Digital Forensics – Project Ebay

September 2nd, 2011 by peter.bassill

Update 2

I have now processed 20 drives from a reasonable spread of reclamation businesses and private individuals, and thus far only three drives have failed to give up the previous owners' information. That is a good return for me, and a very poor display of information security practices. The home users I am not too surprised with, but still the corporates are getting this wrong. I am certain that the business entities engaging these reclamation organizations, who are reselling this equipment on ebay, would be shocked that in many cases the drives were just formatted.

Of course, all of these drives have now undergone a DoD 7-pass wipe to make sure they are completely erased, but the top 5 data sets recovered are:

  1. Email
  2. Corporate documents
  3. iTunes collections
  4. Personal photos
  5. Personally Identifiable Information


Digital Forensics – Project Ebay

July 17th, 2011 by peter.bassill

Update 1

Project Ebay is moving along very nicely. To date 10 drives have been purchased across a reasonable spread of reclamation businesses and private individuals, and thus far each and every drive has given up the previous owners' information. That is a 100% success rate at recovering previous owners' data.

Of course, all of these drives have now undergone a DoD 7-pass wipe to make sure they are completely erased, but I have pulled back:

  • Email
  • Banking records
  • iTunes collections
  • Personal photos
  • Very very personal photos
  • University assignments
  • Source code
  • CAD images

The home users I am not too surprised with, but the corporates? I am certain that the business entities engaging these reclamation organizations would be shocked that in many cases the drives were just formatted, and in one case all I needed to do was hook the drive up and mount it.


Digital Forensics – Project Ebay

May 7th, 2011 by peter.bassill

Sometimes you just need to keep your forensic skills honed. This series of posts will be around a number of drives obtained from ebay.

Imaging

Using an Ubuntu 11.04 system with a pair of 1TB drives as a base, we issue the following command to image the first drive (the purchased drive is attached as /dev/sdb; the split image and its MD5 hash log are written under /opt/forensics):

dcfldd if=/dev/sdb conv=noerror,sync hashwindow=1M hash=md5 hashconv=after hashlog=/opt/forensics/hashlog.log split=640M splitformat=aa of=/opt/forensics/image.dd
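The command above records an MD5 for every 1M window of the image (hashwindow=1M) plus a total, and splits the image into 640M segments. The script below is an added example, not the original post's tooling: it reassembles the segments in order, recomputes the per-window and total MD5 the way dcfldd's hashwindow does, and compares the total against the value you take from the hash log (or, better, against an independent md5sum of the source device). It assumes that with of=image.dd and splitformat=aa the segments are named image.dd.aa, image.dd.ab, and so on; the demo image it builds in a temporary directory is constructed random data, not a drive from the project.

```python
"""Re-verify a dcfldd split image offline: recompute the per-window and total MD5
over the reassembled segments, as dcfldd's hashwindow=/hashlog= options record them.
Added example, not code from the original post."""
import glob
import hashlib
import os
import tempfile

# Assumption: with of=image.dd split=... splitformat=aa, dcfldd writes the segments
# as image.dd.aa, image.dd.ab, ... Sorting the two-letter suffixes restores order.
def segment_paths(image_prefix):
    paths = sorted(glob.glob(image_prefix + ".??"))
    if not paths:
        raise FileNotFoundError(f"no segments found for {image_prefix}")
    return paths

def stream_segments(paths, bufsize=1 << 20):
    """Yield the image as one byte stream, hiding the split boundaries."""
    for path in paths:
        with open(path, "rb") as fh:
            for buf in iter(lambda: fh.read(bufsize), b""):
                yield buf

def hash_windows(paths, window):
    """Return ([(start, end, md5hex), ...], total_md5hex): one entry per `window`
    bytes of the reassembled image (the final window may be short), plus the
    MD5 of the whole image. Mirrors hashwindow=<window> hash=md5."""
    windows, total, win = [], hashlib.md5(), hashlib.md5()
    offset = win_start = win_fill = 0
    for buf in stream_segments(paths):
        total.update(buf)
        view = memoryview(buf)
        while len(view) > 0:
            take = min(window - win_fill, len(view))
            win.update(view[:take])
            win_fill += take
            offset += take
            view = view[take:]
            if win_fill == window:            # window full: record it, start the next
                windows.append((win_start, offset, win.hexdigest()))
                win, win_start, win_fill = hashlib.md5(), offset, 0
    if win_fill:                              # trailing partial window
        windows.append((win_start, offset, win.hexdigest()))
    return windows, total.hexdigest()

def verify_image(image_prefix, window, expected_total):
    """Compare the recomputed total against the value dcfldd logged (or against an
    independent md5sum of the source device). Returns (ok, windows, total)."""
    windows, total = hash_windows(segment_paths(image_prefix), window)
    return total == expected_total, windows, total

def make_demo_image(directory, sizes):
    """Constructed sample: write random segments image.dd.aa, .ab, ... of the given
    sizes and return (prefix, md5 of the whole stream) standing in for the hash log."""
    prefix = os.path.join(directory, "image.dd")
    full = hashlib.md5()
    for i, size in enumerate(sizes):
        data = os.urandom(size)
        full.update(data)
        suffix = "a" + chr(ord("a") + i)      # aa, ab, ac, ...
        with open(f"{prefix}.{suffix}", "wb") as fh:
            fh.write(data)
    return prefix, full.hexdigest()

def demo(window=4096, sizes=(5000, 3000, 2500)):
    """Build a constructed split image, verify it, then flip one byte in the second
    segment and show that the total fails and exactly one window hash changes."""
    with tempfile.TemporaryDirectory() as tmp:
        prefix, logged_total = make_demo_image(tmp, sizes)
        ok, windows, _ = verify_image(prefix, window, logged_total)
        with open(prefix + ".ab", "r+b") as fh:
            fh.seek(100)
            original = fh.read(1)[0]
            fh.seek(100)
            fh.write(bytes([original ^ 0xFF]))
        tampered_ok, tampered_windows, _ = verify_image(prefix, window, logged_total)
        changed = [i for i, (a, b) in enumerate(zip(windows, tampered_windows)) if a[2] != b[2]]
    return {"verified": ok, "size": sum(sizes), "windows": windows,
            "tampered_verified": tampered_ok, "changed_windows": changed}

if __name__ == "__main__":
    r = demo()
    print("total verified:", r["verified"], "| after tamper:", r["tampered_verified"],
          "| windows:", len(r["windows"]), "| changed window(s):", r["changed_windows"])
```

For a real image, call verify_image("/opt/forensics/image.dd", 1 << 20, total_from_hashlog). The per-window list is what makes a later mismatch actionable: a single bad segment shows up as one or two changed windows rather than just a failed total.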


Security Visualization

January 12th, 2010 by peter.bassill

Having spent some time during the evening creating a script to map the attackers from the logs within Splunk, the end result was a moderate success.

Attacker Map

Combining some perl and GeoIP.dat

Making a bit more use of this, suppose I had a list of countries that were not supposed to be accessing my systems. Having an image such as the one below makes log analysis a lot easier.
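The post's script is Perl against GeoIP.dat and is not reproduced here. As an added example of the same idea in Python: pull the source addresses out of sshd-style log lines, place each one in a country by longest-prefix match, build the per-country counts that would feed the map, and flag every event from a country not on an allow list. The log lines and the prefix-to-country table are constructed for the example; the table stands in for a GeoIP database and matches no real allocation.

```python
"""Map attacker IPs from log lines to countries and flag those from countries that
should never reach the host. Added example, not the post's Perl/GeoIP.dat script;
the prefix-to-country table below is constructed, not real GeoIP data."""
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a GeoIP database: (network, ISO country code).
# Real lookups would come from GeoIP.dat or a GeoLite2 mmdb; these codes are made up
# for the example and correspond to no real allocation.
GEO_TABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "GB"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
]

# sshd-style lines (constructed sample, not from the author's Splunk data).
SAMPLE_LOG = """\
Jan 11 22:14:02 web01 sshd[4321]: Failed password for root from 203.0.113.45 port 51822 ssh2
Jan 11 22:14:05 web01 sshd[4321]: Failed password for root from 203.0.113.45 port 51830 ssh2
Jan 11 22:15:17 web01 sshd[4390]: Accepted publickey for peter from 10.1.2.3 port 40122 ssh2
Jan 11 22:16:40 web01 sshd[4402]: Invalid user admin from 198.51.100.7
Jan 11 22:17:01 web01 sshd[4410]: Failed password for invalid user oracle from 192.0.2.99 port 33012 ssh2
Jan 11 22:18:22 web01 sshd[4415]: Accepted password for peter from 172.16.5.9 port 40500 ssh2
"""

IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

def lookup_country(ip, table=GEO_TABLE):
    """Longest-prefix match of `ip` against the table; 'ZZ' when unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "ZZ"

def extract_ips(log_text):
    """Yield (line, ip) for every line carrying a 'from <ip>' clause."""
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if m:
            yield line, m.group(1)

def country_histogram(log_text, table=GEO_TABLE):
    """Event counts per country: the numbers behind the map."""
    return Counter(lookup_country(ip, table) for _, ip in extract_ips(log_text))

def flag_disallowed(log_text, allowed, table=GEO_TABLE):
    """Return [(country, ip, line)] for events from countries not in `allowed`.
    Unknown ('ZZ') is flagged too: an address the database cannot place should
    be looked at, not silently passed."""
    hits = []
    for line, ip in extract_ips(log_text):
        cc = lookup_country(ip, table)
        if cc not in allowed:
            hits.append((cc, ip, line))
    return hits

if __name__ == "__main__":
    print(country_histogram(SAMPLE_LOG))
    for cc, ip, line in flag_disallowed(SAMPLE_LOG, allowed={"GB", "US"}):
        print(f"[{cc}] {ip}: {line}")
```

Note that a successful login from a disallowed or unplaceable country (the last sample line) is flagged alongside the failures; for this kind of check, the accepted logins are the ones worth reading first.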


Building a Secure *nix server

January 10th, 2010 by peter.bassill

Often, within the corporate role of an Information Security Officer, you will come across auditors who really know what they are talking about. Recently, I had the joy to experience one of those rare moments when I crossed swords with a technical financial auditor. Over a couple of excellent coffees, we discussed PCI compliance in the cloud.

There has been a lot of hype over the whole use of the “cloud” buzzword, but in this case “cloud” was being used to describe a server that is not on your premises and whose terminal you access remotely over IP.

The basis of the server must be robustly secure. This we agreed on. Where we disagreed was the level of robustness required and how practical that level of security is.

Looking at the foundation build, we both agreed on the OpenBSD model of building a server: only build what you actually require. For example, if you need a web server, make sure that is the only service compiled. Another area we agreed on was the need to remove all non-required binaries. With the initial build in mind, my thoughts led to encryption. Should you encrypt the disk, the swap space, and the memory? While the auditor thought that it was overkill, and I agree that there would be a performance impact, when you don't physically possess the machine, is it not prudent?

When we talked about terminal access, we both agreed that two-factor authentication to the terminal was essential, as was reducing the number of terminal sessions available to two, and it was only natural that we then looked at the process of user management. Linking the cloud server to a centrally managed user management system such as Active Directory has many advantages and allows easy management of items such as password lifecycles.

In all, we agreed that encryption is good, two-factor authentication against an off-board user management system is a definite, and off-system logging is essential. The server footprint should be as small as possible, and internal integrity monitoring, firewalling, and malware/rootkit checking are very important.

Now, to build the server…
