<?xml version="1.0"?>
<rss version="2.0">
<channel>




<title>.: Sarah's Blog :.</title>
<description>The RSS feed for Sarah's blog</description>
<link>http://www.lowmanio.co.uk/</link>

	<item>
	<title>UK Digital Forensics Conferences 2012</title>
    <description>
	05/02/2012 02:17PM
	&lt;p&gt;Last year I did a &lt;a href=&quot;/blog/entries/computer-forensics-conferences-in-the-uk/&quot;&gt;post&lt;/a&gt; with the symposiums and conferences I found relating to digital forensics for the coming year as I could not find an authoritative source. Here is the 2012 list. Please add any more conferences as a comment or email me and I'll add them in. I'm sure there will be at least one more entry from Napier Uni's fantastic Cybercrime Symposium series!&lt;br /&gt;&lt;/p&gt; 
  &lt;table class=&quot;blog firefox&quot;&gt; 
    &lt;tbody&gt; 
      &lt;tr&gt; 
        &lt;th&gt;Event&lt;/th&gt; 
        &lt;th&gt;Date&lt;/th&gt; 
        &lt;th&gt;Website&lt;/th&gt; 
        &lt;th&gt;Location&lt;/th&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;Cyber Defence &amp;amp; Network Security&lt;/td&gt; 
        &lt;td&gt;24 – 27 January&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.cdans.org/Event.aspx?id=598092&quot;&gt;http://www.cdans.org/Event.aspx?id=598092&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;London, England&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;ACPO National Cyber Crime Conference&lt;/td&gt; 
        &lt;td&gt;8 – 9 February&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.corporateitforum.com/activities-and-events/details/948-acpo-national-cyber-crime-conference&quot;&gt;http://www.corporateitforum.com/activities-and-events/details/948-acpo-national-cyber-crime-conference&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;Sheffield, England&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;Cyber Security and Data Protection&lt;/td&gt; 
        &lt;td&gt;10 Feb&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://cybersecurity.holyrood.com&quot;&gt;http://cybersecurity.holyrood.com/&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;Edinburgh, Scotland&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;Information Security Executive Summit 2012&lt;/td&gt; 
        &lt;td&gt;28 - 29 February&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.informationsecuritysummit.com/conference-programme.html&quot;&gt;http://www.informationsecuritysummit.com/conference-programme.html&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;Richmond upon Thames, England&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;e-crime congress&lt;/td&gt; 
        &lt;td&gt;13 – 14 March&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.e-crimecongress.org/congress&quot;&gt;http://www.e-crimecongress.org/congress&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;London, England&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;11th European Security Conference &amp;amp; Exhibition&lt;/td&gt; 
        &lt;td&gt;15 – 17 April&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.sourcesecurity.com/events/free-event-listing/11th-european-security-conference-and-exhibition-2012.html&quot;&gt;http://www.sourcesecurity.com/events/free-event-listing/11th-european-security-conference-and-exhibition-2012.html&lt;/a&gt;&lt;/td&gt; 
        &lt;td&gt;London, England&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;InfoSecurity Europe&lt;/td&gt; 
        &lt;td&gt;24 – 26 April&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.infosec.co.uk&quot;&gt;http://www.infosec.co.uk/&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;London, England&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;The 2nd International Conference on Cybercrime, Security and Digital Forensics&lt;/td&gt; 
        &lt;td&gt;14-15 May&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.cyberforensics.org.uk&quot;&gt;http://www.cyberforensics.org.uk/&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;London, England&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;National Information Security Conference&lt;/td&gt; 
        &lt;td&gt;13 – 15 June&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.nisc.org.uk&quot;&gt;http://www.nisc.org.uk/&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;Cumbernauld, Scotland&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;CFET 2012 : Cybercrime Forensics Education &amp;amp; Training.&lt;/td&gt; 
