SANS – APT Forensics Challenge

The 2010 Digital Forensics and Incident Response Summit's focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. I asked Jonathan Ham and Sherri Davidoff (who co-authored the sell-out Forensics 558: Network Forensics course and created many successful contests at –) to create a contest based partially on how the APT might try to trigger a compromise and steal intellectual property through a targeted spear-phishing attack.

Jonathan and Sherri have created a contest that will challenge your skillset and help you see the types of attacks that could be infecting your networks today. Using published information on the Aurora attacks, they set out to recreate a sequence of events that demonstrates the challenge investigators face when examining compromises that began with a click on a link in a targeted spear-phishing message. This contest is a step in the right direction to help educate and challenge forensic professionals around the country.

It also provides a good example of some of the discussions we will cover at the 2010 Forensic Summit: malware analysis, network forensics, and the Advanced Persistent Threat. Jonathan and Sherri will announce the winners at the Forensic Summit on July 8. We hope you win the challenge and will attend the 2010 Forensic Summit, July 8-9 in Washington D.C.

The contest itself is available over at the SANS Computer Forensics Blog.

Reminder: Win2k End-Of-Life in July

Just a reminder that Windows 2000 in all of its forms is slated for E-O-L in July of 2010. It will no longer be available with systems or as a product, and patches and service packs will stop being made available for it. If you happen to have W2K kicking around in your business or home office, you had better get to planning an upgrade, post-haste.

On the topic of Microsoft lifecycles, Windows XP users will be happy to hear that support for the OS has been extended into 2014. Watch this date closely, as dates in the future are closer than they appear.

NASA Shifts Focus From C&A To Security Monitoring

NASA deputy CIO Jerry Davis has issued a memo instructing NASA CIOs and CISOs to shift focus and contracts “away from cumbersome and expensive C&A [certification and accreditation] paperwork processes, in favor of a value-driven, risk-based approach to system security.”

The Federal Information Security Management Act (FISMA) was a good idea with good intentions, but it should have been considered a stepping stone to a semi- or fully-automated process. The mechanisms and processes for assessment and output delivery have been badly flawed since inception. FISMA has faced increasing criticism for being a paperwork black hole, requiring agencies to commit time and money to create reports that assess compliance but not requiring any actions to actually secure systems. C&As are still required before new systems are authorized for operation, but the 3-year C&A updates that consume 85% of C&A budgets are no longer allowed. Davis took his lead from a list of security requirements released by the Office of Management and Budget (OMB). Last year NIST took the lead in updating 800-53 and 800-37 to require more continuous monitoring. OMB is requiring that the output from continuous monitoring be submitted through a tool called "Cyberscope", which simplifies the top-level compilation of agency submissions.

Beware Fraudulent Anti-ID Theft Organizations

Todd Davis's identity has been stolen at least 13 times. Davis is CEO of LifeLock, a company that sells anti-identity-theft services, and their ads prominently feature Davis's real Social Security Number (the claim being that the service works so well he can publicize it without risk). Collection agencies across the US are trying to squeeze him for debts other people have racked up using the SSN they gleaned from the ad.

LifeLock’s co-founders, Richard Todd Davis and Robert J. Maynard Jr., claim that Maynard had once spent a week in the Maricopa County jail, falsely accused of crimes because his identity had been stolen.  The 2003 incident was the inspiration for the company.  Official records and interviews with authorities in Nevada proved the details of the story to be false.  Maynard had been arrested and jailed in Nevada, all right — he’d failed to pay back a $16,000 gambling marker at the Mirage casino in Las Vegas.  That’s a crime, just like bouncing a check.  Authorities dropped the charges after Maynard managed to scrape together the cash from inside of his cell.

LifeLock has already been fined $12,000,000 by the FTC for deceptive advertising.  The Phoenix New Times has a long story on LifeLock’s questionable business practices and services.  It’s a pretty comprehensive look at how to build something that doesn’t work very well, and then compound that with really bad business practices.  Maynard, the Valley businessman principally behind LifeLock during its inception, was banned for life in the 1990s from the credit-repair industry.  Maynard’s father, optometrist Robert Maynard Sr., has accused him of identity theft.  Oy!


Canadian Computers Vulnerable

The threat of cyberattacks is “one of the fastest growing and most complicated issues,” the report said. “In addition to being virtually unattributable, these remotely operated attacks offer a productive, secure and low-risk means to conduct espionage.”


BUSTED HK Policeman Gets 4 Years For Fraud

A former Hong Kong policeman began a 4-year jail sentence Tuesday for his part in a global 10 million US dollar scam using cloned payment cards. Cheung Hoi-wing, 40, was recruited as one of five Hong Kong 'cashers' in the international plot masterminded by a gang of Russian and Eastern European computer hackers in November 2008. The cashers stole 4.2 million Hong Kong dollars (538,000 US dollars) from Hong Kong branches of RBS WorldPay, a division of the Royal Bank of Scotland Group Plc, using cloned debit cards provided by the hackers. Cheung appeared in court Monday for sentencing after pleading guilty to possessing false documents and conspiracy to steal, the South China Morning Post reported.

The court heard that Cheung had withdrawn 1.25 million Hong Kong dollars, which he gave to an accomplice in return for 20,000 Hong Kong dollars. A total of 44 cloned cards were used worldwide in the scam to withdraw cash worth about 10 million US dollars in 280 cities in countries including the US, Japan and Russia. All of it took place over a 12-hour period on November 8 and 9, 2008.

RBS WorldPay noticed the large withdrawals and launched an investigation. Cheung was arrested after police identified him from surveillance camera footage. His accomplices in Hong Kong are still being sought. The gang who masterminded the plot hacked into the RBS WorldPay computer system, stole card and account details, and then raised the allowed withdrawal amount on those accounts. A number of the hackers have been arrested in connection with the scam, which US prosecutors have described as 'perhaps the most sophisticated and organized computer fraud attack ever conducted.'
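The pattern described in this item (withdrawal limits silently raised on a handful of accounts, then the same cards cashed out in many cities within a 12-hour window) is exactly the kind of thing an issuer's or processor's fraud monitoring should catch before the money is gone. The following is an added example written for this digest, not code from RBS WorldPay or any real processor; the withdrawal records, the limit-change audit records, and the thresholds (more than two distinct cities in 12 hours; a limit raised fivefold or more followed by withdrawals exceeding the old limit) are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ATM withdrawal records: (card id, UTC timestamp, city, amount in USD).
# card-A mimics a cashed-out card; card-B is ordinary local use; card-C is a
# legitimate traveller whose city changes are days apart.
WITHDRAWALS = [
    ("card-A", "2008-11-08T20:05:00", "Hong Kong", 2000),
    ("card-A", "2008-11-08T21:10:00", "Tokyo", 2000),
    ("card-A", "2008-11-08T23:40:00", "Moscow", 3000),
    ("card-A", "2008-11-09T04:15:00", "New York", 4000),
    ("card-B", "2008-11-08T09:00:00", "Hong Kong", 200),
    ("card-B", "2008-11-08T18:30:00", "Hong Kong", 100),
    ("card-B", "2008-11-10T12:00:00", "Hong Kong", 150),
    ("card-C", "2008-11-01T10:00:00", "London", 300),
    ("card-C", "2008-11-03T09:00:00", "Paris", 200),
]

# Constructed limit-change audit records: (card id, UTC timestamp, old limit, new limit).
# card-A's limit jumps 100x shortly before the withdrawals; card-B's is a routine bump.
LIMIT_CHANGES = [
    ("card-A", "2008-11-08T18:00:00", 500, 50000),
    ("card-B", "2008-11-05T10:00:00", 300, 400),
]


def _ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def flag_velocity(withdrawals, window=timedelta(hours=12), max_cities=2):
    """Return {card: set of cities} for every card used in more than
    max_cities distinct cities inside any sliding window of length `window`."""
    by_card = defaultdict(list)
    for card, ts, city, amount in withdrawals:
        by_card[card].append((_ts(ts), city, amount))
    flagged = {}
    for card, rows in by_card.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            cities = {c for t, c, _ in rows[i:] if t - start <= window}
            if len(cities) > max_cities:
                flagged[card] = cities
                break
    return flagged


def flag_limit_abuse(withdrawals, limit_changes, window=timedelta(hours=24), ratio=5.0):
    """Return {card: (old_limit, new_limit, total_withdrawn)} for cards whose limit
    was raised by at least `ratio` and whose withdrawals within `window` after the
    change exceed the old limit, i.e. cash-out that the old limit would have stopped."""
    flagged = {}
    for card, ts, old_limit, new_limit in limit_changes:
        if old_limit <= 0 or new_limit / old_limit < ratio:
            continue
        changed_at = _ts(ts)
        total = sum(
            amount for c, t, _, amount in withdrawals
            if c == card and changed_at <= _ts(t) <= changed_at + window
        )
        if total > old_limit:
            flagged[card] = (old_limit, new_limit, total)
    return flagged


def report(withdrawals=WITHDRAWALS, limit_changes=LIMIT_CHANGES):
    """Combine both detectors into {card: [reason, ...]} for an analyst queue."""
    reasons = defaultdict(list)
    for card, cities in flag_velocity(withdrawals).items():
        reasons[card].append(f"used in {len(cities)} cities within 12h: {sorted(cities)}")
    for card, (old, new, total) in flag_limit_abuse(withdrawals, limit_changes).items():
        reasons[card].append(f"limit raised {old}->{new}, then {total} withdrawn in 24h")
    return dict(reasons)


if __name__ == "__main__":
    for card, why in report().items():
        print(card, "->", "; ".join(why))
```

Both checks are deliberately simple so that they can run on a transaction stream in near real time; the limit-change check in particular only needs the audit log from the account-management system joined to the authorization feed, which is worth wiring up because a compromise of the back end (as in this case) leaves its fingerprints in the limit changes rather than in the card data itself.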