Comments

Clive Robinson July 17, 2011 1:07 AM

OFF Topic.

The linked article asks the question

“When hackers break into systems, should CIOs and CISOs be blamed?”

http://blogs.govinfosecurity.com/posts.php?postID=1003

It raises the point that we rarely if ever hear about IT staff being punished when an organisation gets hacked and suggests the reasons are based on the press making hackers out to be super human, and thus allowing the excuse that “everybody” gets hacked including,

“organizations with some of the most sophisticated cyber defenses – the U.S. military”

And that more senior managers are actually more often to blame by handing down ‘done deals’ that cannot be made secure for business reasons…

RobertT July 17, 2011 5:50 AM

OT Question about anti forensics:

I’m trying to understand how an individual can be guilty of destroying evidence if he has not been charged with anything at the time the evidence destruction took place. Especially if he had no reason to believe he was being investigated.

I remember that when my wife worked for a big accounting firm they had a policy of destroying all intermediate work product once the final report was issued. Because this was their policy and was done with every project they could claim that it was not evidence destruction but rather the correct implementation of their corporate policy. Interestingly this became policy after Enron…

Q2) Under US law, is the possession of Anti-forensic tools and the evidence of their use proof of anything beyond the paranoia of the user? Similarly to the above case if you can show that you routinely wipe your disk (say once a month) and completely reformat before reinstalling doesn’t this just become your work procedure and therefore evidence of nothing but correctly following your own information safety procedures?

Q3) If an anti forensic tool creates “false evidence” that regular reformatting and wiping is your standard operating procedure. Is this a valid defense for a case of intentional evidence destruction?

Clive Robinson July 17, 2011 12:49 PM

@ Robert T,

“I’m trying to understand how an individual can be guilty of destroying evidence if he has not been charged with anything at the time the evidence destruction took place.”

I don’t know what your jurisdiction says on the matter, but in the UK you are expected to be aware of what might constitute evidence at the time of destruction.

The real problem is actually recorded electronic communications. Back thirty years ago nearly all correspondence was either formal and recorded as a paper record or informal and not recorded as a paper document.

What has happened is that due to electronic storage costs and low cost electronic communications of typed information dropping to near zero cost nearly all informal communications are now sent by email or SMS and are thus “recorded” and can now be regarded / included as evidence (have a look at RIPA and ECA). Further changes to the Companies Act and other laws aimed at insider dealing make what were informal and non evidentiary communications evidence for both criminal prosecution and civil litigation, and guess what hearsay all of a sudden becomes admissible.

So from a business perspective every form of electronic communication that gets written to a hard disk becomes a “document” and thus should be treated as a recordable item of evidence even work chit chat that once would have been discussed over the water cooler or coffee percolator.

As far as I can gather in the US “requesting electronic evidence” is a new game of “beggar thy neighbour”, in that judges are more than happy to be paid to order a defendant to go through their entire electronic record and make it available to the opposition in a form that is easy for them to use. And the cost of this falls on the defendant, and if the defendant can’t produce it in all the detail required then they get an accusation of “destroying evidence” thrown at them just for the fun of it.

Now with regards civil cases and routine destruction of data, the trick the opposition pulls is “best practice” all they need to do is find just one or two organisations that “keep everything” to say to the judge that the defendant was not following “best practice” and had allowed evidence to be destroyed by their negligence…

This “best practice” stunt in its various forms is as old as the hills and often used by minority shareholders to gain advantage over an organisation that their shareholding would not otherwise give them. One such is where a shareholder claims that the organisation paid too much tax, thus denying them the dividend they would otherwise have received… so it can be a damned if you do damned if you don’t line you wobble along with your fingers crossed.

We also know that the politicos want show trials and higher conviction rates so they can look good to the electorate. So the legislators and those responsible for bringing prosecutions lobby for ever greater powers with ever wider scope to strip the citizens of their rights (have a look at the UK POCA). And judges with an eye on the future are making judgments about what is and is not on public display with regards electronic evidence.

I am fully expecting to see an LEO present to a judge a paper copy of an email and use that to say that the suspect’s computer hidden in the loft with no windows etc “was on public display” and thus fair game for warrantless search and seizure, and if the hard disk is encrypted to say this is evidence of criminal intent and the judge to buy it hook line and sinker to force the hapless individual to show all or go to jail until such time as they do.