        &lt;td&gt;September (TBA)&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.canterbury.ac.uk/social-applied-sciences/computing/conferences/CFET2012/home.aspx&quot;&gt;http://www.canterbury.ac.uk/social-applied-sciences/computing/conferences/CFET2012/home.aspx&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;Canterbury, England&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;19th International Computer Security Symposium&lt;/td&gt; 
        &lt;td&gt;30 Sept – 4 Oct&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.cosac.net/default.html&quot;&gt;http://www.cosac.net/default.html&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;Naas, Ireland&lt;/td&gt; 
      &lt;/tr&gt; 
      &lt;tr&gt; 
        &lt;td&gt;The 7th International Conference for Internet Technology and Secured Transactions&lt;/td&gt; 
        &lt;td&gt;10 – 12 December&lt;/td&gt; 
        &lt;td&gt;&lt;a href=&quot;http://www.icitst.org&quot;&gt;http://www.icitst.org/&lt;/a&gt; &lt;br /&gt;&lt;/td&gt; 
        &lt;td&gt;London, England&lt;/td&gt; 
      &lt;/tr&gt; 
    &lt;/tbody&gt; 
  &lt;/table&gt; 
  &lt;p&gt;&lt;br /&gt;I shall be attending the ACPO National Cyber Crime Conference next week in Sheffield. See some of you there!&lt;br /&gt;&lt;/p&gt;
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/uk-digital-forensics-conferences-2012/</link>
	</item>
	<item>
	<title>Thoughts on the UK Cyber Security Strategy</title>
    <description>
	07/12/2011 09:29PM
	&lt;p&gt;In November the UK government released the “UK Cyber Security Strategy” which can be downloaded &lt;a target=&quot;_blank&quot; href=&quot;http://www.cabinetoffice.gov.uk/sites/default/files/resources/The%20UK%20Cyber%20Security%20Strategy-%20web%20ver.pdf&quot;&gt;here&lt;/a&gt;. There are four main objectives which will be funded by £650million over 4 years under the “National Cyber Security Programme” (NCSP). The objectives are:
&lt;/p&gt; 
  &lt;ol&gt; 
    &lt;li&gt;To tackle cybercrime and be one of the most secure places to do e-business&lt;/li&gt; 
    &lt;li&gt;To be more resilient to cybercrime&lt;/li&gt; 
    &lt;li&gt;To help shape an &lt;em&gt;&amp;quot;open, stable and vibrant cyberspace&amp;quot;&lt;/em&gt;&lt;/li&gt; 
    &lt;li&gt;To have knowledge, skills and capacity to carry out all cyber security objectives&lt;/li&gt; 
  &lt;/ol&gt; 
  &lt;p&gt;The paper goes on to describe cyberspace, what the current and emerging threats are and an expansion of the four objectives listed above. Finally, in &amp;quot;Annex A&amp;quot;, is a table outlining the actual implementation of the objectives. This is perhaps the most interesting bit, so if you don’t feel like reading all 42 pages, just skip to the Annex.&lt;/p&gt; 
  &lt;p&gt;I was at the &lt;a target=&quot;_blank&quot; href=&quot;http://www.scotlandcyber.com/&quot;&gt;Symposium on Security Risk, Cybercrime and Critical Infrastructure&lt;/a&gt; yesterday (more in a future post) and a number of speakers spoke about this paper and what their thoughts were on it. The thing that struck me first was the number of different organisations mentioned in the paper that would be created, involved, consulted or partnered with. The main section doesn’t really talk much of a person or group who will be in charge of the coordination of this multi-organisational effort, but tucked away in the Annex on the very last page is action 6: “&lt;em&gt;put in place clear leadership of cyber across Government, with a dedicated minister and oversight at the highest levels of Government&lt;/em&gt;”. I think this merited a little bit more of a mention, but it will be interesting to see who this is and how they can steer the direction of the NCSP, as the gist seems to be about collaborating with the right groups to get the right information to the right people at the right times. The groups mentioned in the report are (in no particular order of importance, and perhaps I’ve missed some out):

&lt;/p&gt; 
  &lt;ul&gt; 
    &lt;li&gt;Cabinet Office&lt;/li&gt; 
    &lt;ul&gt; 
      &lt;li&gt;Office of Cyber Security and Information Assurance&lt;/li&gt; 
    &lt;/ul&gt; 
    &lt;li&gt;National Crime Agency &lt;/li&gt; 
    &lt;li&gt;The Serious Organised Crime Agency (SOCA)&lt;/li&gt; 
    &lt;li&gt;GCHQ&lt;/li&gt; 
    &lt;ul&gt; 
      &lt;li&gt;Joint Cyber Unit&lt;/li&gt; 
    &lt;/ul&gt; 
    &lt;li&gt;Ministry of Defence&lt;/li&gt; 
    &lt;ul&gt; 
      &lt;li&gt;Joint Forces Command&lt;/li&gt; 
      &lt;li&gt;Defence Cyber Operations Group&lt;/li&gt; 
      &lt;li&gt;Global Operations and Security Control Centre&lt;/li&gt; 
    &lt;/ul&gt; 
    &lt;li&gt;Home Office&lt;/li&gt; 
