<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>GrayHat Forensics</title>
	<atom:link href="http://grayhatforensics.secbible.org/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://grayhatforensics.secbible.org</link>
	<description>The Adventures of a GrayHat in Digital Forensics</description>
	<lastBuildDate>Sun, 07 Mar 2010 07:09:12 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Dead or alive? This is the answer.</title>
		<link>http://grayhatforensics.secbible.org/index.php/2010/03/07/dead-or-alive-this-is-the-answer/</link>
		<comments>http://grayhatforensics.secbible.org/index.php/2010/03/07/dead-or-alive-this-is-the-answer/#comments</comments>
		<pubDate>Sun, 07 Mar 2010 07:09:12 +0000</pubDate>
		<dc:creator>DarkSYN</dc:creator>
				<category><![CDATA[Digital Forensics and Security]]></category>
		<category><![CDATA[Forensics News]]></category>

		<guid isPermaLink="false">http://grayhatforensics.secbible.org/?p=36</guid>
		<description><![CDATA[All those who thought the GrayHat Forensics blog (or myself) died, rejoice!
No, the blog isn&#8217;t dead, it was just resting for a period of time (admittedly a long one) while I was trying to put some semblance of order into a rapidly-galloping-uncontrollably-away PhD.
So, after about a year of working frantically at various issues, solving [...]]]></description>
			<content:encoded><![CDATA[<p>All those who thought the GrayHat Forensics blog (or myself) died, rejoice!</p>
<p>No, the blog isn&#8217;t dead, it was just resting for a period of time (admittedly a long one) while I was trying to put some semblance of order into a rapidly-galloping-uncontrollably-away PhD.</p>
<p>So, after about a year of working frantically at various issues, solving (or attempting to solve) problems that should not have existed had I yelled when I needed to yell, changing supervisors and departments in exactly the middle of my PhD, gathering data that needed gathering (My most sincere thanks to Zapotek of segfault.gr for his assistance in this!), teaching a lovely and amazingly smart and perceptive bunch of 3rd &amp; 2nd year BSc Digital Forensics students, getting taught the Forensic Way by some amazing Forensic Science lecturers, and making drastic changes to my PhD&#8217;s structure, content, design and implementation details, I&#8217;m finally where I should be!</p>
<p>So, with a PhD software prototype FINALLY written and evaluated, proceeding to the actual implementation of my PhD&#8217;s full software (more on that later, both here and in publications to be written), I now am starting to once again have the time and the disposition to concentrate on my pet projects, such as keeping this blog moving forward.</p>
<p>Stories and comments on stories exist and are in the process of being thought through and further investigated, so keep checking back, cause they&#8217;ll start cropping up over the next few days (worst case scenario: 1-2 weeks) once more!</p>
<p>Until then, stay safe out there and keep digitally forensicating!!</p>
<p>DarkSYN</p>
]]></content:encoded>
			<wfw:commentRss>http://grayhatforensics.secbible.org/index.php/2010/03/07/dead-or-alive-this-is-the-answer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GST strikes again, this time in both English &amp; Greek!</title>
		<link>http://grayhatforensics.secbible.org/index.php/2008/11/30/gst-strikes-again-this-time-in-both-english-greek/</link>
		<comments>http://grayhatforensics.secbible.org/index.php/2008/11/30/gst-strikes-again-this-time-in-both-english-greek/#comments</comments>
		<pubDate>Sun, 30 Nov 2008 04:08:03 +0000</pubDate>
		<dc:creator>DarkSYN</dc:creator>
				<category><![CDATA[Digital Forensics and Security]]></category>
		<category><![CDATA[aegeanportal.org]]></category>
		<category><![CDATA[CERE]]></category>
		<category><![CDATA[CERN]]></category>
		<category><![CDATA[defacement]]></category>
		<category><![CDATA[Fish]]></category>
		<category><![CDATA[GST]]></category>
		<category><![CDATA[PHP++]]></category>
		<category><![CDATA[web-attacks]]></category>

		<guid isPermaLink="false">http://grayhatforensics.secbible.org/?p=32</guid>
		<description><![CDATA[Just prior to hitting the pillows, a trackback arrived for my inspection from the PHP++ blog.
