Industry Panel to Discuss Cybersecurity, Biometrics and Security Issues in the Public and Private Sector Ideas get bigger when you share them…    New York, NY – March 6, 2014 (www.investorideas.com newswire) Investorideas.com, an investor…
SOURCE: RightScale April 02, 2014 09:56 ET Public Cloud Adoption Nears 90 Percent on the Journey to Hybrid Cloud SANTA BARBARA, CA–(Marketwired – Apr 2, 2014) – RightScale® Inc., a demonstrated leader in enterprise cloud portfolio management, today…
SOURCE: Fortinet January 13, 2014 09:00 ET New UTM Appliances, WLAN Access Points, 3G/4G Wireless WAN Extender, and Ethernet Switches Connect and Extend High-Performance Network Security for Retail, Branch Offices and Other Distributed Enterprise Environments…
Assessing Cloud Computing Security – Risks against Reality It is evident that cloud computing is mounting all over the globe and in 2014 cloud computing is all set to emerge stronger. Growth of the cloud landscape will be huge and raging and will…
The DC Circuit Court of Appeals heard argument today in AF Holdings v. Does 1-1058, one of the few mass copyright cases to reach an appellate court, and the first to specifically raise the fundamental procedural problems that tilt the playing field…
its privacy terms and conditions, eroding a little more of its users’ privacy. Google is so far unapologetic about its changes, despite having created some controversy. The bulk of the responses worry that Google is now able to read users’ emails and…
John King, Julie Pace and Jonathan Martin discuss the Pulitzer prizes awarded for coverage of Edward Snowden.
SOURCE: SecuritySolutionsWatch.com March 06, 2014 00:01 ET RYE BROOK, NY–(Marketwired – Mar 6, 2014) – ImageWare Systems, Inc. (OTCQB: IWSY) and StrikeForce Technologies, Inc. (OTCBB: SFOR) ***** HP Enterprise Services Mr. Rob Wigley, Director, Cybersecurity…
Provides simple, comprehensive security across endpoints using cloud, hybrid or on-premise deployment DALLAS, April 15, 2014 /PRNewswire/ — Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global pioneer in security software, today announced major…
Oracle Corp.‘s plan to acquire session border controller (SBC) specialist Acme Packet Inc. looks like a way for the software giant to get some ready-made smarts in the key telco sectors of 4G packet core networking and network functions virtualization…
The Guardian and the Washington Post shared a Pulitzer Prize Monday for reporting on leaks from former National Security Agency contractor Edward Snowden that revealed a global surveillance network monitoring millions of Americans and foreigners. The…
While AT&T, Comcast, and Verizon have argued — with incredible message discipline — that network neutrality is “a solution in search of a problem,” that’s simply not true. There are many concrete examples of network neutrality violations around the…
New documents released by the FBI show that the Bureau is well on its way toward its goal of a fully operational face recognition database by this summer. EFF received these records in response to our Freedom of Information Act lawsuit for information…
While we’ve been disappointed that Senator Chuck Grassley appears to have a bit of a double standard with his staunch support for whistleblowers when it comes to Ed Snowden, it is true that he has fought for real whistleblower protections for quite…
The Guardian and the Washington Post won the Pulitzer Prize for public service journalism on Monday for their in-depth reporting on Edward Snowden’s revelations about the National Security Agency and its vast global surveillance network. The citations…
More than $380 million billings, 45 percent increase in Fortune 100 sales and Websense TRITON security effectiveness drives 2014 momentum SAN DIEGO, Feb. 19, 2014 /PRNewswire/ — Websense, a global leader in protecting organizations from the latest…
VASCO positioned as a leader for its ability to execute and completeness of vision OAKBROOK TERRACE, Illinois and ZURICH, Jan. 28, 2014 /PRNewswire/ — VASCO Data Security International, Inc. (www.vasco.com) (Nasdaq: VDSI), a leading software security…
Lo so non dovrei ne stupirmi ne arrabbiarmi, ma non ci posso fare nulla tutte le volte che ho a che fare con la burocrazia italica non osso fare a meno di avere un travaso di bile.
Non si tratta della cronica inefficienza, o della assoluta mancanza di professionalità di una classe manageriale pubblica inetta, ma proprio dello spirito con cui le cose vengono, nella pubblica amministrazione, gestite.
Esiste una profonda ipocrisia nella gestione della res publica e nei servizi al cittadino che basa la sua essenza sulla forma del regolamento e non nel suo spirito, quella stessa ipocrisia che permea da anni la parola dei politici di cui i dirigenti della cosa pubblica sono vassalli obbedienti.
