Basics of Digital forensics Procedure

The digital forensics is the acquisition of digital evidence from many sources such as Laptop, PC, digital cameras, mobile phones ,Routers… USB and SSD cards. The first step is to make a clear picture of the object. The pictures must contain elements such a serial numbers, damaged areas. Then unscrew the device to take the hard disk we want to image using a forensics software. The next step, connect the disk to a write blocker, in case it is an SSD device, just connect it to an adapter and the adapter connected to the write blocker. Use your best computer forensics software to acquire the data.Also a brand new formatted disk drive to store the acquiring image.This target drive has to have a bigger capacity than the source drive. My favorite is X-Ways forensics.It is a good idea to use a Linux forensics acquisition tool too.Screw delicately the disk drive back to its initial location and document the findings using the chain of custody.

Public key infrastructure (PKI)

A Public key infrastructure is a system that incorporates asymmetric encryption and certificate to provide security. There are two principals actors: The client and the certificate authority(CA). The Cryptographic Service Provider (CSP) on the client side generates the key pair. Once the key pair has been generated, the client will keep the private key and send the public key with the certificate request to the CA. The client will use its private key to digitally sign that message. At this stage, the CA will either approve or deny the request. The Registration authority (RA) is another entity that can proxy certificate request to the CA on behalf of the client. When a certificate has been compromised it is revoked in the CA and updated to the Certificate Revocation List (CRL). The disadvantages of a certificate being revoked are that client has to go to the full list of what they are looking for. With the Online Certificate Status Protocol (OSCP), we only check for the validity of individual certificate without going to the full list thus improving performance. The standard for the certificate is the X.509 standard.

Malware Information Sharing Platform-MISP

The Malware Information Sharing Platform is used to store ,share and collaborate on malware across organizations. The Indicators of Compromise (IoC) are used to detect and prevent Cyber attack. The MISP integrates many features :-Efficient Built-in database to store malwares, information on attackers and intelligence

-Data are stored and shared in a structured format.

-Data can be imported from OpenIOC and exported to integrating with Network IDS, Host IDS and other tools.

MISP is good tool to use by your CERT team.

event-view
Malware Information Sharing Platform web interface

A look at Verizon Data breach digest report

Verizon released  its data breach digest report. It is a resume of 500 Cybersecurity investigations  occurring in over 40 countries. All scenarios were drawn from real-world cyberinvestigation.It is a 84 pages document with 18 scenarios divided in 4 groups:

  •  The human element—five scenarios highlighting human threats
    or targets.
  • Conduit devices—five scenarios covering device misuse or tampering.
  •  Configuration exploitation—four scenarios focusing on reconfigured or
    misconfigured settings.
  •  Malicious software—four scenarios centering on sophisticated or
    special-purpose illicit software.

The steps of incident response are well documented: Detection,containment,remediation .recovery and lessons learned.The vulnerabilities used during these attack are referenced in a very high technical way as well as the methods used to bypass those. You can get the report here.

 

 

Cybersecurity Awareness Month

We welcome this month October in the security community, as the cybersecurity awareness month. There will be different topics everyday for cybersecurity awareness activities.  Phishing is the action of getting sensitive information from the victim without using force. Test yourself on how to recognise fake emails from legitimate ones by taking one of these test:

https://phishingquiz.mcafee.com/

http://www.sonicwall.com/furl/phishing/

https://www.opendns.com/phishing-quiz/

WIRELESS ENCRYPTION

Wireless networks are an easy way to connect our laptop, tablet or phone to the internet. Instead of using the traditional RJ45 cabling , the devices just needs to have a wireless card. There are three main types of encryption in wireless network:

Wired Equivalent Privacy(WEP) which is available in 64-bit and 128-bit . It uses RC4 encryption (stream cypher) with 40-bit key and 24-bit initialization vector for encryption. It supports the Open authentication method with the MAC address and the shared authentication method with pre-shared keys.

Wifi Protected Access (WPA) : It uses Temporal Key Integrity Protocol (TKIP) for encryption. It supports pre-shared key (WPA personal) and 802.1x (WPA Enterprise) authentication.

Wifi Protected Access 2 (WPA2) or 802.11i: It uses Advanced Encryption Standard with either TKIP or counter mode with cipher block chaining message authentication code (CBC-MAC). It also supports pre-shared key (WPA2 personal) and 802.1x (WPA2 Enterprise) authentication.

HOME DEPOT BREACH

homedepot
Home depot logo

HOME DEPOT is a big box retailer in the USA. It suffered from a security breach that affected 56 millions payment cards.

The malware used in the attack is most likely to have been used in others attack. Briankrebs who reported the attack suggests that the BlackPOS malware which was used againt  TARGET  was also used in this case. The hackers started by compromising a third-party supplier workstation  and manage to install the malware in the point-of-sale terminal. At this point the collection of credit card entry data was automated and sent to an offsite collection system.The malware was present between April and September 2014, though the incident was first reported in September 02, 2014.

By now, the malware elimination and enhanced encryption of  Payment data in all US stores have been completed.

Lesson learned: In this recent POS attack, Payment Card Industry (PCI) regime could improve this. Home Depot should look to UPSStore example to learn how to report a breach. Online merchants need to resist fraudulent use of credit cards : Verified by VISA, MASTERCARD SecureCode, Paypal, Apple Pay. Finally, Home Depot Customers must demand new account numbers.  Why on this earth aren’t you using white listing on PCs attached to payment devices?.


	

CNET Hacked, Remote Servers accessed

CNET the most popular review technology websites has been hacked. A twitter user going by the name of worm and the handle @rev-priv8 posted a photo of a remote access to CNET.com server . The exploit was done through a vulnerability in the content management system probably WordPress or Joomla. CNET is not saying much about the attack but claims that username and password were not accessed.According to Forbes, Worm has even sold a database of CNET.com at a price of one Bitcoin.
http://www.forbes.com/sites/thomasbrewster/2014/07/14/russian-hacker-breaches-cnet-servers/

1 million users affected by CNET.com hack

Malware Sample Sources

Malware researchers need to test their skills and develop defense with real specimen. They can collect malwares sample from honeypot or download those from URL sources. The following sites can be resourceful:

  1. Contagio Malware Dump (Mobile Malware)
  2. Kernelmode.info
  3. Malshare
  4. Malware.lu AVcaesar
  5. MalwareBlacklist
  6. Malwr
  7. Open Malware
  8. SecuBox Labs
  9. Virusign
  10. VirusShare
  11. TheZoo /Malware DB
  12. ZeuS Tracker
  13. MalwareBazaar