Thursday, December 12, 2013

Blog review

What topics did I write on?

I wrote on a wide range of topics and tested a number of different tools. I wrote about general security issues such as NSA spying, concerns about cyberwarfare, effects of the government shutdown, and privacy issues. I studied password-breaking methods. I did an overview of emerging new threats. I did another review of the most common causes of security breaches. I studied penetration testing and focused on the many features of BackTrack Linux. I used BackTrack Linux to do a MITM attack and managed to steal session cookies. I also test drove Metasploit and the Social Engineering Toolkit. I also experimented with Wi-Fi monitoring tools. I reviewed “The Art of Deception” to learn about social engineering. I tested a few encryption tools. I reviewed solutions to the future problem of quantum computing breaking today's encryption methods. I returned to BackTrack Linux to review its forensics tools.

What sources did I use?

I used a wide variety of sources. These included online magazines, blogs, tutorials, and software support sites. I found Bruce Schneier's blog to be interesting and useful. I also used the Dark Reading blog. It had some useful postings pointing to valuable white papers. I also used SecurityWeek several times. I looked at tutorials and videos on Metasploit and the Social Engineering Toolkit. I reviewed the PDF version of Kevin Mitnick's book “The Art of Deception.”

Is this type of blog useful? What lessons can be learned?


Since the security environment is constantly changing, blogs can often give information that is not as readily available elsewhere. I found that blogs can have helpful tips and how-to instructions. I found a great deal of information on the use of BackTrack Linux on blogs. Blogs often give a more honest evaluation of software and hardware products than the manufacturer's website. If I am having an issue, I am probably not the only one. The answer is likely out there somewhere on someone's blog. For example, I was trying to install a Linux distribution for a class next term. I could not get it to pick up my Wi-Fi adapter. But I found the answer on someone's blog. One thing I blogged about was the use of different tools. I would recommend that students experiment with different tools. It is a great way to learn. I am impressed with BackTrack Linux and recommend students try it. I plan to experiment with it more.

Friday, December 6, 2013

Using BackTrack Linux for Forensics


For this week’s blog I decided to go back to BackTrack Linux and take a look at what sort of forensic tools are available. When booting BackTrack Linux for this purpose it is important to select forensics mode. In this mode the live system does not use the swap partition on the hard drive and does not automatically mount any internal drives, so the evidence drive is preserved in its original condition (a hardware write blocker is still the safer choice when one is available). BackTrack has dozens of tools available for forensics. I will only look at a few. BackTrack has a number of image capture tools. The main one is dd, which makes a bit-for-bit copy of a disk so that the image, not the original, is what gets analyzed. dd_rescue is a utility for copying failing media; it keeps going past read errors, so it would be useful for general data recovery and not just forensics. aimage is an advanced imaging tool that saves the image data together with its metadata in a standard forensic format (AFF). AIR (Automated Image and Restore) is a GUI front end for dd. Because these tools copy every sector, including unallocated space, the contents of temporary and deleted files are preserved in the image for later recovery. Several hashing tools (md5sum, sha1sum) are included to ensure the integrity of the image file: hash the source drive and the image, and the two must match.

Once the image is saved, tools are available to recover data from it. One tool is Foremost. It carves files out of the image by their header and footer signatures, so it can recover many common file types even when the file system no longer references them. Scalpel and Magic Rescue work the same way. PhotoRec is an interactive tool for rescuing common file types. Autopsy is a graphical suite of recovery tools built on The Sleuth Kit.
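To make the acquisition and carving steps concrete, here is an added example (my own code, not part of the original post or of BackTrack) that re-implements in miniature what dd, the hashing tools, and a carver such as Foremost do, over a constructed 64-sector "disk" so it runs offline. The disk layout, the two embedded files, and the function names are assumptions for the demo; it does not simulate forensics mode or a write blocker.

```python
"""Added example (not from the original blog): imaging with hash
verification, then signature carving, over a constructed disk file."""
import hashlib
import os
import tempfile

SECTOR = 512

# Header/footer signatures of the kind Foremost and Scalpel ship with.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 2 * 1024 * 1024),
}


def build_test_disk(path):
    """Constructed evidence: a mostly-zero 64-sector disk holding a JPEG at
    sector 3 and a 'deleted' PNG at sector 20 (no directory entry points at
    it, but its bytes are still in unallocated space). Returns the payloads."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-demo-pixels" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-demo-chunk" * 30 + b"IEND\xaeB`\x82"
    disk = bytearray(64 * SECTOR)
    disk[3 * SECTOR:3 * SECTOR + len(jpg)] = jpg
    disk[20 * SECTOR:20 * SECTOR + len(png)] = png
    with open(path, "wb") as f:
        f.write(disk)
    return {"jpg": jpg, "png": png}


def acquire(source, image, block=SECTOR):
    """Bit-for-bit copy like `dd if=source of=image bs=512`, hashing the
    source stream as it is read and the finished image afterwards."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as s, open(image, "wb") as d:
        while True:
            chunk = s.read(block)
            if not chunk:
                break
            src_hash.update(chunk)
            d.write(chunk)
    with open(image, "rb") as d:
        img_hash = hashlib.sha256(d.read()).hexdigest()
    return src_hash.hexdigest(), img_hash


def carve(image):
    """Signature carving: scan the whole image, allocated and unallocated,
    for each known header and cut up to the matching footer (bounded by a
    maximum size so a missing footer cannot swallow the rest of the disk)."""
    with open(image, "rb") as f:
        data = f.read()
    found = []
    for ext, (head, foot, max_len) in SIGNATURES.items():
        pos = data.find(head)
        while pos != -1:
            end = data.find(foot, pos + len(head), pos + max_len)
            if end == -1:
                pos = data.find(head, pos + 1)       # header without footer
                continue
            found.append((ext, pos, data[pos:end + len(foot)]))
            pos = data.find(head, end + len(foot))
    return found


def demo():
    """Run the whole chain and report what a chain-of-custody note needs."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sdb")
        img = os.path.join(tmp, "sdb.dd")
        expected = build_test_disk(src)
        h_src, h_img = acquire(src, img)
        carved = sorted(carve(img), key=lambda t: t[1])
        return {
            "hashes_match": h_src == h_img,
            "sha256": h_img,
            "offsets": [off for _, off, _ in carved],
            "carved_ok": {e: p for e, _, p in carved} == expected,
        }


if __name__ == "__main__":
    print(demo())
```

The "deleted" PNG is recovered purely from its signature, which is why carving works on an image even when the file system metadata is gone; the matching source and image hashes are what you record to show the image was not altered.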

PTK is a web-based analysis front end to The Sleuth Kit. Volatility is the tool for analyzing RAM dumps; it can list processes and network connections and extract most common file types from memory. There are also some specialized recovery tools. pdgmail recovers Gmail artifacts from memory. pdfbook extracts Facebook information from memory.

rkhunter (Rootkit Hunter) is a tool for discovering rootkits; it compares system binaries against known-good hashes and looks for files and hidden processes associated with known rootkits.

There are several tools for recovering metadata. One example is Vinetto, which recovers picture thumbnails from Windows Thumbs.db files. pdf-parser examines the objects inside PDF files. There are also several tools for reading and analyzing log files.

There are tools (samdump2 and bkhive) for extracting password hashes from Windows SAM files so that they can be loaded into a password cracker. CMOSpwd is a utility designed to recover BIOS passwords. fcrackzip breaks password-protected zip files by dictionary or brute-force attack.

Network analyzers such as Wireshark are classed as forensic tools since they can give valuable clues to attacks over a network. Xplico reconstructs common data types (e-mail, web pages, VoIP calls) from a packet capture such as one saved by Wireshark.

There is even one tool that is classed as anti-forensics: TrueCrypt, a powerful disk encryption tool.



Although there are a number of excellent commercial forensic suites available, most are priced out of the range of many smaller businesses. BackTrack Linux gives a powerful suite of tools that is comparable to the commercial suites in a free package. I intend to spend more time over winter break learning how to use the powerful tools available in BackTrack. If I was running a business, I might let employees know that if they do something wrong in the digital realm, there are ways that they can be caught. People may be less likely to try stuff if they know that they could be held accountable.

Thursday, November 28, 2013

GPG4Win

I also looked at GPG4Win. This is a front end for GPG for the Windows environment. It seems to have much of the same functionality as PGP and is compatible with it. It gives users a freeware option if they need PGP capability. The main drawback I see is that GPG4Win has its functionality split into different tools, while everything is available in one tool in PGP. This makes GPG4Win a little more clunky and difficult to figure out. Certificate management is done by Kleopatra. This program can also be used to encrypt and decrypt files. Keys can also be managed by a tool called GPA. This tool can encrypt files as well as text from the clipboard. The GPA tool was not included in the default installation. Still, it wasn't too bad and is a viable alternative to PGP.

Mailvelope

Many people use web-based mail programs. I wanted to see if there was an easy-to-use encryption program for working with these programs. I found a convenient and very easy to use open source tool called Mailvelope. It works with common webmail services such as Yahoo, Gmail, and Outlook.com, and other mail sites can be added. It is available as an add-on for the Firefox or Chrome browsers. It implements OpenPGP inside the browser, so its keys are interoperable with GPG. When composing an email an icon appears in the writing window. When clicked, a box appears that allows a message to be created. This box functions as a sandbox that keeps the plaintext separate from the mail program's page. Click a lock to encrypt. A box appears to choose a key. Select the key and it encrypts the message. Hit transfer and the encrypted message is copied into the email program. There is also an option that allows encryption to be done in the email editor itself. This is easier but less secure, since the webmail site can save drafts of the unencrypted text.

Decrypting is also very easy. Mailvelope detects when an encrypted message has been received. A lock appears. Click on the lock. A sandbox appears. Enter the passphrase and the message appears in the sandbox. There is also an option to cache the passphrase, but this is not recommended.

A lock icon in the browser corner opens the Mailvelope options for configuration and for key creation and management. It has some limits. It does not encrypt attachments. Nor is it able to do signatures. Other programs will have to be used for that.

http://www.mailvelope.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v0.7.0
Comment: Email security by Mailvelope - http://www.mailvelope.com
-----END PGP PUBLIC KEY BLOCK-----


TrueCrypt

For this week’s blog I looked at some different encryption tools. To encourage people to actually use encryption, it has to be easy to use. One tool I looked at was TrueCrypt. TrueCrypt is a free, open-source encryption tool that has many of the same features as Microsoft’s BitLocker. It can create encrypted file containers and encrypt partitions or whole drives. There is a portable version that works from USB drives. It is quite easy to use. A mounted TrueCrypt volume appears as a normal drive. Normal file operations can be used and it automatically handles the encryption and decryption. Data in the encrypted volume is never stored in an unencrypted form on the drive, only in memory (so it is exposed while the volume is mounted and the machine is unlocked). It works with Windows, Linux, and Mac OS X. BitLocker only comes with the Professional and higher editions of Windows, which limits its use. TrueCrypt has a boot loader feature that allows the system to boot from an encrypted system disk. TrueCrypt has several strong ciphers available, including AES. TrueCrypt has a steganographic feature that creates a hidden volume or even a hidden operating system, giving plausible deniability. If I were in a work situation where people were doing work on personal devices or taking work out on USB drives, I would encourage the use of TrueCrypt.

http://www.truecrypt.org/

Wednesday, November 20, 2013

The end of encryption?

Post-Quantum Cryptography
Daniel J. Bernstein


The textbook expressed concern that quantum computing will someday end encryption. If this is true, there will be a major security crisis if and when quantum computers become generally available. This made me wonder if alternatives would be developed to provide secure encryption in the quantum computing age. I reviewed the PDF version of this book on the topic. Much of the book is highly technical and way over my head. But the answer is no, quantum computing will not end encryption. A great deal of research is being done to come up with quantum-resistant encryption methods. Most secret-key methods such as AES should still be secure, since a quantum computer only gives a square-root speedup against key search and doubling the key length restores the margin. But public-key methods such as RSA and ECC will be vulnerable, because Shor's algorithm solves the factoring and discrete-logarithm problems they rely on. A number of alternative methods of public-key encryption are being researched. Lattice-based methods such as NTRUEncrypt look promising. There are many alternatives available, but not all have been thoroughly tested for security. Other methods have been proven very secure, but they are very inefficient or use very long keys. More work has to be done to create practical alternatives.
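To show what a "lattice-based" public-key scheme looks like and why the key-size complaint comes up, here is an added example (my own code, not from the book or the blog) of Regev's learning-with-errors (LWE) encryption, the simplest lattice scheme. It is not NTRUEncrypt, which is a different lattice construction; the parameters Q, N, M are toy values chosen so the code is readable and are far too small to be secure.

```python
"""Added example (not from the book or the blog): toy Regev LWE encryption.
Security rests on the hardness of recovering s from (A, A*s + e mod Q), a
lattice problem with no known quantum shortcut, unlike factoring."""
import random

Q = 4093   # modulus; 12-bit, so every coefficient costs 12 bits to store
N = 16     # dimension of the secret vector (toy; real schemes use hundreds)
M = 48     # LWE samples in the public key; noise sum is at most M < Q/4


def make_rng(seed):
    """Seeded PRNG so runs are reproducible. A real scheme needs a CSPRNG."""
    return random.Random(seed)


def keygen(rng):
    """Secret s; public key (A, b = A*s + e mod Q) with small noise e."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + noise) % Q
         for row, noise in zip(A, e)]
    return s, (A, b)


def encrypt_bit(pub, bit, rng):
    """Sum a random subset of the public rows; hide the bit at Q/2."""
    A, b = pub
    subset = [i for i in range(M) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % Q for j in range(N)]
    v = (sum(b[i] for i in subset) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(s, ct):
    """v - <u, s> = (noise sum) + bit*Q/2 mod Q; decide by nearest of 0, Q/2.
    Correct as long as |noise sum| < Q/4, which M < Q/4 guarantees."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % Q
    return 0 if min(d, Q - d) < Q // 4 else 1


def encrypt(pub, data, rng):
    """One LWE ciphertext per plaintext bit, least significant bit first."""
    bits = [(byte >> k) & 1 for byte in data for k in range(8)]
    return [encrypt_bit(pub, bit, rng) for bit in bits]


def decrypt(s, cts):
    bits = [decrypt_bit(s, ct) for ct in cts]
    out = bytearray()
    for i in range(0, len(bits), 8):
        out.append(sum(bit << k for k, bit in enumerate(bits[i:i + 8])))
    return bytes(out)


def public_key_bits(pub):
    """Size of (A, b) in bits: M*(N+1) coefficients of log2(Q) bits each."""
    A, b = pub
    return (len(A) * len(A[0]) + len(b)) * Q.bit_length()


def ciphertext_bits_per_plaintext_bit():
    """Each encrypted bit is (u, v): N+1 coefficients of log2(Q) bits."""
    return (N + 1) * Q.bit_length()


if __name__ == "__main__":
    rng = make_rng(7)
    s, pub = keygen(rng)
    msg = b"post-quantum"
    assert decrypt(s, encrypt(pub, msg, rng)) == msg
    print("public key bits:", public_key_bits(pub))
    print("ciphertext bits per plaintext bit:", ciphertext_bits_per_plaintext_bit())
```

Even at these toy sizes the public key is nearly 10 kilobits and each plaintext bit costs 204 ciphertext bits, which is the efficiency problem the book describes; practical lattice schemes trade the random matrix for structured (ring) versions precisely to shrink these numbers.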

Escaping CryptoLocker hell

Businesses offer best practices for escaping CryptoLocker hell
By Ellen Messmer,
Nov. 18, 2013


This article gives advice on dealing with the CryptoLocker malware. This malware encrypts user data and holds it for ransom until the user pays the attackers for a key to unlock the data. Sometimes the key isn't even delivered when the victim pays. The ransom is typically $300, paid in Bitcoin. Often the only effective way to deal with the attack without paying the ransom is to do a full restore from a backup. The article recommends having frequent backups and backups of the backups (kept offline, since CryptoLocker also encrypts files on any drive it can reach). CryptoLocker is dynamic since its creators are continually finding ways to get it past spam and anti-malware filters. CryptoLocker attacks are growing. The attackers use botnets and managed to hit 10,000 victims between Oct. 27 and Nov. 1. The attackers rely on phishing emails to trick users into installing the malware. From there it can also encrypt files on network shares the victim's machine can reach. The phishing emails often appear to come from FedEx or UPS. CryptoLocker is not the only ransomware. There is a new version of the FBI virus going around. This ransomware states that it has the victim's criminal record and will delete it for a fee. The article suggests using a virus removal tool for the FBI virus instead of paying the ransom.