    &lt;li&gt;Department for Business, Innovation and Skills&lt;/li&gt; 
    &lt;li&gt;Government ICT&lt;/li&gt; 
    &lt;li&gt;Single Intelligence Account&lt;/li&gt; 
    &lt;li&gt;United Nations&lt;/li&gt; 
    &lt;ul&gt; 
      &lt;li&gt;Group of Governmental Experts&lt;/li&gt; 
    &lt;/ul&gt; 
    &lt;li&gt;European Commission &lt;/li&gt; 
    &lt;li&gt;External Action Service&lt;/li&gt; 
    &lt;li&gt;Organisation for Security and Cooperation in Europe&lt;/li&gt; 
    &lt;li&gt;Centre for the Protection of National Infrastructure (CPNI)&lt;/li&gt; 
    &lt;li&gt;Government Office for Science&lt;/li&gt; 
    &lt;li&gt;Metropolitan Police Central e-crime Unit&lt;/li&gt; 
    &lt;li&gt;UK Council for Child Internet Safety&lt;/li&gt; 
    &lt;li&gt;National Fraud Intelligence Bureau&lt;/li&gt; 
    &lt;li&gt;British Retail Consortium&lt;/li&gt; 
    &lt;li&gt;The Technology Strategy Board&lt;/li&gt; 
    &lt;li&gt;The Engineering and Physical Sciences Research Council&lt;/li&gt; 
    &lt;li&gt;UK Trade and Investment &lt;/li&gt; 
    &lt;li&gt;Broadband Stakeholder Group&lt;/li&gt; 
    &lt;li&gt;International Telecommunications Union&lt;/li&gt; 
  &lt;/ul&gt; 
  &lt;p&gt;&lt;br /&gt;Now that’s a lot of organisations or subgroups! Another one of the problems I see is the lack of clear solutions to how they will educate the general public. It mentions quite frequently that 80% of the cybercrime today can be solved using antivirus/security software, keeping up to date with the news of cybercrime and being vigilant. It’s basically down to the individuals to do this – I think if the general public could follow this advice we wouldn’t be in the state we are in now! It mentions that by March 2012 they will have conducted research into how to educate people, including in higher education, but I don’t think they are doing or will do enough for the average middle-aged, non-tech-savvy person like my parents, who certainly aren’t going to get much out of the dull &lt;a target=&quot;_blank&quot; href=&quot;http://getsafeonline.org&quot;&gt;getsafeonline.org&lt;/a&gt; which is currently all that really exists.&lt;/p&gt; 
  &lt;p&gt;One of the things a speaker at yesterday’s conference said was that the paper lacks support for self-started schemes by businesses and academia. It has plenty of Government-funded initiatives, but doesn’t mention helping anything else. Businesses won’t use their own initiative if they don’t think they will get the support of the NCSP, and if the groups mentioned in the report are slow to collaborate then I see this proposal taking a very long time to get its feet off the ground.&lt;/p&gt;
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/thoughts-on-the-uk-cyber-security-strategy/</link>
	</item>
	<item>
	<title>Christmas Gift Wrapping</title>
    <description>
	27/11/2011 04:36PM
	&lt;p&gt;I usually make my Christmas present wrapping paper themed, and this year's is very homemade and red. They look really nice and are very simple to do (and quite cheap if you have lots of arts &amp;amp; crafts material lying around). &lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/xmas_gifts.jpg&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;My Christmas presents so far (I'm far too organised..)&lt;/span&gt;&lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/xmas_gift.jpg&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;A close-up of one of the presents.&lt;/span&gt;&lt;/p&gt; 
  &lt;p&gt;For the very basic wrap you will need brown packaging wrapping paper and red ribbon. I then accessorised mine by adding baker's twine (red and white string) with the red ribbon, and threading through a little wooden Christmas tree button. I added some red bobble-type things from Hobbycraft and stuck on some stencils of snowflakes using my snowflake cutter. Finally, I stamped the person's name on the gift rather than using traditional tags. &lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/xmas_materials.jpg&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;The materials you will need (top left to bottom): baker's twine, snowflake stencil punch, red &amp;amp; white tags, red bobble decoration things and wooden buttons&lt;/span&gt;&lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/xmas_stamps.jpg&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;My alphabet stamp set. I use the large ones for big presents, and the smaller stamps for small presents.&lt;/span&gt;&lt;/p&gt;
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/christmas-gift-wrapping/</link>
