﻿<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
	<title>Computer Forensics Blog</title>
	<updated>2010-03-12T06:25:44Z</updated>
	<id>http://blog.computerforensicsblog.com/atom.aspx</id>
	<link href="http://blog.computerforensicsblog.com/atom.aspx" rel="self" type="application/rss+xml" />
	<link href="http://blog.computerforensicsblog.com" rel="alternate" type="application/rss+xml" />
	<generator uri="http://app.onlinequickblog.com/" version="2.0">Quick Blogcast</generator>
	<entry>
		<title>Secure Flash Drives Hacked</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2010/01/06/secure-flash-drives-hacked.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2010-01-06:2e314f34-6f64-474e-8dd1-066cd57bbad4</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="hacking" />
		<category term="flash drives" />
		<category term="AES" />
		<updated>2010-01-06T21:24:00Z</updated>
		<published>2010-01-06T21:24:00Z</published>
		<content type="html">&lt;div&gt;&lt;span style="font-size: medium;"&gt;You would think that AES 256-bit hardware encryption would be pretty secure, especially if it met NIST standards for sensitive data. But you'd be wrong, especially if you had USB flash drives made by Verbatim, SanDisk, or Kingston.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;SySS GmbH, a German company specializing in security issues including penetration testing and IT forensics, announced that it has cracked the hardware-based encryption resident on flash drives from the aforementioned manufacturers. Although the data is encrypted, SySS discovered that it is a simple matter to bypass the need to even enter a password. Under normal circumstances, when a user enters the correct password, the drive's authentication program passes a character string to decrypt the data. Unfortunately, the string is always the same, regardless of the user's password. SySS wrote a program that will always send the enabling string to the drive, making the encryption scheme more or less useless.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;As an aside, "AES" stands for Advanced Encryption Standard and was announced by the National Institute of Standards and Technology (NIST) at the end of 2001. In 2003, the US Government announced that AES was strong enough to be used for protecting classified info up to SECRET level as long as the key was either 182 bits or 256 bits.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;Kingston has issued a recall of their affected drives (not all of their secure USB drives are susceptible to the announced hack). 
Verbatim has made a couple of updates available (which run only on Windows 2000 SP4, Server 2003, XP SP1, SP2, and Vista) that are intended to address the issue on susceptible drives it has made. SanDisk has also made an update available for its affected devices.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;Nonetheless, one might wonder how much classified or otherwise sensitive data is and will continue to be floating around on USB sticks previously thought to be secure that can now be easily accessed through means like the one written by SySS.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;You may read more &lt;/span&gt;&lt;font&gt;&lt;a href="http://blogs.zdnet.com/hardware/?p=6655&amp;amp;tag=nl.e589" target="_blank"&gt;&lt;span style="font-size: medium;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;/font&gt;&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>What's the Future of Computer Forensics?</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/12/11/whats-the-future-of-computer-forensics.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-12-11:69c48cd2-0666-4ccf-be7e-66f1a2edd6b8</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="computer forensics" />
		<updated>2009-12-12T01:58:00Z</updated>
		<published>2009-12-12T01:58:00Z</published>
		<content type="html">&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;A student asked me an interesting question today, regarding what I foresee in the field of computer forensics in the coming years: 5, 10, &amp;amp; 50. Here's the question, my answer - and, dear reader, I’d love to hear your comments.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Mr. Burgess,&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;I would like to thank you again for taking the time to speak with me.&amp;nbsp; I would like to ask you another question if you don't mind, it is regarding the future challenges and/or issues in the field of computer forensics.&amp;nbsp; In your expert opinion, how do you see it 5, 10, and 50 years from now?&amp;nbsp; I am looking forward to your response.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;strong&gt;&lt;em&gt;&lt;br&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;strong&gt;&lt;em&gt;&lt;span style="font-size: medium;"&gt;My response:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;An interesting question!&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 
medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;First, let me say that I don't have an expert opinion about the future, just a personal and educated one. In my profession, I can only really have an expert opinion about stuff I've worked on and so can't have one about the future until I get my time machine fixed!&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;As for 5 years from now, I see three things continuing to advance at a rapid clip:&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;strong&gt;&lt;br&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;strong&gt;&lt;span style="font-size: medium;"&gt;1: Hardware &lt;/span&gt;&lt;/strong&gt;&lt;span style="font-size: medium;"&gt;- The size of storage media &amp;amp; memory and the speed of processors. &lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;I expect that in 5 years, computers will come standard with 5TB or more of storage and that portable media like flash drives will carry something like 250GB of data - what the average hard drive was holding one or two years ago. In 5 years, computers will probably be 7 or 8 times faster. 
So these things will hold lots and lots more data and people will fill them up with lots &amp;amp; lots more data. Therefore, each computer forensics job will require sorting through and analyzing many times more data than today.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;strong&gt;&lt;br&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;strong&gt;&lt;span style="font-size: medium;"&gt;2: Computer Forensic Tool&lt;/span&gt;&lt;/strong&gt;&lt;span style="font-size: medium;"&gt;s - The capabilities, automated nature and cost of computer forensic tools.&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;I expect that in 5 years, computer forensic tools will be about 5 times as fast, and twice as sophisticated. That means that even with all the additional data, the average, non-automated job will take about the same effort as it does now. &lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;However, a lot of automated tools for collection and initial processing are starting to be released. These tools can be used by less-trained people, so it may be that data collection and preliminary processing will be faster due to automation. 
&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;I expect that the cost of computer forensic tools will not go down in relative terms. However, more Open Source forensic tools will be available for free for those willing to learn to use them.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;strong&gt;&lt;br&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;strong&gt;&lt;span style="font-size: medium;"&gt;3: Bad guys&lt;/span&gt;&lt;/strong&gt;&lt;span style="font-size: medium;"&gt; - Anti-forensics tools &amp;amp; schemes, sophistication of hackers&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;There's always a race between how harmful software and cyber-marauders can be and the defenses against them. There is also software constantly being developed to stump investigation by erasing or scrambling traces of wrongdoing. This trend will continue to accelerate and there will continue to be an uneasy balance between the two sides, with lots of collateral damage. 
