Our Blog – Forensic Technology News

Electronic Theft Costing Companies More Than Physical Theft

Reuters reports that a recent study conducted by a risk consulting firm shows that, worldwide, electronic theft is now costing companies more than physical theft. The difference is marginal: according to Kroll’s Global Fraud Report, electronic theft accounts for about 27.3 percent of fraud losses reported globally, while physical theft accounts for about 27.2 percent. Fraud in North America, both electronic and physical, remains comparatively low (87 percent of businesses are affected) next to China, which has the highest level of fraud (98 percent).

Kroll’s Tommy Helsby told Reuters, “Much more work is done electronically, and that creates new opportunities for fraud. It takes time for companies to catch up with that.” Information-based industries, like finance, media and telecommunications, were the most common global targets of electronic theft because those businesses handle so much sensitive consumer data. This doesn’t mean you should panic and disable your online accounts. An increase in electronic fraud could mean that we’re doing a better job at detection.

Via: SWITCHED.COM

Thwarted Russian Spy Ring Communicated Using Steganography

The FBI investigation that led to the arrest of 11 Russian spies discovered that their method of communication involved steganography, the art of hiding text files within images. More than 100 text files were recovered after officials conducted a search and found the 27-character password used with the steganography program. The password was written on a piece of paper in a suspect’s home, a rookie mistake by anyone’s account.

John Pironti, president of IP Architects, explained in his comments to Computerworld: “Humans don’t really do well remembering passwords beyond six characters, so they write them down someplace. The real mistake was thinking that the home was secure enough to leave the password lying around.”
Another error made by the spies was the use of a steganography program that is not commercially available.

This program was allegedly developed in Moscow, thus linking the ‘illegals’ to Russia and to the Sluzhba Vneshney Razvedki (SVR), the Russian Foreign Intelligence Service. The program was apparently launched by pressing Ctrl + Alt + E and then entering the 27-character password.

This major incident brings with it a new interest in steganographic techniques, and unnamed US agencies are already funding research into steganography detection. Steganography itself has a rich history stretching back to Ancient Greece; it was also used during World War II in the form of invisible inks.

Via: DFM

How to Strengthen Your Online Passwords

As computers, and specifically graphics cards, have gotten more powerful, our passwords have become increasingly vulnerable, and the days of eight characters being the standard password length are over. To be honest, they have been over for quite some time, but it’s only now that the rest of the world is coming to realize that those eight letters you use to protect your e-mail could be cracked by a mid-range PC and a couple of graphics cards in less than two hours. Researchers recently found that eight-character passwords can be cracked in less time than it takes to watch most Hollywood movies; merely jumping to 12 characters boosted that time to a whopping 17,134 years. One caveat before the numbers sink in: figures like these describe an offline brute-force attack against a password hash the attacker has already stolen, computed with a fast hashing algorithm. A site that uses a deliberately slow hash, or an attacker who has to guess through a login form against a rate limit, faces a very different clock. Obviously, the solution is longer, more complex passwords, but where do you draw the line between convenience and security? Do you really need a separate password for every single account? The answers are below.

Get a Password Manager

Many options exist for the password conundrum, but the best is a solution we suggested back in February: a simple password manager. Tools like KeePass and LastPass let you generate new random passwords for every account you have. You can use these tools to create nearly unbreakable random strings of numbers, letters (both upper and lower case) and symbols, and stretch them to unimaginable lengths (although 20 characters should be more than enough). Furthermore, the programs keep your complex codes nice and tidy, so you’ll never lose track of which password goes where. The trade-off is that the manager’s master password now protects all the others, so it is the one password you must make long and never reuse anywhere else.

Lengthen Your Password

Alternatively, simply lengthening your password will protect your accounts for the immediate future. Though expanding to 12 characters will suffice, we suggest 14 characters as the sweet spot for truly secure phrases that are also short enough to be memorized. These phrases should also abide by the general rules of password variation: use at least one upper- and one lower-case letter, and at least one number. We also suggest working in a special character, like ‘$’ or a punctuation mark, if the site you’re using allows it. While we don’t have access to the array of graphics cards programmed by the Georgia Institute of Technology, we did check with How Secure Is My Password (a site we covered earlier this year), and it claims that a 14-character password using lower and uppercase letters, as well as numbers, would take 39 billion years to crack. That’s perhaps a little generous, but you get the point; it ain’t easy.

Switch Letters and Numbers

Changing letters to numbers is another quick way to add a little complexity to a password. Turning your “e”s into “3”s and your “s”s into “5”s does make a dictionary word harder to guess outright, but don’t overrate it: these substitutions are so common that password-cracking tools apply them automatically as standard mangling rules, so each swappable letter adds roughly one bit of work for the attacker, far less than one extra character does. Treat it as a finishing touch on top of length, not a replacement for it (and most security experts suggest avoiding dictionary words in the first place).

Use Full Phrases

Another password tip is to use full sentences and phrases. While many sites will not let you create a password long enough, quotes or personal mantras can work as very strong passwords because of their sheer length. For example, a phrase of the form “ask not what your country can do for you” would take an almost immeasurable amount of time to brute-force character by character with a desktop PC. The catch is that a famous quote is exactly what a wordlist of famous quotes contains, so a private phrase that has never been published is a much better choice than a line everyone knows. Change the “o”s to “0”s and the spaces to underscores (“_”) if you like, but it is the length of the phrase, not the decoration, that does the work.

Ideally, you should have a different, random password for every account, but we realize that a password manager is not for everyone (and might not even be an option for some). But, with a few tricks, it’s not impossible to keep your accounts at least somewhat safe from the newest and most powerful tech out there.
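To put numbers on the length-versus-substitution argument above, here is a small calculator added for this page; it is not from the Switched article or the Georgia Tech research. The alphabet sizes and the assumed guess rate of 1e11 per second are illustrative constants: the absolute times depend entirely on the hash algorithm and hardware, but the ratios between lengths do not, and the same arithmetic shows how little the letter-to-digit swaps add compared with a single extra character.

```python
import math
from itertools import product

# Letter-to-digit swaps that cracking tools ship as standard mangling rules.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Alphabet sizes: lower case only, lower+upper+digits, all printable ASCII.
LOWER, MIXED, PRINTABLE = 26, 62, 95

# Assumed attacker speed in guesses per second against a fast unsalted hash.
# Illustrative constant; the real figure depends on the hash and the hardware.
ASSUMED_RATE = 1e11


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of work for a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int, rate: float = ASSUMED_RATE) -> float:
    """Time to exhaust the whole keyspace; the average find is half of this."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration at the largest unit that fits (seconds ... years)."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def leet_variants(word: str) -> list:
    """Every way of applying LEET to `word`, including applying none of it."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    return ["".join(p) for p in product(*choices)]


def leet_bits(word: str) -> float:
    """Extra work the swaps force on an attacker who already has the base word."""
    return math.log2(len(leet_variants(word)))


def extra_char_bits(alphabet_size: int) -> float:
    """Work added by one more uniformly random character from the alphabet."""
    return math.log2(alphabet_size)


def compare_lengths(lengths=(8, 12, 14), alphabet_size=PRINTABLE, rate=ASSUMED_RATE) -> dict:
    """Map each length to (bits, worst-case time) so the effect of length is visible."""
    return {n: (round(entropy_bits(alphabet_size, n), 1),
                human_duration(worst_case_seconds(alphabet_size, n, rate)))
            for n in lengths}


if __name__ == "__main__":
    for n, (bits, when) in compare_lengths().items():
        print(f"{n:2d} chars over {PRINTABLE} symbols: {bits} bits, {when} to exhaust")
    word = "password"
    print(f"leet swaps on {word!r}: {len(leet_variants(word))} variants, "
          f"{leet_bits(word):.1f} bits; one extra lowercase letter: {extra_char_bits(LOWER):.1f} bits")
```

At the assumed rate the 8, 12 and 14 character rows come out in hours, then hundreds of thousands of years, then over a billion years, while the four swappable letters in “password” add only four bits, less than one additional lowercase letter would.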

SOURCE: SWITCHED

Intel’s 50Gbps Silicon Photonics Link shines a light on future computers (video)

Using copper cables to transfer data around a computer? Get your head out of the sand, Grandpa! Intel thinks that’s on the outs and is touting its recent accomplishments with Silicon Photonics and integrated lasers, using light pulses to move data at 50Gbps (last time we heard Intel tout the tech was when it hit 40Gbps speeds in 2007). The emphasis is on low-cost, high-speed fiber optics, the removal of cable clutter, and, with the speed boost, the ability to try new system designs by spacing chips and components farther apart from one another without as much hit on speed, all theoretical at this point, of course. Researchers hope to hit terabit-per-second speeds further down the line. As for John Q. Consumer, enjoy the progress from afar but don’t count on seeing this technology hit Newegg anytime soon.

Via: Engadget

Sony working to make Blu-ray obsolete with discs that hold 25 times more data

Sony, in partnership with Tohoku University, said it has developed a new laser technology that will allow it to encode discs with 25 times more data than a standard Blu-ray disc.

Each of the new discs will have a total capacity of one terabyte, or 1024 gigabytes.

The all-semiconductor laser uses the same 405-nanometre blue-violet wavelength as today’s Blu-ray lasers; what is new is that it generates high-powered optical pulses just three picoseconds, or three-trillionths of a second, long.

Technical details aside, this ultimately could mean big things for a next-generation disc format, particularly for high definition films, television and video games.

Currently a standard dual-layer Blu-ray disc provides 50 gigabytes of maximum data capacity, which is rarely ever reached by games or movies.

However, with up to one terabyte of data at their disposal, publishers could pack multiple titles – up to 50 hi-def movies or entire seasons of television series – on a single disc.

The potential applications for video games are also substantial.

With more space comes more capacity for more elaborate graphics, longer games, uncompressed multi-channel audio, more elaborate gameplay, or multiple games on a single disc.

Via: www.news.com.au

Processing iPhone / iPod Touch Backup Files on a Computer by Selena Ley

There are numerous reasons why it’s important to analyze iPhone / iPod Touch backup files. The list below is not exhaustive, but as forensic examiners you sometimes need to fall back on the backup files because:

  • the iPhone / Touch is a mini-computer. The original evidence may have been deleted from the iPhone / Touch and you have no method to conduct a traditional forensic exam for deleted data on the device.
  • the iPhone / Touch is locked and you cannot get into the actual device.
  • you’re conducting an exam on a computer and come across some iPhone backup files, but the device was not delivered for examination.

Creating Backups
By utilizing the backup files, we may be able to gather additional information that we didn’t have before. So how are these backup files generated on the computer? When the device is first connected to a computer, iTunes will automatically create a backup. If the device is locked with a user passcode, iTunes will require the user to enter the passcode before the contents are backed up. From then on, each time the device is connected to the same computer under the same user account, iTunes will not ask for the passcode again, because that computer is now paired with the device. This pairing is what the passcode bypass described later in this article relies on.

After the initial backup is completed, then each time the device is connected, the iTunes settings will dictate what information will be synchronized. By default, iTunes will automatically sync the device to the computer unless the user chooses not to do so. Below is a screenshot of the iTunes sync settings in version 9.0.2. Note that different versions may have different tabs.
iTunes Sync Settings
iTunes v9 Devices Tab

Now, when the user has selected “Disable automatic syncing for all iPhones and iPods”, the next time the user connects the device the program will not automatically sync the information onto the computer. So what types of information can be synced? Contacts, mail accounts, Internet bookmarks, pictures and so on.
The user may still elect to run a backup manually to push the contents of the iPhone/Touch to the computer. To do so, the user right-clicks the device name within iTunes and selects “Back Up”.
Back Up Option
iTunes v9 “Back Up” Option for iPhone and iPod Touch

Locating Backup Files
If you suspect that a computer may contain iPhone or iPod backup files but you are unsure where to look, you can use these methods to quickly determine if they exist on the suspect computer.

  • Search for backup files – A quick method is to run a search for the file extensions “mddata”, “mdinfo” and/or “mdbackup”. Any hits are backup files generated by iTunes.
  • Manually navigate to the folder – By default, iTunes places the backup files at the following paths (each device then gets its own subfolder, described below):
      Windows XP: \Documents and Settings\<user>\Application Data\Apple Computer\MobileSync\Backup
      Windows Vista and Windows 7: \Users\<user>\AppData\Roaming\Apple Computer\MobileSync\Backup
      Mac OS X: /Users/<user>/Library/Application Support/MobileSync/Backup

Understanding the Backup Files
When the device is connected to iTunes for the first time, iTunes records the device’s 40-character hexadecimal identifier, the UDID (Unique Device Identifier), and uses it as the name of the device’s subfolder within the Backup folder. Once that folder exists, each subsequent connection of the same device is recognized and only that folder is updated. (For those who are interested: the device’s serial number and UDID also appear as a subkey within the HARDWARE registry hive.) Depending on the iTunes settings, if the user chooses to sync the device with the computer, then the first time the iPhone/Touch is connected iTunes will create a backup of the contents of the device.

The subfolder named with the UDID is created on the first backup. Each time the device is connected to iTunes and a sync or backup process runs, the contents of this folder may be updated: where there are deltas, the existing files are rewritten and new ones created (for example when a new app has been installed on the device). If automatic sync is turned OFF in iTunes, then connecting the iPhone/Touch may not update any files at all; a backup forced by the user will, however, update the folder for any deltas. This is why files within the UDID folder often carry differing modification timestamps. If the user upgraded the firmware version, a full backup may be issued as part of the upgrade process, in which case every file is rewritten. Those timestamps therefore tell you when a record was last written by iTunes, not when the data on the device was created.

Within this UDID folder are files with four types of file extensions:

  • plist
  • mdbackup
  • mddata
  • mdinfo

So what’s so important about these files?

  1. If you don’t have the iPhone but you do have the backup files, you need to determine the make, model and serial number, as well as the phone number, of the device.
  2. Some of the default parsing tools may NOT handle all the different kinds of apps that can be installed on an iPhone/Touch. (I have a simple example below about Skype backup files.)
  3. As always, validate your software against data you have checked by hand.

.plist Files
The plist files are property list files. The three described here are written as XML, so on a Windows machine they can easily be viewed in Internet Explorer or any text editor, and on a Mac you can use Quick Look by highlighting the file and pressing the spacebar, or run plutil -convert xml1 on a copy of the file. Be aware that property lists also come in a binary form that starts with the bytes bplist00 (iTunes uses it inside Manifest.plist and for the .mdinfo files); a text editor shows those as gibberish, so open them with a plist-aware viewer. There are a lot of free and commercial tools for this.

There are 3 main plist files generated as part of the backup process – Info.plist, Status.plist, and Manifest.plist.

If you are triaging a case, the most important plist file is the Info.plist file since it contains basic information about the device, including the serial #, user assigned device name, and phone number in the case of an iPhone — perhaps key items in a case. If you have an iPhone/Touch that you suspect may have been connected to this computer, then you can verify that by using the serial number.  The Info.plist will also indicate the last date/time when the device was backed up onto the computer.

The Status.plist file indicates the status of the previous sync process or backup. If the sync or backup process completed successfully, then the content would indicate the following:

Backup Success

If the previous sync process failed, it will note this, and you can then review the other folders within the “Apple Computer” folder.

The Manifest.plist file is created by iTunes. The Data element within this file is itself a binary plist describing the backup files, accompanied by a digital signature. Generally this file is not of forensic significance.
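As an added example (editor’s code, not part of the original article), the following Python script performs the Info.plist triage described above using the standard library’s plistlib. The sample Info.plist is constructed for the example: the key names are the ones iTunes writes, but every value is made up. Because plistlib sniffs the format, the same function reads an XML plist and the binary bplist00 form, which the script demonstrates by round-tripping the sample through the binary encoding.

```python
import plistlib
from datetime import datetime, timezone

# Info.plist keys worth pulling on a triage; these are the names iTunes writes.
TRIAGE_KEYS = (
    "Device Name", "Product Type", "Product Version", "Serial Number",
    "Phone Number", "IMEI", "Unique Identifier", "Last Backup Date", "iTunes Version",
)

# Constructed sample Info.plist: every value below is made up for the example.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Device Name</key><string>Example iPhone</string>
  <key>Product Type</key><string>iPhone2,1</string>
  <key>Product Version</key><string>3.1.2</string>
  <key>Serial Number</key><string>SAMPLE00SERIAL</string>
  <key>Phone Number</key><string>+1 555 010 0199</string>
  <key>IMEI</key><string>000000000000000</string>
  <key>Unique Identifier</key><string>0123456789ABCDEF0123456789ABCDEF01234567</string>
  <key>Last Backup Date</key><date>2010-07-14T19:02:11Z</date>
  <key>iTunes Version</key><string>9.0.2</string>
</dict>
</plist>
"""


def load_plist(data: bytes) -> dict:
    """plistlib sniffs the format, so XML and binary (bplist00) plists parse alike."""
    return plistlib.loads(data)


def as_binary_plist(xml_data: bytes) -> bytes:
    """Re-encode an XML plist as bplist00, the form a text editor cannot read."""
    return plistlib.dumps(load_plist(xml_data), fmt=plistlib.FMT_BINARY)


def triage_info_plist(data: bytes) -> dict:
    """Pull the identifying fields; a missing key (an iPod Touch has no phone number) becomes None."""
    info = load_plist(data)
    summary = {key: info.get(key) for key in TRIAGE_KEYS}
    # The UDID is also the Backup subfolder's name; normalise case so the two compare cleanly.
    summary["Unique Identifier"] = (summary.get("Unique Identifier") or "").lower()
    return summary


def folder_matches_udid(folder_name: str, summary: dict) -> bool:
    """Confirm the Info.plist really belongs to the UDID folder it was found in."""
    return folder_name.lower() == summary["Unique Identifier"]


def backed_up_after(summary: dict, when: datetime) -> bool:
    """plistlib returns <date> as a naive datetime in UTC; attach the zone before comparing."""
    last = summary["Last Backup Date"]
    if last is None:
        return False
    return last.replace(tzinfo=timezone.utc) > when.astimezone(timezone.utc)


if __name__ == "__main__":
    summary = triage_info_plist(SAMPLE_INFO_PLIST)
    for key, value in summary.items():
        print(f"{key:>18}: {value}")
    # The same parser handles the binary form, which matters for Manifest.plist and .mdinfo files.
    assert triage_info_plist(as_binary_plist(SAMPLE_INFO_PLIST)) == summary
```

On a case, read Info.plist from each UDID subfolder and compare the Serial Number and Unique Identifier fields against the seized device before spending time on the .mdbackup or .mddata files.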

.mdbackup Files
The mdbackup files will contain the meat of your data. The filename itself is a hex string rather than the file’s original name, so the name alone tells you nothing about the content; you have to look inside. There are plenty of free and commercial tools available that will parse these files for you. However, it’s important to understand how to view the contents and parse them yourself if no tool handles a particular file.

If you view just the first few bytes of each file, you will notice that it gives a description of the contents of the file as well as the file format. For example, the following is a sample mdbackup file that indicates which picture the user chose as the background for the device. If you know the JPEG header format and carve from the header, you will get the picture.

background_carved (lock background)
JPEG picture carved from an mdbackup file

Some files, such as the Contacts or Address Book entries, are stored as a SQLite database. The database is embedded within the mdbackup file and, while you can view the raw contents in a hex editor, it is far easier to read once carved out and opened in a SQLite parser. The following screenshots show the mdbackup file relating to the Contacts stored on the device, and the carved SQLite database as viewed using SQLite Browser.

AddressBook_SQLite, AddressBook_Carved
Hex view and database view of SQLite data for Contacts

Other mdbackup files, which store preferences and other information such as wireless access points and cookies, are in XML format. These can easily be viewed using any editor, or you can strip the leading bytes ahead of the XML declaration so that your web browser parses the XML properly. The following is a sample mdbackup file relating to web browser cookies:

Cookies
mdbackup file for Cookies

.mddata and .mdinfo Files
In the newer firmware versions for the iPhone/Touch, the .mdbackup files are replaced with the .mddata and .mdinfo files. More specifically, when the user upgrades from version 1.x (which coincides with the .mdbackup files) to any higher version, the file extensions will differ. Unlike the mdbackup files where the entire file contains both the metadata as well as the file content, the new firmware version will create two files – one with the mddata extension and the other with the mdinfo extension. The .mdinfo and .mddata act as a pair and therefore, they have the same file name but different file extensions.

The .mdinfo will contain the metadata about the file, such as what category or type of information it holds (i.e., Address Book, SMS, Call History, etc.). The .mddata will contain the actual content for that file. Note that in firmware 3.x the user has the ability to encrypt the backup by choosing that option in iTunes, which requires setting a backup password. This password is different from the user’s passcode on the device. If encryption is selected, the .mddata files will be encrypted whereas the .mdinfo files will be stored in plain text, so you can still inventory what was backed up even when you cannot read the payloads. Note that each time the user switches between encrypted and unencrypted, iTunes will force a backup of the device, which causes all the files to be rewritten.

Below is a screenshot of the .mddata file for the AddressBook in firmware 3.1.2 unencrypted and then with encryption turned on.
AddressBook_unencrypted

mddata AddressBook Unencrypted

AddressBook_encrypted
mddata AddressBook Encrypted

Although there are a lot of free and commercial parsers to parse the backup files, it is important to note that some will not handle apps that the user may install. This may require you to look at the .mddata and .mdinfo files in order to determine how to parse them. For example, I installed Skype on my device and ran a full backup. I ran a search for “Skype” across the .mdinfo files and then viewed the .mddata file for the actual data. Viewing the .mddata file, I was able to locate my Skype account (blurred out in the picture).

Skype Properties mdinfo
mddata showing Skype Information

Skype_Properties
PLIST file showing Skype Information

Bypassing the Passcode and Other Considerations
If an iPhone/Touch is locked with a user passcode, there are some avenues we can explore to get to the data. One option is to send the device to Apple with a search warrant to unlock the device. Another option, if a computer was seized along with it, is to determine whether the device was previously connected to that computer (remember the Info.plist file!) and, if so, connect the device to that computer under the same user account and issue a backup. Because iTunes already trusts that pairing, the contents of the device are backed up without the passcode being entered, and you can then parse the backup. Please note that if the passcode has changed since the last sync, this option will not work, and it will also not work if the backup was generated before the passcode was enabled on the device. There are other options available to bypass the passcode, such as Zdziarski’s method.

Some other considerations you might also consider are:

  1. If a Mac was also seized with the iPhone/Touch, determine if Time Machine was enabled. If so, then there may be older copies of the data that may be of value. This may be helpful if you are looking for older versions of files relating to the SMS database, Call History, etc.
  2. If a Vista box was also seized with the iPhone/Touch, then consider going after the shadow copies. Like Time Machine, if it’s enabled then there may be older versions of the file that you can target for deleted content.
  3. If you only have the iPhone, then remember you can determine the phone number by popping out the SIM Card and analyzing the card.
  4. The user has the option to delete backup files via iTunes. If this is chosen, it deletes the device’s subfolder within the MobileSync\Backup folder. In that case, you can try to recover files and/or carve based on header signatures. Useful signatures include the string bplist00 for binary property lists and SQLite format 3 for SQLite databases.
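The signature-based carving described for the .mdbackup files, and the header-based recovery suggested in item 4, can be done with a short script. The Python below is added here as an example and is not the author’s tooling: it locates the first known header (SQLite, bplist00, XML plist or JPEG) in a record, trims a SQLite database to the size its own header declares, pairs .mdinfo and .mddata files by stem, and repeats the Skype-style keyword search across the .mdinfo files. The backup folder it runs against is constructed in memory; the metadata prefix on the legacy .mdbackup record and the Domain/Path keys in the .mdinfo samples stand in for the real layout rather than reproduce it.

```python
import plistlib
import sqlite3
import struct
import tempfile
from pathlib import Path

# Headers of the payload types the article shows inside backup records. A legacy
# .mdbackup record carries a metadata prefix before the payload, so scan for them.
SIGNATURES = {
    "sqlite": b"SQLite format 3\x00",
    "bplist": b"bplist00",
    "xml_plist": b"<?xml",
    "jpeg": b"\xff\xd8\xff",
}


def identify(blob: bytes):
    """Return (kind, offset) of the earliest known header in blob, or (None, -1)."""
    hits = [(blob.find(sig), kind) for kind, sig in SIGNATURES.items() if blob.find(sig) >= 0]
    if not hits:
        return None, -1
    offset, kind = min(hits)
    return kind, offset


def carve(blob: bytes) -> bytes:
    """Cut the embedded object out of a record (or out of a raw carve from disk)."""
    kind, offset = identify(blob)
    if kind is None:
        return b""
    body = blob[offset:]
    if kind == "sqlite":
        # Bytes 16-17: page size (1 means 65536). Bytes 28-31: page count, valid
        # only when the change counter (24-27) equals version-valid-for (92-95);
        # older writers leave it 0, and then the safe choice is to keep everything.
        raw = struct.unpack(">H", body[16:18])[0]
        page_size = 65536 if raw == 1 else raw
        pages = struct.unpack(">I", body[28:32])[0]
        return body[: page_size * pages] if pages and body[24:28] == body[92:96] else body
    if kind == "jpeg":
        end = body.find(b"\xff\xd9")  # EOI marker: right for one image, naive for embedded thumbnails
        return body[: end + 2] if end >= 0 else body
    return body  # a bplist keeps its trailer at the very end; an XML plist has no length field


def carved_plist(blob: bytes) -> dict:
    """Carve a plist record and decode it; handles both the XML and bplist00 forms."""
    return plistlib.loads(carve(blob))


def search_mdinfo(files: dict, keyword: str) -> list:
    """Pair every .mdinfo that mentions keyword with its .mddata twin (same stem).
    files maps filename -> bytes; on a case, fill it from the UDID folder."""
    needle = keyword.lower().encode()
    pairs = []
    for name, data in sorted(files.items()):
        if name.endswith(".mdinfo") and needle in data.lower():
            twin = name[: -len(".mdinfo")] + ".mddata"
            pairs.append((name, twin if twin in files else None))
    return pairs


def make_sqlite_bytes() -> bytes:
    """Constructed sample: a two-row table standing in for the AddressBook database."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "AddressBook.sqlitedb"
        con = sqlite3.connect(str(path))
        con.execute("CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT)")
        con.executemany("INSERT INTO ABPerson VALUES (?, ?, ?)",
                        [(1, "Ada", "Lovelace"), (2, "Alan", "Turing")])
        con.commit()
        con.close()
        return path.read_bytes()


def rows_from_sqlite(blob: bytes) -> list:
    """Open carved bytes as a database; an error here means the carve went wrong."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "carved.sqlitedb"
        path.write_bytes(blob)
        con = sqlite3.connect(str(path))
        try:
            return con.execute("SELECT First, Last FROM ABPerson ORDER BY ROWID").fetchall()
        finally:
            con.close()


# Constructed stand-in for a UDID folder: stems are fake (real ones are 40 hex chars)
# and the prefix only imitates the idea of a metadata header, not its real layout.
STEM_ADDRESSBOOK, STEM_SKYPE, STEM_LEGACY, STEM_PHOTO = "aa" * 20, "bb" * 20, "cc" * 20, "dd" * 20
RECORD_PREFIX = b"mdbackup\x00\x02constructed-metadata\x00"
PADDING = b"\x00" * 16  # slack after the payload, to show the size check trimming it


def sample_files() -> dict:
    bplist = lambda d: plistlib.dumps(d, fmt=plistlib.FMT_BINARY)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 24 + b"\xff\xd9"
    return {
        STEM_ADDRESSBOOK + ".mdinfo": bplist({"Domain": "HomeDomain", "Path": "Library/AddressBook/AddressBook.sqlitedb"}),
        STEM_ADDRESSBOOK + ".mddata": make_sqlite_bytes(),
        STEM_SKYPE + ".mdinfo": bplist({"Domain": "AppDomain-com.skype.skype", "Path": "Library/Preferences/com.skype.skype.plist"}),
        STEM_SKYPE + ".mddata": bplist({"SkypeName": "example.user"}),
        STEM_LEGACY + ".mdbackup": RECORD_PREFIX + make_sqlite_bytes() + PADDING,
        STEM_PHOTO + ".mdbackup": RECORD_PREFIX + jpeg + PADDING,
    }


if __name__ == "__main__":
    files = sample_files()
    print(search_mdinfo(files, "skype"))
    print(rows_from_sqlite(carve(files[STEM_LEGACY + ".mdbackup"])))
```

On a real case, build the files dictionary by reading every file in the UDID folder. A SQLite header whose page count fails the validity check is kept whole rather than trimmed, which is the safe failure mode for a carve: a few stray trailing bytes do not stop SQLite opening the file, but a truncated database does.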

UPDATE:

On a Windows 7 (or Vista) PC, the pairing records iTunes creates for each device it has trusted are stored as plist files under C:\ProgramData\Apple\Lockdown; on Mac OS X they live in /var/db/lockdown. Note that these records do not contain the passcode itself. They hold the certificates and keys that let a previously paired computer talk to the device, which is what makes the backup-from-a-paired-computer route described above work without the passcode.

Google Slammed For Wi-Fi Breach of Lawmakers’ Home Networks

Google has been accused of drive-by spying on members of Congress, including those involved with homeland security, by uploading e-mail or Website viewing information while mapping for its Google Street View. According to a government watchdog group several members of Congress have unsecured wireless networks, including Rep. Jane Harman, D-CA, who heads the intelligence subcommittee for the House Homeland Security committee, and whose home was discovered to house unsecured networks named “harmanmbr” and “harmantheater.”

Google previously admitted that it had accidentally collected “samples of payload data” in a rather innocuous update to a month-old press release last month, and released a report on the breach on June 10. However, an advocacy group called Consumer Watchdog decided there needed to be more publicity to expose the “WiSpying”, and the group decided to conduct its own experiment by sniffing out unsecured networks at Congress members’ homes. Sure enough, they hit paydirt. From the report:

Between June 27 and July 6, SNS Global LLC conducted a program to determine what networks could be identified near the residences of several members of Congress whose Washington-area homes are pictured in Google’s Street View database. The residences surveyed included those of House Energy and Commerce Committee Chairman Henry Waxman, Chairman Emeritus John Dingell, and Reps. Edward J. Markey, Rick Boucher, and Jane Harman.

The equipment used was two laptops running the Linux operating system and the Kismet wireless network detector, sniffer, and intrusion detection system. Kismet is an open source program used by Google to collect information about residential wireless networks in the United States and more than two dozen other countries.

The experiment purported to show the kind of information Google inadvertently collected and kept on the members of Congress (and broadly hinted that the same happened to many others around the world). In a letter to Harman, Jamie Court and John Simpson of Consumer Watchdog urged a call to action:

This leaves little question that Google is currently in possession of sensitive data from the information networks used by members of Congress in their residences.

Because of your position, we believe this is not just an invasion of privacy but an unwarranted intrusion by Google into legislative branch matters. In our view, you have the right to demand that Google disclose to you any information it has collected regarding your home wireless networks.

In addition we urge the Energy and Commerce Committee to, at its earliest convenience, hold a hearing on Google’s WiSpying and data gathering practices.

What Google did was likely innocent since it claims its code accidentally collected all publicly broadcast WiFi data, but what was stupid was being unaware they were doing it at least for several months. If just a piece of unsupervised code can create such security havoc, what else does Google create and collect without anyone but a single engineer’s knowledge? (Google says it kept the information, segregated it and would dispose of it with the consent of interested parties.) Bad Google, and you deserve a slap on the server.

VIA: NetworkWorld

Wireless presentation controllers prove juicy targets for hackers

Wireless presentation controllers have changed corporate life forever. Instead of businessmen and women staying tethered to their keyboards while delivering boring PowerPoint presentations, they can wander about the room, gesticulating authoritatively with an ego-boosting gadget in hand… while delivering that same boring presentation. Now a security researcher by the name of Niels Teusink is showing that those wild gesticulations open the door to crazy hacks, with most wireless presenters being recognized by the host computer as full keyboards, and some even as keyboards and mice. With no encryption on the radio link it’s a (reasonably) simple task for an attacker to replicate the signal, and because the receiver is trusted as a keyboard, injected keystrokes run with whatever privileges the presenter’s logged-in account has: escape the presentation, and the machine is yours to compromise.

Via: Engadget

Researchers say any USB peripheral could steal your data, even a coffee-cup warmer

Are you sure that the keyboard or mouse you are using today is the one that was attached to your computer yesterday? It might have been swapped for a compromised device that could transmit data to a snooper.

The problem stems from a shortcoming in the way the Universal Serial Bus (USB) works. This allows almost all USB-connected devices, such as mice and printers, to be turned into tools for data theft, says a team that has exploited the flaw.

Welcome to the murky world of the “hardware trojan”. Until now, hardware trojans were considered to be modified circuits. For example, if hackers manage to get hold of a microchip when it is still in the factory, they could introduce subtle changes allowing them to crash the device that the chip gets built into (New Scientist, 1 July 2009, p 18).

Computer engineers John Clark, Sylvain Leblanc and Scott Knight at the Royal Military College of Canada in Kingston, Ontario, wondered if a hardware trojan attack could be carried out by other means. They calculated that the easiest way to introduce a hardware trojan might be via a computer’s USB ports.

The trio found they could exploit a weakness in USB’s plug-and-play functionality. The USB protocol trusts any device being plugged in to report its identity correctly. But find out the make and model of a target user’s keyboard, say, swap it with a compromised device that reports the same information – and that doesn’t even have to be a keyboard – and the computer won’t realise.

The team designed a USB keyboard containing a circuit that successfully stole data from the hard drive and transmitted it in two ways: by flashing an LED, Morse-code style, and by encoding data as a subtle warbling output from the sound card (Future Generation Computer Systems, DOI: 10.1016/j.future.2010.04.008). They could have chosen more efficient methods to transmit the data, such as email, but Leblanc says their main goal was to see if they could steal data without anyone noticing.

“We’ve shown any USB device could contain a hardware trojan,” he says. Security software, if it checks USB devices at all, tends to look only for malware on USB memory sticks.

“This work opens many cans of worms,” says Vasilios Katos, a computer scientist at the Democritus University of Thrace in Greece. “A USB device cannot now be trusted – it may have hidden processing capabilities.”

He’s right, says Leblanc. “You could mount a hardware trojan attack with a USB coffee-cup warmer.”
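The descriptor-trust problem behind both the wireless presenter story and this one can at least be watched for. The Python below is an added example, not the Royal Military College team’s work: it snapshots the idVendor, idProduct, manufacturer, product and serial attributes Linux exposes under /sys/bus/usb/devices and diffs today’s inventory against yesterday’s. The sysfs tree in the demo is constructed in a temporary directory (the IDs and strings are made up) so it runs offline; point snapshot() at the real path on a live machine. It also shows the limit the article warns about: an impostor that copies every descriptor, serial included, produces no diff at all.

```python
import tempfile
from pathlib import Path

# Attributes Linux exposes per USB device under /sys/bus/usb/devices/<port>/.
# `serial` is optional, and many keyboards omit it, which helps an impostor.
ATTRS = ("idVendor", "idProduct", "manufacturer", "product", "serial")


def read_attr(dev: Path, name: str):
    """Read one sysfs attribute file, or None when the device does not expose it."""
    attr = dev / name
    return attr.read_text().strip() if attr.is_file() else None


def snapshot(sysfs_root="/sys/bus/usb/devices") -> dict:
    """Map each device directory (the bus-port path, e.g. 1-1.2) to its descriptor strings.
    Interface entries such as 1-1:1.0 have no idVendor file and are skipped."""
    inventory = {}
    for dev in sorted(Path(sysfs_root).iterdir()):
        if (dev / "idVendor").is_file():
            inventory[dev.name] = {name: read_attr(dev, name) for name in ATTRS}
    return inventory


def diff(baseline: dict, current: dict) -> dict:
    """Ports that gained or lost a device, or whose device now reports different descriptors."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(port for port in common if baseline[port] != current[port]),
    }


def build_fake_sysfs(root: Path, devices: dict) -> Path:
    """Constructed stand-in for /sys/bus/usb/devices so the example runs offline."""
    for port, attrs in devices.items():
        (root / port).mkdir(parents=True)
        for name, value in attrs.items():
            if value is not None:
                (root / port / name).write_text(value + "\n")
    return root


# Constructed descriptors: the IDs and strings are made up, not a real product.
YESTERDAY = {"1-1": {"idVendor": "1234", "idProduct": "abcd", "manufacturer": "Example Corp",
                     "product": "USB Keyboard", "serial": "KB0001"}}
CLUMSY_SWAP = {"1-1": {**YESTERDAY["1-1"], "serial": None}}   # impostor did not copy the serial
FAITHFUL_CLONE = {"1-1": dict(YESTERDAY["1-1"])}               # impostor copied every descriptor


def demo() -> dict:
    """Compare yesterday's inventory with the two kinds of swapped keyboard."""
    with tempfile.TemporaryDirectory() as tmp:
        base = snapshot(build_fake_sysfs(Path(tmp) / "base", YESTERDAY))
        return {
            "clumsy": diff(base, snapshot(build_fake_sysfs(Path(tmp) / "clumsy", CLUMSY_SWAP))),
            "clone": diff(base, snapshot(build_fake_sysfs(Path(tmp) / "clone", FAITHFUL_CLONE))),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The clumsy swap shows up as a changed port; the faithful clone does not, because every value the check reads is supplied by the device itself. A baseline like this catches sloppy substitutions and unexpected new devices, which is worth having, but it is not a defence against a device built to lie consistently.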

Via: Engadget
Source: New Scientist

Copiers Can Be A Digital Time Bomb (video)

Photocopiers are a “digital time bomb” packed with highly sensitive personal and company data that could fall into the wrong hands, according to leading forensic accountants Vincents Chartered Accountants.

Vincents Director of Forensic Technology Daniel Hains said information processed on digital copying machines manufactured roughly post-2000 can be retrieved after the machine has been sold or otherwise disposed of.

Mr Hains said individuals or companies replacing photocopiers should ensure they remove the data on the hard drives of old machines or risk having their sensitive information retrieved by outside interests.

“Often tens of thousands of documents that have been photocopied are still available to be retrieved by forensic acquisition,” he said.

“The hard drive on a copier is just like the one on your personal computer and can and usually does store every document printed, copied, scanned or emailed by the machine.

“It’s a massive digital time bomb where items such as medical documents, bank statements and tax records can be retrieved by whoever gets their hands on the old machine.”

Mr Hains said he had found that many companies were unaware of the potential dangers posed by digital copiers.

“Companies should take responsibility for ensuring images from the hard drive are erased before the copier is sold, leased out or disposed of,” he said.

“We have found that a lot of businesses and consumers simply have no idea that copiers store images on the hard drive.

“But there is potential here for serious breaches of privacy.”

Mr Hains said all major photocopier manufacturers offered security or encryption packages on their products, but they can be expensive.

“Due to the cost of these packages, many businesses are unwilling to pay for such protection and this can result in thousands of copying machines retaining their secrets,” he said.

“The machine itself may have an inbuilt function to remove all data so check the operating instructions. In most cases the original supplier may provide a qualified technician to assist with this process.”

 Established more than 20 years ago, Vincents specialises in forensic accounting, forensic technology, insolvency and reconstruction, corporate advisory, taxation and business solutions, financial advisory and executive search and selection.


