http://www.cio.com/article/114550

By Scott Berinato
CSO
May 31, 2007

Forensic investigations start at the end. Think of it: You wouldn't start using science and technology to establish facts (that's the dictionary definition of forensics) unless you had some reason to establish facts in the first place. But by that time, the crime has already happened. So while requisite, forensics is ultimately unrewarding.

A clear illustration of this fact comes from the field investigations manager for a major credit services company. Sometime last year, he noticed a clutch of fraudulent purchases on cards that all traced back to the same aquarium. He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break. He learned that when she played the song, a rootkit hidden inside the song installed itself on her computer. That rootkit allowed the hacker who'd planted it to establish a secure tunnel so he could work undetected and get root (administrator's) access to the aquarium network.

Sounds like a successful investigation. But the investigator was underwhelmed by the results. Why? Because he hadn't caught the perpetrator and he knew he never would. What's worse, that lunch break with the sandwich and the song download had occurred some time before he got there. In fact, the hacker had captured every card transaction at the aquarium for two years.

The investigator (who could only speak anonymously) wonders aloud what other networks are right now being controlled by criminal enterprises whose presence is entirely concealed. Computer crime has shifted from a game of disruption to one of access. The hacker's focus has shifted too, from developing destructive payloads to circumventing detection. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.

This is antiforensics.
It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

The concept is neither new nor foolproof, but in the past 12 months, forensic investigators have noticed a significant uptick in the use of antiforensics. This is not because hackers are making more sophisticated antiforensic tools, though some are. Rather, it's because antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. What's more, this transition is taking place right when (or perhaps because of) a growing number of criminals, technically unsophisticated, want in on all the cash moving around online and they need antiforensics to protect their illicit enterprises.

"Five years ago, you could count on one hand the number of people who could do a lot of these things," says the investigator. "Now it's hobby level."

Researcher Bryan Sartin of Cybertrust says antiforensic tools have gotten so easy to use that recently he's noticed the hacks themselves are barely disguised. "I can pick up a network diagram and see where the breach occurred in a second," says Sartin. "That's the boring part of my job now. They'll use FTP and they don't care if it logs the transfer, because they know I have no idea who they are or how they got there."

Veteran forensic investigator Paul Henry, who works for a vendor called Secure Computing, says, "We've got ourselves in a bit of a fix. From a purely forensic standpoint, it's real ugly out there."

Vincent Liu, partner at Stach & Liu, has developed antiforensic tools. But he stopped because "the evidence exists that we can't rely on forensic tools anymore. It was no longer necessary to drive the point home. There was no point rubbing salt in the wound," he says.

The investigator in the aquarium case says, "Antiforensics are part of my everyday life now."
As this article is being written, details of the TJX breach (called the biggest data heist in history, with more than 45 million credit card records compromised) strongly suggest that the criminals used antiforensics to maintain undetected access to the systems for months or years and capture data in real time. In fact, the TJX case, from the sparse details made public, sounds remarkably like the aquarium case on a massive scale. Several experts said it would be surprising if antiforensics weren't used.

"Who knows how many databases containing how many millions of identities are out there being compromised?" asks the investigator. That is the unspoken nightmare.

[...]