In most cases, people will continue to forget to hide or cover all of their tracks and there will still usually be evidence to find.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;strong&gt;&lt;br&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;strong&gt;&lt;span style="font-size: medium;"&gt;Ten Years.&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;T&lt;/span&gt;&lt;span style="font-size: medium;"&gt;e&lt;/span&gt;&lt;span style="font-size: medium;"&gt;n&lt;/span&gt;&lt;span style="font-size: medium;"&gt; years from now is much harder to predict.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;The field itself is not too much older than that.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Everything I said for the 5-year time frame will continue to be somewhat true.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Tiny storage devices weighing an ounce will hold multiple Terabytes of data; hard drives or their replacements will hold Petabytes and both kinds of devices will be very affordable.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span 
style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Computers themselves may be quite different than what we are used to, will probably understand human speech well and will probably be quite intelligent, speeding up the ability to use them.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Because computers will be so smart, the role of the computer forensics examiner may change. Testifying experts will need to have an even more sophisticated knowledge of the software /hardware /wetware interactions and may have to specialize further.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Malware may have gotten the upper hand by then, or may not have - it is very hard to say.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;strong&gt;&lt;br&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;strong&gt;&lt;span style="font-size: medium;"&gt;Fifty Years.&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Just about impossible for me to say sitting where I am right now. Computers will be much smarter than humans by then. 
If human computer forensics experts still testify in court, they'll be computer augmented, but then again, we probably all will be.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Whatever replaces hard drives on your local device (if we have local devices) will store half a Zettabyte or more. We'll be carrying around 5 Exabytes in our pockets or dental fillings. That's if all storage isn't in the Cloud and is essentially unlimited. Although from where I sit, a Petabyte seems pretty limitless.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Fifty years from now, our adversarial legal system may not have changed much. On the other hand the capabilities of humans, computers, and hybrids of the two may be near unrecognizable, but still inevitable.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Best Regards,&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black"&gt;&lt;span style="font-size: medium;"&gt;Steve Burgess&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;!--EndFragment--&gt;</content>
	</entry>
	<entry>
		<title>Are You Being Cyber-Stalked...by the Feds?</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/12/10/are-you-being-cyberstalkedby-the-feds.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-12-10:6bcca7ad-ae0b-4027-be92-d3c11f2af910</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="cyberstalking" />
		<updated>2009-12-11T01:39:00Z</updated>
		<published>2009-12-11T01:39:00Z</published>
		<content type="html">&lt;div&gt;&lt;span style="font-size: medium;"&gt;The Electronic Frontier Foundation (EFF) of San Francisco wants to know how government agencies are using data they have been collecting through social networking sites. Along with Samuelson Clinic at UC Berkeley (Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley, School of Law) the EFF has filed suit against the DOD, the CIA, the DOJ, Homeland Security, and the Office of the Director of National Intelligence. The action has been brought after requests through the Freedom of Information Act (FOIA) went unfulfilled, and was filed December 1, 2009.&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;The EFF points out that government use of information gathered from social networking sites has appeared in the news more and more of late. The FOIA suit wants to find out how the government uses private data that it collects on individuals through Facebook and other social networking sites and requests eight classes of documents. The suit was filed when government agencies were asked, through FOIA requests, how the aforementioned agencies were using such data. The documents requested included those describing how the government may instruct investigators to use fake identities, and other guides, manuals or instructions that the agencies provide for means of collecting data from social networking sites. The EFF says that said agencies did not respond to the requests.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;From the filing: "Plaintiff Electronic Frontier Foundation is a not-for-profit corporation ... 
donor-supported membership organization that works to inform policymakers and the public about civil liberties issues related to technology, and to act as a defender of those liberties. In support of its mission, EFF uses the FOIA to obtain and disseminate information concerning the activities of federal agencies."&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;The suit specifically references several news stories, including the AP story, "&lt;font&gt;&lt;a href="http://abcnews.go.com/print?id=8820934" target="_blank"&gt;Fraud Fugitive Busted After Unwise Friend Request&lt;/a&gt;&lt;/font&gt;,"&amp;nbsp;a Wired Magazine story, "&lt;font&gt;&lt;a href="http://www.wired.com/threatlevel/2009/10/swartz-fbi/" target="_blank"&gt;FBI Investigated Coder for Liberating Paywalled Court Records&lt;/a&gt;,&lt;/font&gt;"&amp;nbsp;a NY Times story &amp;nbsp;"&lt;font&gt;&lt;font&gt;&lt;a href="http://www.nytimes.com/2009/10/05/nyregion/05txt.html" target="_blank"&gt;A&lt;font&gt;rrest Puts Focus on Protesters’ Texting&lt;/font&gt;&lt;/a&gt;&lt;/font&gt;,&lt;/font&gt;"&amp;nbsp;and others as evidence that government agencies are using social networking to conduct surveillance.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;The full complaint is &lt;font&gt;&lt;a href="http://www.eff.org/files/filenode/social_network/social_networking_FOIA_complaint_final.pdf" target="_blank"&gt;here&lt;/a&gt;&lt;/font&gt;, as a PDF.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>Still more Sarah Palin "Hacker" news</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/12/09/still-more-sarah-palin-hacker-news.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-12-09:f3827a09-e4c1-4ca2-87e5-19554325c2fe</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="malware" />
		<category term="Sarah Palin" />
		<category term="hackers" />
		<updated>2009-12-09T23:23:00Z</updated>
		<published>2009-12-09T23:23:00Z</published>
		<content type="html">&lt;div&gt;&lt;span style="font-size: medium;"&gt;The latest defense for the individual charged with accessing Sarah Palin's email account in 2008 seems to be that he didn't do it; someone else planted a Trojan Horse on the computer and, remotely accessing the defendant's computer, did the dirty work from some place else. This, they say, is what made the defendant, David Kernell, look like the guilty party. Lawyers for the 21-year-old son of a Tennessee State representative are approaching the case from multiple directions, but this is the first one that claims malware, not the student, is to blame.&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;In 2008 the FBI seized an Acer laptop from Kernell's apartment. The attorneys' filing says that "The program, which was installed by an unknown method before the computer ever came into Mr. Kernell's possession, uses sophisticated technology to record and report personal information without the user's knowledge." They state that the software has been isolated and identified. The name of the software has not been disclosed publicly, ostensibly in order to protect personal information.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;The case revolves around an incident in September 2008 wherein Palin's personal email account was compromised, its contents posted on the Internet at the 4chan forum, and its password changed to "popcorn." The compromiser, whose 4chan handle was "Rubico," then posted a mea culpa of sorts on the web, saying he didn't quite realize the seriousness of his act until it was done. His note said he was particularly worried because he hid behind only one proxy server. 