Se sostituiamo “lo spirito” della legge con “la lettera” otteniamo due vantaggi notevoli:
Se poi consideriamo quale sia la pariteticità con cui tali regolamenti son applicati….
Forte con il debole debole con il forte
Nella volontaria scelta di servire lo stato il dipendente pubblico di più alto grado ha, evidentemente, fatto una scelta di campo, sto con chi comanda, alla faccia del popolo sovrano ed amenità varie. Infischiandosene allegramente del senso della nostra costituzione e giocando sottilmente sulla forma si è costruito uno scudo di immunità con cui allegramente affronta le più disparate sfide della decenza.
Tra Equitalia (mai nome fu più ironico) e l’agenzia delle entrate gli esempi si sprecano, esempi dove uno stato impositore affatto attento alle esigenze del popolo che sarebbe chiamato a servire e rappresentare si pone insensibile di fronte a qualsiasi lamento perseguendo stolidamente, sino alla fine, l’obiettivo anche se questo è causa di un danno molto superiore del torto, reale o presunto, che il cittadino ha commesso.
Cosi quando lo stato costringe sul lastrico una persona sequestrandogli beni essenziali e privandolo dei mezzi di sostentamento sta violando da un lato la nostra costituzione che afferma che ben altro è il compito dello stato e della repubblica, e dell’altro si fa scudo di una serie di regolamenti scritti e pensati proprio per proteggere il mandante in spregio al concetto di responsabilità.
Ovviamente tale rigore messianico viene adottato solo per quelli per cui la legge è uguale per tutti, per coloro, cioè, che non hanno ne la forza ne la possibilità di reagire, cosi evasioni milionarie vengono allegramente dilazionate a chi problemi di sopravvivenza non ne ha, mentre all’impiegato, imprenditore o libero professionista di turno vengono imposti vincoli tali da rendergli impossibile o il rispetto della ammenda o il prosieguo della attività.
Dura lex sed Lex? Purtroppo lo è solo nei termini in cui viene applicata,se sei abbastanza potente scatta di colpo la “comprensione”.
Un esempio classico sono le macchinette mangiasoldi, vi invito a cercare cosa disse Umberto Rapetto
al riguardo quando scoprì l’evasione plurimilionaria che era stata elegantemente insabbiata dalla nostre classe politica e che gli costo la “promozione” .
Ma come: 96 miliardi di evaso non si possono esigere perché significherebbe la chiusura della attività? Ed allora quando si fa chiudere un imprenditore o si manda per strada un cittadino sequestrandogli la casa?
Ora non nego che tutta la questione sia aperta e discutibile, e che potrebbe anche essere che tale evasione s “presunta” sia di entità inferiore, ma vorrei ricordare che il meccanismo con cui equitalia procede verso i normali cittadini è il seguente, almeno cosi è stato per me
non mi sembra che sia stato usato lo stesso metro nel caso slot machines, verrebbe da chiedersi perché….
L’ipocrisia del problema lavoro
Un alto esempio lampante di come si trattino ipocritamente in italia le questioni facendosi scudo dei regolamenti è la questione disoccupazione.
Per quanto grave sia la disoccupazione giovanile in italia, ben più grave, ed urgente, è la questione della disoccupazione di chi giovane non è più.
Cerchiamo di capirci: non dico che la disoccupazione giovanile sia un problema minore, ma sostengo che occorrerebbe presentare i numeri contestualizzati.
A fronte di un alto tasso di disoccupazione giovanile, che correttamente deve essere affrontata e risolta, nessuno parla del problema dei disoccupati ultra-quarantenni quadri o dirigenti che hanno di fronte la seguente situazione:
Il problema è che mentre parliamo della disoccupazione giovanile e di come porvi rimedio ci dimentichiamo di persone che, invece, hanno urgenza immediata e non possono aspettare “soluzioni strutturali” a medio termine.
Ancora una volta ci si fa scudo della lettera per non vedere o applicare il senso, e cosi frotte di ligi pubblici ufficiali tratteranno un esercito di partite IVA di “sopravvivenza” alla stregua di velleitari imprenditori che scialacquando i beni si sono ridotti per loro insipienza sul lastrico, e non come persone costrette dagli eventi a prendere azione per sopravvivere. ma si sa, non è colpa del prode funzionario, lui ha fatto il suo dovere perché cosi dice la legge o il regolamento.
Pensiamoci quando gridiamo al disgusto di fronte a quello che facevano i soldati nazisti e al loro “eseguivamo gli ordini”. Pensiamoci quando sentiamo di un compagno di sventura caduto sotto le fauci di uno stato iniquo e persecutore.
