Archive for the ‘Cyberlaw’ Category.

#sansforensicssummit Day1

I’m taking SEC508 at #sansforensicssummit in Washington DC through next Tuesday.
Day one covered the basics of the file system. I had some serious flashbacks to dealing with hexadecimal in the JMU Master's-level Infosec program. In that program we had plenty of classes using Internetworking with TCP/IP Vol. 1 by Comer. Actually one of my worst courses was Forensics taught by Florian Buchholz. It was in the last semester, and we were checking out mentally (ready to graduate).
It's fun to take a week-long conference on the subject. Hopefully it will stick better than the college course. I do fear that since I won't be doing forensics every day, I'll lose a lot of this knowledge quickly.
A couple of interesting tidbits from today.
1. A single pass is good enough when disk wiping. That would save a lot of time for us if true. The instructor says the idea of wiping 7 times comes from a Gutmann paper in the late 90s. It theorized an electron microscope could be used to recover data if the disk was wiped fewer times. This is purely theoretical. It has never been done. Forensics people will call it a day if it's been wiped once.
Of course what is technically correct isn't always what auditors or policy require. Trying to change that is difficult. The instructor says NIST recommends one pass. I've read the document he mentions. Apparently I need to re-read it because I don't recall one pass. I recall a preference for the UCSD Secure Erase, which uses ATA commands to wipe. I recall degaussing or destroying also being preferred. I think for overwrite utilities they were still recommending 6+, but I will have to verify.
2. The second interesting thought had to do with "limited personal use" allowances in corporate policies. Companies don't want to have policies they won't enforce, so they allow limited personal use. I thought the big danger in that was not defining exactly what that meant. According to the instructor, limited personal use is a forensic nightmare and a potential legal liability. The claim is that the limited personal use gives the user an expectation of privacy for that personal use. Since it is company policy, it trumps the logon banner that says "no expectation of privacy". Interesting thought, and one I'm going to have to run by legal. They took a year when I asked them to approve the login banner, so I expect to hear back from them around 2015.

Virginia High Court Strikes Down Anti-Spam Law

http://www.washingtonpost.com/wp-dyn/content/article/2008/09/12/AR2008091201211.html?hpid=topnews
In 2004 Jeremy Jaynes was convicted under Virginia’s Anti-Spam law for sending 10 million spam emails through AOL servers located in Virginia.
Virginia's Supreme Court has overturned that conviction and struck down the Anti-Spam law.
“The court unanimously agreed with Jeremy Jaynes’ argument that the law violates the free-speech protections of the First Amendment because it does not just restrict commercial e-mails.”
The weak Federal CAN-SPAM law that has done nothing to stop spam remains in effect.
Here is a link to the ruling.

It takes a thief

Russell Shaw, blogging on the front page of ZDNet, finds it hard to believe that someone who hasn't been on the Internet can be on a jury that finds someone guilty of illegally using Kazaa to share copyright-protected material.
I don't know if Russell is starting with the default assumption that all music should be free. It certainly seems as if the anti-RIAA forces believe that at their heart. I do kind of wonder if he extends that thinking to other crimes. Should I not be allowed to be on a jury that convicts a thief unless I've stolen myself? I guess I just don't feel that thieving is all that different in cyberspace. Good for them for not falling for the specious argument that "it wasn't me, it was my insecure wireless, therefore I am blameless."
I also think it's kind of funny that Russell thinks funeral directors are supposed to be compassionate and therefore should give light penalties during the sentencing phase of a trial.

Supreme Court eDiscovery Rules Take Effect Dec 1

According to MSNBC, new rules require corporations to keep track of all the e-mails, instant messages and other electronic documents generated by their employees, thanks to new federal rules that go into effect Friday.
I am not a lawyer, but I don't read it the same way. Here's the text. You're required to know where relevant data is and disclose that. Further, if you are in a suit, you may need to preserve data depending on the situation. I recall a case a while back in the news where the CEO got a new computer during the course of a lawsuit. As was standard practice, the old computer was wiped. The ability to discover data on that computer was lost. I think these new rules will make that sort of trick more problematic.
So I don't agree with MSNBC that you need to run out and buy an archiving server for email and IM. You do need to know what you have, and that is tough enough.

AOL Thief Sentenced

Remember that AOL “engineer” who sold the entire AOL user list to spammers? Today the hard hammer of justice came swinging down on him.
I use that term sarcastically. He got 15 months in prison. I suspect with good behavior he'll be back online before Martha Stewart. Heck, he'll probably get a pay raise and a job teaching people that they can't trust their own employees.
Here is a link to the Yahoo! story.
It seems our friend got a plea bargain even though he doesn't have enough information to implicate anyone else. Way to send a message to the other would-be criminals out there.