He posted a screenshot of Palin's email account that revealed part of the URL of the proxy/anonymizer service, Ctunnel.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;Bloggers connected Rubico - &amp;nbsp;the poster of the guilty note - to an email address belonging to Kernell, and made that information public. He said that 45 minutes worth of research online &amp;amp; a few guesses was enough to allow him to get past Yahoo's evidently weak security. It is at least weak for public figures who have relevant personal info all over the web, such as the 3 pieces of data Rubico used: Palin's birth date, zipcode, and where she met Todd. The owner of the Ctunnel service has cooperated with the FBI, saving and presumably revealing relevant portions of the service's traffic logs.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;Defense moves have included the idea that Palin's emails were public record, that a felony charge was inappropriate for a misdemeanor offense, that use of the terms like "hacker" and "hack" would be prejudicial to the jury as the guesses made to access the emails required no sophisticated computer skill, and most recently that Kernell didn't do it anyway - it was an &lt;/span&gt;&lt;em&gt;&lt;span style="font-size: medium;"&gt;actual&lt;/span&gt;&lt;/em&gt;&lt;span style="font-size: medium;"&gt; hacker using Kernell's computer via a Trojan.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;The trial date has been moved to April 2010.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>Microsoft denies update causes black screen of death</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/12/03/microsoft-denies-update-causes-black-screen-of-death.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-12-03:a0011fe1-238f-4187-97e7-433a6f3aaa20</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="black screen of death" />
		<category term="Microsoft" />
		<category term="data recovery" />
		<updated>2009-12-03T20:01:00Z</updated>
		<published>2009-12-03T20:01:00Z</published>
		<content type="html">&lt;div&gt;&lt;span style="font-size: medium;"&gt;In rapid succession, Microsoft was accused of, then denied &amp;amp; is now investigating a "Black screen of death" (BlSoD) purported to have been caused by recent security updates and reportedly has been affecting at least Windows versions XP, Vista and 7 since the November 10 Windows security update. Microsoft now suggests that customers "test and deploy" the November security updates. Got that, all you end users with your personal IT departments at your beck and call?&amp;nbsp;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;Note that the "Black Screen of Death" is not the same as the classic BSOD or Blue Screen of Death, which results from a plethora of other causes.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;A British security firm, Prevx, describes the symptoms: "After logging on there is no desktop, task bar, system tray or sidebar. Instead you are left with a totally black screen and a single My Computer Explorer window." Prevx said that a variety of conditions have caused this symptom over the years but initially said that the most recent is caused by changes in how Windows registry keys are handled.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;Prevx has retracted its statement that this recent black screen was caused by Windows security updates KB976098 and KB915597. Prevx is offering a free tool on its blog that it says will fix some of the affected systems. 
Microsoft says it suspects that some form of malware is to blame for the BlSoD.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;Prevx's blog page for the fix is &lt;/span&gt;&lt;a href="http://www.prevx.com/blog/140/Black-Screen-woes-could-affect-millions-on-Windows--Vista-and-XP.html" target="_blank"&gt;&lt;span style="font-size: medium;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: medium;"&gt;.&lt;/span&gt;&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>Spyware, Viruses and now...RansomWare!</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/11/30/spyware-viruses-and-nowransomware.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-11-30:91a5c6b7-9e37-4b34-a4ab-37c1dc14ab8e</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="Spyware" />
		<category term="Ransomware" />
		<category term="Virus" />
		<updated>2009-12-01T06:07:00Z</updated>
		<published>2009-12-01T06:07:00Z</published>
		<content type="html">&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;span style="font-size: medium;"&gt;As if regular viruses were not enough, hackers are now literally holding their victims' data hostage. Ransomware works by encrypting the user's data and then demanding payment to provide the decryption key. &lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;o:p&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;The latest, which CA, Inc calls "Win32/RansomSMS.AH," is bundled inside an application called "uFast Download Manager." CA announced the discovery of the hack on November 30, 2009. The bundled software installs itself without input by the user and springs a message on the unsuspecting victim. The uninstaller included with the Ransomware does not function. The message appears in a semi-opaque window and is in Russian. 
