information age espionage, debriefing a real-world, top-class cyber sleuth



Attacked to the max

In a recent Securities and Exchange Commission (SEC) filing, TJX Companies -- which runs T.J. Max, Marshall’s and other retail store chains in the USA, Puerto Rico, Canada, Ireland, and the UK -- recently acknowledged 45.7 million accounts were compromised over nearly two years.

“This is the largest security breach we’ve ever had worldwide,” said Avivah Litan, an analyst with research firm Gartner. … In its filing, TJX noted cyber thieves first accessed its computer systems in July 2005 and installed software to harvest such sensitive customer information as account information, names and addresses, drivers’ license numbers and military and state identification. The breach continued through mid-January 2007.” (CNET, 29/03/07)

Information age espionage, debriefing a real-world, top-class cyber sleuth

Richard Power and Dario Forte

In our profession, we usually cannot speak directly about the cases we are investigating or the projects we are working on. But there are some stories available in open source that highlight some of the important issues that our clients face day in and day out, year after year.

Security of the logs themselves is obviously paramount

Businesses must limit access to log files, protect log files, store files and secure log generation and log transmission between log generation locations and the log analysis and storage location. Access should be granted on a business-need and need-to-know basis only.

Turning security log management into a business enabler to increase security, reducing time to response for security incidents and to monitor staff activity within the framework of the law

Organizations should use reporting facilities to full potential by producing a mix of executive reports and technical reports. This should be based on robust filtering capabilities to filter out the “noise” which can be created by some logs. Most technical reports also provide remediation advice for identified issues/vulnerabilities. Relevant staff should be trained on how to use reporting capabilities. However, that assumes they have received security awareness training beforehand so as to be able to understand the meaning of security events when the log management tool alerts them. Understanding log context and log meaning is key, as is prioritisation of log entries for analysis. Similarly, it is very important to define who needs to see logs, who is responsible for collecting logs, and who is responsible for analyzing logs, which, again, can be done through a mixture of policy and user awareness work.

In summary, it is advisable for organizations to develop and implement a full security log strategy. Businesses should avoid randomly turning on logging on key systems, especially if the logging activity is not analyzed any further. It is best practice to collect, store and analyze logs with a view to being able to get complete, accurate and verifiable information. This will improve the organization’s ability to comply with key standards and legislation as regards e-evidence. It could save an organization from potential liability and repair costs and will give visibility over mission critical and security systems performance and usage. The main advice is to remain proactive so as to be able to respond to a security incident and comply with legal requests should anything happen.
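One way to make collected logs verifiable between the generation point and the collector, as an added example that is not from the article or any product it names: every record carries an HMAC over the previous record’s MAC, so editing, inserting or deleting a record breaks the chain at that position. The key, the sample events and the expected-count check are constructed assumptions for this demo.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Shared secret between log source and collector. Constructed value for this example only;
# in practice it comes from a key store and is rotated.
SAMPLE_KEY = b"constructed-demo-key"
GENESIS_MAC = "0" * 64  # the first record chains to this fixed value


def _mac(key: bytes, prev_mac: str, seq: int, event: str) -> str:
    """HMAC-SHA256 over the previous MAC, the sequence number and the event text."""
    return hmac.new(key, f"{prev_mac}|{seq}|{event}".encode(), hashlib.sha256).hexdigest()


def append_record(chain: List[dict], event: str, key: bytes) -> dict:
    """Log source side: bind each new record to the one before it."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS_MAC
    rec = {"seq": len(chain), "event": event, "mac": _mac(key, prev_mac, len(chain), event)}
    chain.append(rec)
    return rec


def verify_chain(chain: List[dict], key: bytes,
                 expected_len: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Collector side: recompute every MAC in order.

    Returns (True, None) if intact, else (False, index of the first record that fails).
    An edited, inserted or deleted record breaks the link at its position. Silent truncation
    at the tail is invisible to the chain itself, so the collector also checks the record
    count it expects (e.g. from a periodic heartbeat carrying the source's current seq).
    """
    if expected_len is not None and len(chain) != expected_len:
        return False, len(chain)
    prev_mac = GENESIS_MAC
    for i, rec in enumerate(chain):
        good = rec["seq"] == i and hmac.compare_digest(_mac(key, prev_mac, i, rec["event"]), rec["mac"])
        if not good:
            return False, i
        prev_mac = rec["mac"]
    return True, None


def to_wire(chain: List[dict]) -> str:
    """JSON lines as sent over the log transport."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in chain)


def from_wire(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    "sshd: Failed password for root from 192.0.2.10 port 51022",
    "sshd: Accepted password for alice from 198.51.100.7 port 40044",
    "sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "useradd: new user: name=svc-backup, UID=1002",
]


def demo() -> dict:
    """Build and ship a chain, then show what the collector detects after tampering."""
    source: List[dict] = []
    for ev in SAMPLE_EVENTS:
        append_record(source, ev, SAMPLE_KEY)
    received = from_wire(to_wire(source))
    results = {"intact": verify_chain(received, SAMPLE_KEY, expected_len=4)}

    edited = [dict(r) for r in received]
    edited[2]["event"] = edited[2]["event"].replace("/etc/shadow", "/etc/motd")  # rewrite the sudo line
    results["edited"] = verify_chain(edited, SAMPLE_KEY)

    deleted = received[:1] + received[2:]  # drop the successful login
    results["deleted"] = verify_chain(deleted, SAMPLE_KEY)

    truncated = received[:3]  # drop the last record: only the expected count reveals it
    results["truncated_unnoticed"] = verify_chain(truncated, SAMPLE_KEY)
    results["truncated_with_count"] = verify_chain(truncated, SAMPLE_KEY, expected_len=4)
    return results
```

The chain proves integrity and order of what arrived, not that the source itself was trustworthy when it wrote the record, which is why the article’s access and transmission controls still apply.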

Recommended reading:

• www.secnology.com – SECnology provides a fully comprehensive platform enabling you to see comprehensive views of the entire security infrastructure from a single console, with the ability to generate filtered security “views”. It provides a powerful drill-down capability for monitoring and actually observing an attack or intrusion attempt which helps for forensic analysis.

• www.nist.org – NIST SP800-92 – The National Institute of Standards and Technology (US) Guide to Computer Security Log Management, http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

• “Security Log Management: Identifying Patterns in the Chaos”, by Jacob Babbin, Dave Kleiman, Everett F. Carter Jr., Jeremy Faircloth, Mark Burnett, Esteban Gutierrez.

• http://enterprisenetworksandservers.com/monthly/art.php?1501 – “Log management is the missing security performance ingredient”, by Drew Robb

About the author

Mathieu Gorge is the Managing Director of Vigitrust – a security consultancy based in Ireland.

Computer Fraud & Security, May 2007, page 10

WAR & PEACE IN CYBERSPACE

TJX also put a $5 million cost on its investigation, security upgrade, and customer notification. But that’s not the end of it: “Thieves have been using the data to make fraudulent purchases in Florida and as far away as Sweden and Hong Kong, according to police and bank officials. … Banks, too, have reported fraudulent transactions linked to the stolen TJX data …” (Washington Post, 30/03/07)

In one series of related arrests in Florida, suspects were charged with using the data to commit $8 million worth of fraud.

The Washington Post continues: “The computer breach is significant not only because of its scope… but also because the hacker or hackers had access to the decryption tool used to decipher sensitive encrypted information and an ability to intercept data as shoppers’ credit transactions were being approved.”

But compelling as the TJX story is, it was not the only blockbuster to hit in the last few weeks.

US Government targeted

There is more bad news from the USA and the Taiwan Straits.

According to Ted Bridis of Associated Press: “a break-in targeting State Department computers worldwide last summer occurred after a department employee in Asia opened a mysterious email that quietly allowed hackers inside the US Government’s network. …They used a secret break-in technique that exploited a design flaw in Microsoft software. Consumers using the same software remained vulnerable until months afterward.”

Bridis reports: “a limited amount of US Government data was stolen by the hackers until tripwires severed all the State Department’s Internet connections throughout Eastern Asia. … The mysterious State Department email appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy… By opening the document, the employee activated hidden software commands establishing what Reid described as backdoor communications with the hackers.”

Taiwanese minister accuses China of hacking

And now, on to the Taiwan Straits. Wendell Minnick of Defense News reports that the People’s Republic of China “used a computer virus to steal files from a Taiwanese colonel’s home computer.”

Lin Chong-Pin, former vice minister of defense, argues that the recent hacker incident is part of a larger effort to subdue Taiwan.

“China has established a massive ‘net army’ by recruiting young talent,” said Lin, now president of the Foundation on International and Cross-Strait Studies, based here. “This is a proactive implementation of Beijing’s concept on information warfare. It materialises the spirit of ‘the three wars,’ which the People’s Liberation Army enunciated in December 2003 in its ‘decree on the political work.’ They are psychological war, the legal war and the media war.” (Defense News, 23/04/07)

Espionage – trade secrets and politics

As we have noted in previous columns, espionage, whether it is focused on economic or military targets, is no longer predicated on the turning of insiders or the physical theft of information. Industrial espionage and Cold War cloak and dagger have both been eclipsed by information age espionage. Of course, information age espionage still has use for the turning of insiders and the physical theft of information; it simply adds a third dimension - cyber attack.

Those in the private sector who think that hackers are only after sport or petty commercial crimes, rather than trade secrets, and those in the government sector who think that geopolitical adversaries are still playing by the old rules, rather than using the most sophisticated cyber techniques, are going to have a rude awakening sooner or later (probably sooner). Indeed, they have probably already been significantly compromised, whether they ever detect it or not.

Introducing Jim Christy

Mulling over these three recent blockbuster stories of cybercrime and cyber war, we thought we would ask some questions of Jim Christy, one of the preeminent sleuths at work in the deep, dark labyrinth of cyberspace in the 21st Century.

At the end of 2006, Christy retired after more than 20 years as a special agent specializing in cybercrime investigations and digital evidence, and 35 years of federal service. Jim is currently the Director of Futures Exploration for the Defense Cyber Crime Center (DC3). For three years prior to retirement, Supervisory Special Agent Jim Christy was the Director of the Defense Cyber Crime Institute (DCCI), DC3. The DCCI is responsible for the research and development and test and evaluation of forensic and investigative tools for the Department of Defence law enforcement and counterintelligence organizations. The Institute is also charged with intelligence analysis, outreach, and policy for DC3.

Now that Christy is on his own, he is a little freer to talk openly about the real-world challenges of cybersecurity on the national and global level.

Our questions for Christy focus on how lessons he has learned in his years of government and military service could be applied to information age espionage as a weapon in economic warfare.


War & Peace in Cyberspace: What impact do economic espionage and intellectual property thefts have on the economic and national security of the USA? What is at risk? How high are the stakes? What are some of the indicators that we can see around us? Are whole sectors being gutted? Is our leadership in technology and scientific research slipping away? How bad is it? And what direction is it all going? What is government’s role? What is it doing? What does it need to do? And is it just the USA that is targeted, or is the threat as dire for other developed economies, e.g., Japan and in EU states?

Christy: There is absolutely no measure of the loss for many reasons. Economic espionage and intellectual property theft is usually covered up for many good and cogent reasons by the private sector victims. I have seen entire corporate networks of over 100,000 systems completely compromised and hundreds of thousands of files exfiltrated. The only reason the government knows about it is because much of the information compromised and exfiltrated was government data and the companies couldn’t stop the hemorrhaging on their own. Evidence today is only anecdotal because [the] private sector doesn’t report losses or compromises if in fact they even know about them.

War & Peace in Cyberspace: Consider the business life style of the 21st century road warrior involving laptops, PDAs, wireless, VOIP, working on planes, etc. How has it changed the nature of attacks and countermeasures related to economic espionage and intellectual property theft? What opportunities has it opened up for the attacker? What specific countermeasures and controls should be implemented?

Christy: Due to the power and the capacities of portable and wireless devices today, when there is a loss or compromise, you could lose everything. So the possibility of a catastrophic loss is far greater since these devices are being employed by more and more employees and the capacities are far greater. Couple that with non-secure wireless communication between these devices and the mother ship, and the potential is more devastating.

War & Peace in Cyberspace: Similarly, the paperless office, telecommuting and corporate intranets have all changed the information environment in profound ways. Secrets that were once on a mainframe or in a safe are now held on networked servers and accessed via remote workstations and even home computers, etc. How has it changed the nature of attacks and countermeasures related to economic espionage and intellectual property theft? What opportunities has it opened up for the attacker? What specific countermeasures and controls should be implemented?

Christy: In the old days, information deemed not to be too sensitive was stored in file cabinets in an office in a locked building. Today, all of this information is now stored online and accessible. If a single document in one file cabinet, in one particular office was compromised, it didn’t have an impact. Today, thieves can now access all of the file cabinets in multiple offices, in multiple buildings in multiple physical localities, and aggregate the information, compromising entire projects. Each individual piece of information if compromised wouldn’t have an impact, but putting all of the disparate pieces together can.

Some of Jim Christy’s notable firsts in cybercrime investigation:

• 1st civilian computer crime investigator in the US Government.

• 1st computer espionage investigation (Hanover Hacker Case), case agent.

• 1st electronic surveillance of a stand-alone colour PC.

• 1st DoD investigator to go undercover on paedophile bulletin boards.

• 1st to distribute wanted poster on the Internet (triple homicide case).

• 1st to develop forensic technique to recover data from cut-up diskette (homicide investigation).

• 1st psychological profiling study of computer criminals program (Project Slammer).

War & Peace in Cyberspace: If you were to conduct a penetration test that emphasized attacks related to economic espionage and intellectual property theft in this 21st century information environment, how would you go after the client’s secrets? What would be some of the traditional ways, related to physical security (e.g. dumpster diving), which are still relevant? What would be some of the more cutting edge methods, related to recent technological advances (e.g. war-driving)?

Christy: All of the old techniques still work as well as they ever have. Social engineering is the easiest and least risky. Employees are generally unwilling to challenge strangers and are usually eager to brag about what they do. Most are naïve that they would even become a target and most are very trusting. I went to the building manager of a very well known DoD facility and gave them a business card and said I was performing a vulnerability study for a requesting DoD agency that processed highly classified information. I told the building manager that we ran the assessment in two phases; a covert phase for one week, and an overt phase for two weeks. All of that was true, but the building manager didn’t ask for credentials and didn’t call anyone to check out my claim. I told the building manager that I wanted to observe the employees of this organization in their day-to-day operations. I asked if there was a way to get into the facility as a janitor. He wanted to help so bad that he offered me two building maintenance uniforms, equipment to measure airflow from the HVAC, a light meter, and an industrial thermometer. He then wrote a backstopping letter that said we were doing an environmental study and that we didn’t have any clearances. He then put a closing paragraph that told the reader that if they had any questions to call him directly. He made this decision solely based on a business card.

My partner and I donned the maintenance uniforms and showed up at the facility during lunch. I told my partner that once we entered the facility, he should go in one direction and I would go in the opposite direction and steal top-secret material out of the burn bags because those documents wouldn’t be missed. The escort should make us stay together. We hit the buzzer and the lone person left in this 10-person facility let us in. We explained what we were doing and gave him a copy of the backstopping letter from the building manager. We told him we would be there for a couple of hours. He suggested we work out of a vacant cube they had that was behind a partition. My partner then went one way and I went the other. The escort didn’t want to challenge us so he walked down the hall and spent two or three minutes with my partner and then walked down and spent a couple of minutes with me. Whichever one of us wasn’t being watched was pilfering the top secret trash from the burn bags, putting it in our clipboards until we had a chance to go back to our cube and unload it into our toolbox.

When the rest of the crew came back from lunch, they fired up their classified computers. One put on a set of headphones and started working on a secret document, while I stood behind him writing down the classified information while my partner distracted his office mate.

It all goes back to human nature. People don’t want to be seen as aggressive and challenge others.

War & Peace in Cyberspace: What are some of the issues involved in forensic evidence – both cyber and physical? How could an organization better prepare itself for the gathering and preservation of such evidence? What are some of the technological and legal challenges involved?

Christy: We all know digital media and devices are becoming increasingly prevalent in our world. Beyond personal computers, laptops, cell phones, PDAs, digital music players, flash media, game consoles, CDs, and DVDs are a part of everyday life. I don’t have to tell you that such items are commonly being found to have direct relevance in criminal cases. And, it is clear that the rising trend in the amount and importance of digital evidence in counterintelligence and law enforcement operations will not abate soon.

I believe it is vitally important that we increase the dialogue between law enforcement personnel confronted with digital evidence issues and digital forensic examiners skilled in the art of extracting information from digital media and devices.

NETWORK SECURITY

From network security to content filtering

Andrea Pasquinucci

Network security has evolved dramatically in the last few years, not only in the tools at our disposal or the threats to which we are subjected, but in the approach itself that must be adopted to secure a network.

In 2000, a robust stateful firewall working at layer 4 (in ISO/OSI parlance) was considered a good defence in most situations. Indeed, by selecting the TCP/IP addresses, ports (i.e. services) and the direction of the connections (that is, of the first packet requesting the service), it was possible to prevent most attacks and reduce quite considerably the risks of unwanted network connections. To be effective this approach required that:

1. TCP/IP ports clearly identified the protocols and the kind of data transported through them.

2. It was possible to trust IP addresses to identify the source and destination of the network traffic, so as to distinguish trusted peers from untrusted or unknown ones.

Stateful firewalls are still in use today, and will be in the future. They are a fundamental building block of network security; very little can be done without them. But today their efficacy is very limited, and this has come about in part thanks to their success.

Indeed, the diffusion of stateful firewalls in public and private companies in 2000 forced application developers to find ways to bypass them. Very often a new application would be installed in a company and it would be discovered that it required a modification of the firewall ruleset to be able to send or receive communications through it. But modifying the firewall ruleset often requires management approval, security checks of the application itself, etc. From the application’s point of view, in many situations it is easier if there is no need to modify the security rules or to add new ones, and it is sufficient to rely on the security rules already in place.

Since access to Web browsing on the Internet is usually allowed through firewalls, almost all applications today offer the possibility to tunnel their communication as if it were Web traffic. Some applications just use port 80, the port reserved for Web servers (httpd). Other applications tunnel their data communication inside the HTTP protocol and appear as a browser connecting to a Web server.

If most network traffic uses Web ports and looks like Web traffic, a layer 4 stateful firewall, which filters traffic based only on TCP/IP addresses and ports, has very little possibility of enforcing the company security policies. Moreover, if a few years ago authentication by IP address could have been acceptable for very low security services, today it is totally unacceptable. With the extensive deployment of Network Address Translation (NAT), Virtual Private Networks (VPN) and tunnels, the pres-
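An added example, not from Pasquinucci’s article, of the limitation it describes: a port-based layer 4 ruleset lets anything on port 80 through, while a minimal content check on the client’s first bytes separates genuine HTTP from a foreign protocol parked on port 80 and from a proxy-style CONNECT tunnel, yet still passes an application that speaks well-formed HTTP. The ruleset, addresses and payloads are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Flow:
    """First packet of a TCP connection plus the first bytes the client sends."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Layer-4 ruleset of the kind the article describes: source net, destination net, port, action.
# None as port means "any"; first match wins; the last rule is the default deny.
L4_RULES = [
    ("10.0.0.0/8", "0.0.0.0/0", 80, "allow"),   # web browsing from the internal LAN
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def l4_decision(flow: Flow) -> str:
    """What a stateful layer-4 firewall sees: addresses, port and direction only."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for src_net, dst_net, port, action in L4_RULES:
        if (src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net)
                and (port is None or port == flow.dport)):
            return action
    return "deny"


REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT) (\S+) HTTP/1\.[01]\r\n")


def classify_payload(payload: bytes) -> str:
    """Minimal content check for port 80: is this really a browser-like HTTP request?"""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return "not-http"       # some other protocol simply using port 80
    if m.group(1) == b"CONNECT":
        return "http-connect"   # proxy-style tunnel request; the inner traffic would be opaque
    head = payload.split(b"\r\n\r\n", 1)[0].lower()
    if b"\r\nhost:" not in head:
        return "http-no-host"   # HTTP/1.1 requires Host; its absence hints at a non-browser client
    return "http"


def content_decision(flow: Flow) -> Tuple[str, str]:
    """Apply the L4 ruleset, then inspect allowed port-80 flows. Returns (l4 verdict, final verdict)."""
    l4 = l4_decision(flow)
    if l4 != "allow" or flow.dport != 80:
        return l4, l4
    kind = classify_payload(flow.payload)
    return l4, ("allow" if kind == "http" else f"deny:{kind}")


# Constructed sample flows; addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = {
    "browser": Flow("10.1.2.3", "203.0.113.10", 80,
                    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    "port80_only": Flow("10.1.2.3", "203.0.113.20", 80,
                        b"\x00\x01\x02custom-protocol-hello\x00"),  # an application that just picked port 80
    "connect_tunnel": Flow("10.1.2.3", "203.0.113.30", 80,
                           b"CONNECT 203.0.113.30:5222 HTTP/1.1\r\nHost: 203.0.113.30:5222\r\n\r\n"),
    "http_tunnel": Flow("10.1.2.3", "203.0.113.40", 80,
                        b"POST /sync HTTP/1.1\r\nHost: relay.example.net\r\n"
                        b"Content-Type: application/octet-stream\r\n\r\n\x00\x10binary-app-frame"),
    "ssh_out": Flow("10.1.2.3", "203.0.113.50", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
}


def evaluate_all() -> Dict[str, Tuple[str, str]]:
    return {name: content_decision(f) for name, f in SAMPLE_FLOWS.items()}
```

The "http_tunnel" flow is the case the article is driving at: it is indistinguishable from browsing at this depth, so the check has to move into the HTTP exchange itself (methods, hosts, content types, volumes) rather than stop at the request line.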

Digital media is extremely susceptible to environmental conditions. Data modification or loss can result from exposure to such elements as heat, humidity, dust, or electromagnetic waves.

This potential change in or loss of information is a vitally important issue that can have a direct impact on the outcome of a case.

Digital evidence deterioration will have a significant effect on the ability of the forensic examiner to extract information and obtain matching hash values that verify the accuracy of a copied image.
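An added example, not from the interview or DC3 tooling, of why deterioration matters for hash verification: a single flipped byte breaks the whole-image hash, while per-piece hashes recorded at acquisition let the examiner show exactly which pieces no longer match and that the rest are still identical to what was seized. The image, chunk size and decay model are constructed assumptions.

```python
import hashlib
import random
from typing import Dict, List

CHUNK_SIZE = 4096  # bytes per piece; real tools use much larger windows


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquisition_manifest(image: bytes, chunk_size: int = CHUNK_SIZE) -> Dict:
    """Record at acquisition time: size, whole-image hash and one hash per fixed-size piece."""
    pieces = [sha256_hex(image[i:i + chunk_size]) for i in range(0, len(image), chunk_size)]
    return {"size": len(image), "chunk_size": chunk_size,
            "sha256": sha256_hex(image), "pieces": pieces}


def verify_image(image: bytes, manifest: Dict) -> Dict:
    """Re-hash a stored image against its manifest.

    whole_ok is what the rules of evidence care about: any changed bit makes it False.
    damaged_pieces says where the image no longer matches, which lets the examiner show
    that everything outside those pieces is unchanged since seizure.
    """
    cs = manifest["chunk_size"]
    damaged: List[int] = []
    for idx, expected in enumerate(manifest["pieces"]):
        if sha256_hex(image[idx * cs:(idx + 1) * cs]) != expected:
            damaged.append(idx)
    return {
        "size_ok": len(image) == manifest["size"],
        "whole_ok": sha256_hex(image) == manifest["sha256"],
        "damaged_pieces": damaged,
        "intact_pieces": len(manifest["pieces"]) - len(damaged),
    }


def simulate_deterioration(image: bytes, offset: int, nbytes: int) -> bytes:
    """Model media decay as a run of bytes whose bits are inverted (constructed, not a real failure model)."""
    buf = bytearray(image)
    for i in range(offset, min(offset + nbytes, len(buf))):
        buf[i] ^= 0xFF
    return bytes(buf)


def constructed_image(n_pieces: int = 16, seed: int = 7) -> bytes:
    """Deterministic pseudo-random bytes standing in for a seized disk image."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_pieces * CHUNK_SIZE))


def demo() -> Dict:
    image = constructed_image()
    manifest = acquisition_manifest(image)
    pristine = verify_image(image, manifest)
    # a 5-byte defect inside piece 3
    decayed = simulate_deterioration(image, 3 * CHUNK_SIZE + 100, 5)
    after_decay = verify_image(decayed, manifest)
    # damage straddling the boundary between pieces 9 and 10
    boundary = simulate_deterioration(image, 10 * CHUNK_SIZE - 2, 4)
    after_boundary = verify_image(boundary, manifest)
    return {"pristine": pristine, "after_decay": after_decay, "after_boundary": after_boundary}
```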

Federal and military rules of evidence require that evidence introduced at trial be in the same condition as when it was seized. Although there are legal ways to admit damaged evidence at trial, the perceptions of the judge and jury could complicate the prosecutor’s case. Additionally, the defense may be prompted to claim incompetence, negligence, tampering, or assert that the lost evidence proved the defendant’s innocence.

Following correct handling procedures and maintaining proper evidence room conditions are the most effective means to protect digital evidence from adverse environmental factors. Some best practices include:

• Preserve digital evidence in anti-static bags.

• Protect digital devices from extreme environmental conditions during transport to storage facilities.

• Inspect evidence room conditions for heat, humidity, and cleanliness.

• When poor evidence room conditions cannot be corrected, consult with superiors and the legal office on a separate storage location for digital media and devices.

About the authors

Dario Forte (www.dflabs.com) is one of the world’s leading experts on incident management and digital forensics. A former police officer, he has been a keynote speaker at the BlackHat conference and a lecturer at many internationally recognized conferences. He is also Professor at Milan University at Crema.

Richard Power (www.wordsofpower.net) is an internationally recognized authority on cybercrime, terrorism, espionage, and so on. He speaks and consults worldwide. Power created the CSI/FBI survey and his book, Tangled Web, is considered a must.