	</item>
	<item>
	<title>Kilimanjaro: Day 7</title>
    <description>
	16/10/2011 04:27PM
	&lt;p&gt;Day 7: Another 5 hour walk down to the Mweke gate. The path turned hideously muddy and steep downhill, so the pace was very slow so we wouldn’t fall over and get absolutely covered in mud. Going downhill was more painful than uphill; your knees, toes, thighs ache with every steep, slippery step. We saw a lot of cute monkeys with very bushy tails, called &lt;a href=&quot;http://en.wikipedia.org/wiki/Colobus&quot; target=&quot;_blank&quot;&gt;Colobus monkeys&lt;/a&gt;. &lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/colobusmonkey.jpg&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;Colobus monkey!&lt;/span&gt;&lt;/p&gt; 
  &lt;p&gt;Finally, after what seemed like an eternity – the gate appeared. Many locals were along the path collecting twigs, logs and leaves. We registered our departure with the gatekeepers and then waited for Silvano to arrange a bus back. We expected a small bus like the one that took us to the gate, but Silvano managed to find one hell of a Jeep which ended up bumpier than Mr Bump in a ball pen.&lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/mwekejeep.jpg&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;The ride back to the hotel.&lt;/span&gt;&lt;/p&gt; 
  &lt;p&gt;

It was sad leaving the beautiful mountain behind, but to be honest all I was thinking about was a nice hot lunch at the hotel, and more importantly, a hot shower. Due to being a bit late getting to the gate, we arrived at the hotel with only 30mins left for lunch, so had to eat immediately or risk not getting any food until 7pm. So we exhaustedly sat and ate the buffet looking like total wrecks. We were both covered in dirt, our hair not washed for 7 days (I hadn’t even taken out my plaits I’d done on day 1) and our clothes brown. We sat next to 4 female middle-aged Canadians who had permed hair, beautiful manicured pink nails and plenty of make-up. One looked horrified to see our appearances. After asking a few questions they told us they hired a porter to bring a portable toilet with them, and would “pay someone” to put up their tents as one had “a bad knee”. Hmm, not sure they really prepared for this. One even commented at dinner when I had had a shower that I looked “more normal now”. Geez, thanks old lady. &lt;/p&gt; 
  &lt;p&gt;

After a wonderful shower and a change into fresh clothes we sat out in the gardens and discussed tipping of the porters with Taryn and Lorena. The company gave out a guide to roughly what they should all get, and we ended up giving $200 each towards the tip. Silvano, Abell, the chef and the assistant chef Hatibo gathered together to hand over the tip, and discuss how we thought the trip went. This was awkward, us Brits don’t like sharing feedback so openly! In all honesty, they were amazing. The team were a great bunch of people and Silvano was especially helpful when I felt really quite ill. It was sad leaving, but I don’t think I’ll be back trying to get to the peak. Camping is not my strong point, and altitude sickness is really quite horrible. However, Tanzania is an amazing country. I would definitely go back to do a safari. &lt;/p&gt; 
  &lt;p&gt;Goodbye Kilimanjaro, asante sana kwa ukarimu wako!!&lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/kilifromafar.jpg&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;Kilimanjaro from the taxi ride back to the airport.&lt;/span&gt;&lt;/p&gt;
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/kilimanjaro:-day-7/</link>
	</item>
	<item>
	<title>Unicode making malware easier</title>
    <description>
	16/10/2011 04:09PM
	&lt;p&gt;I recently discovered a &lt;a href=&quot;http://www.fileformat.info/info/unicode/char/202e/index.htm&quot; target=&quot;_blank&quot;&gt;wonderful Unicode character&lt;/a&gt; called right-to-left override, which reverses the text that follows it. For example: &lt;span class=&quot;prefonts prespan&quot;&gt;print &amp;quot;Hello[U+202E]World&amp;quot;&lt;/span&gt;, produces the output: &lt;span class=&quot;prefonts prespan&quot;&gt;Hello dlroW&lt;/span&gt;. I'm not sure what legitimate reason you would have to use this Unicode character, but several blogs have warned that it can be used by malware writers to get people to click on files. Most people are wary that .exe files might be harmful, but extensions like JPG and other images are &lt;em&gt;generally&lt;/em&gt; not. You can 'trick' a user into thinking a file is a JPG by using this special Unicode character. If you named your malware executable &lt;span class=&quot;prefonts prespan&quot;&gt;ClickHer[U+202E]gpj.exe&lt;/span&gt; for example, you'd end up with a file called &lt;span class=&quot;prefonts prespan&quot;&gt;ClickHerexe.jpg&lt;/span&gt;.&lt;/p&gt; 