The approximate English translation reads: &lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;o:p&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;Internet access is blocked due to violation of the&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;license agreement schedules of uFast Download Manager&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;You must activate your copy&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;o:p&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;Get a registration code by sending an SMS with the following&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: 
medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;code fw0004199 to number 7122&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/font&gt;&lt;font&gt;&lt;span style="font-size: medium;"&gt;&lt;span style="font-family: Arial; "&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp; &amp;nbsp;In response you will receive an activation message.&lt;br&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;o:p&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;Enter the activation message received from the SMS response&amp;nbsp; ________&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;o:p&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;CA has made available an activation code that unencrypts the affected user files.&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;o:p&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span 
style="font-size: medium;"&gt;Earlier this year Kaspersky Labs identified similar ransomware, called "Gpcode.ak". This nasty malware performs 1024-bit encryption on the user's data and demands money for the decryption code. It adds the extension "._CRYPT" to the affected files, and puts a text file named "!_READ_ME_!.txt " in the same folder as the encrypted user files. The readme file includes the following text:&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;o:p&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;Your files are encrypted with RSA-1024 algorithm.&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;To recovery your files you need to buy our decryptor.&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;To buy decrypting tool contact us at: ********@yahoo.com&lt;/span&gt;&lt;span style="font-size: medium;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; "&gt;&lt;o:p&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;font&gt;&lt;span style="font-family: Arial; 
"&gt;&lt;span style="font-size: medium;"&gt;A previous version of Gpcode was released two years before. It sported 660-bit encryption. This earlier version's encryption has been cracked, but the more recent 1024-bit encryption scheme apparently has not been. Fortunately, the "ak" version of Gpcode makes a copy of the file, encrypts it, then deletes the original file. The unencrypted but deleted files may be recoverable.&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;</content>
	</entry>
	<entry>
		<title>3rd iPhone botnet malware making zombies in the wild</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/11/23/3rd-iphone-botnet-malware-making-zombies-in-the-wild.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-11-23:765f2d04-870d-4d21-8446-39cfeb43c4af</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="iPhone" />
		<category term="botnet" />
		<category term="computer security" />
		<updated>2009-11-24T01:07:00Z</updated>
		<published>2009-11-24T01:07:00Z</published>
		<content type="html">&lt;div&gt;&lt;span style="font-size: medium;"&gt;A worm has been discovered that gives the hacker complete access to the victim's iPhone. While it is the third such attack discovered, it is the first one that does damage. The new worm will offer the hacker any user data on the phone - photos, memos with other passwords, calendars, contacts and more.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;Security firm Intego, the apparent discoverer of this worm, calls it the "iPhone/Privacy.A Virus." The address ranges this worm can affect are for ISPs in Australia, Hungary, the Netherlands and Portugal.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;iPhones that are not jailbroken are not currently susceptible to this attack. Jailbroken iPhones are not susceptible if the default SSH password has been changed or if SSH is not installed on the phone.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;SSH stands for Secure Shell (or sometimes Secure Sockets Shell) and is a program that allows two remote devices on a network (such as an iPhone and a computer) to exchange data. 
It's generally designed to make the exchange of data more secure and is commonly used by system administrators to remotely control servers.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;A "jailbroken" iPhone is one that has been modified by the user to allow cell phone providers other than the authorized AT&amp;amp;T to be activated on the phone.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;A botnet is a series of Internet-connected devices that can be used, usually without the owner's knowledge, to send spam, viruses or other malware, or in other attacks; a device used this way is commonly known as a "zombie".&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;While not a current worry to those whose phones are not jailbroken, who are in the US, UK, or other countries not as yet affected, or who have remembered to change the default SSH password on their jailbroken phones, it can be highly damaging to those susceptible to the worm.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;&lt;br&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: medium;"&gt;Other exploits for a wider range of iPhones are surely just around the corner.&lt;/span&gt;&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>Health Net loses medical records of 1.5 million customers</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/11/20/health-net-loses-medical-records-of-15-million-customers.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-11-20:1c71ec86-28e9-455f-87a6-8cfa5e51cae0</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="computer forensics" />
		<category term="data loss" />
		<updated>2009-11-20T20:42:00Z</updated>
		<published>2009-11-20T20:42:00Z</published>
		<content type="html">&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span&gt;&lt;span style="COLOR: #40ADB9"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span&gt;&lt;span style="COLOR: #020B0F"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span style="font-size: small;"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span style="font-size: medium;"&gt;Health Net, a $15 billion health insurance company with more than six and a half million clients, somehow let data for more than 20% of that number slip from its control about six months ago - possibly in May, 2009 - and only informed the government and the public about it this week.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span style="font-size: medium;"&gt;A portable external hard disk in Health Net's Northeast HQ in Connecticut seems to have disappeared about six months ago. The company opted not to inform those potentially affected while it performed an internal review and conducted computer forensic reviews in order to find out what might have been on the missing hard drive.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span style="font-size: medium;"&gt;What they discovered was that information including Social Security numbers, medical records and health information for about 1.5 million customers from Arizona, Connecticut, New Jersey and New York was on the drive. The data was in the form of images and was not encrypted. 
It went unmentioned whether the images included photographic images of clients, x-rays, or simply imaged text or other such data. The data apparently dates from 2002 to May 2009.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span style="font-size: medium;"&gt;Connecticut's Attorney General Richard Blumenthal said, "Health Net's incomprehensible foot-dragging demonstrates shocking disregard for patients' financial security, as well as loss of their highly sensitive and confidential personal health information." AG Blumenthal and CT Insurance Commissioner Thomas Sullivan are both planning investigations into the incident and why it took so long for Health Net to come forth with the information.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span style="font-size: medium;"&gt;Sullivan is requiring the insurance company to contract for credit protection services for the affected customers. Health Net has hired Debix to provide these services for a period of two years. Health Net is now in the process of sending letters to affected customers.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span style="font-size: medium;"&gt;It is notable that multiple articles on the subject report that Health Net's spokespeople say that the data is "in an image format that cannot be read without special software". They do not mention to what special software they are referring. 
The author notes that Microsoft Word documents, for instance, are also in a format that requires special software (most any word processing program) to read them.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;&lt;span style="font-size: medium;"&gt;Health Net's statement is &lt;/span&gt;&lt;font&gt;&lt;a href="http://healthnet.tekgroup.com/press_kits.cfm?presskit_id=13" target="_blank"&gt;&lt;span style="font-size: medium;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;/font&gt;&lt;span style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;and you may read more on the story &lt;/span&gt;&lt;font&gt;&lt;a href="http://www.courant.com/health/hc-healthbreach1119.artnov19,0,1798384.story" target="_blank"&gt;&lt;span style="font-size: medium;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: medium;"&gt;.&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; color: #292727"&gt;&lt;span&gt;&lt;/span&gt;&lt;/p&gt;</content>
	</entry>
	<entry>
		<title>Pennsylvania sets out considerations for balance in E-Discovery Requests</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/11/19/pennsylvania-sets-out-considerations-for-balance-in-ediscovery-requests.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-11-19:222b38f3-ffe6-4c3b-a17d-f5b0eade70b2</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="e-discovery" />
		<category term="Rules of Civil Procedure" />
		<updated>2009-11-19T19:29:00Z</updated>
		<published>2009-11-19T19:29:00Z</published>
		<content type="html">&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;While there are fairly clear rules governing electronic discovery in federal civil cases, not all states have set out such guidance in their own rules of civil procedure. Pennsylvania has gotten closer with findings in the case of Brooks v. Fratroll.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;Plaintiff bought a $37,500 classic car through a website operated by the defendant. The plaintiff alleged that the car's Vehicle Identification Number (VIN) had been forged and demanded access to a broad range of electronically stored information (ESI).&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;Pennsylvania civil law has little guidance on cases involving electronic evidence. The Judge in the case, Common Pleas Judge Bradford H. Charles, set forth five factors to guide decisions for ESI discovery requests. His findings will likely act as precedent in future PA civil cases.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;Those five factors are:&amp;nbsp;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;1) The scope of the request: are the requests too broad? In this case, the court found the ESI discovery requests to be overly broad as they included all metadata, all internet queries/transmissions/website/auction sites, all deleted files and all stored files.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;2) Confidentiality/privacy: are there legitimate interests in maintaining privacy? The court found that the defendant's business documents unrelated to the case and personal communications ought to be allowed to remain private.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;3) History of discovery: has the producing party given an adequate response to previous discovery requests? 
