Last week, revelation of yet another NSA surveillance effort against the American people has rekindled the privacy debate. Those in favor of these programs have trotted out the same rhetorical question we hear every time privacy advocates oppose ID checks, video cameras, massive databases, data mining, and other wholesale surveillance measures: “If you aren’t doing anything wrong, what do you have to hide?”
Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
Two proverbs say it best: Quis custodiet custodes ipsos? (“Who watches the watchers?”) and “Absolute power corrupts absolutely.” (From Bruce Schneier’s blog)
1. Any software backdoor and ‘phone home’ keylogger would be wiped out when the machine is re-imaged. If they don’t re-image machines that come from hardware vendors then the brand is the least of our worries.
2. Any hardware spying mechanism that would remain after an imaging would still need a way to ‘phone home’ to China for them to obtain the data. Any ‘secured U.S. network’ should have egress firewalling. So not only would ‘phone home’ attempts be blocked, but also logged and provide REAL evidence that we should be concerned.
I believe this just boils down to yet another case of someone uninformed and uneducated making big decisions that they are not qualified to make. Either that or it’s a more sinister attempt to curb the amount of Chinese goods purchased by the U.S. Either case doesn’t win our government any more brownie points.
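Point 2 above is the part a defender can actually act on: an egress-deny rule that logs gives you the evidence. As an added example (not from the post), this parses constructed kernel log lines of the kind an iptables LOG rule writes and picks out internal hosts that keep retrying the same blocked outside destination; the rule shape, log prefix and addresses are all assumed.

```python
import re
from collections import Counter

# Constructed sample lines in the format the Linux kernel writes for an
# iptables LOG target. The assumed rules that would produce them are:
#   iptables -A FORWARD -i eth1 -o eth0 -j LOG --log-prefix "EGRESS-DROP "
#   iptables -A FORWARD -i eth1 -o eth0 -j DROP
SAMPLE_LOG = """\
Jan 27 12:01:02 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.10.5.23 DST=203.0.113.7 PROTO=TCP SPT=49211 DPT=443
Jan 27 12:01:09 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.10.5.23 DST=203.0.113.7 PROTO=TCP SPT=49212 DPT=443
Jan 27 12:03:40 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.10.5.23 DST=203.0.113.7 PROTO=TCP SPT=49215 DPT=443
Jan 27 12:05:00 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.10.7.8 DST=198.51.100.9 PROTO=UDP SPT=5353 DPT=53
Jan 27 12:06:11 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.10.5.23 DST=203.0.113.7 PROTO=TCP SPT=49220 DPT=443
"""

LINE_RE = re.compile(
    r"EGRESS-DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_drops(log_text):
    """Return one (src, dst, proto, dpt) tuple per logged egress drop."""
    drops = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            drops.append((m["src"], m["dst"], m["proto"], m["dpt"]))
    return drops


def repeat_offenders(drops, min_attempts=3):
    """Internal hosts that keep retrying the same blocked destination.

    A box that hits the same outside host:port again and again despite
    being dropped is the 'phone home' evidence the post talks about; a
    single drop is more likely a typo or a stray service.
    """
    counts = Counter((src, dst, dpt) for src, dst, _proto, dpt in drops)
    return {key: n for key, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    for (src, dst, dpt), n in repeat_offenders(parse_drops(SAMPLE_LOG)).items():
        print(f"{src} tried {dst}:{dpt} {n} times despite the egress block")
```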
It seems all too often that when uninstalling Symantec Antivirus you are stuck with a partially uninstalled product. In some cases bits linger in Add/Remove Programs, in other cases MS Word stops working. Whenever it happens it’s a big pain to fix.
A colleague of mine has received this tool direct from the Symantec technicians. Here are some details of it from its PDF documentation.
Symantec Enterprise customers have expressed a need for a way to uninstall Norton AntiVirus Corporate Edition (NAVCE) or Symantec AntiVirus Corporate Edition (SAVCE) when normal uninstall procedures do not work.
Symantec Enterprise Support has created a standalone application / utility to fill this need. This utility will uninstall NAVCE or SAVCE Parent Servers and Clients through registry and file system deletions.
MSU just got a site license agreement with Eset for Nod32. This was at a time when the collective frustrations with Norton/Symantec Antivirus were at an all-time high. I have noticed over the years a few very prevalent problems with Symantec’s antivirus solution.
1. The updates don’t come as quickly and often as I would like.
2. Norton is slow to release fixes for already infected machines. In some cases I find myself writing an in house fix to mitigate the damage.
3. It’s a resource hog. It’s just heavy. It drastically affects performance when real time scan is enabled (which it should be to be effective) because it’s running all disk writes and reads through its filters.
4. Anyone who has had to use their server component knows that I don’t even need to continue this sentence.
Given these sins I decided to buy a few licenses for Nod32 and keep it on my key chain flash drive ready to install on the next machine I see with a virus related issue.
On Jan 27 the Brepibot.L took a couple of my users by surprise. It was too early in its life to be detected by the campus’s ClamAV and a few users ran the exe before I could send out my warning to the distro lists.
Norton didn’t have a def that would fix it for a couple of days. In that time Nod32 got it with no problem, and even cleaned it on a guinea pig machine.
The next day a faculty member was having issues with random Word doc corruption and suspected it to be virus related. I removed Norton and installed Nod32 and then updated its defs. I ran a complete system scan and oddly enough it found four infected files that Norton had not previously detected. Two of these files were OLD viruses (one was MyDoom and another was Sober). The problem ended up being a failing USB flash drive that he had the documents on.
At work it is fairly common for hard drives to die, machines to become infected with a virus, trojan or worm and the occasional compromise. It just happens when you have so many machines; the odds are against you.
Empty removable drive bays for the drive you want to image, analyze or restore.
Conveniently accessible ports for every imaginable type of peripheral.
A large storage disk for storing images of drives, case files, VMware images, etc.
And of course, load it with every imaginable forensic and security tool you could ever need.
Here are the parts and reason for their selection:
I used the SunBeamTech 20-in-1 5.25 Multi-function Panel. This little unit is awesome! It occupies one 5.25″ drive slot and contains USB, Firewire, SATA, Composite Video, Audio Jacks, a -TON- of card readers, two internal thermometers that display their respective temperatures on an LCD display on the front and two fan speed controllers. This unit has a LOT of cables that really clutter up the interior of the computer. If you’re totally anal you may be able to zip-tie and twist-tie them up, but man, it is a LOT of cables.
5.25″ Storage Drawer
I use this to store adapters and screws for the drive trays, as well as a couple of my commonly used adapters: the 2.5″ laptop hard drive to 3.5″ IDE hard drive converter and the dual PS2 to USB.
Hardware Write Blocker
If you want your evidence to be admissible in court a write blocker is going to be a necessity. This ensures that the data isn’t altered in any way (inadvertently or otherwise) during your investigation. I went with the MyKey NoWrite FPU. It comes recommended from the forensics community and is accredited for forensic investigation. It also supports both IDE and SATA and is relatively inexpensive compared to other write blockers.
Removable Drive Bays
I have 3 SATA and 2 IDE. These particular removable drive bays have built in silent fans, with a nice digital temperature readout.
10 Bay ATX Case
I went with the Aerocool Masstige, mainly because it had all of the 5.25″ bays I needed in a mid-tower-ish size. Anything else with that many bays was a beast of a full-tower. It also turned out to be a strange coincidence that this case looks strikingly similar to the one used on the FRED.
You’re going to need a great deal of juice to power all of these drives and devices. I went with a 500w PSU.
SATA Controller Card
I used a generic PCI IDE/SATA combo. Anything will do.
FireWire/USB Controller Card
Once again, I purchased a generic PCI card for this purpose. The one I got has one firewire and one usb port on the inside. On the outside it has 2 firewire and 4 usb ports. In my case, most of those ports were taken up by my multifunction panel.
Be sure to use a modern motherboard with about 4+ PCI slots. These will fill up quickly as you add device capabilities.
The more RAM the better. If you plan on doing viral research or virtual honeynets you will want to run VMware. The more virtual machines you have running the more RAM you need.
Drive images, case files, evidence collection bin; you will be using the storage on this machine for many, many purposes. It would be best to run a large RAID5 array in addition to your boot drive. Your array will be fairly static as far as physical drive additions and subtractions, so it’s not necessary for it to be in removable drive bays; however, keeping your OS drive in the bays is a good idea so you can switch OS by swapping in a new drive.
Once you put all of these pieces together you will have a very useful multipurpose machine. You will find that it will come in handy for so much more than forensic analysis.
The software I chose to install and why, will be outlined in a later article.
I frequently get asked what I do to secure the operating systems I use. Specifically, from a nuts-and-bolts configuration standpoint.
When I tell them I use the NSA Security Configuration Guides they are generally surprised to learn that such guides exist. Not only do they exist; they are an incredibly helpful resource and combine a huge amount of no-nonsense tweaks that the NSA uses to secure its own machines.
I just received an email that looks fairly legit at first glance. It states that a rape occurred on campus (being that I work at a university this makes sense) and that attached you will find an image of the suspect as captured from campus CCTV. The attached file (suspect image.exe) very well may be a virus (I’m sure as heck not going to run it to find out). My university’s ClamAV did not pick it up nor did NAV10 with dats.

I am not able to pull much useful information from the exe via the unix strings command or IDA Pro. If anyone has any more experience than I do with virus disassembly I would be happy to forward the IDA Pro file.

What I am able to pull from IDA’s hex view is some registry writing, file deletion, file creation and process manipulation, but no details.

The contents of the email are attached below; you may want to warn your users on this (although I’m not sure how prevalent it is yet).
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
X-Spam-Status: No, score=1.7 required=5.0 tests=DATE_IN_FUTURE_06_12,
MIME_BOUND_NEXTPART autolearn=disabled version=3.1.0
Delivery-date: Fri, 27 Jan 2006 12:00:45 -0500
Received: from client-82-19-18-185.mant.adsl.ntlworld.com ([184.108.40.206]
by sys21.mail.msu.edu with smtp (Exim 4.52 #1)
for XXXXXXX@msu.edu; Fri, 27 Jan 2006 12:00:45 -0500
From: “Mr Robert Atkins”
Subject: Rape on Campus
Date: Fri, 27 Jan 2006 17:00:03 -0800
X-Virus: None found by Clam AV
During the early morning of January 25 2006, a campus student was the victim
of a horrific sexual assault within college grounds. Eyewitnesses report a
tall black man in grey pants running away from the scene. Campus CCTV has
caught this man on camera and are looking for ways to identify him. If
anyone recognises the attached picture could they inform administration
All information contained within this e-mail, including any attachment, is
confidential. If you have received this e-mail in error, please delete it
immediately. Do not use, disclose or spread the information in any way and
notify the sender immediately. Any views and opinions expressed in this
e-mail may not represent those of Business Monthly
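Two things in the quoted message can be checked without ever touching the attachment: the SpamAssassin test that did fire (DATE_IN_FUTURE_06_12) comes straight from the Date and Delivery-date headers, and the attachment name ends in .exe however much it reads like a picture. As an added example that is not part of the post, this reproduces both checks; the 6 to 12 hour window is read off the rule name and the executable-extension list is an assumption.

```python
from email.utils import parsedate_to_datetime

# The two date headers quoted from the message above, plus the attachment
# name the post mentions. Nothing else from the mail is needed here.
HEADERS = {
    "Date": "Fri, 27 Jan 2006 17:00:03 -0800",
    "Delivery-date": "Fri, 27 Jan 2006 12:00:45 -0500",
}
ATTACHMENT = "suspect image.exe"

# Extensions Windows runs directly; assumed list for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def date_skew_hours(headers):
    """Hours the sender's Date header is ahead of the delivery time.

    Both headers carry a timezone offset, so the comparison is done on
    aware datetimes (effectively in UTC). A large positive value means a
    wrong clock or, more often, a forged Date header.
    """
    sent = parsedate_to_datetime(headers["Date"])
    delivered = parsedate_to_datetime(headers["Delivery-date"])
    return (sent - delivered).total_seconds() / 3600.0


def future_date_rule(hours):
    """Name the SpamAssassin rule the skew would fire, as far as the post shows.

    DATE_IN_FUTURE_06_12 is the only bucket on the page; its 6 to 12 hour
    window is read off the rule name (assumption for this example).
    """
    return "DATE_IN_FUTURE_06_12" if 6 <= hours < 12 else None


def executable_attachment(name):
    """True when the attachment's real extension is one Windows will execute."""
    lowered = name.strip().lower()
    return any(lowered.endswith(ext) for ext in EXECUTABLE_EXTS)


if __name__ == "__main__":
    skew = date_skew_hours(HEADERS)
    print(f"Date header is {skew:.2f} h ahead of delivery -> {future_date_rule(skew)}")
    print(f"{ATTACHMENT!r} executable: {executable_attachment(ATTACHMENT)}")
```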
I received an email the other day from ISC2 informing me that I had successfully passed the CISSP (Certified Information Systems Security Professional) exam.
This was a gigantic load off my mind. 60 other candidates and I took the exam on December 10th in Troy, MI. I finished in 4 and a half hours and left thinking that it covered far more material than I had studied. I had always heard that some of the material was dated and that ISC2 didn’t keep the test updated with recent and relevant technologies. I think these people literally took a different test than I did. Some of the questions were worded and formatted unlike any that I had seen in all of the practice tests, including Transcender and Boson. I think this is a brand new test.
If you keep to studying the 10 domains as they have been presented in the past and also keep a close eye on tech news you should do just fine.
It seems like they have found a way to test more on accumulated knowledge instead of a bunch of drab memorization that is common in a lot of vendor certs.
In many recent interviews Microsoft has vowed their firm commitment to security, all the while demonstrating the exact opposite.
Case in point: On December 28th US-CERT issued security advisory VU#181038 pertaining to all versions of Microsoft operating systems. This is a 0-day vulnerability.
We all know that US-CERT generally issues advisories (at least) a few days after the initial discovery. In this case the vulnerability and corresponding incidents were first discovered on December 27th according to McAfee.
Upon examining the Microsoft security bulletin 912840 associated with this vulnerability you will notice that it was published December 28th. The same day as the US-CERT announcement and one day after its initial discovery. A serious vulnerability that affects ALL versions of the number one most used operating system in the world, and they wait a day to even post an advisory on their web site?
Even this isn’t what bothers me the most. What really got me was when I visited Microsoft.com trying to find more information. Currently they have a giant flash animation (it takes up about 75% of the page) that contains a sunflower set against the recognizable Windows “blue sky, green grass” backdrop wearing sunglasses with the heading “start having fun”. So this vulnerability isn’t being displayed prominently. Let’s look closer at the front page and see if we can find a link to information on this vulnerability. Look all you want, it’s not there. No mention on the home page at all.
So let’s click on Security. It’s sure to be listed there. Once again, look all you like. You won’t find it.
No patch exists, it results in remote code execution on a fully patched Windows XP, Windows Server 2003, etc., and Microsoft makes no mention of it on either their home page or their security page.
I think it’s time Microsoft stopped jawing about this commitment to security and started demonstrating it.