When Disclaimers Attack

I’m seeing more email with disclaimers at the bottom.
This e-mail and any files transmitted with it are the property of $companyname, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender at xxx-xxx-xxxx and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited.
Lawyers gone wild. As Information Security Professionals we are supposed to yield to the domain experts. The problem is that often the legal guys are in their own world.
This seems like an example of doing SOMETHING in the name of security, but not being sure of actually accomplishing anything. I feel like I should immediately delete the email, scrub my Exchange server, reboot the routers to remove any possible remnants, call my lawyer and my company contracts office, and just in case stop accepting any new mail.
Do disclaimers at the bottom carry any legal weight? It's kind of doubtful. I mean, to have a contract don't both sides need to have consideration? I have heard of one case where it was important for the disclaimer footer to warn that email traffic is monitored at company X. That way, if Joe@companyX sends email to Jane@companyY, she knows not to be sending illegal material back to Joe@companyX.

Judge Throws Out Keystroke logger case

According to an article at SecurityFocus, a judge has thrown out the case against an employee who placed a hardware keystroke logger on his employer's computer system. The judge ruled that the Federal Wiretap statute applies to interstate transmissions and this was a local logger. Since the keystroke logger collected everything, including emails, I'm a bit surprised the judge wasn't willing to go along with the Federal case. It will be interesting to read the case writeup on this one.

Symantec sued for labeling product ‘adware’

Symantec is being sued for labeling a product as spyware according to a news.com article. It says that Symantec has labeled TrackEight’s product “Spyware Nuker” as adware and as such they have lost business. The SARC writeup is linked here.
Spyware Nuker is on the list of rogue/suspect spyware applications maintained by spywarewarrior.com. It seems that TrackEight's parent company includes adware in most of the products they release. Earlier versions of Spyware Nuker were ripped off of Ad-Aware and Spybot Search & Destroy. This earlier version is still being distributed.
Although the current version is reported to not have these same problems, their sibling companies are responsible for Bargain Buddy, WhenU and MySearch crapware. Do you really want to be using software to remove adware/spyware from the same company that put it there in the first place?
I couldn’t wade through this thread but it remains pretty clear to me that TrackEight are not reputable people.
It will be interesting to see how this plays out assuming the results become public knowledge.

Security Managers Could Face Court Penalties

I posted back in May about the legal problems security professionals may find themselves in. There is an interesting article over at Yahoo! News that relates to this.
Mark Rasch was head of the US Justice Department's Cybercrime Unit. He prosecuted Robert Morris, author of the Morris Worm, as well as the Hanover Hackers (see Clifford Stoll, The Cuckoo's Egg). Currently he is a VP at some company and makes money scaring people about cybersecurity.
He makes some good points to ponder:
Computer crime law is written so broadly that any unauthorized access is a crime. Then, when your company has a policy that employees routinely violate, that opens your employees to a felony computer crime charge of unauthorized computer use.
His main admonition is that your routine efforts at security could blow up in your face in court. Let's say you have a memo listing necessary security steps to take. Then you don't take all of them. That will not look good at trial!
For something to be protectable as a trade secret, you must have made some reasonable effort to secure it. If you didn’t do the items on your list, then you may lose when you try to get someone prosecuted for stealing trade secrets.

Requiring Foresight

I'm beginning my summer class in the Infosec program at James Madison University. The class is on Policy, Ethics and the Law in Cyberspace. I'm sure over the upcoming weeks my opinions will change on this. But since I saw a related article over at CSO Online, I figured I'd post this article this week. I can always post updates later on.
One of our assigned readings for this week is on the TJ Hooper trial of 1931. Basically, two tugboats were hauling barges of coal from Hampton Roads, Virginia to New York. During the trip a storm came up and the last barge in each barge train sank. The other side said that 90% of tugboats were equipped with radios to receive the weather forecast, and if these operators had gotten the forecast then they would have taken refuge. The trial judge held that although a weather radio was not required by law or by maritime code, it was a best practice for the industry. Since the operator failed to follow best practices, the tugboat was culpable.
You might ask why we are studying maritime law in a cyberlaw class. I suspect part of it has to do with the professor's predilection for sailing. :) If we can be found at fault for incidents caused by our failure to follow industry best practices, we need to be able to prove the steps that we have taken to protect our systems.
In the context of reading this Hooper case, I found an article over at CSO Online called A Foreseeable Future. The article states that in cases related to 9/11, courts have held terrorism to be a foreseeable threat. I would imagine that the level of applicability of that decision is related to your company's exposure to terroristic concerns. An airline clearly knows it is exposed to terroristic threats. Why else do we have screenings? The World Trade Center was clearly on notice after the first attack with the truck bomb. Where I work probably doesn't have the same mandate.
However, this is still an important decision for us I.T. folk. CSOOnline states “typically a criminal act severs the liability of the defendant, but that doctrine has no application when the [action] is foreseeable.”
The article shows this in a case involving Verizon and the Maine Public Utilities Commission. Verizon felt that it was OK to violate their SLA because they were victimized by Slammer. It was ruled that:
1. Security patches are foreseeable; they occur every month.
2. A reasonable man patches their systems (the competitors, AT&T and WorldCom, did patch successfully).
3. Verizon is accountable for the damage caused by their failure to patch.
I always wonder just who it is who establishes these best practices. To protect ourselves from judgment, we need to be able to prove in court that we follow best practice. The second recommendation of the article is that we pursue cyberinsurance (which will likely involve first proving that your company follows best practices).