The court found that the defendant had not been adequately responsive.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;4) Costs: would the producing party's costs be inordinately expensive? The court found that the defendant would have to hire an expert of its own.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;5) The type of case involved. This case, being a fraud case, suggested that plaintiff should have access to metadata, presumably in order to allow authentication - or demonstrate falsification - of the documents and materials produced.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;Given the balance of factors in favor of and against allowing the discovery requested, the judge told the plaintiff to come back with a more focused request.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 17.0px 0.0px; font: 17.0px Arial"&gt;You can read more about the case &lt;font&gt;&lt;a href="http://www.mondaq.com/unitedstates/article.asp?articleid=89532" target="_blank"&gt;here&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;</content>
	</entry>
	<entry>
		<title>Landmark NY Case: E-Discovery Sanctions</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/11/17/landmark-ny-case-ediscovery-sanctions.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-11-17:b8e9a142-d1c5-4655-913e-0cf939e415a6</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="e-discovery" />
		<updated>2009-11-17T18:39:00Z</updated>
		<published>2009-11-17T18:39:00Z</published>
		<content type="html">&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;The New York State Supreme Court has sanctioned a real estate brokerage firm, The Corcoran Group, for willfully providing misleading information to a Brooklyn couple along the way to buying a $1.3 million apartment with many defects, and then damaging and/or failing to protect email evidence.&lt;/p&gt;&lt;br&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;The couple, parents of two young children, was forced to move out of the apartment when it had severe flooding after each rainstorm. Mold in the rec room ensued. The couple is suing Corcoran for $5 million.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;The violations Corcoran, its IT Director and its lawyers were charged with included failing to stop routine document destruction, failure to produce potentially damaging electronically stored information (ESI), and failure of counsel to tell&amp;nbsp;Corcoran to stop deleting relevant ESI. 
Adding to the malfeasance, Corcoran preserved emails that were helpful to its case while destroying those that were damaging.&lt;/p&gt;&lt;br&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;Court sanctions include informing the jury that its members could reasonably conclude that "at least some of the deleted e-mails were relevant to this litigation and favorable to the Plaintiffs", that at least one open house was canceled by the brokers due to heavy rain, and that plaintiffs were entitled to costs associated with reviewing the hard disks containing the evidence and fees for counsel to investigate and bring motions in favor of the sanctions and additional discovery. These fees were estimated by Jay B. Itkowitz, of prevailing law firm Itkowitz &amp;amp; Harwood, at about $100,000.&lt;/p&gt;&lt;br&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&amp;nbsp;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;Manhattan Supreme Court Justice Charles E. Ramos noted that state courts in New York had not until now addressed attorney and party obligations to preserve ESI evidence, making this a landmark case for New York. 
The author notes that the Southern District has addressed such concerns and such guidance has made it into the Federal Rules of Civil Procedure (FRCP).&lt;/p&gt;&lt;br&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;The short version: even before the case is finished, the judge awarded about $100,000 in costs to the plaintiff &amp;amp; informed the jury in advance of its decision about what bad guys the defendants are.&lt;/p&gt;&lt;br&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;The moral? Spoil electronic evidence - pay substantial consequences.&lt;/p&gt;&lt;br&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;span&gt;&lt;span style="COLOR: #010A0D"&gt;&lt;p style="margin: 0.0px 0.0px 12.0px 0.0px; font: 12.0px Verdana; color: #333333"&gt;&lt;/p&gt;&lt;p style="outline-style: none; outline-width: initial; outline-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 12px/normal Verdana; "&gt;Read more about it&amp;nbsp;&lt;a href="http://www.nydailynews.com/real_estate/2009/11/17/2009-11-17_email_shows_couples_suit_vs_realtor_holds_water_judge_says.html" target="_blank" style="outline-style: none; outline-width: initial; outline-color: initial; "&gt;here&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="http://www.law.com/jsp/article.jsp?id=1202435534305&amp;amp;rss=newswire" target="_blank" style="outline-style: none; outline-width: initial; outline-color: initial; 
"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana; min-height: 15.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana; min-height: 15.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Verdana"&gt;&lt;/p&gt;</content>
	</entry>
	<entry>
		<title>Firms Bringing E-Discovery In-House</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/11/16/firms-bringing-ediscovery-inhouse.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-11-16:649cc059-a272-4060-9168-73efbf847b7f</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="e-discovery" />
		<updated>2009-11-16T19:48:00Z</updated>
		<published>2009-11-16T19:48:00Z</published>
		<content type="html">&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;Almost 80% of respondents reported that 2009 brought more lawsuits and regulatory inquiries than the year previous, and most believe that 2010 will see another 20% increase in such actions. Possibly as a result, nearly half are in the process of bringing at least part of e-discovery in-house and a third will be doing so within the coming year. This is according to a study&lt;span style="font: 12.0px Arial"&gt; entitled "Trends in Electronic Discovery: A Market Perspective,"&lt;/span&gt; performed by the &lt;span style="font: 12.0px Arial"&gt;Enterprise Strategy Group, of Milford, MA. The study resulted from a survey of 100+ Fortune 2000 enterprises &amp;amp; government agencies.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;Of those bringing some e-discovery in-house, about two thirds will be bringing in processing, analysis, identification and collection. About a third will be internalizing preservation, litigation hold management, review and production.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;One surprising stat (the blog owner finds it personally surprising, anyhow) is that three times as many respondents expect to bring processing in-house as will bring in review.&amp;nbsp;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;Aside from the survey results, the report states that e-discovery is involved in almost all lawsuits and regulatory inquiries this year. 