  &lt;p&gt;I had a go at making a simple executable (don't worry, it's just some ASCII art). In true malwaresque style, I have named it something enticing (see screenshot below). You can download the &lt;a href=&quot;/code/unicode_malware.py&quot;&gt;Python code to make the 'malware' here&lt;/a&gt;. Essentially I made a batch file, and then used &lt;a href=&quot;http://download.cnet.com/Bat-To-Exe-Converter/3000-2069_4-10555897.html&quot; target=&quot;_blank&quot;&gt;Bat To Exe Converter&lt;/a&gt; to change this into an exe file. I then opened this up in a hex editor, copied out the hex and then used Python to recreate the file with the dodgy name. I didn't have any luck just renaming the file; Windows was being awkward when I tried to paste in the Unicode character. I know this is a very roundabout way of doing it, but I learnt a bit about exe files and Python's hex capabilities. Python has a very easy way to convert pure hex into a file:&lt;/p&gt; 
  &lt;div style=&quot;background: none repeat scroll 0% 0% #f8f8f8;&quot; class=&quot;blockofcode&quot;&gt;
    &lt;pre style=&quot;line-height: 125%;&quot; class=&quot;prefonts&quot;&gt;&lt;span style=&quot;color: #008000; font-weight: bold&quot;&gt;import&lt;/span&gt; &lt;span style=&quot;color: #0000FF; font-weight: bold&quot;&gt;binascii&lt;/span&gt;
&lt;span style=&quot;color: #008000&quot;&gt;hex&lt;/span&gt; &lt;span style=&quot;color: #666666&quot;&gt;=&lt;/span&gt; &lt;span style=&quot;color: #BA2121&quot;&gt;'4D5A90'&lt;/span&gt; &lt;span style=&quot;color: #408080; font-style: italic&quot;&gt;# shrunk massively to be an example. &lt;/span&gt;
&lt;span style=&quot;color: #408080; font-style: italic&quot;&gt;# Note that the first two characters are 4D5A, which is MZ: the standard .exe header.&lt;/span&gt;

hb &lt;span style=&quot;color: #666666&quot;&gt;=&lt;/span&gt; binascii&lt;span style=&quot;color: #666666&quot;&gt;.&lt;/span&gt;a2b_hex(&lt;span style=&quot;color: #008000&quot;&gt;hex&lt;/span&gt;)
filename &lt;span style=&quot;color: #666666&quot;&gt;=&lt;/span&gt; &lt;span style=&quot;color: #BA2121&quot;&gt;u'EmmaWatsonS&lt;/span&gt;&lt;span style=&quot;color: #BB6622; font-weight: bold&quot;&gt;\u202E&lt;/span&gt;&lt;span style=&quot;color: #BA2121&quot;&gt;gpj.exe'&lt;/span&gt;	&lt;span style=&quot;color: #408080; font-style: italic&quot;&gt;# unicode characters in Python start with \u&lt;/span&gt;

&lt;span style=&quot;color: #008000; font-weight: bold&quot;&gt;with&lt;/span&gt; &lt;span style=&quot;color: #008000&quot;&gt;open&lt;/span&gt;(filename, &lt;span style=&quot;color: #BA2121&quot;&gt;'wb'&lt;/span&gt;) &lt;span style=&quot;color: #008000; font-weight: bold&quot;&gt;as&lt;/span&gt; malware:
    malware&lt;span style=&quot;color: #666666&quot;&gt;.&lt;/span&gt;write(hb) 
&lt;/pre&gt; 
  &lt;/div&gt; 
  &lt;p&gt; Note that Windows still thinks it is an application and not an image,
 so the tuned-in user should spot something is awry when the default 
icon is not of a JPG (and of course no mini preview of the image is 
available) but of an application.  &lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/malwareexample.png&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;Screenshot of my example executable disguised as a JPG.&lt;/span&gt;&lt;/p&gt; 
  &lt;p&gt;Further reading:&lt;/p&gt; 
  &lt;ul&gt; 
    &lt;li&gt; &lt;a href=&quot;http://blogs.technet.com/b/mmpc/archive/2011/08/10/can-we-believe-our-eyes.aspx&quot;&gt;http://blogs.technet.com/b/mmpc/archive/2011/08/10/can-we-believe-our-eyes.aspx&lt;/a&gt; &lt;/li&gt; 
    &lt;li&gt;&lt;a href=&quot;http://digiforensics.blogspot.com/2011/08/interesting-malware-trick.html&quot;&gt;http://digiforensics.blogspot.com/2011/08/interesting-malware-trick.html&lt;/a&gt;&lt;/li&gt; 
  &lt;/ul&gt; 
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/unicode-making-malware-easier/</link>
	</item>
	<item>
	<title>Kilimanjaro: Day 6</title>
    <description>
	09/10/2011 06:48PM
	&lt;p&gt;Day 6: Down to Mweke Gate. Since there was no longer a rush to get to the camps at a certain time, day 6 was much more relaxed. Taryn and Lorena slept on a bit, so we set off before them to Mweke camp.  My altitude sickness went away very quickly, I felt completely different to the day before. 

