Social Icons

Sunday, September 19, 2010

Browser Forensics - Not Simple

1.      Just read one book by Peter C.Hewitt on Browser Forensics.An eye opener for anyone....the amount of info that stands compromised whilst using any browser is astonishing.....

2.      Now in a normal routine maintenance when I used to clear my browser History,cookies and cache....when I used to remove unnecessary files using utilities like Glary Utilities,Cc Cleaner and Tuneup utilities....i used to think that there r no traces left...before I was introduced to Mandiant's Webhistory, Pasco, Galleta and IE Passview.

3.      I checked up first with Mandiant's Webhistory....an 8 MB file...simple to install,,,free.Web Historian is a program that allows an investigator to collect, display and analyze web history data using Mandiant Intelligent Response (MIR) technology. It seeks to provide a customizable yet simplistic interface to view and navigate voluminous amounts of web history data. Perhaps the most powerful feature is the ability to correlate and provide multiple views of the data (including graphical and timeline) through the Analyzer and Web Profiler tool, in the hopes that investigators can come to well-informed conclusions about the data quickly.

4.       So after I cleaned up my PC using every utility....and scanned the PC with this software....the result was like nothing has been removed...all what I had accessed in last few days stands out in a compiled tabulated form ready to be saved as a Excel file for record.So what exactly allows this info extraction in spite of assurances from utilities available.The most recent versions of Windows store information about the pages viewed by the browser in a file called index.dat. One of the index.dats, in turn, contains information pointing to other files used in the browsing session. Windows has 3 types of index.dat files, for the cache, history and cookie files, respectively.Obviously, viewing all 3 types will give us the best understanding of what browsing took place. So....its not simply erasing ur history that could save you at some time......there is much much more ........

Saturday, September 18, 2010

Root Kits : Hidden Undetected Threats

1. Malwares,trojans,adwares,spywares,virus,wormwares etc etc....protection vide Internet security editions by so many OEMs...and now rootkits(its not actually a recent development....)...has been in the threat making for about 10-12 years..but now the term is getting serious....so what actually are rootkits?


2. Rootkit is the term given to a group of utilities that hackers can misrepresent to keep access into a computer system once they have hacked into it. It gives them admission rights to find out usernames and passwords, allow strike against remote systems, remain hidden by erasing history from the system logs, and overabundance of various surreptitious tools.Rootkit is a combination of two words, “root” and “kit”. Root means supreme & Kit means a group of programs or utilities providing access to a user to retain a constant root-level contact to a terminal. The presence of rootkit ideally remains untraceable.

3. So more simply,they are a set of programs that can hide not only themselves but also other viruses, spyware, keyloggers and network traffic from normal antivirus and spyware removal software! Yes, a rootkit can infect your computer and take full control of it! You look inside a folder which contains rootkit files but you will see nothing. Why? Because the rootkit has told it to tell the user there are no files here. That is why, they are so dangerous and hard to detect......

4. BlackLight,RKDetector 2.0,RootkitBuster 1.6,RootkitRevealer 1.71 & Rootkit Unhooker 3.0A are few of the rootkit removal tools available...google for further details

ZERO DAY EXPLOIT : ???

1. While reading an article on Browser Forensics,came across this term "0-day" exploit....whats it all about?

2. A zero day exploit is a malevolent computer attack that takes capitalizes on a security hole before the vulnerability is known. This means the security issue is made known the same day as the computer attack is made. In other words, the software developer has zero days to prepare for the security breach and must work as quickly as possible to develop a patch or update that fixes the problem.This occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software.

3. Zero day exploits may involve viruses, trojan horses, worms or other malicious code that can be run within a software program. While most programs do not allow unauthorized code to be executed, hackers can sometimes create files that will cause a program to perform functions unintended by the developer. Programs like Web browsers and media players are often targeted by hackers because they can receive files from the Internet and have access to system functions.While most zero day exploits may not cause serious damage to your system, some may be able to corrupt or delete files. Because the security hole is made known the same day the attack is released, zero day exploits are difficult to prevent, even if you have antivirus software installed on your computer. Therefore, it is always good to keep a backup of your data in a safe place so that no hacker attack can cause you to lose your data.

