Topics in Privacy, Security, Internal Audit and Forensics
Dec 21, 2015
Types of Investigations
Internal investigation
Fastest and most covert
Company owns the resources that are the target
No need for subpoenas and discovery orders
Examiner can conduct expediently with full access to relevant data
Suspect is typically an active employee
Secrecy is a must
Technical process is similar to a civil examiner, and the case may ultimately go to civil court
Popularity 8 Simplicity 6 Impact 6 Risk Rating 7
Types of Investigations
Civil
Similar to internal investigation
An opposing firm owns the resources that are the target
There is need for subpoenas and discovery orders (expensive, problematic)
Examiner may not have full access to relevant data
The investigation lives or dies based on what happens in court
Involves dispute between two companies
Secrecy is mainly from media
Technical process is similar to an internal investigation
Popularity 10 Simplicity 8 Impact 7 Risk Rating 8
Types of Investigations
Criminal
High stakes, risky investigation
Suspect's livelihood is on the line
Accuracy is paramount
Case may go on for months or years, with much rework of evidence
Any problems are likely to show up in the media, e.g., the 6 o'clock news
Technical process is difficult
Investigators must be good and credible
If you don't have the proper credentials, don't try this
Popularity 8 Simplicity 10 Impact 10 Risk Rating 10
Role of the Investigator
What is involved in Computer Forensics
Collecting evidence: whatever is needed for the chain of inference
Cross-validation of findings
Proper evidence handling
Completeness of investigation
Management of archives
Technical competency (especially with computer / network technology)
Explicit definition and justification for the process (inference line)
Legal compliance and knowledge
Flexibility
Inference Network Analysis
Legal cases are proved through inferences.
These inferences, built in chains, must lead logically from point A to point B
The strength (or weakness) of these inferences determines the strength of the legal case
[Figure: diagram with the labels Evidence, Inference and Proof]
Chain of Inferences
Processing of evidence is directed, step by step, towards the inferential chain between the Perpetrator and Asset
This may also involve identifying a perpetrator
And identifying specifically the breach of security involving the asset
[Figure: Alleged or Candidate Perpetrator; Evidence; Line of Inference Connecting Perpetrator to Asset; Asset]
Control Process
Internal controls are processes and subsystems that assure that processing and output of an accounting system is running ‘within specification’
Internal controls appear at three points in a transaction processing cycle:
  Preventive controls anticipate problems and prevent them from occurring
  Detective controls identify problems that have occurred
  Corrective controls are subsystems of the correction process that assure that errors detected are corrected properly
    Because if an error is made once, it is likely to be made twice, and even more times.
Identifying whether Asset users are or are not Authorized
Detection of Authorization is perhaps the most common and fundamental of all control processes
  As Preventive controls, they prevent a potential accessor from any access unless they are properly identified by the system
  As Detective controls, they assure an audit trail of all activity by an identified user
  As Corrective controls, they identify who to go after in an investigation
Passwords for Authorization
Passwords have traditionally been the most commonly used tool for identifying a user to a computer system
  Though they may soon be overtaken by biometric tools
Through hashing and public key systems, they allow signatures and fingerprints to be left on information assets by the password holder
Through encryption systems, they allow the password holder to read and use information assets
Through access systems, they allow the password holder free access to the information assets
Evidence of Access: Why Passwords are Important
One of the main pieces of evidence supporting any inferential link is the record of accesses (with a password) to an asset, etc.
Since access authorization is controlled through who has a password
  Password control is the first place we tend to look for evidence
  And is also the first thing that is controlled in authorization and logging systems
… Let's look at passwords and encryption more closely
Hash Function
A hash function provides a way of creating a small digital "fingerprint" from any kind of data
The function chops and mixes (i.e., substitutes or transposes) the data to create the fingerprint
The fingerprint (formally “hash value”) is commonly represented in hexadecimal notation
A good hash function is one that yields few hash collisions in expected input domains
In hash tables and data processing, collisions inhibit the distinguishing of data, making records more costly to find.
Hash Function
A cryptographic hash function should behave as much as possible like a random function while still being deterministic and efficiently computable.
A cryptographic hash function is considered insecure if either of the following is computationally feasible:
  finding a (previously unseen) message that matches a given digest
  finding "collisions", wherein two different messages have the same message digest.
An attacker who can do either of these things might, for example, use them to substitute an unauthorized message for an authorized one.
Ideally, it should not even be feasible to find two messages whose digests are substantially similar; nor would one want an attacker to be able to learn anything useful about a message given only its digest besides the digest itself.
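The fingerprint and "substantially similar digests" properties above, as an added example that is not part of the original slides: it records SHA-256 fingerprints of collected items, detects a one-bit alteration, and measures how many digest bits change per flipped input bit. The file names and contents are constructed sample data.

```python
import hashlib

def fingerprint(data: bytes) -> str:
    """Return the SHA-256 hash value of data in hexadecimal notation."""
    return hashlib.sha256(data).hexdigest()

def bit_distance(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)

def mean_avalanche(data: bytes) -> float:
    """Average number of digest bits that change when one input bit flips."""
    base = fingerprint(data)
    total_bits = len(data) * 8
    changed = sum(bit_distance(base, fingerprint(flip_bit(data, i)))
                  for i in range(total_bits))
    return changed / total_bits

def altered_items(manifest: dict, items: dict) -> list:
    """Names of items whose fingerprint no longer matches the recorded one."""
    return sorted(name for name, data in items.items()
                  if manifest.get(name) != fingerprint(data))

# Constructed sample data standing in for collected evidence files.
COLLECTED = {
    "access.log": b"2015-12-21 09:14:02 user=jdoe action=login result=ok\n",
    "mail.txt": b"Subject: quarterly figures\nPlease see the attached sheet.\n",
}
# Fingerprints recorded at collection time.
MANIFEST = {name: fingerprint(data) for name, data in COLLECTED.items()}

# The same items at a later date, with a single bit changed in one of them.
LATER = dict(COLLECTED)
LATER["access.log"] = flip_bit(COLLECTED["access.log"], 3)

if __name__ == "__main__":
    print("altered:", altered_items(MANIFEST, LATER))
    print("mean digest bits changed per flipped input bit:",
          round(mean_avalanche(COLLECTED["mail.txt"]), 1), "of 256")
```

A value close to 128 of 256 bits is what a function behaving like a random function produces: related inputs give unrelated-looking digests.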
Common Commercial Hash Algorithms
(Note: The SHA hash functions are a series of functions developed by the NSA: SHA, also known as SHA-0, SHA-1 and four flavors of a function known as SHA-2.)
Sizes are in bits.

Algorithm                Output size          Internal state size  Block size  Length size  Word size  Collision
HAVAL                    256/224/192/160/128  256                  1024        64           32         Yes
MD2                      128                  384                  128         No           8          Almost
MD4                      128                  128                  512         64           32         Yes
MD5                      128                  128                  512         64           32         Yes
PANAMA                   256                  8736                 256         No           32         With flaws
RIPEMD                   128                  128                  512         64           32         Yes
RIPEMD-128/256           128/256              128/256              512         64           32         No
RIPEMD-160/320           160/320              160/320              512         64           32         No
SHA-0                    160                  160                  512         64           32         Yes
SHA-1                    160                  160                  512         64           32         With flaws
SHA-256/224              256/224              256                  512         64           32         No
SHA-512/384              512/384              512                  1024        128          64         No
Tiger(2)-192/160/128     192/160/128          192                  512         64           64         No
VEST-4/8 (hash mode)     160/256              176/304              8           80           1          No
VEST-16/32 (hash mode)   320/512              424/680              8           88           1          No
WHIRLPOOL                512                  512                  512         256          8          No
Password Attacks
Passwords are the main identifier for establishing authorization for a task or access to an information asset.
Password Attacks are the main way of breaching computer security to commit a crime
Cracking
Recovering secret passwords from data that has been stored in or transmitted by a computer system
A common approach is to repeatedly try guesses for the password
The purpose of password cracking might be
  To help a user recover a forgotten password (though installing an entirely new password is less of a security risk, but involves system administration privileges)
  To gain unauthorized access to a system, or
  As a preventive measure by system administrators to check for easily crackable passwords.
Cracks: Principal attack methods
Weak encryption
If a system uses a cryptographically weak function to hash or encrypt passwords, exploiting that weakness can recover even 'well-chosen' passwords
Decryption need not be a quick operation, and can be conducted while not connected to the target system
Any 'cracking' technique of this kind is considered successful if it can decrypt the password in fewer operations than would be required by a brute force attack
The fewer operations required, the "weaker" the encryption is considered to be (for equivalently well chosen passwords)
Cracks: Principal attack methods
Guessing
Many users choose weak passwords, usually one related to themselves in some way
Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs
Examples of insecure choices include:
  blank (none)
  the word "password", "passcode", "admin" and their derivatives
  the user's name or login name
  the name of their significant other or another relative
  their birthplace or date of birth
  a pet's name
  automobile license plate number
  a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters
  a row of letters from a standard keyboard layout (e.g., the qwerty keyboard: qwerty itself, asdf, or qwertyuiop)
Guessing
Some users even neglect to change the default password that came with their account on the computer system.
And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier.
A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password, and such service accounts often have higher access privileges than a normal user account.
The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.
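The list of insecure choices above, turned into a check that can run when a user sets a password, as an added example that is not part of the original slides. The function names, the profile fields and the sample user are constructed for illustration.

```python
import re

COMMON_WORDS = {"password", "passcode", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def _alnum(text: str) -> str:
    """Lower-case the text and keep only letters and digits."""
    return "".join(re.findall(r"[a-z0-9]+", text.lower()))

def _forms(candidate: str) -> set:
    """The candidate as typed, with leading/trailing digits removed, and each
    of those reversed (undoes 'suffix a digit' and 'reverse the letters')."""
    norm = _alnum(candidate)
    stem = re.sub(r"^\d+|\d+$", "", norm)
    forms = {norm, stem, norm[::-1], stem[::-1]}
    forms.discard("")
    return forms

def _personal_tokens(value: str) -> set:
    """Words of a profile field plus the field joined into one string."""
    tokens = set(re.findall(r"[a-z0-9]+", value.lower()))
    tokens.add(_alnum(value))
    return {t for t in tokens if len(t) >= 3}

def weak_reasons(candidate: str, personal: dict) -> list:
    """Reasons the candidate falls under the insecure choices listed above.
    An empty list means none of these patterns matched, not that it is strong."""
    if candidate == "":
        return ["blank"]
    forms = _forms(candidate)
    reasons = []
    if forms & COMMON_WORDS:
        reasons.append("common word")
    for label, value in personal.items():
        if forms & _personal_tokens(value):
            reasons.append("matches " + label)
    if any(len(f) >= 4 and f in row for f in forms for row in KEYBOARD_ROWS):
        reasons.append("keyboard row")
    return reasons

# Constructed profile of a sample user (not real data).
PERSONAL = {
    "login name": "asmith",
    "full name": "Alice Smith",
    "pet": "Rex",
    "date of birth": "1984-03-12",
    "license plate": "7ABC123",
}

if __name__ == "__main__":
    for pw in ["", "Password1", "htimsa", "rex2015", "asdf",
               "correct horse battery staple"]:
        print(repr(pw), weak_reasons(pw, PERSONAL))
```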
Cracks: Principal attack methods
Dictionary attack
Password cracking programs usually come equipped with "dictionaries", or word lists, with thousands or even millions of entries of several kinds, including:
  words in various languages
  names of people
  places
  commonly used passwords
Dictionary attack
The cracking program encrypts each word in the dictionary, and simple modifications of each word, and checks whether any match an encrypted password.
This is feasible because the attack can be automated and, on inexpensive modern computers, several thousand possibilities can be tried per second
Guessing, combined with dictionary attacks, has been repeatedly and consistently demonstrated for several decades to be sufficient to crack perhaps as many as 50% of all account passwords on production systems.
Cracks: Principal attack methods
Brute force attack
A last resort is to try every possible password, known as a brute force attack
In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the length of the password increases, so does the number of possible passwords
This method is unlikely to be practical unless the password is relatively small
But with expanding computing power, and the possibility of massively parallel systems with cheap desktops, ‘small’ is not that small any more.
Precomputation
Precomputation involves hashing each word in the dictionary or any search space of candidate passwords and storing the <plaintext, ciphertext> pairs in a way that enables lookup on the ciphertext field
This way, when a new encrypted password is obtained, password recovery is instantaneous
There exist advanced precomputation methods that are even more effective.
By applying a time-memory tradeoff, a middle ground can be reached: a search space of size N can be turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted password takes time O(N^(2/3)).
The theory has recently been refined into a practical technique, and the online implementation at http://passcracking.com/ achieves impressive results on 8 character alphanumeric MD5 hashes.
Salting (a remedy)
The benefits of precomputation and memoization can be nullified by randomizing the hashing process
This is known as salting
When the user sets a password, a short string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification
Since the salt is different for each user, the attacker can no longer use a single encrypted version of each candidate password.
If the salt is long enough, the attacker must repeat the encryption of every guess for each user, and this can only be done after obtaining the encrypted password record for that user.
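Precomputation and the salting remedy side by side, as an added example that is not part of the original slides: a lookup table built once over candidate words matches an unsalted record but not a salted one. SHA-256, the "salt$digest" record layout, the function names and the three-word candidate list are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_table(candidates) -> dict:
    """Precomputation: map hash value -> plaintext for every candidate."""
    return {digest(word.encode()): word for word in candidates}

def store_unsalted(password: str) -> str:
    """Weak storage: the record is just the hash of the password."""
    return digest(password.encode())

def store_salted(password: str) -> str:
    """Storage as described above: a per-user random salt is suffixed to the
    password before hashing and kept alongside the result."""
    salt = os.urandom(16)
    return salt.hex() + "$" + digest(password.encode() + salt)

def verify_salted(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare."""
    salt_hex, stored = record.split("$")
    expected = digest(password.encode() + bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, stored)

def lookup(table: dict, record: str):
    """What a precomputed table can do with a stolen record: one dict lookup."""
    return table.get(record.split("$")[-1])

# Constructed candidate list and two sample users who chose the same password.
TABLE = build_table(["letmein", "sunshine", "dragon"])
ALICE_WEAK, BOB_WEAK = store_unsalted("sunshine"), store_unsalted("sunshine")
ALICE_SALTED, BOB_SALTED = store_salted("sunshine"), store_salted("sunshine")

if __name__ == "__main__":
    print("unsalted records identical:", ALICE_WEAK == BOB_WEAK)
    print("table hit on unsalted record:", lookup(TABLE, ALICE_WEAK))
    print("salted records identical:", ALICE_SALTED == BOB_SALTED)
    print("table hit on salted record:", lookup(TABLE, ALICE_SALTED))
```

The salt only removes the benefit of precomputation; guesses against a single stolen record still run at the speed of the hash, which is why current systems also use a deliberately slow password-hashing function.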
Programs for password cracking: John the Ripper
John the Ripper is password cracking software. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms.
It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects, and includes a customisable cracker.
The encrypted password formats which it can be run against include various DES formats, MD4, MD5, Kerberos AFS, and Windows LM hash. Additional modules have extended its ability to include passwords stored in LDAP, MySQL and others.
John is designed to discover weak passwords from the encrypted information in system files. It operates by taking text strings (usually from a file containing words found in a dictionary), encrypting them in the same format as the password being examined, and comparing the output to the encrypted string. It also offers a brute force mode.
Programs for password cracking: L0phtCrack
L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by L0pht Heavy Industries (later produced by @stake and now by Symantec, which acquired @stake in 2004)
It is used to test password strength and to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks.
It is one of the crackers' tools of choice
Ways of obtaining passwords illicitly (without cracking)
social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attack, acoustic cryptanalysis, identity management system attacks and compromising host security
Social engineering
The most common and effective way of illicitly obtaining passwords
A collection of techniques used to manipulate people into performing actions or divulging confidential information.
While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most (but not all) cases the attacker never comes face-to-face with the victim.
Computer criminal and security consultant Kevin Mitnick points out
…that it's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in
He claims it to be the single most effective method in his arsenal
Social engineering
Pretexting
The act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action
It is usually done over the telephone
It's more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g., for impersonation: birthday, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
Social engineering
Phishing
Phishing applies to email appearing to come from a legitimate business (e.g., a bank or credit card company) requesting "verification" of information and warning of some dire consequence if it is not done
The letter usually contains a link to a fraudulent web page that looks legitimate, with company logos and content, and has a form requesting everything from a home address to an ATM card's PIN.
Social engineering
Trojan Horse / Gimmes
Gimmes take advantage of curiosity or greed to deliver malware
Also known as a Trojan Horse, gimmes can arrive as an email attachment promising anything from a cool or sexy screen saver, an important anti-virus or system upgrade, or even the latest dirt on an employee
The recipient is expected to give in to the need to see the program and open the attachment
In addition, many users will blindly click on any attachments they receive that seem even mildly legitimate
Social engineering
Quid pro Quo
Something for something
An attacker calls random numbers at a company claiming to be calling back from technical support
Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them
The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access and/or launch malware.
Keystroke logging (keylogging)
A diagnostic hardware device (see right) used in software development that captures the user's keystrokes
It can be useful to determine sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks
Such systems are also highly useful for law enforcement and espionage, for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures
Keyloggers are widely available on the internet and can be used by anyone for the same purposes.
Wiretapping (telephone tapping ; wire tapping)
Monitoring of telephone and Internet conversations by a third party, often by covert means
The telephone tap or wire tap received its name because historically the monitoring connection was applied to the wires of the telephone line of the person who was being monitored and drew off or tapped a small amount of the electrical signal carrying the conversation
Illegal in most countries without a court order
Login spoofing
Technique used to obtain a user's password
The user is presented with an ordinary looking login prompt for username and password, which is actually a malicious program under the control of the attacker
When the username and password are entered, this information is logged or in some way passed along to the attacker, breaching security.
Dumpster diving
Also called dumpstering, binning, trashing, garbing, or garbage gleaning; in the UK binning or skipping
Rummaging through commercial or residential trash to find useful free items that have been discarded.
The term originates from the fanciful image of someone leaping into large rubbish bins
Files, letters, memos, photographs, IDs, passwords, credit cards and more can be found in dumpsters
This is a result of the fact that many people never consider that sensitive items they throw in the trash may be recovered
Such information, when recovered, is sometimes usable for fraudulent purposes like "identity theft"
Shoulder surfing
A direct observation technique for acquiring sensitive data such as looking over someone's shoulder, to get information.
Shoulder surfing is particularly effective in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter their PIN at an automated teller machine, use a calling card at a public pay phone, or enter passwords at a cybercafe, public and university libraries, or airport kiosks
Shoulder surfing can also be done at a distance with the aid of binoculars or other vision-enhancing devices
Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry
To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand
Timing attack
A side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms
The attack exploits the fact that every operation in a computer takes time to execute.
Information can leak from a system through measurement of the time it takes to respond to certain queries
How much such information can help an attacker depends on many variables: crypto system design, the CPU running the system, the algorithms used, assorted implementation details, timing attack countermeasures, the accuracy of the timing measurements, etc.
Timing attacks are generally overlooked in the design phase of security algorithms because they are so dependent on the implementation.
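How an implementation detail creates the leak described above, as an added example that is not part of the original slides: a secret comparison that stops at the first mismatch does work proportional to the number of correct leading bytes, while a fixed-work comparison does not. Byte comparisons are counted as a stand-in for elapsed time; the secret and the guesses are constructed values.

```python
import hmac

def early_exit_equal(secret: bytes, guess: bytes):
    """Compare byte by byte and stop at the first mismatch.
    Returns (equal, number of byte comparisons performed)."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for s, g in zip(secret, guess):
        steps += 1
        if s != g:
            return False, steps
    return True, steps

def fixed_work_equal(secret: bytes, guess: bytes):
    """Visit every byte regardless of where the first mismatch is, folding
    the differences into one value. Length is not treated as secret here."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    steps = 0
    for s, g in zip(secret, guess):
        steps += 1
        diff |= s ^ g
    return diff == 0, steps

def work_profile(compare, secret: bytes, guesses) -> list:
    """Work done by `compare` for each guess (the quantity a timer observes)."""
    return [compare(secret, g)[1] for g in guesses]

def check_token(secret: bytes, guess: bytes) -> bool:
    """What to call in production code: the standard library's comparison,
    designed so its running time does not depend on where the inputs differ."""
    return hmac.compare_digest(secret, guess)

# Constructed secret and three wrong guesses sharing 0, 4 and 11 leading bytes.
SECRET = b"S3CRET-TOKEN"
GUESSES = [b"XXXXXXXXXXXX", b"S3CRXXXXXXXX", b"S3CRET-TOKEX"]

if __name__ == "__main__":
    print("early exit :", work_profile(early_exit_equal, SECRET, GUESSES))
    print("fixed work :", work_profile(fixed_work_equal, SECRET, GUESSES))
```

The pure-Python fixed-work loop illustrates the idea only; interpreter overhead makes its real timing noisy, so `check_token` is the form to use.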
Acoustic cryptanalysis
A side channel attack which exploits sounds, audible or not, produced during a computation or input-output operation.
In 2004, Dmitri Asonov and Rakesh Agrawal of the IBM Almaden Research Center announced that computer keyboards and keypads used on telephones and automated teller machines (ATMs) are vulnerable to attacks based on differentiating the sound produced by different keys.
Their attack employed a neural network to recognize the key being pressed.
By analyzing recorded sounds, they were able to recover the text of data being entered.
These techniques allow an attacker using covert listening devices to obtain passwords, passphrases, personal identification numbers (PINs) and other security information.
Identity management system attacks
Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call
Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a password notification e-mail or, less often, by providing a biometric sample
Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.
Social engineering attacks can occur where an intruder calls the help desk, pretends to be the intended victim user, claims that he has forgotten his password, and asks for a new password.