Se, secondo la nostra costituzione, tutti devono concorrere al progresso ed al benessere della repubblica in funzione delle proprie capacità ed aspirazioni come può essere giustificabile un tale comportamento? Può un regolamento essere prevaricante rispetto al senso della nostra costituzione?
E come può uno stato il cui scopo costituzionale è promuovere questo sviluppo e rimuovere gli eventuali ostacoli comportarsi in tale maniera?
E poi dicono che l’Italia è il Belpaese, la vedo grigia sempre più grigia.
Antonio
Intro
Making a forensic analysis means to be able to collect and analyze data in order to find out evidence that could led you to a specific break.
Although is usually considered a post-mortem activity in the IT realm this aspect is less marked than in other forensic environment. If we are running an investigation on a homicide, as an example, we will be present when everything is already done, and we just have to collect cold evidence. On the other end when we are running a forensic IT investigation we cannot be sure that the event has occurred in the past, some traces and some events related to the break could still be alive and running as the break itself.
When performing an IT forensic investigation we should be able to collect cold evidences as hard disks, logs and whatever we could need, as well as live “warm” data.
This part of the job require, among other abilities, to be able to sniff and analyze your network, collect packet capture and deep inspect the content in order to find out what is unusual or clearly symptom of a breach.
Through the history, we have seen a great development of forensic instruments and branches: from pathology to entomology, from engineering to psychology several branches develop and we see new coming out as science and technology evolve.
No matter what branch or technique we are using, the aim is always the same: to be able to analyze in detail a crime scene in order to find the truth using any physical available evidence.
Since this is a quite new science definition and rules are not well defined for any field, some areas are still in development, as for the computer and digital forensic, while other are in an advanced stage of development, as pathology for example.
Computer Forensic is still a new branch of the Forensic world we have to face some aspects:
Working in the Cyber area require, nevertheless a quite standard approach, common to every forensic investigation. There are some “simple” rules that should be followed by any forensic investigator:
If there is no crime there is no need of a Forensic investigation, although it is always possible to use a forensic approach to proactively find possible areas where a crime can be pursued.
In any case, either if proactive or reactive, an investigation has to start with an object, a target, this is necessary in order to define instruments and tools that have to be used. Is quite different to suspect a database manipulation than a use of pornographic material in the work environment and so different will be the tools used to gather evidences.
This is the core of any forensic activity, evidences are what we will work on, but in Computer Forensic those evidences are partially physical and mostly digital. This require an extra effort in order to no pollute evidences due to our gathering.
The process should be non-destructive and should preserve the data collected and the environment we are working on.
There are several good reason to be cautious: usually we will work in working environment and the evidence could be stored on production systems. Stopping or harming those environments would be sometimes worse than the crime itself, so it is strongly suggested to not bring home the entire database and related servers of an e-commerce company making them stop the activity, would not be appreciated. Clearly, we will have to find the best tradeoff between the collection of data and the preservation of the work environment.
Another good reason to be cautious is due to the fact that
Digital data can be easily modified and this could invalidate our effort, trying to not change, modify the evidence is always necessary, but here we need to be extra cautious.
We should also consider that sometimes law requirements force us to respect specific policy and rules, we can think of the privacy EU set of laws that makes difficult to handle properly sensitive and personal data even during a forensic investigation.
If it is possible we should use as less as possible the original evidences, trying to use when possible duplicate.
Forensic data usually need to be moved from the crime scene to a safer location where the forensic expert can analyze it. The chain of custody is fundamental when we’re moving digital data both if they are physical evidence, think of an HDD or USB keys, and digital as logs, scan reports or files. We have to be sure that nobody can tamper our evidences.
Finally we can analyze the evidence we gathered. Again most of the consideration of the previous points should be followed; we should never modify the original data, any modification should be reported in detail with any change of status, the analysis should be non-destructive when possible, we should use the appropriate tool and course of action considering the data we’re analyzing.
The 3 A’s
Computer forensic evidences can be collected form a multitude of sources, data can be found in HDD’s , USB keys, CD\DVD rom, Ram, Rom and Cmos memory and so on. We should also consider that data can be presented in raw form (think of a stream of byte in a drive), as files, as metadata, as process (sql queries for example) and so on. But the complex network environment can present other sources as protocols and the network itself.
If the Network can be itself analyzed for a forensic investigation, why we should do this and what can we could find?
The network is the communication backbone where our data flow, and thus can be used in a crime to modify, access, copy, tamper data and systems . Being able to analyze this backbone is mandatory in any forensic investigation.