This is unsurprising as discovery is likely to include documents and nearly all documents start on a computer.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial; min-height: 14.0px"&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Arial"&gt;The study was sponsored by Clearwell Systems and can be downloaded &lt;font&gt;&lt;a href="http://www.clearwellsystems.com/files/CW_WP_ESG_Clearwell_Survey.pdf" target="_blank"&gt;here&lt;/a&gt;&lt;/font&gt;:&lt;/p&gt;</content>
	</entry>
	<entry>
		<title>COFEE brewed in near-record time</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/11/07/cofee-brewed-in-nearrecord-time.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-11-07:0a841386-e7ed-4eb1-9d14-91af83faf0cd</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="law enforcement" />
		<category term="cofee" />
		<category term="computer forensics" />
		<updated>2009-11-08T00:54:00Z</updated>
		<published>2009-11-08T00:54:00Z</published>
		<content type="html">&lt;div&gt;At the beginning of September, 2009, Microsoft released a Law Enforcement-only data collection tool called Computer Online Forensic Evidence Extractor, or "COFEE". The tool was given free to law enforcement agencies, ostensibly to help fight cybercrime.&amp;nbsp;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;The function of the tool, once configured, is to allow law enforcement personnel to securely download live data, including system processes and network data. One option is to install the tools onto a USB stick/flash drive, stick it into a suspect's running computer, and collect desired data on the fly.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;Microsoft gave the apps to INTERPOL and the National White Collar Crime Center (NW3C) - to law enforcement in 187 different countries.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;With such wide distribution, is it surprising that two months after release, on November 6, 2009, the tool (actually purported to be a collection of tools) was widely reported as having been released into the wild by someone? On the other hand, COFEE is intended to be an evolving tool, so whatever was being spread around the Internet in November may not be the same set of tools that will be used in December.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;This blog won't be the only place interested persons read this news. As of 5 PM November 7, a Google search for mentions of "COFEE" in the previous 24 hours yielded 47,200 results.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;Not bad for news less than a day old. Read more on the subject &lt;font&gt;&lt;a href="http://tinyurl.com/ydwz3wh" target="_blank"&gt;here&lt;/a&gt;&lt;/font&gt;.&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>$100 million lost to ACH “spear-phishing” cyber-scams</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/11/05/100-million-lost-to-ach-spearphishing-cyberscams.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-11-05:078fdbc7-f152-4b82-b87e-ba759053b0e5</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="phishing" />
		<category term="cybercrime" />
		<updated>2009-11-05T19:13:00Z</updated>
		<published>2009-11-05T19:13:00Z</published>
		<content type="html">&lt;!--StartFragment--&gt;&lt;p class="MsoNormal"&gt;ACH, or Automated Clearinghouse, fraud is causing small and medium-sized businesses king-sized headaches. The FBI currently averages a new case every week and the numbers are growing.&amp;nbsp;&lt;/p&gt;&lt;p class="MsoNormal"&gt;Thieves send emails with attachments posing as Microsoft software patches or other legitimate software to a company’s financial officer or bookkeeper in hopes that the software will be opened and downloaded - resulting in keylogging software being installed on the victim’s computer.&amp;nbsp;&lt;/p&gt;&lt;p class="MsoNormal"&gt;The FBI’s Internet Crime Complaint Center (IC3) says that this “spear-phishing” (a targeted form of phishing where the email looks like it comes from a colleague or one’s employer) targets smaller companies using smaller banks that may not have stringent fraud detection in place. The intention is to capture logins and passwords to the company’s bank accounts. Once the information is gathered, the perpetrators transfer money to the account of an unknowing “money mule” – a computer user who believes he or she is doing “work from home” payroll processing, for instance – who then transfers the ill-gotten gains to an international account, out of the country and out of reach of US laws.&amp;nbsp;&lt;/p&gt;&lt;p class="MsoNormal"&gt;The IC3 says that each transaction tends to be in increments of less than $10,000 but they have added up to about $100 million so far.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="outline-style: none; outline-width: initial; outline-color: initial; font-family: Arial; "&gt;&lt;strong&gt;Recommended reading:&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="outline-style: none; outline-width: initial; outline-color: initial; font-family: Arial; "&gt;The United States Computer Emergency Readiness Team (US-CERT) has a seven-page guide to banking securely online available 
at&amp;nbsp;&lt;/span&gt;&lt;span style="outline-style: none; outline-width: initial; outline-color: initial; font-family: Arial; "&gt;&lt;a href="http://www.us-cert.gov/reading_room/Banking_Securely_Online07102006.pdf" style="outline-style: none; outline-width: initial; outline-color: initial; "&gt;http://www.us-cert.gov/reading_room/Banking_Securely_Online07102006.pdf&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial"&gt;Read more about this scam here: &lt;a href="http://www.ic3.gov/media/2009/091103-1.aspx"&gt;www.ic3.gov/media/2009/091103-1.aspx&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&lt;!--EndFragment--&gt;</content>
	</entry>
	<entry>
		<title>The Case of the Teacher and the Trickster</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/10/31/the-case-of-the-teacher-and-the-trickster.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-10-31:1d57b767-bca0-4ca2-9e10-71310fee2d2b</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="cyberstalking" />
		<category term="cyberbullying" />
		<updated>2009-11-01T05:14:00Z</updated>
		<published>2009-11-01T05:14:00Z</published>
