Recently in Cyber Security Category

There's a chance you could have a spy watching your every move, just waiting for the perfect time to attack and hijack your precious information.

A recent InfoWorld blog serves as a wake-up call to those companies that have not taken the increasing threat of electronic espionage and network security seriously. According to the blog, a growing number of companies are being spied on electronically by sources in other countries. This isn't the first we've heard of this, though: back in January, hackers from China broke into the computer networks of several companies, including Google, to steal information about Chinese dissidents as part of "Operation Aurora," one of the largest cyber-attacks ever.

These incidents keep occurring because companies believe that their current security software is good enough, or they have simply ignored the issue. The truth is that to have protection from these types of stealth spies you have to collect packet history within the network, and the only way to obtain this information is by performing forensic analysis.


Network forensics is the capture, recording, and analysis of network events. All pertinent network traffic is collected in a single location, rather than scattered across the network. Data is captured in a common data format and does not need to be transferred or translated in any way for analysis. Using network forensics data mining tools, security teams can reconstruct the sequence of events that occurred at the time of a network breach or cyber attack and get the complete picture. Forensic analysis exposes attackers, methods, and damages. Lucky for us, new and more powerful network forensic products are out there to help defend against electronic spying threats. Even though there is a vast array of network forensic technologies to choose from, organizations should know that there are really only three basic elements to any general-purpose network forensic solution:


1. Data capture and record - This is the ability to capture and store multiple gigabytes of data at high network throughput (for example, 10 Gigabit) without dropping or missing any packets. Every network forensic solution has its limitations, including sustainable throughput, packets per second, data management, search functions, etc. These limitations can and should be determined through practical lab tests, and the results should be repeatable and documented. This includes both wired and wireless networks.


2. Data discovery - Once data are recorded on the storage media, the solution should provide a mechanism to filter particular items of interest, for example, by IP address, application, context, etc.


3. Data analysis - Finally, you want some built-in assistance for examining the patterns and anomalies found during the discovery process to help you determine what actions were recorded in the captured packets.


The information forensic analysis provides can lead to an informed and efficient security posture within an organization to deter similar attacks in the future. As criminals get smarter and savvier, being able to detect and characterize attacks is crucial. Information leakage not only results in monetary losses but also can be a serious threat to national security. Having the right network forensic solution in place can help to discover and eliminate possible threats in your network and to provide lawful interception capabilities when needed.

WildPackets welcomes this guest blog post from independent security consultant Dr. Gordon Mitchell, who details below how he used the WildPackets OmniPeek Network Analyzer to discover and thwart a keylogger that had compromised a local government network.


Keylogging tracks the keys struck on a keyboard in a discreet manner so that the person using the keyboard is unaware that their actions are being monitored. There are several keylogging methods, ranging from hardware and software-based approaches to electromagnetic and acoustic analysis.


A while back, I found evidence of a keylogger on a local government computer... hunting time.


Using WildPackets EtherPeek (now included in OmniPeek) as my weapon of choice, a live analysis was performed. It turned out that a "smoking gun" email had started it all by explaining how to install the keylogging software. This is obviously a concern, especially in a government setting where information is at high risk of being compromised.

So, what had been stolen? If no keystrokes were captured there wasn't much to worry about. I went to work.


A clone of the computer's hard drive was created to connect the machine to the Internet. Before plugging in the Ethernet cable, I made sure to limit the export of data.


[image: blog_1.png]

The restored computer was allowed to connect to the Internet through a firewall, which only allowed it to get DNS information. By hacking the Windows hosts file, connections were directed to a test machine that was set up with a fake SMTP server. The computer was turned on and text was typed into Notepad.


If there was an active keylogger, this text would have likely been picked up and emailed off with previously recorded activity. Not long after plugging the Ethernet cable in, I saw activity. The test machine was monitored with a Peek-equipped PC. All the traffic between the restored computer and the test machine was recorded, thanks to Wildpackets.


The first intercepted traffic included the material below:

[image: blog_2.png]


This information came from the keylogger report that was being sent to an offshore email account. The good thing was that the classified reference related to staff categories was not secret government information.

[image: blog_3.png]


Next came the text that I had typed on the restored machine's keypad. This was confirmation that the keylogger was stealing information. A bit more analysis defined the scope of the loss, allowing repair of the damage... and identification of the person who installed the keylogger. RIP, keylogger.
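As an added example (not Dr. Mitchell's or WildPackets' code), here is the kind of fake SMTP server the test machine above ran: it speaks just enough SMTP to make the suspect host believe its report was delivered, while recording the envelope and body instead of relaying anything. Host names, addresses and the sample transcript are constructed for the demo.

```python
import socketserver

CAPTURED = []  # (sender, recipients, body) for every message the sink accepts

class SmtpSink:
    """Per-connection state: just enough SMTP (RFC 5321) to accept one message."""
    def __init__(self):
        self.sender, self.recipients, self.body = None, [], []
        self.in_data = self.done = False

    def feed(self, line):
        """Handle one client line (CRLF stripped) and return the server's reply."""
        if self.in_data:
            if line == b".":  # a lone dot ends the message
                self.in_data, self.done = False, True
                return b"250 2.0.0 queued (captured)\r\n"
            # undo dot-stuffing ("..x" on the wire was ".x"), then keep the line
            self.body.append(line[1:] if line.startswith(b"..") else line)
            return b""  # the server stays silent while receiving DATA
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"MAIL":  # MAIL FROM:<addr>
            self.sender = arg.split(b":", 1)[-1].strip()
        elif verb == b"RCPT":  # RCPT TO:<addr>
            self.recipients.append(arg.split(b":", 1)[-1].strip())
        elif verb == b"DATA":
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>\r\n"
        elif verb == b"QUIT":
            return b"221 2.0.0 bye\r\n"
        return b"250 OK\r\n"  # HELO/EHLO and anything else: accept so the sender proceeds

class SinkHandler(socketserver.StreamRequestHandler):
    """One TCP connection per sender; a completed message is appended to CAPTURED."""
    def handle(self):
        sink = SmtpSink()
        self.wfile.write(b"220 sink.example ESMTP ready\r\n")
        for raw in self.rfile:  # runs until the sender closes the connection
            self.wfile.write(sink.feed(raw.rstrip(b"\r\n")))
        if sink.done:
            CAPTURED.append((sink.sender, sink.recipients, b"\n".join(sink.body)))

def replay(client_lines):
    """Offline helper: run a client transcript through a fresh sink; return (sink, replies)."""
    sink = SmtpSink()
    return sink, [sink.feed(line) for line in client_lines]

# Constructed transcript of what a keylogger's mailer might send (not real data).
SAMPLE = [b"EHLO victim-pc", b"MAIL FROM:<logger@victim-pc>", b"RCPT TO:<drop@offshore.example>",
          b"DATA", b"Subject: keylog report", b"", b"typed into Notepad",
          b"..line that began with a dot", b".", b"QUIT"]
```

To run it live, start `socketserver.TCPServer(("0.0.0.0", 25), SinkHandler).serve_forever()` (port 25 needs root) on the test machine and point the hosts-file entry for the mail host at it; a packet capture on the same segment then shows the whole exchange, as in the screenshots above.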


2009 ended with cyber security dominating headlines: the Wall Street Journal reported that hackers had stolen tens of millions from Citigroup, TechCrunch reported on Twitter getting hacked, and the New York Times reported President Obama naming Howard A. Schmidt as the U.S.'s Chief of Cybersecurity. 2010 picked up right where 2009 left off: Google was hit, likely via an inside job at its office in China, by a cyber-attack on its network that resulted in theft of its intellectual property.

There are a lot more malware-related issues brewing under the surface, as Nemertes senior VP and Network World columnist Andreas M. Antonopoulos points out: "While no new major malware outbreaks made huge headlines, the silent spread of stealthy keyloggers, trojans and botnets continued. As predicted, more computers fell prey to these silent threats while the lack of headlines is broadly and incorrectly seen as 'success' against malware."


It's not enough to know you were the victim of a cyber-attack. With today's network forensic technologies, organizations should be able to answer the following questions:


1. Who was the intruder?

2. How did the intruder penetrate security?

3. What damage has been done?

4. Did the intruder leave anything behind?

5. Did the organization capture sufficient information to effectively analyze and reproduce the attack?

In the past, classic forensic technologies typically provided an incomplete diagnosis because of incomplete reconstruction: when an attack bypassed a firewall, only partial attack data was processed by the IDS/IPS, yielding incomplete data and leaving many of the key questions unanswered. Methods are changing. Today, when an attack bypasses the firewall, a network recorder records and aggregates data throughout the attack, supplementing the partial processing done by the IDS. With this approach, post-event analysis answers the questions above and exposes attacker, method, and damage; with the entire attack recorded, its fingerprint is captured and it never needs to happen again.


While data recorders will not prevent a zero-day cyber-attack, the information they provide can lead to an informed and efficient security posture within the organization, allowing accurate attack fingerprinting and rapid retooling of security technology and processes to deter similar attacks.