impressioning contests were a lot of fun and drew quite a bit of traffic.  We’ll definitely be doing that again.  Congratulations to PunkAB for winning the contest, and thanks again to Front Sight for providing prizes.  We can’t wait to get back to both hack3rcon and Front Sight for more valuable training.

The 3 day event was full of great lectures, discussions, and food.  Charleston did not disappoint with a bunch of new or remodeled restaurants.  You’re a cool city, Charleston, stay classy.  Thanks to the 304geeks for awesome support, and IronGeek for his usual outstanding video support.  Full blown corporate sponsorship was a treat, so thanks to all of you, especially

Highlights from the show would have to include rel1c breaking a key in a lock, PunkAB mangling one of the locks, and 40 or so geeks descending on a sports bar.  One of them with a TV remote controller.  We had at least a dozen people pop their first locks, and taught impressioning to a dozen more, and even some bump key theory.  Thanks to DEFCON and Jos Weyers for the inspiration for the contest.  Notably, we finished the weekend with all tools accounted for, proving once again that although hackers engage in the same activities as criminals, they are generally some of the most trustworthy people on the planet.

The party, in case nobody mentions it elsewhere, was fantastic.  When all you need is good friends, the addition of strange new forms of music, pool tables, and good food and drink make it that much more fun.

In addition, Digital Trust would like to thank our supporting partners, BodyTeeze and PostUpStand.

Finally, we promise *promise* to do something technical next year, assuming the world doesn’t end on 12/21.

Disgusting Sales Tactics

We’ve belabored the morality of sales previously, but something has arisen prompting an additional emphasis on slimy sales tactics and the scum that practice such disgusting habits.

It was brought to our attention that one of the top vendors in the forensic market, and we mean top, had contacted non-clients under the guise that they were existing customers in an attempt to upsell them products based on product they didn’t own. This is a tactic used by copier fraudsters and not something that we should see from a respected forensic vendor. It’s disturbing. If you work at one of the top vendors of forensic software, I urge you to contact your sales managers and emphasize to them the moral hazard in such tactics before they attract charges of fraud. If it’s not stopped, and we continue to see it used, we will publish the emails of the scumbags and disclose the company involved. Get your business together, gentlemen, or we will clean it up for you.

Professional Certifications

Are certifications necessary for eDiscovery and eForensics experts and technicians?  While the strict answer is “no”, because we’re managing okay at the moment, as a profession, the long term answer is “yes”, because of the number of mistakes made by ignorant parties, whether it be the collector, the processor, the lawyer, the client, or the opposition.  The only person paying the price for screw-ups is the legal client.  Worse, the technical people screwing up (who aren’t really all that technical) usually don’t carry insurance, because they have no idea what they are doing to begin with.  While any bar to entering a field is a last resort, here, as in law enforcement, medicine, and law, it appears necessary.

People who have never gone through a grueling evidence deposition cannot comprehend what they are up against.  In some cases, they may be backing up data using “”, while in others, they may be skipping deleted files.  The opportunity for mistakes that end up costing the client the case is nearly endless, and now that lawyers are beginning to get acclimated to the new materials, negative outcomes are going to increase if the integrity of the profession isn’t maintained.

Those of us in the field for a time have seen how it’s evolved.  We know that we do things differently now.  We’ve been educating legal teams since the beginning, and now they’re starting to ask really good questions.

We can’t allow some tech-school dropout with a boot disk to take on clients.  While there is room for error and room for a wide variety of techniques, we all know that there are some people who are doing it wrong, and the client pays the price.

So certification becomes necessity.  Or perhaps voluntary.  Although any attorney who voluntarily worked with an untested, uncertified technician might be skirting professional misconduct.  We all have a duty here.

The certifications can be from multiple sources, and should be, to keep the market competitive.  In every market where a single standard has come to dominate, pricing becomes fixed and quality suffers.  There are quite a few, sometimes called paper tigers, sometimes called barriers, but they all lower the quality of work in those areas.

The certifications shouldn’t be long or overly burdensome.  It’s okay to assume a baseline knowledge and to test based on that.  Computer science isn’t a bad place to start, although there are specialty degrees now.  Assuming at least a college level education is warranted, since these experts need to document and testify.  Could be law, law enforcement, or other related disciplines with additional experience and/or training.

One thing it shouldn’t require is PI licensing.  This should be optional, but required for experts working alongside law enforcement.  Or an LE background.  For non-criminal legal cases, it’s completely unnecessary.  Digital Trust’s entire practice is civil litigation and compliance issues; what good will a PI license do us, other than create a barrier to work?  So don’t mandate PI licensing.

But some certification is warranted, and it needs to be beyond vendor specific certification.  While nVendor might include some non-technical topics in their training, it would be better if tool vendors stuck with tool training and left legal training to outside agencies.  Unless they enjoy the liability that follows along.

While certification may be a pain for professionals, it does provide the client with a reasonable assurance that they are being assisted by adequate technical experts and not some person who’s going to cost them the case.  And without the client, what’s the point?  So let’s get this certification thing figured out right, and not just throw PI at it.

Travelling Tips for Wonks

This post is for the INFOSEC people that we know, and especially for the ones we haven’t met yet, as it’s about traveling, meeting fellow professionals, and maybe getting leads and/or valuable new contacts.

This profession, more than any other, seems to thrive on ‘cons (conventions), but sometimes, you want to travel someplace that doesn’t have a ‘con or just doesn’t have one going on at the right time.  In these cases, there are places you can turn to, to make the best of a bad situation.

First, do you have friends there from cons that you can visit?  If so, Bob’s your uncle.

Second, while there might not be an INFOSEC show of any sort, there are plenty of other options.

There are local user groups, in particular, chapters for the ISC2, ISACA, and AITP.  While it might not be as much fun as hack3rcon, it’s a business connection you can use.

There are local hacking groups, as well as maker groups.  Any of these can usually be reached out to for a get together.

A good source of event lists is here:  Just plug in your city, and it should give you a list of possibilities.

So if you need to travel, you can usually tie it to business.  You get to write off the trip, and you get to meet new folks in the industry.


Why Your Company Must Do Something

Must is such a charged word.  So when someone tells you, you must do something, it needs to be something worthy of the grand imperative.

If you’re a large company, especially a publicly held company, and you are providing remote access for internal users, either email, or VPN, or anything really, and you’re not using a secondary form of incident detection, you are (in our opinion, which is not legal advice) a negligent fool, putting the entire company at risk of catastrophic loss.  There’s a list of things you *should* be doing.

That’s pretty strong language.  Put another way, if you’re not operating (and testing, and verifying) a detection system for evil access attempts, you’re an idiot.  And if it comes out in some sort of court case, you’re going to get slaughtered.  Unless opposing counsel is equally dim (we’re available for consult in such situations).

This detection stuff is IN ADDITION to any sort of strong or secondary authentication scheme.  Strong authentication only gets you so far.  It knocks off the low end evil-doers.  It does nothing to stop the more sinister, serious bad guys.

What makes it truly damning as a failure to execute by management is that detection is such a simple addition.  It’s not expensive, it’s not complicated.  It can be done with a tiny outdated computer, freeware linux, and a couple of shell scripts.  Which is why, if you’re not doing it, you deserve to be hung by the thumbs at the shareholders’ leisure.  Or your customers’.  Whoever will be most angry that hackers broke into your company and stole your precious data.
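As an added example of the “couple of shell scripts” kind of detection the paragraph has in mind (this is not the post’s own script), here is a POSIX sh script that reads sshd entries in the classic auth.log layout, flags sources with a burst of failed logins, and flags the more telling pattern of a successful login from a source that had already failed repeatedly. The log lines are constructed sample data using documentation-range addresses; the threshold, function names and output format are this example’s own choices.

```shell
#!/bin/sh
# Constructed sample sshd log lines (auth.log layout); not real data.
write_sample_log() {
  cat > "$1" <<'EOF'
Dec  3 01:02:11 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  3 01:02:13 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Dec  3 01:02:15 gw sshd[1203]: Failed password for root from 203.0.113.7 port 51026 ssh2
Dec  3 01:02:17 gw sshd[1205]: Failed password for root from 203.0.113.7 port 51028 ssh2
Dec  3 01:02:19 gw sshd[1207]: Failed password for bob from 203.0.113.7 port 51030 ssh2
Dec  3 01:02:21 gw sshd[1207]: Accepted password for bob from 203.0.113.7 port 51030 ssh2
Dec  3 08:15:02 gw sshd[1310]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Dec  3 08:15:09 gw sshd[1310]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
Dec  3 09:00:00 gw sshd[1401]: Accepted publickey for carol from 192.0.2.10 port 33000 ssh2
EOF
}

# failed_logins_by_source LOGFILE THRESHOLD
# Prints "<count> <ip>" for every source address with at least THRESHOLD
# failed password attempts (a brute-force / password-spray indicator).
failed_logins_by_source() {
  grep 'Failed password' "$1" \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# success_after_failures LOGFILE THRESHOLD
# Prints "<user> <ip> <failures>" for each successful login whose source had
# already accumulated at least THRESHOLD failures earlier in the log. A burst
# of failures followed by a success is the pattern a pure lockout policy or
# firewall never surfaces on its own.
success_after_failures() {
  awk -v t="$2" '
    /Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    /Accepted (password|publickey)/ {
      user = ""; ip = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "for")  user = $(i + 1)
        if ($i == "from") ip = $(i + 1)
      }
      if ((ip in fails) && fails[ip] >= t) print user, ip, fails[ip]
    }' "$1"
}

# report LOGFILE THRESHOLD
# Prints both findings and returns non-zero when anything was flagged, so a
# cron job can chain it with a mail or pager command.
report() {
  flagged=0
  bursts=$(failed_logins_by_source "$1" "$2")
  wins=$(success_after_failures "$1" "$2")
  if [ -n "$bursts" ]; then
    printf 'Sources with >= %s failed logins (count ip):\n%s\n' "$2" "$bursts"
    flagged=1
  fi
  if [ -n "$wins" ]; then
    printf 'Successful logins preceded by >= %s failures (user ip failures):\n%s\n' "$2" "$wins"
    flagged=1
  fi
  return $flagged
}

# Stand-alone demo: write the constructed log to a temp file and report on it.
demo() {
  demolog=$(mktemp)
  write_sample_log "$demolog"
  report "$demolog" 3 || echo "ALERT: suspicious remote access activity, review $demolog"
  rm -f "$demolog"
}
demo
```

Run it from cron against the real auth.log (or the VPN concentrator’s syslog feed, after adjusting the two patterns) and pipe the output to whatever wakes a human up; the second check, a success that follows a run of failures, is the one worth paging on, since the attempt has already stopped being noise.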

It’s not even hacking, really, since a monkey could be trained to do it.  Still criminal, though.

Without detection apparatus, you are so far off base as to be playing a different game.  Tiddlywinks, maybe.  Ball and jacks.  The disdain that should be leveled at such companies in the here-and-now is extreme.  You may as well just resign in disgrace now, and save us all the trouble of a court case down the road.  This is negligence.  Gross negligence, in the disgusting sense, not the legal sense; that’s for a jury to decide.  [update] Here’s an excellent current legal example of negligence in action and the legal implications.  If you fail to do something so obvious that an average person would think it should have been done, you are negligent.  Ask a lawyer to explain negligence law, we’re just geeks.

And if you’re not a large company, take a second look at that part above where we describe how easy it is to set up monitoring.  Do it.  You don’t need $100,000 custom supercomputers with lots of shiny blinking lights.  They have some neat bells and whistles, but the fundamentals are available for less than $1000.  So do it.

If you’re a tiny company, you shouldn’t be providing that sort of remote access.  Use gotomypc.

ftp, smtp, http, https, smb, rdp, etc…: we see these things too often still, publicly accessible, with no secondary level of security.  Shame on you.  3rd graders can break into your company undetected using smart phones.  It’s 2012, and it’s high time we started holding people accountable for lax security.


Fixing Omissions in 5 Questions

A recent issue of a leading security magazine published an “advertorial” with a few missing pieces; we aim to correct the lapse, or at least make a few tweaks that might improve the result.

The main change in data since computers entered the business scene is the density and ubiquity.  That’s correct in our opinion, but neglects to explain why it’s important, which was part of the question.  It’s important to enterprise IT for one reason, competitive advantage.  That’s business 101, and we’re surprised something that fundamental got overlooked.  So that’s fixed.  C/A, for anyone not familiar with the term, is simply some advantage one company has over another.  It can be technology, funding, personnel, knowledge, IP, or anything that differentiates one company from another.  In simple terms, one could claim that Coke has a competitive advantage over Pepsi because it tastes better.  Or vice versa.  That one’s a holy war, like vi vs any other pathetic excuse for an editor.  C/A is what usually lets one company win, unless it has disadvantages that counteract that advantage.  Like Sony and Betamax.  And competitive advantage degrades over time, which means ongoing development is necessary.

New examples of types of data breaches are kind of problematic.  0-day, in particular, is something that’s been around since the dawn of hacking.  0-day isn’t really a type of breach, whereas PHI exposure is, but that’s not new either.  A better answer would have been blended threat, but that’s not entirely new, or the Lollable APT buzzword.  The best answer, in our opinion, is not the technique employed but the crimes, since we’re asking about a form of breach.  In which case, massive parallel bank fraud comes to mind.  That’s new.  Not too long ago, less than 10 years, it would have been very, very difficult to pull off a heist using 1000 fake credit cards.  It’s a hell of a lot easier now.  Are the credit card numbers the actual breach, or is draining the accounts the breach?  Meh.  Here’s a solid “new” example: exposing 10,000,000 patient records in a single breach.  Hasn’t happened yet, but it will.  We’ve come close, so I’ll stick with that as a “new” breach.  To do that 10 years ago we’d have needed to raid multiple hospitals’ EMR applications or an insurer.  Still do, but it doesn’t pay as well as the credit card scams.  Come to think of it, there really isn’t any form of breach that is new; they’re all old hats, matched with shiny new technology.  They just happen bigger, better, faster.

As for why the traditional approach to data protection works, this question is poorly constructed.  For starters, by what definition?  According to a couple of famous sources, the traditional approach is to flush money down the toilet on a bunch of useless vendor solutions that don’t really secure anything, which we agree with.

Moats as defensive measures are sort of traditional, if we’re in the year 1217 fighting the Germans and Estonians.  The analogy of moats is about 30 years behind the times, but it’s workable, although we’re still looking for “smart screen filters” and keep getting this new Micro$oft thing, which couldn’t be considered a “traditional” approach.  The biggest failure in classical security (in IT; the real world has known this bit since at least the time of Pharaoh) is the lack of detection to supplement the use of access controls.  Alarms are wonderful things.  Locks are wonderful things.  Locks without alarms aren’t really that useful.  Security, and here is the 100% best definition ever, is a time based system (Schwartau).  So if 4 hour locks, 10 hour firewalls, and 20 hour social engineering education sessions fail, without alarms, you won’t know until you detect it by the article on page 1 of The Post.  And the bad guys win.  That, more than anything else, contributed to a lot of #fail in the past.  Why?  It’s difficult sometimes to write or build alarm systems.  And difficult, in the business world, frequently becomes “not done”.  Here’s a thought: consider it a “competitive advantage” while your competition is getting raided by foreign spies and you’re detecting the attempts and countering.

Encryption is a nice solution for security, although it doesn’t really solve anything, especially if we’re trading information across a border, which everyone is, and our partners are not encrypting.  Furthermore, claiming that encryption prevents data loss in a breach is absurd; it’s just another bit of time-based security like everything else.  Every data breach we’ve ever worked on or with involved compromised passwords and user accounts, and if you have the credentials, you have the encryption.  Unless they did a really bang up job on the encryption, in which case we’ll just go with screen shots or SE to get what we want.  Without detection, encryption has a reduced impact.  Without monitoring and oversight, it may actually hurt a company, since it creates a blind spot in the risk profile.  Companies should invest in a detection system way before investing in an encryption system.  Otherwise how will they know when someone didn’t encrypt something?

Look, if you want security, you need only a few things, and most of them can be had for free or for much lower costs than vendor solutions.  Follow the SANS Top 20, and invest in detection and alerting infrastructures.   And quality security personnel.  Stop trying to cheap out on security.  It’s just another business center, so treat it like one, and make your business partners treat it like one.



Espionage, Corporate or Government?

Recently, the comment was made in a SANS newsletter (awesome job guys, keep it up) that US government/commercial relations (Patriot Act or no) affect who does business in the US.

Editor’s Note (Pescatore): Of course, this is very much a two-way street. Many non-US companies see the Patriot Act as meaning that US-based technology services are government influenced and would put customer data at risk.

Let’s get real for a moment.  If you think that any sizable nation, say G20, isn’t abusing its ability at both the government and corporate level to obtain advantage of some sort, you are sadly out of touch with reality.  The commingling of commercial and government interests goes back to the dawn of spying.  While the majority of business and government goes unmolested (in our humble opinion), anything of “strategic” value, as defined by people with little or no oversight, is likely polluted and pilfered at will.  I’m sure it’s all done in a very professional manner, or companies would shutter their doors, but it’s done.

So when “some unnamed large company” comes to town, they are both target and suspect.  If you have intellectual property you’d like to keep secret, you’d better do a good job of it.  And if you want to do business in their home turf, you’d better do a good job of it.

While the spooks would love to be the ones holding the “no more secrets” card, as of today, we’re all still safe, provided we use quality encryption, and don’t screw up our practices.  If you send your sales people to a foreign land with all your pricing and customer data on an unencrypted laptop, you don’t deserve what you’ll get, but you sure deserve a swift kick in the profit centers.

Encryption and travel protocols are just part of the game now.  Keep up or get out.