Thursday, September 16, 2010

Cyber Warfare : It has started

1. I have been recently digging deep into reading "Tracking Ghostnet" & "Shadows in the cloud".Crisp,to the point,full of information,a must read for all IT Security savvy personnels.This is where I got to read about "The May 2007 DoS Attacks on ESTONIA".Brief about this Estonia Case below :

2. Subject attacks on Estonia capitallyy known as Estonian Cyberwar or Web War 1, refers to a series of cyber aggresses that began April 27, 2007 and deluged websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's row with Russia on some relocation issue of the Bronze Soldier of Tallinn.Most of the attacks that had any influence on the general public were distributed denial of service type attacks ranging from single individuals using various low-tech methods like ping floods to expensive rentals of botnets usually used for spam distribution. Spamming of bigger news portals commentaries and defacements including that of the Estonian Reform Party website also occurred.

3. Subsequent to the incident, a criminal investigation was conducted and On 24 January 2008, Dmitri Galushkevich, a student living in Tallinn, was found guilty of participating in the attacks. He was fined 17,500 kroons (approximately US$1,640) for attacking the website of the Estonian Reform Party.So surprisingly,after so much of damge had been done,so much of ministeries websites were defaced,the followup resulted in a single conviction of a Russian Living in ESTONIA.Imagine....one single person from Russia was found responsible for the cyber havoc that Estonia had to face.

4. The net and the cyber world is still in the stage of nascency and there is lots coming ahead for sure in future...like the events surfaced in the movie "Live Free or Die Hard".Every one across the globe today has realized the potential of Cyber warfare.....and the power is immense....anyone who is clear....stands as ONE MAN ARMY.....as cited through one eg above.

Wednesday, September 15, 2010

ORDER OF VOLATILITY OF DIGITAL EVIDENCE

1. Not all information-based evidence is the same! Evidence can be organized into an “order of volatility” meaning how long it will stick around for you to collect until it automatically is lost.

2. Dan Farmer & Wietse Venema created the below table of evidence volatility, which is commonly referenced by forensic professionals. For example, information stored on a CD-R or some optical storage media can last for about 10-100 years depending on the brand used. Information stored in a computer’s main memory, by contrast, will last for only tens of nanoseconds before it is wiped out by the computer’s normal processing.

TYPE OF DATA

LIFESPAN

Registers, peripheral memory, caches, etc.

Nanoseconds or less

Main memory

Ten nanoseconds

Network state

Milliseconds

Running processes

Seconds

Disk

Minutes

Floppies, backup media, etc.

Years

CD-ROMs, printouts, etc.

Tens of years

3. Very critical from forensics point of view.....most people would want to turn a computer off (or at the very least unplug it from the network) when they realize an incident has occurred. However, as noted in the chart above, one will lose evidence in main memory and “network state” information (which other systems the computer is connected with and what information they are exchanging) with such an approach. Even shutting down a computer the “normal” way (Start / Turn Off Computer / Turn Off in Windows XP) can delete evidence, as Windows performs a number of housekeeping tasks in the shutdown process, such as closing opened files and clearing out the temporary disk cache.

4. Thanks Peter C. Hewitt (Read from Browser Forensics).

Monday, September 13, 2010

New Gen BIOMETRICS : PALMSECURE from FUJITSU

1. Quiet often we seen biometrics fingers,palm,eyes,retina being chopped off in Hollywood movies for gaining illegal access to control rooms and secure areas by the bad man...so we used to think like there is no end and no permanent solution to this....now comes a solution to this problem wherein not the fingerprint or the palm print is taken as authentication model....it is the veins inside that exist inside the palm that matter and should match...now these veins should also be flowing blood to authenticate the logger.

2. Fujitsu provides a highly reliable biometric authentication system based on palm vein pattern recognition technology. PalmSecure™ features industry-leading authentication accuracy with extremely low false rates, and the non-intrusive and contactless reader device provides ease of use with virtually no physiological restriction for all users.Applications include :

  • Physical access control / Time and Attendance
  • User authentication to PCs or server systems
  • Government / Commercial identity management systems
  • OEM terminal devices (POS, ATMs or information kiosks)
  • Other industry-specific applications

3. More about this here.


Monday, September 06, 2010

E-Waste & Indian Policy

1. In my earlier blog posts at here,here & here ,issues of e-waste and its repurcussions were mentioned.....now seems like Indian govt has attempted to wake herself up and find a solution.In a recent development,Directorate of Revenue Intelligence (DRI) seized some containers in Chennai containing large quantity of such waste. The imports were made despite a prohibitory order in this regard. The containers were full of outdated computers and electrical waste. On further investigation, it was found that containers carried hundreds of tonnes of e-waste sourced from Australia, Canada, Korea and Brunei in violation of norms.