To be able to do so we should be able to understand network protocols and the various objects we can find in a network as:
But we have also to relate them with network protocols at the various level, the operating systems used, application environment, authentication environment, management and security platforms and so on.
This is a quite complicated effort since, usually, there is not a complete and clear documentation nor a single source of information. We, as Forensic Investigators, need to create ourselves a map of the environment where we will perform our investigation.
Activities like listing all the active process on a machine or all the port currently used are commonly performed with tools or internal command of the various OS and are fundamental to understand and design the environment.
Network analysis is fundamental to trails the whole incident how the attack begins, which are the intermediate devices through which it pass and who was the victim.
In order to obtain this goal we should collect evidences from log, firewalls, internetworking devices and files, and being able to make a network scan that can depict location and status of every device present on the network itself.
Once collected the data we should also be able to analyze that in detail, using the appropriated tools.
The first type of analysis is at the physical layer where we usually use:
Sniffers collect traffic from the network and transport layers other than the physical and data-link layer.
Investigators should configure sniffers for the size of frames to be captured, the default size of frame that most sniffers capture by default is 68 bytes of Ethernet frame, It is advisable to configure sniffers to collect Ethernet frames of size 65535 bytes
The de facto standard of saving the gathered data from the network is in a tcpdump file with “*.dump” extension
At the Data-Link Layer we usually check
At the Network and transport layer we usually collect:
Authentication logs:
Application logs :
Operating System logs:
But before enable logging one should bear in mind: what to log otherwise, it can result in over-collection of data making it difficult to trace the critical event
Network device logs:
The logs from network devices can be used as evidence for particular investigation on that network
Some of those data requires administrative privileges to be collected, some other rely on tools able to help to gather read and analyze data. Since we will have to correlate data coming from different sources in order to reconstruct a process is mandatory to align all timestamps. So if this is not done we should collect all the time setting for each device providing a log and considerate eventual time gaps in order to normalize all the references.
If you search on Google for a network sniffer or protocol analyzer, one of the first hits will be Wireshark (www.wireshark.org).
Wireshark is an open source network packet analyzer. Without any special hardware or reconfiguration, it can capture live data going in and out over any of your box’s network interfaces: Ethernet, WiFi, PPP, loopback, even USB. Typically it’s used as a forensics tool for troubleshooting network problems like congestion, high latency, or protocol errors — but you don’t want to wait until your network is in trouble to learn how to use it.
Wireshark has some features not found in many of the other free sniffers that are available, such as conversation reassembly and a capture display/filter, syntax that is more advanced than most.
Wireshark does require the WinPCap drivers, which are very simple to set up.WinPcap can be downloaded from www.winpcap.org. The WinPcap drivers enable a greater degree of access and control to the network communications at the packet level than is available by going through the Windows network drivers. For this reason, many third-party utilities that do heavy packet manipulation make use of WinPcap.
Profile normal network traffic is not the goal of Wireshark — it is a tool to help you recognize aberrant behavior when you are trying to track down the source of a problem. Unfortunately, there is no quick-and-easy path to tracing down the root cause of high latency or slow throughput.
Sure, if there is a zombie machine on your network infected by a trojan, you may easily flag it as an infected spam bot when you see it initiate thousands of SMTP connections per hour — and detecting viruses and malware is an important forensic task. But tracking down why one of your database servers is always a little bit slower than the other could involve quite a bit more digging and analysis.
That’s why taking some time to profile your network traffic under what we’ll assume are normal operating conditions is valuable. You can get a feel for how often WiFi clients see TCP retransmissions; if the rate doubles or triples, and you have not added any more machines, then you may need to look to see whether any one client is behaving differently than the others, or if you are simply seeing signal degradation. When diagnosing bandwidth woes, if one of your local servers is consistently timing out and dropping connections, it could be an application-level problem. But if Wireshark’s logs reveal that it is the remote server resetting connections, then you need to make a phone call.
Here, the tutorials at the Wireshark site are an invaluable aid. The wiki has some basic network troubleshooting pages, as well as links to resources hosted elsewhere.
Wireshark includes a lot of features that will help you analyze your network when you are tracking down the source of your problem. For example, you can run statistical comparisons between two saved packet captures; this allows you to perform a capture when you are experiencing the problem, and compare it against a data set you collect as a control group when things are running smooth. Likewise, you can collect and compare captures from two different machines — say, on different network segments or with different configurations.
This is also why it is so helpful that there are builds of Wireshark available for the proprietary operating systems: when chasing down a performance problem, you may need to collect data from every source. Last but not least, although Wireshark is always referred to as a network analyzer, the truth is it can analyze other things as well, including USB traffic and even Unix socket connections between applications. So even if you master your TCP/IP traffic this weekend, you may still have room to explore.
