About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Thursday, March 24, 2011

Digital forensics and search warrants

Laws always lag far behind the pace of technology, and the laws surrounding computer security issues are no exception. It took several major data breaches before we began getting breach notification laws. Now, courts are trying to figure out how search warrants should work in computer crime cases. Ars Technica has a good overview of the current state of things.

NOTE: I am not a lawyer. This is not legal advice or recommendations. If you want legal advice, ask your lawyer.

It's a sticky issue because, on the one hand, modern computers can hold vast amounts of highly personal information: thousands of emails, journals, legal pornography, address books, etc. It can feel like an unreasonable invasion of privacy for law enforcement officers to go pawing through all of that to look for evidence of a crime, particularly if it's the victim's computer being investigated. Search warrants are supposed to specify exactly what is being looked for (stolen intellectual property, for example), and law enforcement officers are only supposed to look in places where the object of the warrant could reasonably be, so no searching an office desk if the warrant is for a stolen car.

On the other hand, search warrants allow officers to search anything that could be hiding the object being searched for. There are plenty of videos of drug searches that show how ingeniously things can be hidden and how thorough searches can get in the physical world. The same principles apply in the digital world. Just as a packet of drugs can be hidden in a jar of flour, a contraband file can be hidden inside another file without much difficulty or technical skill.

Furthermore, if evidence of illegal activity is found on a computer, sometimes the accused will claim that a hacker or malware is responsible rather than the accused. It's perfectly possible for malware or hackers to take control of a computer and use it for illegal activity. That sort of activity can be detected, but digital evidence can be lost if it is not seized in time. This means that if we restrict our search to looking only for the illegal file named in the search warrant, we could lose the opportunity to determine whether someone other than the owner of the computer is responsible for the illegal activity. A computer search that's too narrow in scope could result in the loss of evidence that could show the suspect's innocence.

Like many legal issues, this is a complex one with multiple legitimate concerns acting at cross purposes. Hopefully, the legislature and courts will come up with a solution that provides reasonable privacy protection, is practical, and does not place too heavy a burden on law enforcement.

Tuesday, March 22, 2011

Future trends in computer security

These are exciting and fascinating times we live in, particularly for computer security. There's so much change going on that it can frequently be difficult to keep track of what's happening and what's coming before it hits you in the face. I rely on a wide selection of blogs (see the sidebar) to keep me informed of current trends.

Frequently I find the same "hot topic" being discussed simultaneously by a wide range of sources, rehashing the same limited information (e.g., Stuxnet or HBGary). Once in a while, though, I find a little nugget of information that startles me and really makes me wonder why no one else has noticed it.

Strategic Studies Quarterly is not normally in my reading list, but the spring issue is devoted in large part to cyberwar. As you know from my blog, normally I'm skeptical about claims of cyberwar, but this is the military's view of cyberwar instead of reporters or politicians, so I think it's worth reading. Some of the articles are more interesting than others, of course. For example, I think the article Rise of a Cybered[sic] Westphalian Age is fundamentally impractical due to the rapidly changing nature of malicious code. On the other hand, the feature article An Air Force Strategic Vision for 2020-2030 has some very interesting revelations for the computer security field.

In particular, they are very interested in integrating "cyber operations" (hacking) into their battle plans as a component of warfare. For example, this quote from page 12:

Fourth, offensive and defensive cyber capabilities must be fused into air and space platforms. By 2030 cyber capabilities may become the greatest power-projection tools in the Air Force arsenal, serving as both force multipliers and an Achilles’ heel.

Later in the article, the authors address some specific challenges for the US military in computer security, including a lack of trained personnel. However, I think the really interesting bit is here:

In the future, cyber will evolve into a weapon of preference, replacing many of the kinetic choices in today’s arsenal. The reduction in aircraft numbers and the ranges required for power projection, particularly in the Pacific, will drive cyberspace to the forefront of Air Force operations. Suppression of enemy air defenses and the ability to corrupt the software of an adversary’s aircraft will become a reality, not just science fiction.

At first glance, the idea of an Air Force aircraft that can hack targets seems like a futuristic daydream, but in actuality it's not as bizarre as one might think. Take a look at the WiFi Aerial Surveillance Platform (WASP), a WiFi-hacking UAV that was built by a couple of enthusiasts in their garage. Take a look at its capabilities:

the operator can "control the payload from anywhere in the world -- including mobile devices. It also allows for processor-intensive applications, such as WPA attacks and password cracking, to be offloaded securely in real-time to a remote computing powerhouse utilizing CUDA technology, for mind-blowing performance."

This is just a WiFi penetrator, but the possibilities of what Boeing or Lockheed could do with their gigantic budgets are mind-boggling. Fortunately, we don't have to imagine what it might look like. It's already here in the Next Generation Jammer (found via Wired.com).

For military targets, the hacker of tomorrow could be an F/A-18 Growler.

(Public domain Growler image obtained from Wikipedia)

The Aviation Week article is obviously short on details, but if air defense systems use wireless connections to launch their missiles, then they would obviously be vulnerable to disruption. There's some evidence that this has actually been done in combat by Israel as early as 2007. More details on Israel's airstrike on Syria can be found here.

This doesn't mean much for civilian computer security folks yet (except for defense contractors), but military technology has a way of working its way down to other uses, whether law enforcement, corporate, or criminal. We'll have to wait and see what the future brings, and in the meantime it's simply amazing to know it's possible and actually being done.

Friday, March 4, 2011

On the Internet, you're not as anonymous as you think you are

One of the big issues with computer crime is the belief that because the internet is anonymous, the criminals will never be identified. A recent intellectual property case shows that's not always the case. Despite the user creating the site with a pseudonym and a PO box, the government was able to track it back to the real person involved.

It's unusual for us to get such a clear view of how a person can be tracked across the internet. The exact methods used here by the government require the cooperation of the ISPs involved, but it would theoretically be possible to accomplish the same thing by hacking or by using social networking connections.

Because internet anonymity is only skin-deep, I try to act as if everything I post online is under my real name. I suggest everyone do the same.