Fish (the author of the said blog) reports that the GST struck again, this time defacing an &#8220;I don&#8217;t know where the hell they found that&#8221;-type website, as reported in the following blog post and left a message in both [...]]]></description>
			<content:encoded><![CDATA[<p>Just prior to hitting the pillows, a trackback arrived for my inspection from the <a title="PHP++ Blog" href="http://www.rhapsody.intheblackbox.com/blog/" target="_blank">PHP++</a> blog.</p>
<p>Fish (the author of the said blog) reports that the GST struck again, this time defacing an &#8220;I don&#8217;t know where the hell they found that&#8221;-type website, as reported in the following <a title="GST - Just another brick on the greek wall of shame" href="http://www.rhapsody.intheblackbox.com/blog/?p=29" target="_blank">blog post</a> and left a message in both the Greek and the English languages (with a rather helpful JavaScript button to point you to your preferred language).</p>
<p>The Greek language version of the text is surprisingly well-written, compared to the CERN one (different author, perhaps?). The English language version is written in the typical Just-out-of-highschool-Greeks-writing-in-the-English-language style.</p>
<p>In it, summarily stated, they rant and rave about the following: The &#8220;hack&#8221; of Greekhackers.gr by some lame Turkish group (and the lameness of the whole Greece vs Turkey thing (which I too think is too lame for the 21st century)), their previous defacement of one of the CERN&#8217;s LHC webservers and the media coverage (foreign and Greek) on the whole issue, followed by some standard &#8220;greets and shouts to&#8221; some site and the security scene.</p>
<p>I won&#8217;t translate, this time, as you have both versions at your disposal through the screenshots of the <a title="GST Deface Starting Page" href="http://grayhatforensics.secbible.org/uploads/GST-HackStart.png" target="_blank">starting page</a>, the <a title="GST Deface Greek Language" href="http://grayhatforensics.secbible.org/uploads/GST-HackEl.png">Greek language page</a> and the <a title="GST Deface English Language" href="http://grayhatforensics.secbible.org/uploads/GST-HackEng.png" target="_blank">English language page</a>.</p>
<p>My only comment is the following: looking at the source code of the page, which I&#8217;m linking <a title="Source Code of the defaced page" href="http://grayhatforensics.secbible.org/uploads/info.txt" target="_blank">here</a>, I can see that the GST logo was loaded from the address &#8220;http://www.cere.gr/upload/logoGST.png&#8221; (it appears as &lt;img src=&#8221;http://www.cere.gr/upload/logoGST.png&#8221;&gt;), which belongs to the Center for Russia and Eurasia (http://www.cere.gr/).</p>
<p>This suggests that the attackers used CERE&#8217;s webserver as a staging area for at least part of their attack, which would mean that we&#8217;re dealing with two compromises: one at http://www.aegeanportal.org and one at http://www.cere.gr. I cannot, of course, in any way/shape/form confirm this is truly the case, as I do not have access to either of the said servers, but it seems a viable hypothesis to make. So, it might be prudent for the administrators of both web-sites to at the very least have a look at their webserver/hosting space logfiles for possible traces of the attackers. It might also be prudent to check the webserver logfiles for IP addresses accessing the info.html file in the first 5-10 minutes after the file was placed there (check the file&#8217;s timestamps for the exact dates/times, and allow for the way the servers&#8217; OS records and updates access/modification times).</p>
<p>I should note, here, that in my personal opinion, website defacement is nothing more than an act of vandalism (in the same way sprayed messages on buses etc are vandalism).</p>
<p>I should also note that, again in my personal opinion, the whole CERN LHC defacement was blown WAY out of proportion by the international media/press. This, and ONLY this, is why I stayed up half the night translating! And, to make matters worse, the Greek press/media further disgraced themselves by mistranslating the already mistranslated articles instead of reading the page which was, after all, written in the Greek language.</p>
]]></content:encoded>