RobertT July 17, 2011 5:12 PM

@Clive R
Believe me, in many of the jurisdictions that I work the prosecution has a 99.9% conviction rate, so smart defense lawyers are a much less valuable asset. Unfortunately the defenses that work well, in these jurisdictions, are often deemed illegal in other more liberal minded societies. Welcome to the Expats catch22 legal defense dilemma.

That said I’m once again traveling a lot, so I’m crossing a lot of borders where customs officials appear to have the right to inspect my PC and based on that inspection to charge me with any crimes they believe they can prove from my hard drive. My policy is to have two HD disks my travel disk, which is a fresh install that gets completely wiped after each trip, and my at home disk. Are there any areas in the US or Europe where my travel policy might result in a charge of destruction of evidence? or denying them evidence?

Actually we are also adding similar features to our smart-phones whereby the user data sections of the phone are encrypted, but the operation is transparent to the user. The decrypt key can be conveniently deleted and is only recoverable when the phone is back on its default network.

This feature is in especially high demand with Japanese businessmen traveling to the US. Kinda similar to private browsing mode…

Richard Steven Hack July 17, 2011 9:35 PM

RobertT: My guess is that latter bit about the cell phones being remote-wiped (or decrypting not under the control of the possessor) would probably be considered “destruction of evidence” – certainly if it’s wiped or the decrypt key is refused after being seized.

I don’t think having a clean hard drive would constitute that, especially if you don’t tell anyone that you have two different hard drives. Of course, forensics will show when the last time the drive was wiped and reinstalled – but your defense is easy: “It runs Windows, it got corrupted from a virus, I had to reinstall after a wipe as recommended by Microsoft.”

If you run Linux, that will be a harder sell… 🙂 Almost no one ever re-installs Linux short of a hard disk crash or a clean upgrade (which would be a better excuse.)

And of course, don’t let them ever search your home and find the second hard drive with all the incriminating stuff on it. I’d stash that hard drive somewhere not easily connected to you.

Clive Robinson July 18, 2011 8:25 AM

@ Robert T

“Actually we are also adding similar features to our smart-phones whereby the user data sections of the phone are encrypted”

Reminded me about a “smart phone” comment from NASA with regards the “Nexus 5” phone that is the only smartphone certified for shuttle and ISS use currently.

Apparently NASA have put five soccer ball sized robots called SPHERES onto the ISS and have upgraded them with the smart phone,

http://www.nasa.gov/centers/ames/news/features/2011/spheres_smartphone.html

One of NASA’s engineers Mark Micire said,

“That little phone has enough horse power to fly a miniature spacecraft,”

Now if that is true and to be honest it’s quite likely then it is also more than sufficient to fly a home brew UAV made from a larger RC plane kit.

Which begs the question of what about a light aircraft stuffed full of unpleasantness to drop on the heads of the unsuspecting…

We know that some “Terrorist Organisations” had their own “Air force” ( http://en.m.wikipedia.org/wiki/Air_Tigers ) so how long before they have their own attack drones? or model plane smart weapon?

Clive Robinson July 18, 2011 9:33 AM

OFF Topic,

@ Bruce,

You are probably all too aware of the “phone hacking scandal” currently ripping into Rupert Murdoch’s Empire, and that the US part Fox news etc are starting to come under scrutiny.

Well Ross Anderson over at Cambridge labs has put up some background on just how “gumshoe journo’s & PI’s” get information on people including innocent victims barely old enough to understand the notion of privacy in an electronic world.

http://www.lightbluetouchpaper.org/2011/07/16/phone-hacking-technology-and-policy/

RobertT July 18, 2011 9:39 AM

@Clive R
“That little phone has enough horse power to fly a miniature spacecraft,”
Not sure what path led to this discussion but you are right, there is a lot of processing power in a smart-phone chipset.

A typical new 3G phone is a Quad core Arm9 with each core operating at around 500MIPS or the processing equivalent for a dual core. They obviously support 2G and 3G phone functionality (so real time compressed video download is no problem) and the uplink is certainly fast enough to allow real time remote piloting commands. Especially if the plane is inherently stable. Most chipsets directly support GPS so positional information and altitude is no problem. Oh and btw they are energy efficient and designed to run for up to 8 hours off a small phone battery. Should provide a long enough operations window.

I’m actually a little surprised that we have not seen any UAV’s/ drones using this approach, because it leverages the existing tower infrastructure and volume chip production. Who knows maybe they exist, it’s not my area of expertise.