&lt;/p&gt; 
  &lt;p&gt;The walk was about 5 hours in total, and all the different types of landscape we’d seen over the last 5 days appeared at once since it was so steeply downhill. A few minutes after we set off the clouds came in and it became bitterly cold and windy. I can only compare it to the top of Ben Nevis on a &lt;a target=&quot;_blank&quot; href=&quot;http://www.urbandictionary.com/define.php?term=Dreich+%28Old+Scots+origin&quot;&gt;dreich&lt;/a&gt; day. Once they cleared we had already entered the alpine shrubbery moorlands, and after another few hours we were back into the jungle. &lt;/p&gt; 
  &lt;p&gt;Mweke was a massive camp – most of the routes take this route downhill, so it has to cater for a lot of people. The toilets again were horrific, so I went into the dense jungle behind them, where I found a beautiful &lt;a href=&quot;http://en.wikipedia.org/wiki/Red_hot_poker&quot; target=&quot;_blank&quot;&gt;red hot poker&lt;/a&gt;. Must be all that fertilizer around ;) &lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/redhotpoker.jpg&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;A Red Hot Poker&lt;/span&gt; &lt;/p&gt;
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/kilimanjaro:-day-6/</link>
	</item>
	<item>
	<title>Kilimanjaro: Day 5</title>
    <description>
	09/10/2011 06:01PM
	&lt;p&gt;Day 5: summit day. In the morning my nausea was worse, and managed just tea for breakfast. At this point I knew I wouldn’t be able to make the peak, so made it my challenge to reach the base camp, Barafu, 4633m. Although the walk here was only 4 hours – again to reach the camp by lunchtime – this was an exceptionally tough 4 hours. The start was almost rock climbing – scrambling up very steep rocks with hands. Being quite short, I needed quite a few pushes to get up some of them! Once the first steep part was done, it was fairly flat until the final steep hurdle to the base camp. Every step was harder for me as I was totally exhausted and still not eating much; I managed a piece of toast with peanut butter on it for snack, and some soup for lunch when we eventually got there. I think this was the only day that I didn’t enjoy myself.
&lt;/p&gt; 
  &lt;p&gt;Whilst eating lunch I noticed movement from under the food tent floor – and saw a small mouse scuttle from one side to the other, and then under the tarpaulin. Steven then came bounding in saying a mouse was in his bag and was munching a bag of open peanuts! Turns out to be a &lt;a target=&quot;_blank&quot; href=&quot;http://en.wikipedia.org/wiki/Four-Striped_Grass_Mouse&quot;&gt;four-striped grass mouse&lt;/a&gt;. Amazing considering the total lack of wildlife and vegetation up there!

&lt;/p&gt; 
  &lt;p&gt;Taryn and Lorena slept after lunch for a bit before having dinner and heading off at midnight to do the summit. They managed to get to the peak and returned around 9am. A lot of people didn’t go to the summit – Silvano reckoned about 20 people stayed at the camp that night. I read when we got back that the statistics that the tour providers give are usually vastly overestimated. Zara gave a 95% success rate, but realistically it’s more like 30% according to the records they keep at the camps. Although I’d’ve liked to get to the top I’m pretty proud of where I got to.
&lt;/p&gt; 
  &lt;p&gt;I slept on and off from about 3pm until the next morning when we set off down the mountain. Ironically the main thing that woke me was Silvano checking up on how I was...including him waking us up at 6am to tell us he’d wake us up at 7am instead (What kind of logic is that?!). 
