Secure at any price?

I was doing my daily scan of Slashdot this morning when I came across the following article, The Failure of Information Security, written by Noam Eppel. Embedded within all that doom and gloom is the following premise: security professionals have failed because our computers and networks are still not “secure.” Noam Eppel has shown us all exactly what is wrong with our profession: Noam believes that we can actually achieve security.

Unfortunately, life isn’t that simple.

Secure: free from danger or risk

As every parent knows, life is all about risk. No matter how hard you try, no matter what products you buy, your children will still get their share of scrapes, bruises, sniffles, and broken hearts. The wise parent knows that it’s worse to be overprotective than to let the child learn the important lesson behind that bruise: be more careful in the future. Parents understand the fundamental concept that Noam keeps missing: life is about living with and managing risk.

“The man who trades freedom for security does not deserve nor will he ever receive either.” -Benjamin Franklin

So as Information Risk Managers, our guiding principle is to help our clients manage risk. Do car manufacturers make cars that are safe? No. Around 40,000 people die every year in the US in car accidents, yet as a society we have determined that the ability to travel is worth the risk. We as individuals decide every time we get in a car that the reward outweighs the risk. Car manufacturers attempt to design cars that are survivable in accidents; they don’t promise that you won’t get hurt.

When consultants sell “security,” clients go about designing applications as though the computer and network were “secure.” Because security professionals fail to assess the risks accurately and present them in plain business language that non-security professionals understand, the design decisions that would make the system resilient when the risk materializes never get made, and then some security professionals choose to blame the business for the “failure.”

Web hacks are a great example. How many millions of dollars each year are spent by companies to protect against these “attacks”? How much money was spent by these very same companies to protect their buildings against spray paint? If your web site gets defaced, do you really care? Well, if you knew the risks up front and designed your web application to protect the customer’s information even when the web server is compromised (for example by keeping customer data on a separate, better-protected tier rather than on the web server itself), then not really. A simple automated integrity check can trigger a scripted rebuild of the affected web server, kicking out the script kiddie and restoring service, or even redirect customers to unaffected web servers while the rebuild happens. What strikes more fear into the heart of a security consultant than being replaced by a very small shell script?

Stuff happens. Our job is to help our clients deal with it.

Forensic analysis of Microsoft Hotmail

I was talking with a friend the other day about how malware uses email to hack into computers. What’s malware? Read my previous article: Adware and Spyware – are they really consensual? Anyway, my friend responded that he uses Hotmail to protect his identity and to avoid malware. Instead of getting into Internet Explorer or Microsoft bashing, I chose to focus on his comment about protecting his identity. Used properly, a web email address is great as a spam trap for all the products and web sites that require an email address to register: create a fictitious web email address and use that as the spam catcher, saving your “real” email address for friends and family. Unfortunately, my friend believed that a web email address couldn’t be traced back to him if used at work or on another public computer such as a coffee shop kiosk. I plan to show both my friend and you just how exposed your private emails are.

A forensic analysis of a computer shows everything that exists on the hard drive: files, folders, deleted text and images, and so on. The truth is that nothing is ever really deleted, only eventually overwritten. The dirty joke you deleted last month can come back to embarrass you tomorrow. Let’s do a hypothetical forensic analysis of a computer where someone accessed a Hotmail account using Internet Explorer.

Internet Explorer tracks the web activity of each user in a file named index.dat. If you look at the text in the bottom right panel you will see hotmail.msn.com. Now that we know this user uses Hotmail, it’s time to see if there are any old messages to discover.

Every Hotmail email opened on a system leaves a file named getmsg[#].htm in the browser cache, where '#' is an incrementing number. So a quick scan for getmsg*.htm finds the first email message. If only we could clean up this ugly HTML and see the email the same way the user did ...

That’s much better. Hmm, I wonder what other messages were in his inbox ...

Similar to the getmsg*.htm files, every Hotmail inbox page is cached as hotmail[#].htm. A simple search for hotmail*.htm finds another ugly HTML page. Let’s clean it up a bit.
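As an added example (not code from the original page), here is a small Python triage script that does what the screenshots above show by hand: it walks a browser cache directory for the getmsg*.htm and hotmail*.htm file names mentioned above, reduces each page to the text the user saw, and pulls out every email address. The sample cache files are constructed here to stand in for a real Internet Explorer cache.

```python
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# File-name patterns Internet Explorer used for cached Hotmail pages, as
# described above: one getmsg page per opened message, one hotmail page per
# rendered inbox view.
WEBMAIL_PATTERNS = ("getmsg*.htm", "hotmail*.htm")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class TextExtractor(HTMLParser):
    """Keep only what the user saw: text nodes outside <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        text = data.strip()
        if text and not self._skip:
            self.chunks.append(text)


def visible_text(html):
    """Reduce an ugly cached page to the words the user read."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


def find_webmail_artifacts(cache_dir):
    """Walk a browser cache and return {file name: (visible text, addresses)}
    for every cached webmail page. Addresses are pulled from the raw HTML so
    that ones hidden in links and mailto: hrefs are found too."""
    found = {}
    for pattern in WEBMAIL_PATTERNS:
        for path in Path(cache_dir).rglob(pattern):
            html = path.read_text(encoding="utf-8", errors="replace")
            addresses = sorted(set(EMAIL_RE.findall(html)))
            found[path.name] = (visible_text(html), addresses)
    return found


def all_correspondents(artifacts):
    """Union of every address seen in any cached page: 'who emailed him'."""
    return sorted({a for _, addrs in artifacts.values() for a in addrs})


# --- constructed sample cache standing in for a real IE cache --------------

SAMPLE_CACHE = {
    "getmsg[1].htm": (
        "<html><head><script>var x=1;</script></head><body><table>"
        "<tr><td>From: alice@example.com</td></tr>"
        "<tr><td>Subject: lunch</td></tr>"
        "<tr><td>See you at <b>noon</b>.</td></tr></table></body></html>"),
    "hotmail[3].htm": (
        "<html><body><div>Inbox</div>"
        "<a href='getmsg?id=1'>alice@example.com</a> lunch<br>"
        "<a href='mailto:bob@example.org'>Bob</a> re: invoice</body></html>"),
    "news[2].htm": "<html><body>unrelated page, ignored</body></html>",
}


def write_sample_cache():
    """Materialise SAMPLE_CACHE in a temp directory and return its path."""
    cache = Path(tempfile.mkdtemp())
    for name, body in SAMPLE_CACHE.items():
        (cache / name).write_text(body, encoding="utf-8")
    return str(cache)


if __name__ == "__main__":
    hits = find_webmail_artifacts(write_sample_cache())
    for name, (text, addrs) in sorted(hits.items()):
        print(name, "->", text, addrs)
    print("correspondents:", all_correspondents(hits))
```

Point it at a cache directory recovered from a disk image and you get the same inbox view the screenshots show, minus the screenshots. Deleted cache entries need to be carved or undeleted first; this script only reads files the filesystem still lists.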

Now we have his entire inbox in all its glory, along with everyone who emailed him. I wonder what a search for those names would turn up. Well, maybe some other time. This is just a sample of how exposed webmail is to discovery on any system you use to read it. But wait, there's more! The emails fly across the Internet for all to see. Now I cheated and sniffed the email as it went across the network using a tool called Ethereal, which is available for anyone to download and use.

Ethereal is a good example of a protocol analyzer and one of my favorites (the project has since been renamed Wireshark). It is open source and free to use, with a good community support network that maintains a valuable User’s Guide online.

Getting back to our hypothetical analysis, let’s look at what we captured.

This is what anyone who can see your traffic *could* see: your coworker in the next office on the same LAN, the weird dude next to you in the coffee shop on the same wireless network, anyone on the path between you and the mail server. Yes, you probably have to be a geek to understand what this stuff means; however, Ethereal has a feature near and dear to my heart. It’s called “Follow TCP Stream” and it reassembles the network packets into something a human can read.

OK, maybe not that screenshot, but how about we scroll down some ...

Hey look, there is that oh so secure and untraceable webmail message! Hmm, I guess my friends and family won’t ever let me borrow their computers again. Darn. Now imagine you're in some coffee shop or airport on the wireless network, chatting away and reading your email. Now look over and see the fella just staring at his screen; he looks up, makes eye contact and smiles. Now imagine the above screen shots are on his computer and that’s your email making him smile.
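To make concrete what “Follow TCP Stream” does, here is an added Python example, not taken from Ethereal or from the original page: it reassembles one direction of a TCP conversation from individual segments (out of order, with a retransmission, and optionally with a gap) and then parses the result as an HTTP response. The captured segments are constructed inline; a real capture would come from a sniffer, and a real tool also keys reassembly on addresses and ports.

```python
from collections import namedtuple

# One captured segment reduced to what reassembly needs: its TCP sequence
# number and payload. A real tool also keys on the 4-tuple so that segments
# of different conversations are never mixed.
Segment = namedtuple("Segment", "seq payload")


def follow_tcp_stream(segments, isn):
    """Rebuild one direction of a TCP conversation from its segments.

    Segments may arrive out of order, duplicated or partially overlapping
    (retransmissions); the first copy of each byte offset is kept. Any gap
    (a segment that was never captured) stops reassembly, so that the
    result never silently stitches across missing data.
    isn is the initial sequence number of this direction (offset 0).
    """
    seen = {}
    for seg in segments:
        base = seg.seq - isn
        for i, byte in enumerate(seg.payload):
            seen.setdefault(base + i, byte)
    stream = bytearray()
    while len(stream) in seen:
        stream.append(seen[len(stream)])
    return bytes(stream)


def http_response(stream):
    """Split a reassembled HTTP response into (status line, headers, body).
    Returns None if the header block is incomplete."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return lines[0], headers, body


# --- constructed capture: a webmail page served over plain HTTP ------------

ISN = 1000
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body>From: alice@example.com<br>Subject: lunch<br>"
    b"See you at noon.</body></html>"
)


def sample_capture(drop_middle=False):
    """RESPONSE as a sniffer might have seen it: 40-byte segments delivered
    in reverse order plus one retransmission that overlaps its neighbours.
    With drop_middle=True the third segment is missing from the capture."""
    chunks = [RESPONSE[i:i + 40] for i in range(0, len(RESPONSE), 40)]
    segments = [Segment(ISN + 40 * n, chunk) for n, chunk in enumerate(chunks)]
    if drop_middle:
        del segments[2]
    segments.append(Segment(ISN + 20, RESPONSE[20:60]))  # retransmission
    return segments[::-1]


if __name__ == "__main__":
    status, headers, body = http_response(follow_tcp_stream(sample_capture(), ISN))
    print(status, headers.get("Content-Type"))
    print(body.decode())
```

The lesson is the one the screenshots make: nothing in the transport hides the message, so only encryption between the browser and the mail server (HTTPS) keeps a sniffer from reading it. Reassembly also explains why a missing packet in a capture cuts the stream short rather than producing garbage.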

Now I hear you, “I empty my Internet cache! That protects me right?” Wrong.

Clearing history …. Deleting files ...

All those files ...

And I can still find them. See the nice red symbol in front of the file name? That means it's “deleted”. Remember: nothing is deleted on a computer, only overwritten. If you're using Microsoft Windows XP then you have some help from a tool called cipher.exe.

What cipher.exe can do, beyond encrypting your files (see my article Microsoft Encrypted File System – Digital forensic analysis), is wipe the free space on a volume, overwriting the remnants of deleted files: run cipher /w:C:\ for drive C:. Note that it only overwrites unallocated space; files that still exist, including a browser cache you haven't cleared yet, are left alone, so clear the cache first and then wipe.

After a long while the contents of all those deleted emails will be purged and unrecoverable.

So is webmail more secure or untraceable than normal email? It depends on what you use it for. If you’re using a fake account to trap spam, the answer is yes. Are you using webmail because it’s available from anywhere? Well, let’s just hope that I’ve scared you off a little. Till next time: see you at the coffee shop!

Forensic analysis of Microsoft Word documents

Microsoft Word documents are stored in a proprietary binary file format that records additional information, known as metadata, beyond the text of the document itself. Some of the information contained in the documents that you create and distribute may be embarrassing or private in nature, and it has shown up in several news stories, much to the source’s embarrassment. A forensic analysis of these documents can recover this metadata. There are several easy-to-use tools to discover and clean metadata from Microsoft Word documents.

As several news stories highlight, sharing Word documents with others may reveal more than you bargained for, such as:

  • Your name
  • Your Initials
  • Your company name
  • Your computer name
  • The name of the server where you saved the file
  • File properties and summary information.
  • Names of previous authors
  • Document revisions
  • Template information
  • Hidden or deleted text
  • Editing comments

Knowing that the information may be in a document is fine; however, seeing is believing. Let’s create a test Microsoft Word document.

Using EnCase, a commercial forensic analysis program available from Guidance Software, it is possible to see just how messy Word documents are. Notice below that editing the document created three files. One, ~$tadata document.doc, is the temporary owner file that Word creates while the document is open for editing (it normally holds the name of the user editing the file) and deletes when the document is closed, so it shows up as a deleted file; as highlighted below, in this case it was empty.

Now let’s edit the document and add some text to discover.

Forensic analysis of the end of the file clearly shows that I was the user that edited the document, that the template I used was Normal.dot, and that I was using Microsoft Word 10 (Word 2002).

While a commercial forensic product like EnCase can show the raw metadata, it is much easier to use one of several commercially available products that can show and even remove metadata from Word documents. One such product is Metadata Assistant from Payne Consulting Group.

Using this program, anyone can easily discover and clean the metadata from Word and other Microsoft Office documents. Simply start the program, select the document to analyze, and click Analyze.

The program will display all the hidden metadata in the document.

If this is a document you are sending to others, it is a simple click on Clean to save a cleaned copy of the document.
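As an added example (written for this edit, not code from EnCase or Metadata Assistant), the following Python script inspects and strips the same categories of metadata from the .docx package format that current versions of Word write, which is a zip of XML parts rather than the binary .doc shown above: author, last editor, revision count, template and company, all kept under docProps/. The sample document is built in memory and is deliberately minimal.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Where OOXML keeps the fields from the list above: (package part, element, label)
TRACKED = [
    ("docProps/core.xml", "dc:creator", "author"),
    ("docProps/core.xml", "cp:lastModifiedBy", "last editor"),
    ("docProps/core.xml", "cp:revision", "revision"),
    ("docProps/app.xml", "ep:Template", "template"),
    ("docProps/app.xml", "ep:Company", "company"),
]


def extract_metadata(docx_bytes):
    """Return {label: value} for every tracked field present in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        parts = {}
        for part, tag, label in TRACKED:
            if part not in pkg.namelist():
                continue  # some generators omit app.xml entirely
            root = parts.setdefault(part, ET.fromstring(pkg.read(part)))
            el = root.find(tag, NS)
            if el is not None and el.text:
                found[label] = el.text
    return found


def strip_metadata(docx_bytes):
    """Copy the package, dropping the tracked elements from docProps/.
    Only the property parts are rewritten (namespace prefixes get regenerated);
    every other part is copied byte for byte. Comments and tracked changes
    live in word/*.xml and are NOT touched here."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            tags = [t for part, t, _ in TRACKED if part == info.filename]
            if tags:
                root = ET.fromstring(data)
                for tag in tags:
                    for el in root.findall(tag, NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


def document_text(docx_bytes):
    """Concatenate the <w:t> runs of the main part, to show content survived."""
    wns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        root = ET.fromstring(pkg.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter("{%s}t" % wns))


# --- constructed minimal .docx carrying the kind of metadata Word writes ----

def build_sample_docx():
    """A stripped-down package: real files also carry [Content_Types].xml and
    _rels/, omitted here because the metadata of interest lives in docProps/."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        '<dc:title>Quarterly numbers</dc:title>'
        '<dc:creator>jdoe</dc:creator>'
        '<cp:lastModifiedBy>jdoe</cp:lastModifiedBy>'
        '<cp:revision>7</cp:revision>'
        '</cp:coreProperties>'
    ).format(**NS)
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="{ep}"><Template>Normal.dotm</Template>'
        '<Company>Example Corp</Company></Properties>'
    ).format(**NS)
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Hello</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
        pkg.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    cleaned = strip_metadata(original)
    print("after: ", extract_metadata(cleaned), "text:", document_text(cleaned))
```

Stripping docProps/ is only part of the job: comments, tracked changes and previous-author names inside word/*.xml, and a thumbnail under docProps/, need separate handling, which is why dedicated tools such as the one described above are worth using. Whatever tool you use, run an extractor like the one here over the cleaned copy before it leaves the building.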