One of the biggest problems would be developing the support programs within the availability life time of the chipset, these days a 3G chipset will be superseded within 2 years. However if you purchased enough devices you could certainly stock pile the chips and use them for many years to come (cost even in small quantities is under $20 per chipset). (RF + GPS+ Control + 3G phone + CMOS video camera (up to 8Mpixels) + video compression, all for under $20) it is probably cheaper than a dedicated hobby RF control link.

Dilbert July 18, 2011 9:43 AM

I’d suggest removing the post by “Andy” with a link to a “compression tool”. It definitely falls into the JDLR (Just Doesn’t Look Right) category

Andy July 18, 2011 4:54 PM

@Dilbert, why so you can pass it off as your own, thieves and all, now just need to find your home address.

Clive Robinson July 20, 2011 3:46 AM

OFF Topic,

@ Bruce,

Last week a couple of reports came out about security of systems by “patching”.

The conclusions suggest that even with the best patching strategy you would at best get only 80% of the vulnerabilities on any given PC.

Further they suggest that even if you have very few packages and you use a more normal patching approach you may only be getting 30% of the vulnerabilities addressed.

Worse that most vulnerabilities are in apps and that in many cases each app is from a different supplier and thus each has a different patch tool and methodology. All of which makes an admin’s job more complicated and expensive than many organisations / entities can afford.

But they also draw attention to “fringe attacks” by criminals. That is the criminals find vulnerabilities in non mainstream apps as even with a relatively small market share with the number of users world wide this can give millions of potential victims.

Such fringe apps may not even get patched by the average user thus the window of opportunity for the criminal might actually be considerably more favourable with fringe apps…

This is important as the life of a vulnerability makes a significant difference to the return on resources committed by an attacker, not the bulk vulnerability at any given time.

This considerably distorts the attack surface as popularly perceived by many users and admins. When this “popular perception” is translated to resource utilisation in a resource limited organisation can leave over 70% of vulnerabilities unpatched indefinitely (ie many users are using Adobe PDF reader that is two or more major revisions old that have never been patched).

Thus in a resource limited environment a patch strategy that ensures fringe app patching that attackers are actually using would reduce the current attack surface.

Obviously this requires developing real intel on what attackers are currently focusing on which is the difficult aspect.

But the significant differences in their perceived vulnerabilities to actual attacks and the actual risk suggests an intelligence based patch strategy is most definitely the best way to go in a resource limited environment.

http://secunia.com/company/half_year_report/

Clive Robinson July 20, 2011 6:32 AM

OFF topic,

@ Robert T,

I have been having a further thought on your “destroying evidence” dilemma, and I suspect the solution is not to destroy evidence but not have it available at the point of inspection.

First however you really need to decide what data / evidence you are talking about as we know there is,

1, The raw data (bits and integers stored in a file).
2, The meta-data (data structures and ranges) that turn the raw data into usable information.
3, The meta-meta-data (file system entry) that puts the file into a time frame and place.
4, And the various meta-meta-meta-data (file system strata) that points indirectly to a file’s previous storage at some previous time and place.
5, Subsidiary or “smoking gun” information (in other files) that point to the existence of a file.

From a very narrow legal view point deleting any of the above could be considered “destruction of evidence”, but you then have “reasonable behaviour”. After all in file system terms copying a file destroys some of the evidence whilst moving and changing other evidence, very much dependent on the way the App / OS / File system behave.

For instance a custom application and data files are two separate but necessary components to make the information available. However normal usage would have a different strategy for both storage location and backup policy. Thus an application stored on a laptop hard drive may well point to data files stored on a file system that is not attached to the laptop when inspected. That is the normal data storage location is on a network file system or removable drive.

Likewise it is unreasonable to accuse some one of destroying evidence in the last three cases as they rapidly age under normal usage of the technology, and as with any limited resource you cannot be expected to maintain “cruft” indefinitely.

Of interest is some work activities (ie software development) as part of normal activity they can rapidly age file system evidence. Likewise software testing would frequently involve complete reformatting and re-installation of an OS and other applications. Thus activities that would appear unreasonable for an accountant’s PC would be normal on an almost daily basis for a software tester or journalist (or other) reviewing new software.

Thus in many circumstances not having a data file or its corresponding application on the hard drive is quite normal and thus “reasonable”. Importantly the data / application file level “evidence” is not in any way destroyed it is just not available at the point of inspection.