		<content type="html">&lt;div&gt;It was a grey October day, the kind of day when a guy likes to cozy up next to a bank of servers to keep warm, when the Teacher first called me. "They think I'm nuts" were the words emanating from the phone. Well, just because you're paranoid doesn't mean they're not out to get you. I sat up and went to my desk, away from the noisy fans cooling off all those Gigahertzes. "What's the problem, Miss?"&amp;nbsp;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;The young woman explained that she was a not-yet-tenured teacher in a New England (greyer there than here) high school with a problem. Seems that a student in one of her classes was repeating things in the classroom that she had uttered only the night before in the apparently illusory privacy of her own living room.&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;Read the rest of "CSI Computer Forensics - Real Cases From Burgess Forensics #9 - &lt;font&gt;&lt;a href="http://www.burgessforensics.com/CSI9_teacher_trickster.php" target="_blank"&gt;The Case of the Teacher and the Trickster&lt;/a&gt;&lt;/font&gt;"&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>North Korea Blamed (again) for July Web Assaults</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/10/31/north-korea-blamed-again-for-july-web-assaults.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-10-31:c3caabfd-3c73-489e-98f3-3db9a101c659</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="cyberwar" />
		<category term="denial of service" />
		<category term="cyberterror" />
		<updated>2009-11-01T04:53:00Z</updated>
		<published>2009-11-01T04:53:00Z</published>
		<content type="html">&lt;div&gt;Widespread cyber attacks on US computers that caused many outages in July of this year (as reported in this blog at the time) came from IP addresses that have been definitively traced back to North Korea's Ministry of Post and Telecommunications, according to South Korea's National Intelligence Service (NIS). The National Intelligence Service is S. Korea's main spy agency. The outages included computers in the US White House and S. Korea's Blue House. The attribution to the NIS was made by the JoongAng Ilbo newspaper and the Yonhap news agency, both South Korean news sources, as reported by the AP.&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;At the time, South Korean reports stated that North Korea has from 500 to 1,000 hacking specialists and that the country has an Internet warfare unit that tries to hack both U.S. and South Korean military networks in order to stall computers, disrupt service, and to gather secrets.&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;The former head of the National Cybersecurity Center, Rod Beckstrom, stated that such attacks are not particularly difficult and that anyone with one or two hundred million dollars could hire talent to pull off such attacks.&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;This blog wonders: are such attacks expensive malicious mischief, felonious assaults, or an act of war? Or something else? We invite your comments.&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;Read more about it here: &lt;font&gt;&lt;a href="http://www.msnbc.msn.com/id/33550486/ns/technology_and_science-security" target="_blank"&gt;http://www.msnbc.msn.com/id/33550486/ns/technology_and_science-security&lt;/a&gt;&lt;/font&gt;&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>National Cybersecurity and Communications Integration Center Opens</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/10/31/national-cybersecurity-and-communications-integration-center-opens.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-10-31:f2cc584a-0330-4b38-911c-f1e697349100</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="CERT" />
		<category term="Homeland Security" />
		<category term="cybersecurity" />
		<updated>2009-11-01T04:08:00Z</updated>
		<published>2009-11-01T04:08:00Z</published>
		<content type="html">&lt;div&gt;On October 30, Secretary of Homeland Security, Janet Napolitano, announced the opening of the National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, VA. Said Napolitano, "Consolidating our cyber and communications operations centers within the NCCIC will enhance our ability to effectively mitigate risks and respond to threats."&amp;nbsp;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;Opened to great fanfare and media attention, the 61 workstations currently installed in the NCCIC are intended to bring together intelligence to help secure the country's cyber infrastructure.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;With current attacks reported as coming from China and North Korea, securing the "cyber-borders" is of great interest and this facility combines the highly respected U.S. Computer Emergency Readiness Team (US-CERT), which leads a public-private partnership to protect and defend the nation's cyber infrastructure; and the National Coordinating Center for Telecommunications.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;This author's personal perception is that the NCCIC could have been opened one day later but then the headlines would have to read something about enabling the spooks. That just wouldn't do!&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;Read more about it here: http://www.dhs.gov/ynews/releases/pr_1256914923094.shtm&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>North Korea Blamed for Knocking out US, Korean Government Websites.</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/07/08/north-korea-blamed-for-knocking-out-us-korean-government-websites.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-07-08:2dbc3de7-f6e7-40d3-ab5c-1c7d8fb1d2b7</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="Korea" />
		<category term="denial of service" />
		<category term="cybercrime" />
		<category term="cyberwarfare" />
		<updated>2009-07-08T21:45:00Z</updated>
		<published>2009-07-08T21:45:00Z</published>
		<content type="html">&lt;!--StartFragment--&gt;&lt;p class="MsoNormal"&gt;Ongoing computer attacks that began on July 4 took down the websites of several U.S. agencies, including the Treasury Department, the Secret Service, the Federal Trade Commission and the Department of Transportation. South Korean government websites including their Defense Ministry and the Blue House (Office of the President of South Korea) sites were also brought down. &lt;span style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/span&gt;Commercial sites in both countries, including South Korean banking sites and the Washington Post in the US, were successfully targeted as well.&lt;/p&gt;&lt;p class="MsoNormal"&gt;South Korea's National Intelligence Service says that North Korean forces, or those in South Korea sympathetic to the North, carried out the attacks. U.S. officials have not as yet commented publicly on the source of the attacks or on the attacks themselves. The attacks were apparently distributed denial of service (&lt;font&gt;&lt;font face="AZBY"&gt;DDoS&lt;/font&gt;&lt;/font&gt;)&amp;nbsp;attacks.&lt;/p&gt;&lt;p class="MsoNormal"&gt;Keynote Systems, a mobile &amp;amp; Web monitoring company based in San Mateo, CA, said that the attack on Transportation lasted from Saturday to Monday and brought the site down completely, while the FTC site was down on Sunday and Monday, and still had problems on Tuesday, July 8.&lt;/p&gt;&lt;p class="MsoNormal"&gt;More &lt;font face="AZBY"&gt;here&lt;/font&gt;:&amp;nbsp;&lt;span style="font-family: 'Lucida Grande', Verdana, Helvetica, sans-serif; font-size: 11px; white-space: pre; "&gt;http://snurl.com/mdz68  [government_zdnet_com] &amp;nbsp; &lt;span style="font-family: Arial, Verdana, Helvetica, sans-serif; font-size: 12px; white-space: normal; "&gt;&amp;nbsp;and &lt;font face="AZBY"&gt;here&lt;/font&gt;: &lt;span style="mso-spacerun: yes"&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;http://snurl.com/me4m7 