			<wfw:commentRss>http://grayhatforensics.secbible.org/index.php/2008/11/30/gst-strikes-again-this-time-in-both-english-greek/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>&#8220;Get safe online&#8221; how?</title>
		<link>http://grayhatforensics.secbible.org/index.php/2008/11/18/get-safe-online-how/</link>
		<comments>http://grayhatforensics.secbible.org/index.php/2008/11/18/get-safe-online-how/#comments</comments>
		<pubDate>Tue, 18 Nov 2008 01:10:07 +0000</pubDate>
		<dc:creator>DarkSYN</dc:creator>
				<category><![CDATA[Digital Forensics and Security]]></category>
		<category><![CDATA[CMA]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[digital forensics]]></category>
		<category><![CDATA[DoS]]></category>
		<category><![CDATA[getsafeonline]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://grayhatforensics.secbible.org/?p=26</guid>
		<description><![CDATA[Just a couple of thoughts, as I&#8217;m resting after a long long time working on my ongoing PhD and the new CSI module I&#8217;m taking&#8230;
The &#8220;Get Safe Online&#8221; (http://www.getsafeonline.com) week-long campaign by the British government began this week&#8230;
The page (and campaign) itself supposedly deals with some rather interesting questions by providing rather simplified (but ones [...]]]></description>
			<content:encoded><![CDATA[<p>Just a couple of thoughts, as I&#8217;m resting after a long long time working on my ongoing PhD and the new CSI module I&#8217;m taking&#8230;</p>
<p>The &#8220;Get Safe Online&#8221; (http://www.getsafeonline.com) week-long campaign by the British government began this week&#8230;</p>
<p>The page (and campaign) itself supposedly deals with some rather interesting questions by providing rather simplified (but ones which I think even the PC-World-certified public in this country can somewhat understand) answers&#8230;</p>
<p>Don&#8217;t get me wrong, here&#8230;I really really think it&#8217;s a good idea and a lovely way to raise the UK public&#8217;s non-existent security consciousness, devoting a whole week (I mean, come on, JUST a week??!!) (and not advertising it) to security.</p>
<p>Or, rather, it would be a good idea if the Computer Misuse Act had not recently been amended into a security-research-killer (good coverage from The Register: http://www.theregister.co.uk/2008/11/14/dos_criminalised/).</p>
<p>So, other than criminalising DoS/DDoS attacks in a knee-jerk-reaction sort of way, which is pointless (since they can&#8217;t actually find the attackers, DUH! And if, in some miraculous way, they do, they don&#8217;t have the firepower to take them on!!), they&#8217;ve also managed to criminalise genuine and legitimate network security research and network security development.</p>
<p>From The Register&#8217;s article on the Computer Misuse Act ammendments: &#8220;The Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any article which is &#8220;likely to be used to commit, or to assist in the commission of, [a hacking or unauthorised modification or DoS] offence&#8221;. It is also an offence to supply an article &#8220;believing that it is likely&#8221; to be used to commit such an offence.</p>
<p>The meaning of &#8220;article&#8221; includes any program or data. The provisions would cover the supply of DoS or virus toolkits. Anyone convicted of breaking this section of the Act could be jailed for up to two years.&#8221; (from http://www.theregister.co.uk/2008/11/14/dos_criminalised/)</p>
<p>But the Police and Justice Act 2006 (with the mods enabled) reads:</p>
<p>&#8220;</p>
<p><span id="pt5-pb2-l1g37" class="LegDS LegP1No">37</span> <span class="LegDS LegP1GroupTitle">Making, supplying or obtaining articles for use in computer misuse offences</span></p>
<p id="pt5-pb2-l1g37-l1p1" class="LegRHS LegP1Text">After section 3 of the 1990 Act there is inserted—</p>
<h5 class="LegClearFix LegP1ContainerFirst"><span id="Legislation-IDAMWMLB" class="LegDS LegP1NoC1Amend"><span id="Legislation-IDASWMLB" class="LegAmendQuote">“</span>3A</span> <span class="LegDS LegP1GroupTitleFirstC1Amend">Making, supplying or obtaining articles for use in offence under section 1 or 3</span></h5>
<p id="Legislation-IDAYWMLB" class="LegClearFix LegP2Container"><span class="LegDS LegLHS LegP2NoC1Amend">(1)</span> <span class="LegDS LegRHS LegP2TextC1Amend">A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.</span></p>