2. E-waste is being dumped in the country by developing nations using loopholes in domestic rules which allow NGOs and educational institutions to import such gadgets freely on the pretext of donations. onscious of the fact that huge shipments of e-waste generated in developing countries are finding convenient burial ground in India, the government had through a public notice on May 13, 2010 prohibited educational and other institutions from importing second hand computers, laptops and computer peripherals, including printers, plotters, scanners, monitors, keyboards and storage units. The step was short of a complete ban on such imports.

3. The government is now looking at banning the import of used computers and other electronic waste - coming primarily from developed nations such as US, Australia, Canada and parts of Europe - after several cases of e-waste smuggling came to light recently. A decision is likely to be taken at the Economic Intelligence Council meeting scheduled for this month to be chaired by finance minister Pranab Mukherjee.

Thursday, September 02, 2010

TABNAPPING : A new generation Cyber Crime

1. Another new term in the cyber crime is "Tabnapping" a combination of "tab" and "kidnapping" that could be used by phishers to dupe users into giving up passwords by secretly changing already-open browser tabs. All browsers on Windows and Mac OS X are vulnerable.It is thus a computer exploit,a kind of phishing attack, which persuades users to submit their login details and passwords to popular Web sites by impersonating those sites and convincing the user that the site is genuine. Eg . An open tab of Facebook for instance may be a false window. But very few of us may notice. As a result, we readily log in our username and password when prompted, only to fall to phishers.

2. Aza Raskin is the person behind coining this term,this 1984 born genius is an active phishing researcher.It is unlikely that Browser makers will patch this up soon the risk does not emanate from security vulnerabilities per se.

3. However, every major browser has a filter of some kind designed to weed out malicious sites and sites suspected of being infected with attack code. Those filters, assuming the blacklists underlying them are current and accurate, would block tabnapping attacks.


ScareWare : One more WAREior in the family

1. Adware,spyware,malware....and now one SCAREWARE.Imagine this...u r surfing innocently(???) on the web via your home/office PC,an advertisement appears on the web-page, trying to convince you that your computer is at risk and you must download the anti-virus to clean it. Once you click on the advertisement, a software trigger gets activated and you get caught in an unnerving loop impossible to abort. A scanner window will appear with red-letter warnings listing viruses purportedly infesting your hard drive. A series of dialogue boxes will follow giving you choices that all lead to the same screen: a sales pitch. Make the purchase, and you get a bogus inoculation. Try to cancel it, and you'll get repeated offers. It's like stepping into quicksand. The more you try to get out of it, the deeper you sink.....this is Scareware..the latest new generation way to get ur PC infected...although its first origin dates to sometime in 2004...its now that this is getting firm roots via increased strength of web surfers who are naive about security.

2. In brief, the scareware trickery ensnares internet users in the following steps:
  • Criminals buy blocks of advertisement space on websites, intermittently slipping in a tainted advertisement.
  • Just visiting a webpage with a tainted ad causes a fake warning box to appear.
  • Clicking "OK" or "Cancel" launches the same thing: a "free scan."
After you've been lured into a fake "free" scan of your PC:
  • The bogus scan will purport to find a virus infestation.
  • Ensuing boxes steer the user to activate "Personal Antivirus," on left.
  • The activation prompts take the user to a shopping cart.
  • Declining to place an order triggers endless fake scans.

Man in the Browser Attack : New dimension of cyber attack

1. The name is interesting though and so is the working behind....MITB (Man in the Browser) attacks are designed by fraudsters to infect a web browser with malware which can result in mmodified web pages and transactions that are largely transparent to both the user and the host application.Trojans incl Silent Banker,Sinowal etc are pre programmed by fraudsters to activate when the user browser accesses a specific website such as their online banking portal.The activated trojan can then track the online session and perform real time interception etc that can lead to illegal money transfers,identity theft and further compromise on the users personal info.

2. The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the browser and its security mechanisms or libraries in real time.A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place.