&amp;nbsp;[www_google_com]&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;!--EndFragment--&gt;</content>
	</entry>
	<entry>
		<title>Obama addresses Cybersecurity</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/07/07/obama-addresses-cybersecurity.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-07-07:f6487e92-29ba-4207-af00-3a39b7f601c8</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="Obama" />
		<category term="cyber czar" />
		<category term="cybersecurity" />
		<category term="cyber warfare" />
		<updated>2009-07-07T15:47:00Z</updated>
		<published>2009-07-07T15:47:00Z</published>
		<content type="html">The first Presidential address focusing on cybersecurity was made by President Obama recently. It is anticipated that a Cybersecurity Coordinator (called by many the "Cyber Czar") will be named to encourage synergy rather than walls between agencies dealing with the burgeoning threats. &lt;br&gt;&lt;br&gt;The cybersecurity review itself was a joint effort of Homeland Security and the National Security Council (NSC), and recommended the appointment of a Coordinator to update existing and develop new strategy for making the information and communications infrastructure in the US secure. The plan does not exist in a vacuum, coming as it does on the heels of the Comprehensive National Cybersecurity Initiative in 2007, the National Strategy to Secure Cyberspace in 2003 and Presidential Decision Directive 63 in 1998, all of which have been evolving the national response to cybercrime and security. The new review acknowledges for the first time the importance of private industry as stakeholders and players in cybersecurity. &lt;br&gt;&lt;br&gt;Responses have generally been positive, but some are concerned that the NSC will take charge, infringing on privacy rights while others worry that the "cyber czar" will not be high enough in the President's Cabinet to be properly heard.&lt;br&gt;&lt;br&gt;More here:&amp;nbsp; [&lt;a href="http://snurl.com/man49"&gt;www_wileyrein_com&lt;/a&gt;] and here:&amp;nbsp; [&lt;a href="http://snurl.com/malp4"&gt;www_govinfosecurity_com&lt;/a&gt;]&amp;nbsp; &lt;br&gt;</content>
	</entry>
	<entry>
		<title>Internet Access Shut Down for ISP Pricewert: Company Protests</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/06/12/internet-access-shut-down-for-isp-pricewert-company-protests.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-06-12:ca1a345d-73ac-44e0-991c-04acdc2c2e8e</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<updated>2009-06-12T20:55:00Z</updated>
		<published>2009-06-12T20:55:00Z</published>
		<content type="html">&lt;div&gt;The Federal Trade Commission (FTC) pulled the plug on San Jose-based webhosting ISP, Pricewert, and froze its assets. The company stands accused of shielding companies said to be engaged in nefarious and illegal conduct, such as child pornography, botnet servers and phishing activities. &lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;The FTC had help from Symantec and the investigation included NASA's Office of the Inspector General. Additional aid came from University of Alabama in Birmingham; The National Center for Missing and Exploited Children; The Shadowserver foundation and the Spamhaus Project. &lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;Pricewert suggests that the investigation was unfair and the company was targeted based in part on the Ukrainian nationality of its founder, and that the company can't be responsible for the bad habits of its customers. The company's spokesman, Max Christopher, said that investigative data could be flawed due to difficulties in understanding documents written in Russian, that Internet access was interrupted without notice, and that the FTC has ruined the company's reputation. &lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;More on the subject in the Network World / PCWorld article, "&lt;span style=""&gt;&lt;a href="http://www.pcworld.com/businesscenter/article/166258/isp_pricewert_protests_shutdown.html" target="_blank"&gt;ISP Pricewert Protests Shutdown&lt;/a&gt;&lt;/span&gt;", by Ellen Messmer&lt;/div&gt;</content>
	</entry>
	<entry>
		<title>IT Downsizing Can Create Orphaned Data</title>
		<link rel="alternate" href="http://blog.computerforensicsblog.com/2009/06/12/it-downsizing-can-create-orphaned-data.aspx?ref=rss" />
		<id>tag:blog.computerforensicsblog.com,2009-06-12:adb371a4-2c0f-48b6-9be3-cab6ed603733</id>
		<author>
			<name>Steve Burgess</name>
		</author>
		<category term="Data" />
		<updated>2009-06-12T20:53:00Z</updated>
		<published>2009-06-12T20:53:00Z</published>
		<content type="html">&lt;div&gt;There's no question that we live in a time of enormous layoffs and firings. When an employee leaves, essential data may reside on a never-backed-up laptop or be otherwise lost or forgotten. Chris Winter, of TechNews World, suggests that organizations should centralize control over all potentially orphaned data. More than half of data for businesses resides on laptops that may be in motion or otherwise away from the company network. &lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;Understaffed IT departments may simply pull and stack – or worse – reformat and reuse disk drives from these devices without regard to the data that may reside therein. There may be data backup policies in place, but the author suggests that IT needs to be responsible for centralizing control of backups, so that they actually happen and data is retained. Best operating practices, including regulated, centralized backups, can avoid downtime and lost data not only in times of corporate layoffs, but during natural disasters and inevitable hardware failures. &lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;See "&lt;span style=""&gt;&lt;a href="http://www.technewsworld.com/story/Picking-Up-the-Pieces-After-Downsizing-Avoid-Orphaned-Data-67278.html?wlc=1244609508" target="_blank"&gt;Picking Up the Pieces After Downsizing: Avoid Orphaned Data&lt;/a&gt;&lt;/span&gt;".&lt;br&gt;&lt;/div&gt;</content>
	</entry>
</feed>