Unfortunately both our cameras were dying at this point, and we didn’t get any decent photos at the camp. We brought along a solar powered battery charger, however that took all day to charge, so cameras were only ready the following day. &lt;/p&gt;
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/kilimanjaro:-day-5/</link>
	</item>
	<item>
	<title>Windows cookies</title>
    <description>
	28/09/2011 05:43PM
	&lt;p&gt;Windows released a &lt;a target=&quot;_blank&quot; href=&quot;http://support.microsoft.com/kb/2559049&quot;&gt;security update&lt;/a&gt; on the 9&lt;sup&gt;th&lt;/sup&gt; August which means that cookies are no longer stored in the usual &lt;span class=&quot;prefonts prespan&quot;&gt;&amp;lt;username&amp;gt;@&amp;lt;service&amp;gt;.txt&lt;/span&gt;, but are now a random set of 8 alphanumeric characters, e.g. &lt;span class=&quot;prefonts prespan&quot;&gt;A1B2C3D4.txt&lt;/span&gt;. It seems this has broken a lot of software, especially those that delete cookies as they probably rely on the fact that cookies had a very conventional naming method. Old cookies stay the same as you can see from the screenshot of my cookies folder below.&lt;/p&gt; 
  &lt;p class=&quot;centre&quot;&gt;&lt;img src=&quot;/images/blog/cookies.png&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;Screen shot of my cookies folder. The cookies now have a different naming convention.&lt;/span&gt;&lt;/p&gt; 
  &lt;p&gt;The change came about as a solution to a 'Drag and Drop Information Disclosure Vulnerability'. From the &lt;a href=&quot;http://technet.microsoft.com/en-us/security/bulletin/ms11-057#section32&quot; target=&quot;_blank&quot;&gt;Microsoft Security Bulletin page&lt;/a&gt;, this vulnerability means that:&lt;/p&gt; 
  &lt;p class=&quot;blockquote&quot;&gt; &lt;em&gt;An 
attacker could exploit the vulnerability by constructing a specially 
crafted Web page that could allow information disclosure if a user 
viewed the Web page and performed a drag-and-drop operation. An attacker
 who successfully exploited this vulnerability could gain access to 
cookie files stored in the local machine. &lt;br /&gt;&lt;br /&gt;The update addresses the vulnerability by modifying the way that 
Internet Explorer accesses files stored in the local machine and manages
 cookie files. This includes a change in the way that Internet Explorer 
sets file names for cookie files to help make cookie file names less 
predictable. &lt;/em&gt;&lt;/p&gt; 
  &lt;p&gt; Read more about the vulnerability &lt;a href=&quot;http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2383&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt;. So in terms of forensics, AFAIK nothing has changed in terms of the contents of the cookies, but some pieces of software might break when trying to identify them. &lt;/p&gt;
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/windows-cookies/</link>
	</item>
	<item>
	<title>Kilimanjaro: Day 4</title>
    <description>
	18/09/2011 01:40PM
	&lt;p&gt;Having opted for the 7 day route, we used 2 days to get to the base camp instead of 1. Normally today would be the day to reach Barafu camp at 4600m, however we went half way and stopped at Karanga camp at 3963m. Whilst again not being much higher than the previous camp, the walk started off with a steep climb, followed by flat/downhill to the camp. It was a short walk, so we arrived at the camp for lunch at 1.30pm. Other groups continued to Barafu – another 4 hours away. They would then do the summit (another 8 hours) this evening, followed by another 5 hours down the following day…21 hours of climbing in a 36 hour period. No thanks!
&lt;/p&gt;
  &lt;p&gt;In the morning I had woken up with terrible nausea and no appetite for breakfast - altitude sickness. I threw up, and then felt a bit better, but I could only manage the porridge for breakfast and no toast or fruit. As we climbed in the morning the nausea went away, but the headaches came back. 
I’m glad it was a short walk as lunch was difficult: I knew I had to eat to keep up my energy, but I was completely put off food. We had lots of glucose tablets with us, so I tried to eat those when I felt weak. &lt;/p&gt;
  &lt;p&gt;The view from the camp was amazing – looking up we had Kibo right next to us, and looking down we had wonderful cloud formations.&lt;/p&gt; 
&lt;p class=&quot;centre&quot;&gt;&lt;img width=&quot;550px&quot; src=&quot;/images/blog/karanga_clouds.jpg&quot; title=&quot;Clouds at Karanga camp&quot; alt=&quot;Clouds at Karanga camp&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;Clouds like waves of an ocean&lt;/span&gt;&lt;/p&gt; 

&lt;p class=&quot;centre&quot;&gt;&lt;img width=&quot;550px&quot; src=&quot;/images/blog/karanga_kibo.jpg&quot; title=&quot;The peak from Karanga&quot; alt=&quot;The peak&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;The Kibo peak&lt;/span&gt;&lt;/p&gt; 


&lt;p&gt;That afternoon was the first afternoon we had off for a while. Usually we’d only arrive at camp sites at 4-6pm and wash, eat and sleep. But now we had about 4 hours before dinner. It was perfect – warm, sunny and a beautiful view. I sat with my Kindle and mug of tea and read. The sunset was beautiful too – you could just see &lt;a href=&quot;http://en.wikipedia.org/wiki/Mount_Meru_%28Tanzania%29&quot; target=&quot;_blank&quot;&gt;Mount Meru&lt;/a&gt; (a smaller sister volcanic mountain – 4566m) popping up from the clouds. The night sky was always just unbelievable. I’d never been in a place with no artificial light at all, and the amount of stars and the Milky Way was just breathtaking. &lt;/p&gt;
&lt;p class=&quot;centre&quot;&gt;&lt;img height=&quot;550px&quot; src=&quot;/images/blog/karanga_relax.jpg&quot; title=&quot;Relaxing at Karanga camp&quot; alt=&quot;relaxing at Karanga camp&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;Me relaxing at Karanga camp&lt;/span&gt;&lt;/p&gt; 

&lt;p class=&quot;centre&quot;&gt;&lt;img width=&quot;550px&quot; src=&quot;/images/blog/karanga_sunset.jpg&quot; title=&quot;The sunset and Mount Meru&quot; alt=&quot;Sunset and Mount Meru&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;The sun setting near Mount Meru&lt;/span&gt;&lt;/p&gt; 
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/kilimanjaro:-day-4/</link>
	</item>
	<item>
	<title>Kilimanjaro: Day 3</title>
    <description>
	18/09/2011 12:55PM
	&lt;p&gt;Day 3 and when we opened up the tent, we found a scary vulture-raptor staring at us. Despite being told they were only big &lt;a href=&quot;http://en.wikipedia.org/wiki/White-necked_Raven&quot; target=&quot;_blank&quot;&gt;white-necked ravens&lt;/a&gt;, these were quite intimidating with their massive beaks. Later on in the day, when we had a snack break, Taryn managed to coo one of the ravens over, and had a 10 minute conversation of crowing and hooting, much to the amusement of our guides, who by now thought we were already a rather strange group of people. 