<p id="Legislation-IDACXMLB" class="LegClearFix LegP2Container"><span class="LegDS LegLHS LegP2NoC1Amend">(2)</span> <span class="LegDS LegRHS LegP2TextC1Amend">A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.</span></p>
<p id="Legislation-IDAMXMLB" class="LegClearFix LegP2Container"><span class="LegDS LegLHS LegP2NoC1Amend">(3)</span> <span class="LegDS LegRHS LegP2TextC1Amend">A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.</span></p>
<p id="Legislation-IDAWXMLB" class="LegClearFix LegP2Container"><span class="LegDS LegLHS LegP2NoC1Amend">(4)</span> <span class="LegDS LegRHS LegP2TextC1Amend">In this section “article” includes any program or data held in electronic form.</span></p>
<p id="Legislation-IDADYMLB" class="LegClearFix LegP2Container"><span class="LegDS LegLHS LegP2NoC1Amend">(5)</span> <span class="LegDS LegRHS LegP2TextC1Amend">A person guilty of an offence under this section shall be liable—</span></p>
<p id="Legislation-IDALYMLB" class="LegClearFix LegP3Container"><span class="LegDS LegLHS LegP3NoC1Amend">(a)</span> <span class="LegDS LegRHS LegP3TextC1Amend">on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;</span></p>
<p id="Legislation-IDAVYMLB" class="LegClearFix LegP3Container"><span class="LegDS LegLHS LegP3NoC1Amend">(b)</span> <span class="LegDS LegRHS LegP3TextC1Amend">on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;</span></p>
<p id="Legislation-IDA5YMLB" class="LegClearFix LegP3Container"><span class="LegDS LegLHS LegP3NoC1Amend">(c)</span> <span class="LegDS LegRHS LegP3TextC1Amend">on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.<span class="LegAmendQuote">”</span></span></p>
<p>&#8221; (http://www.opsi.gov.uk/Acts/acts2006/ukpga_20060048_en_7#pt5-pb2-l1g35)</p>
<p>So (and please correct me if I&#8217;m getting/reading this wrong!!), it&#8217;s not JUST about DoS/DDoS/Virii tools/toolkits (ummm&#8230;.eg. the ping utility???!!).</p>
<p>And, of course, this can easily, once converted into lawyerspeak (legalese) by the CPS (Crown Prosecution Service), be applied to pretty much everything under the sun, if my Legal Issues and Evidence Recovery and my CSI training taught me anything&#8230;</p>
<p>So, how would they actually trial it by fire (test the case in a court of law)? The easiest and by far the most productive way would be to nab some sort of newbie (of any age) who accidentally opened an e-mail attachment containing a virus or downloaded a bad bad <span style="text-decoration: line-through;">security</span> <span style="text-decoration: line-through;">tool</span> virus/DDoS toolkit to check their home network, vilify them, find a technically illiterate jury (dead easy, in this country), take them through the painful experience of a trial, hit them with an Anti-Social Behaviour Order (all the rage in the UK, nowadays) or some other &#8220;caution&#8221; for being a first offender (they wouldn&#8217;t actually dare to put them in prison, would they?), slap a fine on them, destroy their lives, and ZAPPO, instant case law is established!!!</p>
<p>What will this do to legitimate security research conducted by people without the backing of big security software houses? Most likely either drive them underground (VERY deep underground) or drive them out of this country&#8230; What would this do to academic research? Gods only know!</p>
<p>And, just as a reminder, these lone and unbacked legitimate security researchers are the ones who actually invent the algorithms, write the code, and test and debug the code that ultimately finds its way to the big security firms&#8217; labs and thus products&#8230; Without them, how will the public &#8220;Get safe online&#8221;? Buy a copy of a big-name brand internet security suite, install it on their Windows XP/Vista hole-ridden computers (after cleaning them up from the 999*10^100 different types of virii they contain) and be made to feel safe in their little snake-oil secure environment.</p>
<p>If my PhD wasn&#8217;t on the line, I&#8217;d sit back and have a good laugh about it. Since it is, and since I&#8217;d have to (as a DF Scientist/Investigator?) sift through legitimate security researchers&#8217; stuff to find the bad bad <span style="text-decoration: line-through;">security tool</span> virus or DoS/DDoS toolkit sometime in the future&#8230;. I will just sit back, pray to my deity it all starts happening AFTER I get my PhD, and watch the steady and unavoidable death of Network Security Research in this country in which I&#8217;ve up till now chosen to live and work&#8230;.</p>
