Cyber Security - the emerging lifeline


Tuesday, March 20, 2012

Digital Cyber Forensics: Conference related info


The Internet has made it easier to perpetrate crimes by providing criminals with an avenue for launching attacks with relative anonymity. Illegal activity is often buried in large volumes of data, which calls for extensive analysis in order to detect crimes and collect evidence. Most of the time the investigations are cross-border in nature, requiring coordinated policing efforts across heterogeneous jurisdictions.

ICDF2C, the 4th International Conference on Digital Forensics & Cyber Crime, is organized in the US. Details are available at the conference site.

Security: Know your APT

Advanced Persistent Threats (APTs) have been estimated to grow faster than other technologies. An APT belongs to the category of cyber crime directed at business at large and/or political targets. They are built with a high degree of stealth over a prolonged duration of operation in order to be successful, with the fixed goal of remaining invisible as long as possible. As such, APT operators tend to focus on “low volume” attacks; over time they cover a large area, stealthily crawling from one host to the next as each is compromised, and taking care to avoid generating regular or predictable network traffic. Damballa predicts that the volume of persistent attacks directed at large corporations will continue to increase in 2012 and that the victims will continue to feel as though they have been specifically targeted. McAfee is clear in commenting that solutions in silos do not enrich each other with relevant data and introduce greater complexity to analysis and remediation, giving the advantage to the perpetrators of the APT.

Security: Know your DNS

The Domain Name System (DNS) is defined by RFCs 1034 and 1035. It is a hierarchical, distributed database that provides a name resolution service for various Internet applications. A zone is a collection of nodes forming a contiguous subtree, beginning at the start of authority (SOA). The SOA delegates naming authority downward to delegation points, terminating with leaf nodes. The elements of the SOA are made available from the authoritative DNS servers to recursive DNS servers.

Whenever DNS is queried, a resolver traverses the DNS hierarchy, locates the appropriate authoritative DNS server and obtains an answer. The resolver issues successive queries down the hierarchical tree until it reaches the nameserver that is authoritative for the specified name. Once that server is identified, the resolver retrieves the answer to the query, completing the lookup. Of the query types the deployed DNS infrastructure supports, Address (A) and Pointer (PTR) are the most commonly used.


DNS security as a generic term covers the following three functions:
  • Zone Transfer Security
  • Dynamic DNS (DDNS) Security
  • Zone Integrity

Of late a different form of attack has appeared: the subversion of a host’s correct resolution path. In this attack, the client is directed to use a rogue DNS server, which provides incorrect answers to queries, or selectively manipulates answers, for the purposes of commercial gain, phishing or other abuse. In most cases, users have no indication that the DNS answers are not what the correct authoritative DNS servers would provide. A classic example is Ghost Click, described in this blog.
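A toy model of the delegation walk described above, added here as an example and not part of the original post. The zone tree, server addresses and names are constructed for illustration (documentation address ranges), not taken from any real DNS deployment.

```python
# Added example (not from the original post): a toy model of the delegation
# walk a resolver performs. The zone tree and addresses are constructed here
# (documentation ranges), not taken from any real DNS deployment.
from dataclasses import dataclass, field


@dataclass
class Zone:
    """One authoritative zone: its SOA origin, its own records and delegations."""
    origin: str                                       # SOA / delegation point, e.g. "com."
    records: dict = field(default_factory=dict)       # owner name -> {rtype: value}
    delegations: dict = field(default_factory=dict)   # child zone origin -> its server IP


# Constructed hierarchy: root delegates "com.", which delegates "example.com.".
SERVERS = {
    "192.0.2.1":    Zone(".",            delegations={"com.": "192.0.2.2"}),
    "192.0.2.2":    Zone("com.",         delegations={"example.com.": "203.0.113.53"}),
    "203.0.113.53": Zone("example.com.", records={"www.example.com.": {"A": "203.0.113.80"}}),
}
ROOT_SERVER = "192.0.2.1"


def query(server_ip, qname, qtype, servers=SERVERS):
    """Ask one authoritative server. Returns ("answer", value) when it holds the
    record, ("referral", next_server_ip) when it delegates the name downward,
    and ("nxdomain", None) otherwise."""
    zone = servers[server_ip]
    if qtype in zone.records.get(qname, {}):
        return "answer", zone.records[qname][qtype]
    # Follow the most specific delegation point the query name falls under.
    matches = [z for z in zone.delegations if qname == z or qname.endswith("." + z)]
    if matches:
        return "referral", zone.delegations[max(matches, key=len)]
    return "nxdomain", None


def resolve(qname, qtype="A", servers=SERVERS, max_hops=8):
    """The resolver's walk: start at the root and follow referrals until the
    authoritative server answers. Returns (value or None, list of servers asked)."""
    path, server = [], ROOT_SERVER
    for _ in range(max_hops):      # bounded so a misconfigured referral loop cannot spin forever
        path.append(server)
        kind, payload = query(server, qname, qtype, servers)
        if kind == "answer":
            return payload, path
        if kind == "referral":
            server = payload
        else:
            return None, path
    return None, path
```

The returned path shows the root, TLD and authoritative servers consulted in order, which is the chain a rogue resolver short-circuits when it answers from its own data instead.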

Sunday, March 18, 2012

Cyber Operations - Ghost Click


The largest Internet cyber sting operation undertaken by the FBI was named Ghost Click. Since 2007, a cyber crime group had deployed a special class of malware called DNSChanger. It is understood that the FBI arrested six Estonians accused of running a botnet that controlled more than 4 million computers in 100 countries. It is estimated that there were more than 500,000 infections in the U.S. alone, among computers belonging to individuals, businesses, and government agencies such as NASA.

The system worked by distributing malware that, when installed, changed the user's DNS settings to point to the crime ring's rogue DNS network. The malware ensures that the user visits the URL chosen by the cyber criminal. By changing the DNS settings of infected computers, the crooks redirected mouse clicks intended for site A to site B instead, and converted the advertisements meant for service C into advertisements for service D. When a user on an infected computer clicked a link, the computer consulted the criminals' nameserver, which sent it to the wrong computer.

Under a court order expiring July 9, the Internet Systems Consortium is operating replacement DNS servers for the Rove Digital network. A separate DNS Changer Working Group has been formed to handle the situation and clean the machines. This gives affected networks time to identify infected hosts and avoids sudden disruption of service to victim machines. It is understood that the effort to clear the DNSChanger malware from the millions of infected PCs has taken a lot longer than expected. The official announcement sets the date of closure of the rogue DNS network as July 9, 2012.
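A defender-side check for the resolution-path subversion described in this post and in the DNS post above, added here as an example and not code from the original blog or from the working group. It parses a host's resolver configuration (a constructed resolv.conf is embedded) and flags nameservers that are not the organisation's own or that fall inside ranges an operator has listed as rogue; every address and range is a constructed placeholder, not the real Rove Digital ranges.

```python
# Added example (not from the original post): audit a host's configured
# resolvers for DNSChanger-style hijacking. All addresses and ranges are
# constructed placeholders; an operator would load the published rogue ranges.
import ipaddress
import re

EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}     # constructed: the org's own resolvers
ROGUE_RANGES = [ipaddress.ip_network("198.51.100.0/24"),   # placeholder rogue ranges
                ipaddress.ip_network("203.0.113.0/24")]

SAMPLE_RESOLV_CONF = """\
# constructed /etc/resolv.conf as DNSChanger-style malware would leave it
search corp.example
nameserver 203.0.113.7
nameserver 192.0.2.53
"""


def parse_nameservers(text):
    """Return nameserver addresses in file order, skipping comments and lines
    that do not carry an IP literal (a garbled line must not abort the audit)."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue
    return servers


def classify(ns, expected=EXPECTED_RESOLVERS, rogue=ROGUE_RANGES):
    """'rogue' if inside a listed range, 'expected' if it is ours, else 'unexpected'."""
    addr = ipaddress.ip_address(ns)
    if any(addr in net for net in rogue):
        return "rogue"
    return "expected" if ns in expected else "unexpected"


def audit(text, expected=EXPECTED_RESOLVERS, rogue=ROGUE_RANGES):
    """Map every configured nameserver to its classification."""
    return {ns: classify(ns, expected, rogue) for ns in parse_nameservers(text)}


def is_hijacked(text, expected=EXPECTED_RESOLVERS, rogue=ROGUE_RANGES):
    """Any non-expected resolver counts: the first listed server answers most
    queries, so a rogue entry ahead of a legitimate one still hijacks the host."""
    return any(kind != "expected" for kind in audit(text, expected, rogue).values())
```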

Thursday, March 15, 2012

Digital Warfare - Use of Stuxnet: a test run or a failed mission? Speculations are on

The birth of Stuxnet has opened up a new era of discussion in the security community. Since its discovery earlier this year, the sophisticated Stuxnet worm has infected at least 15 industrial plants in a variety of countries. Security experts universally accept that the worm had the ability to target a specific computer and inflict damage on control equipment at industrial facilities.

Digital Warfare - Duqu: the Stuxnet family of bots

Stuxnet is the first military-grade cyberweapon known to the world. Stuxnet is believed to have been released in late 2009, and millions of computers were infected by the worm, though other references claim that it was released as early as 2007. Stuxnet was designed to cripple control systems. The list of modules built as part of Stuxnet provides different permutations and combinations for reassembling the code with variations. One such example was the birth of Duqu.

Duqu acts as a Trojan, stealing data, potentially serving the planning stages of an attack. It can be said that Duqu was used as an intelligence-gathering tool, possibly aiming to prepare the ground for future attacks. According to Alex Gostev, the main module consists of three components:
  • a driver that injects a DLL into system processes;
  • a DLL that has an additional module and works with the C&C; and
  • a configuration file.


Wednesday, March 14, 2012

Digital Warfare & Stuxnet - Where are we in security?

ENISA has stated that Stuxnet is a specialized malware targeting SCADA systems running Siemens SIMATIC® WinCC or SIMATIC® STEP 7 software for process visualization and system control. The software consists of a series of software blocks, which are combined into a project. Some of the blocks include function blocks, operational blocks, and data blocks. These software systems command the components that control speed in gas-enrichment centrifuges, used for separating radioactive isotopes by spinning at supersonic speeds.

Tuesday, March 13, 2012

Cyber threat Stuxnet & Big data analysis


The cyber threat to national economies is an emerging menace. Countries worldwide have started to realize this and have taken their stand. What was once a war on land is receding into history. The new sophisticated warfare has opted for cyber weapons as its gadgets. For example, this blog has already discussed the Federal Trojan and its capabilities; that Trojan was used to intercept Skype transactions and other such online transactions.

The emergence of Stuxnet has repainted the domain with cyber warfare capabilities. Stuxnet has been named one of the deadliest cyber weapons, with classical capabilities. It was first reported somewhere in mid-June by VirusBlokAda, a small security firm based in Belarus. The worm, dubbed a groundbreaking piece of malware, spreads through Windows vulnerabilities, targeting large-scale industrial control systems. Tireless efforts of various antivirus vendors helped establish that Stuxnet was in fact exploiting four (4) zero-day vulnerabilities and was very specific in targeting SCADA machines of a specific make. Craig (McAfee) defines a zero-day threat as the availability of an exploit within the same day as the disclosure of a vulnerability.

With the advent of Stuxnet, the world has entered the era of cyber warfare, empowering countries to manage the war from within the four walls of the command and control center.

-- Understand your network and baseline it (Introduction to High Performance Network, TMH)

Shift in Customer management cycle

An interesting phenomenon is emerging across business verticals; a careful eye would certainly observe this shift. Customer perceptions have paved the way for it. It is essential to understand a couple of scenarios.

A paradigm change is underway in how customers are handled. The concept of picking and handing over the goods has vanished; the customer is allowed to pick and choose his goods. Everybody would have observed the operations of a supermarket: a customer wheels his trolley through the supermarket to pick up goods, and is taken through an experience of ambiance and aesthetics with the freedom to select his goods.

Monday, March 12, 2012

BigData & Digital footprint

Big data is painting the data canvas with novel techniques and methods to handle new forms of business built on predictive intelligence. Going by the statement “nothing is free in this world”, organizations provide certain e-services to capitalize on the fact that if a customer is not paying for a service, then he is the product, who can be used to leverage the existing business. Customers at large, including free users, have chiselled digital footprints which were hitherto ignored. Thanks to the emergence of big data, the value of such digital footprints has been recognized. Going by the law of survival, when left in the wild there is a need to establish and track the digital footprints in order to profile the customer base. Big data analytics is emerging as a digital footprint tracker and modeler, providing the razor-sharp strategic edge for organizations to leverage their existing business and cross-pollinate.

Saturday, March 3, 2012

Federal Trojan

The Federal Trojan, aka R2D2, is considered to be one of the Skype interceptors, as understood from The Register. This Trojan is also known by the names "0zapftis" or "Bundestrojaner". It has the capability of running on 32-bit systems, with support for 64-bit versions of Windows. The technology works via a local installation of malware on the client's computer. Bots and Trojans are generally classified under malware.


According to the Chaos Computer Club (CCC), this Trojan can establish a backdoor on compromised machines, supported by keystroke logging. The malware can not only siphon away intimate data but also offers remote control or backdoor functionality for uploading and executing arbitrary other programs, says the CCC. R2D2 can record Skype conversations. As understood, it can eavesdrop on MSN Messenger and Yahoo Messenger chat clients and key-log browsers such as Firefox, Opera, Internet Explorer and SeaMonkey. Code injection into target processes is carried out by the dropper, using several DLL injection methods.

--
Dr.B.M