&lt;/p&gt;
  &lt;p class=&quot;centre&quot;&gt;&lt;img height=&quot;550px&quot; src=&quot;/images/blog/whitenecked_raven.JPG&quot; title=&quot;White-necked Raven&quot; alt=&quot;white-necked raven outside tent&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;White-necked Raven outside our tent in the morning&lt;/span&gt;
&lt;/p&gt;
  &lt;p&gt;Our walk today was to Barranco camp at 3950m. Although this is only 150m higher than where we were at Shira camp, we went via the Lava tower at 4620m. This is an excellent way to acclimatize – higher during the day, and sleep lower at night. Lava tower was very impressive, a massive tower made from lava which has now turned to black stone. The moorland was no more (haha!), and the higher we went up to the Lava tower, the rockier it got. The rocks were surprisingly varied – lots of black lava rocks, massive boulders that had been moved by previous glaciers, and shale. I started getting altitude headaches at about 4200m, but painkillers helped and once we got to the Lava tower it was just a dull ache rather than feeling like my brain was in a vice and being slowly squeezed. 
&lt;/p&gt;
&lt;p class=&quot;centre&quot;&gt;&lt;img height=&quot;550px&quot; src=&quot;/images/blog/lava_tower.JPG&quot; title=&quot;Lava Tower&quot; alt=&quot;Lava tower&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;The Lava tower at 4620m&lt;/span&gt;&lt;/p&gt; 
  &lt;p&gt;When descending from the Lava tower it snowed very lightly and briefly, and the landscape changed again to incredibly weird trees, &lt;a href=&quot;http://en.wikipedia.org/wiki/Senecio_kilimanjari&quot; target=&quot;_blank&quot;&gt;Senecio kilimanjari&lt;/a&gt; - named so as they are totally unique to the mountain. They looked like pineapples that had their main part turned into the trunk of a tree. We also got a lot of streams and mini waterfalls. The headache never really went away fully until after dinner, but despite being told that high altitude affects your sleep, I slept like a baby every night. The only problem was the huge amounts of water I drank. Water is very good to help with altitude sickness, so we were advised to drink as much as possible. This of course meant we stopped for a toilet break every 30 minutes. This was especially awkward at night time, as it got much colder than at Machame camp – probably down to -5°. Getting out of your comfortable and warm sleeping bag to go outside and pee was one of the worst parts of the trip. Luckily I had a &lt;a href=&quot;http://en.wikipedia.org/wiki/Female_urination_device&quot; target=&quot;_blank&quot;&gt;female urination device&lt;/a&gt; (basically a funnel so you can pee standing up like a man) so didn’t need to expose my arse to the freezing conditions. &lt;/p&gt;

&lt;p class=&quot;centre&quot;&gt;&lt;img height=&quot;550px&quot; src=&quot;/images/blog/lava_tower_trees.JPG&quot; title=&quot;Senecio kilimanjari&quot; alt=&quot;Crazy pineapple like trees&quot; /&gt;&lt;br /&gt;&lt;span class=&quot;small&quot;&gt;Crazy pineapple-like trees - Senecio kilimanjari&lt;/span&gt;&lt;/p&gt; 
	</description>
	<link>http://www.lowmanio.co.uk/blog/entries/kilimanjaro:-day-3/</link>
	</item>
</channel>
</rss>