<p>As always, flames &gt; /dev/null !</p>
]]></content:encoded>
			<wfw:commentRss>http://grayhatforensics.secbible.org/index.php/2008/11/18/get-safe-online-how/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Uberdatabase dreams and the harsh reality</title>
		<link>http://grayhatforensics.secbible.org/index.php/2008/10/10/uberdatabase-dreams-and-the-harsh-reality/</link>
		<comments>http://grayhatforensics.secbible.org/index.php/2008/10/10/uberdatabase-dreams-and-the-harsh-reality/#comments</comments>
		<pubDate>Fri, 10 Oct 2008 09:22:46 +0000</pubDate>
		<dc:creator>DarkSYN</dc:creator>
				<category><![CDATA[Digital Forensics and Security]]></category>
		<category><![CDATA[base-rate fallacy]]></category>
		<category><![CDATA[Bayesian]]></category>
		<category><![CDATA[IDS]]></category>
		<category><![CDATA[Intrusion Detection]]></category>
		<category><![CDATA[Statistical]]></category>
		<category><![CDATA[Type I errors]]></category>
		<category><![CDATA[Type II errors]]></category>
		<category><![CDATA[uberdatabase]]></category>
		<category><![CDATA[UK]]></category>

		<guid isPermaLink="false">http://grayhatforensics.secbible.org/?p=21</guid>
		<description><![CDATA[After a couple of insane weeks filled with a Progression Report to be delivered, loads of lecturing work and a nice bout of flu that has me sitting somewhat sleepless on the keyboard this lovely Friday morning, GrayHat Forensics is back.
Today&#8217;s topic? Uberdatabases: State/Country-wide government databases storing phonecall-related information (and conversations), texts, e-mail, IM messages, [...]]]></description>
			<content:encoded><![CDATA[<p>After a couple of insane weeks filled with a Progression Report to be delivered, loads of lecturing work and a nice bout of flu that has me sitting somewhat sleepless on the keyboard this lovely Friday morning, GrayHat Forensics is back.</p>
<p>Today&#8217;s topic? Uberdatabases: State/Country-wide government databases storing phonecall-related information (and conversations), texts, e-mail, IM messages, web browsing histories etc to protect their citizens from the threat of the T-word and all those other lesser evils which governments believe they can cure out of society through monitoring and witch-hunting.</p>
<p>Recently, a study by the National Research Council in the US (http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20 and http://www.theregister.co.uk/2008/10/08/us_gov_data_mining_report/) essentially stated what a large number of people in the NetSec community have been saying for a number of years: Pattern-matching/data mining to spot T-word people will not really work.</p>
<p>This comes at the same time that the UK government is making yet another big push for the full-scale interception of pretty much everything in the way of communication and storing it in an uberdatabase, as reported in The Register (http://www.theregister.co.uk/2008/10/07/detica_interception_modernisation/), after having decided it would not do so (http://www.theregister.co.uk/2008/09/25/interception_modernisation_bill/) after all.</p>
<p>The problem? The rate of false positives and false negatives, otherwise known (in statistics) as Type I and Type II errors. This Wikipedia article (http://en.wikipedia.org/wiki/Type_I_and_type_II_errors) explains the whole concept rather nicely, and has a most informative research literature backing it.</p>
<p>Essentially: Type I errors refer to the improper rejection of the null hypothesis, and Type II errors refer to the improper acceptance of the null hypothesis (http://en.wikipedia.org/wiki/Null_hypothesis).</p>
<p>So, then, trying not to turn this into either a statistics lecture or a conference paper while still passing on the gist of the whole process: in order to create a model that will fit the data in a reasonable fashion and will then be able to infer relationships and forecast future trends based on past experience (data), we need to understand the subject, formulate a sound and reasonable null hypothesis, and then sit down, study the data and the subject area and remove all non-explanatory variables (the variables which do not help us explain what we see). This leaves us with a simplified model which SHOULD (but might not, in which case it&#8217;s &#8220;back to the drawing board&#8221;) fit the data to some degree.</p>
