Topics in Privacy, Security, Internal Audit and Forensics

Post on 21-Dec-2015


The Forensics Process

Focus on Internal and Civil Lawsuit Investigations

Types of Investigations: Internal

- Fastest and most covert investigation
- Company owns the resources that are the target
- No need for subpoenas and discovery orders
- Examiner can conduct expediently with full access to relevant data
- Suspect is typically an active employee
- Secrecy is a must
- Technical process is similar to a civil examiner's, and the case may ultimately go to civil court

Popularity 8, Simplicity 6, Impact 6, Risk Rating 7

Types of Investigations: Civil

- Similar to internal investigation
- An opposing firm owns the resources that are the target
- There is need for subpoenas and discovery orders (expensive, problematic)
- Examiner may not have full access to relevant data
- The investigation lives or dies based on what happens in court
- Involves dispute between two companies
- Secrecy is mainly from media
- Technical process is similar to an internal investigation

Popularity 10, Simplicity 8, Impact 7, Risk Rating 8

Types of Investigations: Criminal

- High stakes, risky investigation
- Suspect’s livelihood is on the line
- Accuracy is paramount
- Case may go on for months or years, with much rework of evidence
- Any problems are likely to show up in the media (e.g., the 6 o’clock news)
- Technical process is difficult
- Investigators must be good and credible
- If you don’t have the proper credentials, don’t try this

Popularity 8, Simplicity 10, Impact 10, Risk Rating 10

Role of the Investigator

What is involved in Computer Forensics:

- Collecting evidence: whatever is needed for the chain of inference
- Cross-validation of findings
- Proper evidence handling
- Completeness of investigation
- Management of archives
- Technical competency (especially with computer / network technology)
- Explicit definition and justification for the process (inference line)
- Legal compliance and knowledge
- Flexibility

Steps in Processing Evidence

1. Assessment
2. Acquisition
3. Authentication
4. Analysis
5. Articulation
6. Archival

Inference Network Analysis

Legal cases are proved through inferences. These inferences, built in chains, must lead logically from point A to point B. The strength (or weakness) of these inferences determines the strength of the legal case.

[Figure: Evidence, Inference, Proof]

Chain of Inferences

Processing of evidence is directed towards establishing, step by step, the inferential chain between the Perpetrator and the Asset. This may also involve identifying a perpetrator, and identifying specifically the breach of security involving the asset.

[Figure: Alleged or Candidate Perpetrator; Evidence; Line of Inference Connecting Perpetrator to Asset; Asset]

Some Key Concepts in Controls

And why, as auditors, we look where we do

Control Process

Internal controls are processes and subsystems that assure that the processing and output of an accounting system are running ‘within specification’.

Internal controls appear at three points in a transaction processing cycle:

- Preventive controls anticipate problems and prevent them from occurring
- Detective controls identify problems that have occurred
- Corrective controls are subsystems of the correction process that assure that errors detected are corrected properly, because if an error is made once, it is likely to be made twice, and even more times.

Identifying whether Asset users are or are not Authorized

Detection of Authorization is perhaps the most common and fundamental of all control processes:

- As Preventive controls, they prevent a potential accessor from any access unless they are properly identified by the system
- As Detective controls, they assure an audit trail of all activity by an identified user
- As Corrective controls, they identify who to go after in an investigation

Passwords for Authorization

- Passwords have traditionally been the most commonly used tool for identifying a user to a computer system, though they may soon be overtaken by biometric tools
- Through hashing and public key systems, they allow signatures and fingerprints to be left on information assets by the password holder
- Through encryption systems, they allow the password holder to read and use information assets
- Through access systems, they allow the password holder free access to the information assets

Evidence of Access: Why Passwords are Important

- One of the main pieces of evidence supporting any inferential link is the record of accesses (with a password) to an asset, etc.
- Since access authorization is controlled through who has a password, password control is the first place we tend to look for evidence, and is also the first thing that is controlled in authorization and logging systems
- … Let’s look at passwords and encryption more closely

Hash Function

- A hash function provides a way of creating a small digital "fingerprint" from any kind of data
- The function chops and mixes (i.e., substitutes or transposes) the data to create the fingerprint
- The fingerprint (formally “hash value”) is commonly represented in hexadecimal notation
- A good hash function is one that yields few hash collisions in expected input domains
- In hash tables and data processing, collisions inhibit the distinguishing of data, making records more costly to find.

[Figure: What you get]

Hash Function

A cryptographic hash function should behave as much as possible like a random function while still being deterministic and efficiently computable.

A cryptographic hash function is considered insecure if either of the following is computationally feasible:

- finding a (previously unseen) message that matches a given digest
- finding "collisions", wherein two different messages have the same message digest.

An attacker who can do either of these things might, for example, use them to substitute an unauthorized message for an authorized one.

Ideally, it should not even be feasible to find two messages whose digests are substantially similar; nor would one want an attacker to be able to learn anything useful about a message given only its digest besides the digest itself.

Common Commercial Hash Algorithms

(Note: The SHA hash functions are a series of functions developed by the NSA: SHA, also known as SHA-0, SHA-1, and four flavors of a function known as SHA-2.)

All sizes are in bits.

Algorithm              | Output size         | Internal state size | Block size | Length size | Word size | Collisions found
HAVAL                  | 256/224/192/160/128 | 256                 | 1024       | 64          | 32        | Yes
MD2                    | 128                 | 384                 | 128        | No          | 8         | Almost
MD4                    | 128                 | 128                 | 512        | 64          | 32        | Yes
MD5                    | 128                 | 128                 | 512        | 64          | 32        | Yes
PANAMA                 | 256                 | 8736                | 256        | No          | 32        | With flaws
RIPEMD                 | 128                 | 128                 | 512        | 64          | 32        | Yes
RIPEMD-128/256         | 128/256             | 128/256             | 512        | 64          | 32        | No
RIPEMD-160/320         | 160/320             | 160/320             | 512        | 64          | 32        | No
SHA-0                  | 160                 | 160                 | 512        | 64          | 32        | Yes
SHA-1                  | 160                 | 160                 | 512        | 64          | 32        | With flaws
SHA-256/224            | 256/224             | 256                 | 512        | 64          | 32        | No
SHA-512/384            | 512/384             | 512                 | 1024       | 128         | 64        | No
Tiger(2)-192/160/128   | 192/160/128         | 192                 | 512        | 64          | 64        | No
VEST-4/8 (hash mode)   | 160/256             | 176/304             | 8          | 80          | 1         | No
VEST-16/32 (hash mode) | 320/512             | 424/680             | 8          | 88          | 1         | No
WHIRLPOOL              | 512                 | 512                 | 512        | 256         | 8         | No

Password Attacks

Passwords are the main identifier for establishing authorization for a task or access to an information asset. Password attacks are the main way of breaching computer security to commit a crime.

Cracking

- Recovering secret passwords from data that has been stored in or transmitted by a computer system
- A common approach is to repeatedly try guesses for the password
- The purpose of password cracking might be:
  - to help a user recover a forgotten password (though installing an entirely new password is less of a security risk, but involves system administration privileges),
  - to gain unauthorized access to a system, or
  - as a preventive measure by system administrators to check for easily crackable passwords.

Cracks: Principal attack methods

Weak encryption

- If a system uses a cryptographically weak function to hash or encrypt passwords, exploiting that weakness can recover even 'well-chosen' passwords
- Decryption need not be a quick operation, and can be conducted while not connected to the target system
- Any 'cracking' technique of this kind is considered successful if it can decrypt the password in fewer operations than would be required by a brute force attack
- The fewer operations required, the "weaker" the encryption is considered to be (for equivalently well chosen passwords)

Cracks: Principal attack methods

Guessing

- Many users choose weak passwords, usually one related to themselves in some way
- Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs
- Examples of insecure choices include:
  - blank (none)
  - the word "password", "passcode", "admin" and their derivatives
  - the user's name or login name
  - the name of their significant other or another relative
  - their birthplace or date of birth
  - a pet's name
  - automobile license plate number
  - a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters
  - a row of letters from a standard keyboard layout (e.g., the qwerty keyboard: qwerty itself, asdf, or qwertyuiop)

Guessing (continued)

- Some users even neglect to change the default password that came with their account on the computer system, and some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier.
- A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password, and such service accounts often have higher access privileges than a normal user account.
- The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.

Cracks: Principal attack methods

Dictionary attack

- Password cracking programs usually come equipped with "dictionaries", or word lists, with thousands or even millions of entries of several kinds, including:
  - words in various languages
  - names of people
  - places
  - commonly used passwords
- The cracking program encrypts each word in the dictionary, and simple modifications of each word, and checks whether any match an encrypted password. This is feasible because the attack can be automated and, on inexpensive modern computers, several thousand possibilities can be tried per second.
- Guessing, combined with dictionary attacks, has been repeatedly and consistently demonstrated for several decades to be sufficient to crack perhaps as many as 50% of all account passwords on production systems.

Cracks: Principal attack methods

Brute force attack

- A last resort is to try every possible password, known as a brute force attack
- In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the length of the password increases, so does the number of possible passwords
- This method is unlikely to be practical unless the password is relatively small, but with expanding computing power, and the possibility of massively parallel systems with cheap desktops, ‘small’ is not that small any more.

Precomputation

- Precomputation involves hashing each word in the dictionary, or any search space of candidate passwords, and storing the <plaintext, ciphertext> pairs in a way that enables lookup on the ciphertext field. This way, when a new encrypted password is obtained, password recovery is instantaneous.
- There exist advanced precomputation methods that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached: a search space of size N can be turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted password takes time O(N^(2/3)).
- The theory has recently been refined into a practical technique, and the online implementation at http://passcracking.com/ achieves impressive results on 8 character alphanumeric MD5 hashes.

Salting (a remedy)

- The benefits of precomputation and memoization can be nullified by randomizing the hashing process. This is known as salting.
- When the user sets a password, a short string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification.
- Since the salt is different for each user, the attacker can no longer use a single encrypted version of each candidate password.
- If the salt is long enough, the attacker must repeat the encryption of every guess for each user, and this can only be done after obtaining the encrypted password record for that user.
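To make the precomputation and salting slides concrete, here is an added example in Python (not code from the original slides): it builds a precomputed <plaintext, ciphertext> lookup table over a constructed candidate list, recovers an unsalted MD5 password record with a single lookup, and then shows that a per-user salt suffix (the scheme the slides describe) makes that table useless and forces the work to be redone per user. MD5 and the word list are assumptions chosen only because they are what the slides discuss.

```python
# Added example, not from the original slides. MD5 is used because it is the
# hash the slides discuss; it is NOT a recommended password hash today
# (slow, salted password hashes such as bcrypt, scrypt or Argon2 are).
import hashlib
import secrets

# Constructed candidate list standing in for a cracking program's "dictionary".
DICTIONARY = ["password", "qwerty", "admin", "letmein", "password1", "fluffy2004"]


def md5_hex(text):
    """Hex digest of the UTF-8 encoding of text."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precomputation: hash every candidate once and index by ciphertext.
    The len(words) hash operations are paid once and reused for every
    unsalted password record obtained afterwards."""
    return {md5_hex(w): w for w in words}


def lookup(digest, table):
    """Instant recovery of an unsalted hash: one dictionary lookup, no hashing."""
    return table.get(digest)


def store_unsalted(password):
    """Legacy scheme: the stored record is just md5(password)."""
    return md5_hex(password)


def store_salted(password, salt=None):
    """Salting as the slides describe it: a random per-user salt is suffixed
    to the password before hashing, and the salt is stored in the clear next
    to the hash so that verification can repeat the same step."""
    if salt is None:
        salt = secrets.token_hex(8)  # 64 random bits, different for each user
    return salt, md5_hex(password + salt)


def verify_salted(password, salt, stored_digest):
    """Verification recomputes the salted hash and compares it."""
    return md5_hex(password + salt) == stored_digest


def guessing_cost_with_salt(salt, stored_digest, words):
    """What a salt costs the attacker: the whole candidate list must be
    re-hashed under this one user's salt, so the precomputed table buys
    nothing. Returns (recovered_password_or_None, hashes_computed)."""
    for n, w in enumerate(words, start=1):
        if md5_hex(w + salt) == stored_digest:
            return w, n
    return None, len(words)


if __name__ == "__main__":
    table = build_lookup_table(DICTIONARY)
    # Unsalted: the record of a weak password is recovered without any hashing.
    print("unsalted lookup:", lookup(store_unsalted("qwerty"), table))
    # Salted: the same password yields a digest the table has never seen.
    salt, digest = store_salted("qwerty")
    print("salted lookup:  ", lookup(digest, table))
    # Two users with the same password get different records.
    print("same pw, different records:", store_salted("admin")[1] != store_salted("admin")[1])
    print("cost per user:", guessing_cost_with_salt(salt, digest, DICTIONARY))
```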

Programs for password cracking: John the Ripper

- John the Ripper is password cracking software. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms.
- It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects the hash format, and includes a customisable cracker.
- The encrypted password formats which it can be run against include various DES formats, MD4, MD5, Kerberos AFS, and Windows LM hash. Additional modules have extended its ability to include passwords stored in LDAP, MySQL and others.
- John is designed to discover weak passwords from the encrypted information in system files. It operates by taking text strings (usually from a file containing words found in a dictionary), encrypting them in the same format as the password being examined, and comparing the output to the encrypted string. It also offers a brute force mode.

Programs for password cracking: L0phtCrack

- L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by L0pht Heavy Industries (later produced by @stake and now by Symantec, which acquired @stake in 2004)
- It is used to test password strength and to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks. It is one of the crackers' tools of choice

Ways of obtaining passwords illicitly (without cracking)

- social engineering
- wiretapping
- keystroke logging
- login spoofing
- dumpster diving
- phishing
- shoulder surfing
- timing attack
- acoustic cryptanalysis
- identity management system attacks
- compromising host security

Social engineering

- The most common and effective way of illicitly obtaining passwords
- A collection of techniques used to manipulate people into performing actions or divulging confidential information.
- While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access, and in most (but not all) cases the attacker never comes face-to-face with the victim.
- Computer criminal and security consultant Kevin Mitnick points out …that it's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in. He claims it to be the single most effective method in his arsenal.

Social engineering: Pretexting

- The act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action
- It is usually done over the telephone
- It's more than a simple lie, as it most often involves some prior research or set up and the use of pieces of known information (e.g., for impersonation: birthday, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.

Social engineering: Phishing

- Phishing applies to email appearing to come from a legitimate business (e.g., a bank or credit card company) requesting "verification" of information and warning of some dire consequence if it is not done
- The letter usually contains a link to a fraudulent web page that looks legitimate, with company logos and content, and has a form requesting everything from a home address to an ATM card's PIN.

Social engineering: Trojan Horse / Gimmes

- Gimmes take advantage of curiosity or greed to deliver malware
- Also known as a Trojan Horse, gimmes can arrive as an email attachment promising anything from a cool or sexy screen saver, an important anti-virus or system upgrade, or even the latest dirt on an employee
- The recipient is expected to give in to the need to see the program and open the attachment
- In addition, many users will blindly click on any attachments they receive that seem even mildly legitimate

Social engineering: Quid pro Quo

- Something for something
- An attacker calls random numbers at a company claiming to be calling back from technical support
- Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them
- The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access and/or launch malware.

Keystroke logging (keylogging)

- A diagnostic hardware device (see right) used in software development that captures the user's keystrokes
- It can be useful to determine sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks
- Such systems are also highly useful for law enforcement and espionage, for instance providing a means to obtain passwords or encryption keys and thus bypassing other security measures
- Keyloggers are widely available on the internet and can be used by anyone for the same purposes.

Wiretapping (telephone tapping; wire tapping)

- Monitoring of telephone and Internet conversations by a third party, often by covert means
- The telephone tap or wire tap received its name because historically the monitoring connection was applied to the wires of the telephone line of the person who was being monitored and drew off or tapped a small amount of the electrical signal carrying the conversation
- Illegal in most countries without a court order

Login spoofing

- Technique used to obtain a user's password
- The user is presented with an ordinary-looking login prompt for username and password, which is actually a malicious program under the control of the attacker
- When the username and password are entered, this information is logged or in some way passed along to the attacker, breaching security.

Dumpster diving

Also called dumpstering, binning, trashing, garbing, or garbage gleaning; in the UK binning or skipping

- Rummaging through commercial or residential trash to find useful free items that have been discarded. The term originates from the fanciful image of someone leaping into large rubbish bins
- Files, letters, memos, photographs, IDs, passwords, credit cards and more can be found in dumpsters
- This is a result of the fact that many people never consider that sensitive items they throw in the trash may be recovered
- Such information, when recovered, is sometimes usable for fraudulent purposes like "identity theft"

Shoulder surfing

- A direct observation technique for acquiring sensitive data, such as looking over someone's shoulder to get information.
- Shoulder surfing is particularly effective in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter their PIN at an automated teller machine, use a calling card at a public pay phone, or enter passwords at a cybercafe, public and university libraries, or airport kiosks
- Shoulder surfing can also be done at a distance with the aid of binoculars or other vision-enhancing devices
- Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry
- To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand

Timing attack

- A side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms
- The attack exploits the fact that every operation in a computer takes time to execute.
- Information can leak from a system through measurement of the time it takes to respond to certain queries
- How much such information can help an attacker depends on many variables: crypto system design, the CPU running the system, the algorithms used, assorted implementation details, timing attack countermeasures, the accuracy of the timing measurements, etc.
- Timing attacks are generally overlooked in the design phase of security algorithms because they are so dependent on the implementation.
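As an added example (not code from the original slides), the following Python shows the kind of implementation detail the last bullet refers to: a secret-comparison routine that stops at the first mismatching byte does an amount of work that depends on how much of the guess is correct, whereas a constant-time comparison (or the standard library's hmac.compare_digest) always does the same work. The token and guesses are constructed sample values, and the functions return the number of bytes examined so the leak is visible without noisy wall-clock measurements.

```python
# Added example, not from the original slides: why the way a secret is
# compared matters for timing attacks. Work is counted in bytes examined
# rather than measured with a clock, so the effect is deterministic.
import hmac


def naive_equal(expected, provided):
    """Early-exit comparison of two byte strings.
    Returns (match, bytes_examined). The loop stops at the first mismatch,
    so the work done, and hence the response time, reveals how many leading
    bytes of `provided` are correct: the signal a timing attack measures."""
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equal(expected, provided):
    """Comparison whose work does not depend on the contents.
    Every byte is visited and the differences are OR-ed together, so a wrong
    first byte costs exactly as much as a wrong last byte.
    Returns (match, bytes_examined). A length mismatch is still reported
    early; secrets compared this way should have a fixed, public length
    (e.g. a fixed-size digest) so that the length itself reveals nothing."""
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    for a, b in zip(expected, provided):
        diff |= a ^ b
    return diff == 0, len(expected)


def library_equal(expected, provided):
    """What production code should use: the standard library's
    constant-time comparison."""
    return hmac.compare_digest(expected, provided)


def leak_profile(compare, expected, guesses):
    """Bytes examined for each guess. With naive_equal the count climbs as
    the guess's correct prefix grows; with constant_time_equal it is flat."""
    return [compare(expected, g)[1] for g in guesses]


if __name__ == "__main__":
    TOKEN = b"s3cret-token"  # constructed 12-byte secret
    GUESSES = [b"xxxxxxxxxxxx", b"s3xxxxxxxxxx", b"s3cret-xxxxx", TOKEN]
    print("naive:        ", leak_profile(naive_equal, TOKEN, GUESSES))
    print("constant-time:", leak_profile(constant_time_equal, TOKEN, GUESSES))
    print("library:", library_equal(TOKEN, TOKEN), library_equal(TOKEN, GUESSES[0]))
```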

Acoustic cryptanalysis

- A side channel attack which exploits sounds, audible or not, produced during a computation or input-output operation.
- In 2004, Dmitri Asonov and Rakesh Agrawal of the IBM Almaden Research Center announced that computer keyboards and keypads used on telephones and automated teller machines (ATMs) are vulnerable to attacks based on differentiating the sound produced by different keys.
- Their attack employed a neural network to recognize the key being pressed. By analyzing recorded sounds, they were able to recover the text of data being entered.
- These techniques allow an attacker using covert listening devices to obtain passwords, passphrases, personal identification numbers (PINs) and other security information.

Identity management system attacks

- Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call
- Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a password notification e-mail or, less often, by providing a biometric sample
- Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.
- Social engineering attacks can occur where an intruder calls the help desk, pretends to be the intended victim user, claims that he has forgotten his password, and asks for a new password.