Importantly if you do not have access at the time of inspection it is not possible to determine if the file exists or not, it is simply (and quite reasonably) “unavailable” which as far as I’m aware is not of itself a crime (it comes down to intent).

In this respect it is a little like documents stored in a security box keyed by a biometric in a bank vault. Whilst at the point of inspection because it is not in the same geophysical location it is not possible to provide access to the contents of the security box, because you have to be where the box is for it to be opened. It is after all quite reasonable to not be able to be in two different places at the same time.

The usual solution is for the person trying to access to get a judge to provide access either by warrant or by compulsion order.

However judges have a limited domain that is they are limited to their jurisdiction, and have no power to compel those outside their jurisdiction to do anything.

Thus the judge has a catch22 if the information or access to it is outside of their jurisdiction, they can order a person inside their jurisdiction to produce the information but if the person can provably not comply within the judge’s jurisdiction an impasse is reached.

The impasse resolution available is,

1, Imprison you indefinitely.
2, Allow you to leave the jurisdiction.
3, Use an extrajurisdictional intermediary.

Whilst the first is quite likely in many parts of the world including the UK (see RIPA), and the second unlikely in a number of cases, the third case is the real one of interest.

Who is the intermediary and under whose control are they? Clearly they are out of the judge’s jurisdiction and unless there is some treaty the control options are limited.

Thus the intermediary if not controlled by the judge has three basic options,

1, Ignore any “requests” from the judge.
2, Fully comply with the judge’s request.
3, Respond with useless information.

This third option has two basic forms which are send false information and send encrypted information without the decryption key.

As we know some forms of encryption (OTP) are “decrypt to what you want” and some encrypted files can actually be archives or containers of other encrypted files…

Thus what happens if the file is stored in an encrypted form in one jurisdiction and the key held in another jurisdiction?

Believe it or not this is one upside of the “cloud” 😉

With “cloud storage” this is rapidly becoming normal and thus quite reasonable behaviour.

But as indicated the intermediary does not have to supply the actual file just something that looks like the file, neither the judge nor the person requesting the information via the judge can tell unless they have a known point of reference to work against.

So when you think on this not unknown issue you end up with a number of scenarios. One of which is for a software development and test engineer who frequently trials / reviews new development tools,

It is quite reasonable for them to have a series of basic OS and application images stored for use on their laptop stored on a server in the cloud.

Which for the purpose of contractual confidentiality and licence compliance are stored encrypted with secure keys held on a key server controlled by another person in the organisation with the appropriate administrator rights.

As the developer works from a field office and the Admin works at head office in another country they have never met, as often happens with personnel who work in large organisations that trade in multiple countries.

Because of this lack of contact the admin provides the developer with a private key for key management and administrative purposes.

However as the developer works in many locations in many different places and on projects for different customers who may well be competitors of each other, all documents and other work are encrypted on a project by project basis and stored on different “cloud storage” providers for secure availability.

Because of this the developer does not carry data files in transit nor project related keys, only their administrative public/private keys as these enable them to get the required disk image with custom application, keys and files etc via the respective project administrator and cloud storage server.

Now as they always work through the custom application they have no need to know and therefore no idea what is stored on which of many cloud storage servers.

Is it the developer’s fault if the administrator they have never met, under direction from senior management (guided by their insurance providers) implements as standard a duress system such that if the organisation has any reason to believe the developer is under duress of any kind then they are automatically supplied with a “duress application” that only accesses files stripped of any useful content… Again due to the requirements of the insurance company the developer is of course completely unaware of this duress system. As is the representative who had been sent to meet the developer on the landside of the airport to take them to their hotel, and has reported back to the company that the developer “did not show as expected”. The company now assumes the developer has been taken hostage and is now under duress and thus completely untrustworthy.

Even quite repressive regimes have been known to recognise the futility of trying to extract information by hostage taking and thus after an interval kick them out of the country. This is because it is fairly well known that fairly large companies have procedures in place similar to those described just in case their representatives get taken hostage by terrorist or criminal organisations. There are even specialised security companies who will set up such systems for those with sufficient money to afford their services.

If you come over to the UK at the appropriate time with an invitation to a specialised arms / security exhibition you will get to see such organisations touting for business. Unfortunately the event in question is “invitation only” and getting an invitation can be difficult, the easiest way is to be an exhibitor there…