Capturing wireless control traffic can be done with Wireshark. To capture the control frames, the system must support the monitor mode on the card.
Its availablity are platform, driver and libpcap dependent, on most Linux systems it is possible to get the card into monitor mode with iwconfig or more easy with the airmon-ng script, for example, airmon-ng start wlan0, on windows, the AirPcap adapters from Riverbed allows the capture of full raw wireless traffic
NOTE
Wireshark is packet-centric (not data-centric)
Wireshark doesn’t work well with large network capture files (you can turn all packet coloring rules off to increase performance).
Since Wireshark is so powerful we can wonder if it can do everything we need. The answer is “Almost”. Where wireshark is limited we can find or write expansion in order to allow deeper and further analisys.
There are several plugin or addon on the internet related to wireshark, of course the very first can be found on the wireshark site, and are the ones crafted by reverbed technology, main sponsor of the wireshark project.
Plugin, addon and collateral software allow the forensic analyst to deep analyze data presented by wireshark. There are, actually, several needs to implement further wireshark astonishing capability.
Let’s present some.
Although the standard version of wireshark is able to process the most used protocols, there could be some specific areas that are not covered, or where the feature provided by wireshark could not be exhaustive.
The basic way to look into this kind of necessity is to find or build a component able to analyze the specific protocol you need.
Wireshark is able to capture raw network data and then show you the several component of single packet, it allow you also to create your specific component to read data, those components are called dissector.
A dissector is able to read a specific sequence inside your frame and define the type of protocol with its components. Then is able to send the eventual incapsulated protocol to the appropriated dissector to further analyze.
Each dissector decodes its part of the protocol, and then hands off decoding to subsequent dissectors for an encapsulated protocol.
Every dissection starts with the Frame dissector, which dissects the packet details of the capture file itself (e.g. timestamps). From there it passes the data on to the lowest-level data dissector, e.g. the Ethernet dissector for the Ethernet header. The payload is then passed on to the next dissector (e.g. IP) and so on. At each stage, details of the packet will be decoded and displayed.
Dissection can be implemented in two possible ways. One is to have a dissector module compiled into the main program, which means it’s always available. Another way is to make a plugin (a shared library or DLL) that registers itself to handle dissection.
There is little difference in having your dissector as either a plugin or built-in. On the Windows platform you have limited function access through the ABI exposed in libwireshark.def, but that is mostly complete.
The big plus is that your rebuild cycle for a plugin is much shorter than for a built-in one. So starting with a plugin makes initial development simpler, while the finished code may make more sense as a built-in dissector.
The following tools can process the libpcap-format files that Wireshark and TShark produce or can perform network traffic capture and analysis functions complementary to those performed by Wireshark. Some of them are useful for very specific needs or task, sometimes the same results are available with some digging and working by wireshark itself but some of those tools will make your life easier.
In brackets you will find the program license and the supported operating systems, in bold the ones we can’t live without.
We should remember that Wireshark could analyze, in a switched environment, only the traffic presented to the sniffed network interface (direct traffic and broadcast type). To check all the traffic we should use a span-port or use tools like ettercap or hunt to make a classic poison mac sniffing.
Both those tools can do a lot of damage on the network so it is strongly suggested to pay a lot of attention mainly if you are collecting data in a live production environment. Although could be of some use to use the router mac address to explore the incoming\outgoing internet traffic, probably the performance of the network would decrease to an unacceptable low rate.
This tool is particularly useful when data need to be presented and explained to people that is not so found on the forensic analysis we are performing.
P0f is a tool that utilizes an array of passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
Some of p0f’s capabilities include:
Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.
Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.
Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.
Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.
The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.
Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellanous forensics.
These tools will either generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it.
A more exaustive collection of traffic generators can be found at:
These tools can be used to “anonymize” capture files, replacing fields such as IP addresses with randomized values. This is a mandatory requirement when presenting data to not authorized people. We should consider that IP address in many countries are considered “sensitive” data and so processing and showing those data could be ruled by privacy legislation.
There’s a categorized list of anonymization tools at the CAIDA site http://www.caida.org/tools/taxonomy/anontaxonomy.xml
These tools attempt to repair damaged capture files as much as can be done.
[1] We should remember that Wireshark could analyze, in a switched environment, only the traffic presented to the sniffed network interface (direct traffic and broadcast type). To check all the traffic we should use a span-port or use tools like ettercap or hunt to make a classic poison mac sniffing.