<p>Problem in this instance is: What on earth is the null hypothesis? And what can we consider to be the explanatory variables in the model that we cannot as yet have because we don&#8217;t know the null hypothesis OR the subject area?</p>
<p>Oh, I&#8217;ll grant you, there&#8217;s any number of &#8220;experts&#8221; in the subject area we are considering, and a search on Amazon will give us a distressingly large number of &#8220;books&#8221; on the subject area&#8230;All of which are a rather complete and utter waste of time and money for those of us who have been educated and trained to sit down and work with data.</p>
<p>In his paper on the base-rate fallacy and the difficulty of intrusion detection (http://portal.acm.org/citation.cfm?id=357849), S. Axelsson compares anomaly and signature detection Intrusion Detection Systems against a Bayesian base-rate fallacy model which models the rate of occurrence of false positives/negatives. While his conclusions deal with Intrusion Detection Systems, his Bayesian base-rate fallacy model is a more-than-acceptable standard through which we can determine the effectiveness of an Intrusion Detection System. The standards this paper sets can and should be adapted to the current problem with regards to data mining and pattern analysis, and they can and should form the basis of a standard against which all these different &#8220;solutions&#8221; that aim to find the perfect model of what constitutes t-word activity are measured.</p>
<p>But to do that we need to properly and SCIENTIFICALLY (and I MEAN mathematically and statistically) define the subject area!!! And the problem here, of course, is that we really really cannot do that, because the subject area is far too abstract to be defined.</p>
<p>Result: These uberdatabases will do pretty much nothing to detect occurrences related to the subject area. Ahhh, but they (these uberdatabases) CAN &amp; WILL find other uses, extending the surveillance capabilities to include any number of extraneous things and thus do other interesting things.</p>
<p>Any network administrator of moderate intellect knows that putting all of your eggs in one basket just creates a single point of failure. So, not only will these UK and US Uberdatabases do pretty much nothing to infer and forecast T-word occurrences, but they would also be badly susceptible to abuse, and an invitingly attractive target for the real bad guys to get at.</p>
<p>Note: All those with a maths and stats background, please forgive my oversimplified explanations of Type I &amp; II problems and the statistical analysis process, but I found no better way of reducing the complexity of the subject area to allow the public to understand the whole concept without turning this into a conference paper.</p>
]]></content:encoded>
			<wfw:commentRss>http://grayhatforensics.secbible.org/index.php/2008/10/10/uberdatabase-dreams-and-the-harsh-reality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Greek &#8220;hackers&#8221; deface CERN&#8217;s LHC-related website</title>
		<link>http://grayhatforensics.secbible.org/index.php/2008/09/13/greek-hackers-deface-cerns-lhc-related-website/</link>
		<comments>http://grayhatforensics.secbible.org/index.php/2008/09/13/greek-hackers-deface-cerns-lhc-related-website/#comments</comments>
		<pubDate>Sat, 13 Sep 2008 01:24:00 +0000</pubDate>
		<dc:creator>DarkSYN</dc:creator>
				<category><![CDATA[Digital Forensics and Security]]></category>
		<category><![CDATA[CERN]]></category>
		<category><![CDATA[defacement]]></category>
		<category><![CDATA[GST]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[LHC]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://grayhatforensics.secbible.org/?p=10</guid>
		<description><![CDATA[It may surprise the audience how someone who&#8217;s forehead-deep in writing their research report under a tight deadline can find the time to keep an ear out on the whispers of the underground community, but interesting things do come out of there.
Note: I may be a Digital Forensic researcher, but I am ALSO a Network [...]]]></description>
			<content:encoded><![CDATA[<p>It may surprise the audience how someone who&#8217;s forehead-deep in writing their research report under a tight deadline can find the time to keep an ear out on the whispers of the underground community, but interesting things do come out of there.</p>
<p>Note: I may be a Digital Forensic researcher, but I am ALSO a Network Security researcher. As such, it&#8217;s my job and responsibility to know these things.</p>
<p>Such is the case of this interesting bit of news which came to the surface only today, but which I was told about a few hours after it happened&#8230;</p>
<p>Apparently, then, a Greek hacking group calling themselves Greek Security Team defaced the lxplus.cern.ch web server (mode of entry unknown at present time) and replaced the main page with a statement in the Greek language.</p>
<p>Although the IT Pro website and the Daily Telegraph posted articles on this, which can be found at http://www.itpro.co.uk/606150/cerns-lhc-network-hit-by-greek-hackers and http://www.telegraph.co.uk/earth/main.jhtml?xml=/earth/2008/09/12/scicern312.xml , they contain quite a few inaccuracies with regard to the content of the statement and the purpose of the hack.</p>
<div class="wp-caption alignnone" style="width: 468px"><a href="http://grayhatforensics.secbible.org/uploads/s3jed2dn4erowhksu2ql.png"><img title="GSTs CERN LHC hack" src="http://grayhatforensics.secbible.org/uploads/s3jed2dn4erowhksu2ql.png" alt="GSTs CERN LHC hack" width="458" height="614" /></a><p class="wp-caption-text">GST&#39;s CERN LHC hack</p></div>
<p>So, given that I despise misinformation, let&#8217;s see what they ACTUALLY said in there!!</p>
<p>Line-by-line translation:</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</p>
<p>10/09/08</p>
<p>At this time an experiment attempt is being performed in CERN.</p>
<p>The reason we chose this page is to remind you of some things.</p>
<p>It [the deface] did not happen due to a conflict between us and CERN&#8217;s system administration team but because of the expected increase in number of visitors in the page in the next few days.</p>
<p>Some data from the base:</p>
<p>[...a c/p of the process listing follows...]</p>
<p>and some e-mails:</p>
<p>[...a c/p of e-mails follows...]</p>
<p>The ** have simply been placed so that we don&#8217;t expose people who have done nothing to anger us.</p>
<p>As we stated in the preamble, we do not want to destroy either the [operating] system or the website&#8230; Our purpose is to show, through action, our reaction to a lot of &#8220;active&#8221; members of the GHS [Greek Hacking Scene] who have become arrogant (literal translation of the phrase &#8220;Καβαλήσει το καλάμι&#8221;, riding the stick) without offering anything&#8230;</p>
<p>Stupid cliques get created simply to insult and cause trouble (translated from &#8220;τραμπούκος&#8221;, insulting troublemaker, &#8220;τραμπουκίζω&#8221;, cause insult &amp; trouble) through either words or IRC channel banning of people who are not considered, by them or their flunkies, worthy of their knowledge and their image.</p>
<p>Some others, the 1337 (leet, elite) of the &#8220;scene&#8221;, only chat over cups of coffee and don&#8217;t do anything practical, as they are good at gossiping&#8230;but of &#8220;security&#8221;&#8230;what is that? we are 2600&#8230;don&#8217;t mess with us.</p>
<p>IRRELEVANT AND QUAINT!</p>
<p>Stop salivating and licking and start keyboarding! But, of course, criticising is easy especially when you have many 20-year-olds around whispering &#8220;2600&#8243;-&#8221;2600&#8243;. Get yourselves in insomnia.gr and start gossiping (literal translation of &#8220;θάβετε με μεγάλο φτυάρι&#8221;, burying people through gossiping with a big shovel)&#8230;But it will also bear the seal of GST.</p>
<p>We are everywhere&#8230;because unlike you we don&#8217;t spend our nights writing songs or &#8220;rapping&#8221; away in public squares&#8230;nor do we laugh at what we cannot touch&#8230;</p>
<p>We don&#8217;t publicly expose you (translated from &#8220;ξεβρακώνουμε&#8221;, pulling your underpants down, Greek expression) because we don&#8217;t want to see you all running like mad and naked trying to find a hiding place and because we are not like you. You should, however, expect the response when you were laughing at things you had never considered doing&#8230;but we have spent enough time dealing with a bunch of schoolkids who learned about hacking through Hollywood movies and their dumb American culture of the neo-geek who reads hacking magazines while trying to crack his girlfriend&#8217;s e-mail account to see if she&#8217;s being unfaithful and has Linux on dual-boot to pose (translated from &#8220;ψαρώνει&#8221;, Greek expression) to his mates who also read neo-hacking mania-inspired magazines.</p>
<p>The entire Greek Internet is riddled with holes&#8230;some of the biggest government sites don&#8217;t even know the term &#8220;security&#8221;&#8230;since they assign the design of their sites to irrelevant companies.</p>
<p>SECURITY IS NOT CONDUCTED BY PAY-OFFS.</p>
<p>We are everywhere&#8230;</p>
<p>We salute the real hobbyists and the fanciers of the art of computers. Some old ones who stopped because they were bored and tired not with this art but with the stuck-up attitude (translated from &#8220;κόμπλεξ&#8221;) of all those &#8220;specialists&#8221; in the field!! And the young ones who don&#8217;t say many words but work with their heads down because what they care about is knowledge, and only knowledge!!</p>
<p>Dear CERN admins we patched the biggest BUG in your webpage so it doesn&#8217;t turn into a Dork and gets defaced every day with the silliness of every wannabe hacker.</p>
<p>Don&#8217;t try to find us&#8230;We will find you&#8230;pretty soon!!!</p>
<p>Tnx Mr Server [lxplus.cern.ch]</p>
<p>_Greek Security Team_ &#8211; [.GST]</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>IMPORTANT NOTE 1: This was simply a Greek-to-English language translation of the statement. DO NOT shoot the messenger (me)!!!!</p>
<p>IMPORTANT NOTE 2: I neither condone nor share GST&#8217;s sentiments. Nor am I in the job of publishing defaced websites (e.g. like zone-h). I am only writing this because the ITPro and Daily Telegraph articles were, in my honest opinion, mistaken about what this whole defacement represented.</p>
<p>So, then&#8230; This was not about the GST warning CERN; there was no altruism involved&#8230;</p>
<p>What I can safely say (without it getting a PG rating) is that they just wanted to impress the Greek underground scene with a &#8220;high profile&#8221; hack. For the love of whichever deity you wish to name, they wrote the whole thing in the Greek language!!! Their ONLY target audience was, therefore, the Greek skiddies (script kiddies).</p>
<p>Furthermore, you will notice references to purely Greek websites and IRC servers and channels. This leads us to the conclusion that they were simply venting their spleen at their opponents, whoever those people are.</p>
<p>Clearly, then, Mr Highfield and Mr Wattanajantra, the GST group didn&#8217;t actually describe CERN&#8217;s technicians as high-school kids (I don&#8217;t remember seeing that word in the text, but I do remember GST saying they had nothing against the aforementioned technicians!). