Friday, 11 January 2008

Finance System Security

Due to the storage of sensitive information on Financial servers, a company is not meeting the Tax File Number Guidelines issued under s.17 of the Privacy Act 1988 nor the provisions of NPP4 (National Privacy Principles) if it does not patch these systems and also take adequate care and dilligence to ensure the integrity of these systems.

The Guidelines are legally binding. A breach amounts to an interference with the privacy of an individual, who may complain to the Privacy Commissioner and, where appropriate, seek compensation. It is also possible that criminal charges could be laid in severe cases of a resulting breach.

A failure to adequately ensure the integrity of records and data of financial transactions is a breach of S286 of the Corporations Act (Cth) 2001.

The Electronic Transactions Act (Cth) 1999 defines integrity of information contained in a document to be maintained if, and only if, the information has remained complete and unaltered. The onus of proof is on the company that maintains these records. A failure to maintain data integrity is a subsequently a breach of S286 (prior) and is a Strict Liability Offence (see S 6.1 of the Cth Criminal Code).

Thursday, 10 January 2008

Texas P.I. FUD

The issue of PI Law for Digital Forensics in Tx is that people read the code in isolation.

Chapter 1702, Private Security, of the Texas Occupations Code does not mean that you need to have a PI license. It has exclusions. As an example, and being that I work for a Chartered Accounting firm (with a US office inTx) it is one I know well.

§1702.324. CERTAIN OCCUPATIONS states:

"(b) This chapter does not apply to: ...(6) a licensed engineer practicing engineering or directly supervising engineering practice under Chapter 1001, including forensic analysis, burglar alarm system engineering, and necessary data collection;...
(9) an attorney while engaged in the practice of law;
(10) a person who obtains a document for use in litigation under an authorization or subpoena issued for awritten or oral deposition;
(12) a person who on the person's own property or on property owned or managed by the person's employer:
(14) a person or firm licensed as an accountant or accounting firm under Chapter 901, an owner of an accounting firm, or an employee of an accountant or accounting firm while performing services regulated under Chapter 901;"

I limited this as I did not want to list them all.
Chapter 901, Accountants, of the Occupations Code covers BDO (and the other mid tiers), the Big 4, Mid Tier firms and the like.

I am also a professional engineer. A member of the IEEE and proud of it. This is also an exclusion under the code.

On top of this and what fits with the majority of people working as forensic analysts for court is that the exclusion "person who obtains a document for use in litigation under an authorization or subpoena issued for a written or oral deposition;" can be extrapolated to include CCE's and other that are operating under court orders.

Next, if you are working under the instruction of "an attorney while engaged in the practice of law", you are also excluded from this code. Most of us will be covered under one or more of these provisions and thus not need to be a PI. There is posturing and FUD that overrides the issue.

So if you see what I am saying now is not that you do not need to be licensed at all, but that you do not need to be a PI. A private investigator is not the ONLY licensed person able to do forensic work in Tx. A licensed Accountant, a licensed Engineer and many other professions all suffice. They are explictly excluded from chapter 1702 of the Tx occupations code.

I am not stating that the states can not license forensic collections, just that this (as some suggest) does not mean that it is restricted to only PI's. It includes ALL the occupations deemed acceptable. As an engineer, doing work for an accounting firm in the course of an engagement for a law firm I would have no issues at all not having a PI license.

Given a choice, I would (if I was not already one) become an engineer BEFORE thinking of being a PI (though to be honest I have my security diploma - but let the license lapse years ago).

I hope that this clears things up.


“Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993)”, and
Kumho Tire Co. v. Carmichael, 526 U.S. 137 (1999), from Kumho Tire Co., Ltd. et al. V. Carmichael,119 S.Ct. 1167 (1999)

The argument being proposed in SC in the paper ( sent is that analysis of the drive is consulting, but waking into the office and doing the copy requires a PI will fail. An expert is required to view the seen in some cases. This is mirrored in the Daubert Case. This opinion fails the Frye, Daubert and Kumo tests. As such it is invalid. Further, the opinion is not law and nor is it even considered influential to the courts.

There was disagreement as to if Daubert applied to "experience-based testimony" as against to testimony based on strict research methodologies. In Kumho, the Court addressed these questions and extended the Daubert analysis to all expert testimony.

Also check out;
Mason v. Home Depot, S07A1486

Next quote:
"In the view of evidence now entertained by the best authorities, it is settled that a jury should be allowed to have placed before them all the means of knowledge which can be had without involving the danger of leading them to form conclusions not based on solid truth and not reliable as reasonably certain
-Justice Campbell, Evans V. People, 12 Mich. 36 (1858).

Next there is the Frye rule;
"Just when a scientific principle or discovery crosses the line between the experimental and demonstrable stage is difficult to define. Somewhere in this twilight zone the evidential force of the principle must be recognized, and while the courts will go a long way in admitting expert testimony deduced from a well-reasoned scientific principle or discovery, the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs."
Frye, 293 F. at 1014.

The Frye rule was fairly much shot down by Duabert, but some states still support it.

“the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, expertise, training, or education, may testify thereto in the form of an opinion or otherwise”. Fed R. Evid. 702.

Among other things, the judge may consider:
“1. Whether the scientific theory or technique can be and has been tested;
2. Whether it has been subject to publication and/or peer review;
3. The known or potential rate of error:
4. The existence and maintenance of standards controlling the technique's operation; and
5. General acceptance in the scientific community”.
Daubert V. Merrell Dow Pharmaceuticals. 113 S.Ct. 2728, 125 L.Ed. 2d 469, 482-485 (1993).

Most US states have either adopted or based their own evidentiary rules on the Federal Rules of Evidence and/or the Frye rule.

Cavallo v. Star Enterprises, et al., 892 F.Supp.756 (E.D. Va. 1995)., the District Court for the Eastern District of Virginia applied the Daubert standards.

Aparicio v. Norfolk & Western Railway Co., 874 ESupp. 154 (N.D. Ohio 1994)., the District Court for the Northern District of Ohio granted the defendant's motion for a directed verdict after finding the plaintiff's experts were insufficient.

The District Court for the Middle District of Florida applied the Daubert criteria to an electromagnetic field (EMF) case in Reynard v. NEC Corporation, 887 F.Supp. 1500 (M.D. Fla. 1995).

Some US States are still applying the Frye rule:
Alaska, Arizona, California, Florida, Illinois, Kansas, Massachusetts (Daubert factors as a guide to application of Frye rule), Maryland, Michigan, Minnesota, Mississippi, Missouri, Nebraska, New Hampshire, New Jersey, New Mexico, New York, Pennsylvania,

States adopting Daubert outright:
Connecticut, Delaware, Georgia, Indiana, Kentucky, Louisiana, North Carolina, Ohio, Oklahoma, Oregon, Rhode Island, South Dakota, Tennessee, Vermont, Washington, West Virginia, Wyoming

States that have adopted rules similar to Daubert:
Alabama, Arkansas, Colorado, Hawaii, Idaho, Iowa, Maine, Montana (only to "novel" evidence), Nevada, Texas, Utah

State evidence law in Tx is based fairly closely to Daubert and reflects Fed evidence law in Rule 702.

The issue is- (from both Daubert and Kumo) whether the process used in forensic capture is a “testable theory or technique?”.

In such a case, the jurists need to warrant that an expert, whether formulating testimony derived from professional studies and research or their personal experience and history, pays an equal intensity of intellectual rigor in the process of bearing witness that s/he would do in the process of performing a task that is irrelevant to the litigation.

In the situation where the expert's data, principles, methodology, or application are satisfactorily brought into question, the jurist is required to conclude that the testimony has a dependable foundation in the understanding and knowledge of the pertinent scientific discipline and that the expert's methodology is consistent when applied to the explicit subject to be determined in the case. (Kumo expanded this to certain non-scientific disciplines as well).

I know what I do is. I can replicate my data and processes. SANS with the GCFA, ISFCE with the CCE and various other methodologies are a systematic process.

So now that I am not responding from the phone, I will again state that the PI rules are positioning and FUD. There are over 100 current cases involving “computer investigations” in Texas alone occurring at the moment. Most involve personal who are not trained in digital forensics at all.

In the cases throughout the US, there is not a single case of a conviction for not being a PI. There are convictions for fraud for individuals who have lied as to their skills. This means that there is just FUD as to the requirement to be a PI.

So the question is not if you need to be a PI, but are you a professional of some type at best. I would prefer to see qualified engineers and scientists doing this work over CFE’s (accountants effectively) with no training (or at least get the CFE’s trained).

Dr Craig Wright (GSE-Compliance)

Wednesday, 9 January 2008

More investigation needed...

Investigations into Active Directory Replication Using RPC
Just a quickie...

I have been running Windows 2003 AD and GC (Global Replication) traffic through protocol analysers. The results so far:

  1. General replication data is not encrypted. Though the data looks scrambled in a protocol analyser, it is just compressed.
  2. Password data is poorly encrypted. It seems to be using a 56bit RC4 key (and it is possible that it is only 40bit).
  3. Site replication send sensitive user data in the clear (compressed).
  4. Statistical data paterns clearly show the data to not be encrypted. There are clear distributions that match the original data distributions.
  5. This includes SYSVOL data.
All the more reason for IPSec Tunnels between DC's.

More to follow...

Tuesday, 8 January 2008

Quantitative Risk models in Malware Research

Research into antivirus and Malware incidents have demonstrated a significant increase in both the prevalence of computer virus varietals as well as a continued increase in the number of viruses found "in the wild". The use of time based statistical models aid in the prediction of computer systems vulnerabilities and malware based attacks.

To effectively protect against attacks to the computers systems and network architecture, we need to understand the threats and to be able to create predictive models for them. Viruses, worms, malware and represent a staple in the Information Security Professional’s daily routine. So far, little emphasis has been placed on the formal quantitative analysis of the intelligence for the purpose of risk and threat management.

The creation of Quantitative Risk models in Information Systems Security is a field in its infancy. The prediction of threats is oft touted as being too difficult due to a shortage of data and the costs associated with collecting an analysing data for a site.

Research has been conducted by a number of parties such as ICSA laboratories and the numerous antivirus vendors. Many researchers have commented on the apparent seasonality of the data. Banes (2001) reported that there exists "increased levels of virus and worm activity around Easter time". Coulthard and Vuori (2002) support assertions by the antivirus software vendor McAfee that states there are associations between an increased number of incidents and the winter months of the northern hemisphere.

In particular the IEEE (Spectrum) has recently published a paper on the use of Chaos (entropy) for the detection of network based/distributed malware. More effort and study into the mathematical properties of an attack are needed.

  • Chen, Z., Gao, L. & Kwiat. K, (2003) “Modeling the spread of active worms”. In IEEE INFOCOM
  • Coulthard, A. Vuori, T. A. (2002) “Computer Viruses: a quantitative analysis” Logistics Information Management, Volume 15, Number 5/96, 2002 pp 400-409

Monday, 7 January 2008

Denial of Service (DoS)

Denial of Service (DoS) and Checkpoint Application Intelligence
A Denial of Service (DoS) attack is intended to interrupt the normal functioning of a system, site or service. This disruption is characteristically achieved either by overpowering the target with forged packets until it may no longer answer legitimate requests or to exploit operating systems, application and system vulnerabilities in order to crash the system remotely. Dos attacks are commonly used in order to remove hosts in order for an attacker to start a MITM attack (Monkey in the Middle).

Checkpoint SmartDefense provides reinforcement capabilities that aid in defending against many common classes of DoS attacks.

Aggressive Aging
Aggressive Aging manages the connections table capacity and the memory consumption of the firewall in to order to increase durability and stability. Aggressive Aging uses a new set of short timeouts called aggressive timeouts. When a connection is idle for longer than its defined aggressive timeout, it is marked as eligible for deletion. When the connections table or memory consumption reaches a certain user defined threshold (highwater mark), Aggressive Aging begins to operate. Aggressive Aging timeouts are also configurable per service.

Once the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the eligible for deletion list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below a certain low watermark.

If there are no "eligible for deletion" connections, no connections are deleted at that time but the list is checked after each subsequent connection that exceeds the highwater mark. Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic.

The major benefit of Aggressive aging is that is starts to operate when the machine still has available memory and the connections table is not entirely full. This way, it reduces the chance to encounter connectivity problems that might have occurred under low resources conditions.
Aggressive Aging allows the gateway machine to handle large amounts of unexpected traffic, especially during a DoS attack.

In implementing the TCP/IP protocol stack, a number of systems fail to correctly deal with the reassembly of overlapping IP fragments (see for details).
Conveying multiple IP fragments to the target that are created with overlapping fragment offsets where one fragment is completely enclosed inside the offset of the other can result in the host incorrectly allocating memory. This would remotely crash the vulnerable system that received the packets. TearDrop is a widely available attack tool that exploits this vulnerability. TearDrop is closely related to "syndrop", a modified version that exploits an Microsoft SYN sequence bug.

SmartDefense blocks attacks that rely on overlapping IP fragment offsets. The default action is to block attacks and log these as as “Virtual defragmentation error: Overlapping fragments”. Checkpoint SmartDefense blocks this attack by default and provides the administrator with the capability to construct alerts, e-mail notices, SNMP traps, and user-defined actions when these attacks occur.

Ping of Death
The “Ping of Death” is a malformed PING request that is sent in a series of fragment packets, which when reassembled by the target exceeds the maximum IP packet size (65,535 octets). This results in the system that is vulnerable crashing (see for details).

SmartDefense blocks this attack by default. Blocked attacks are logged by the firewall with “Virtual defragmentation error: Packet too big”. SmartDefense provides the administrator with the capability to construct alerts, e-mail notices, SNMP traps, and user-defined actions when these attacks occur.

The LAND attack involves the attacker sending a TCP SYN packet (a connection initiation), giving the target with both the both source and destination addresses set as the targets address. It also uses the same port on the target host as both source and destination. Land.c is an easily obtainable attack tool designed to exploit this vulnerability (see for further information).

Checkpoint SmartDefense blocks this attack by default and provides the administrator with the capability to construct alerts, e-mail notices, SNMP traps, and user-defined actions when these attacks occur.

Non-TCP Flooding
An attacker will sometimes directly target security devices like firewalls. In advanced firewalls, state information about connections is maintained in a state table. The state table includes connection-oriented TCP and connectionless non-TCP protocols. Hackers can send high volumes of non-TCP traffic in an effort to fill up a firewall’s state table. This results in a Denial of Service by preventing the firewall from accepting new connections. Unlike TCP, non-TCP traffic does not provide mechanisms to “reset” or clear a connection.

SmartDefense can restrict non-TCP traffic from occupying more than a pre-defined percentage of a CheckPoint enforcement point’s state table. This eliminates the possibility of this type of attack.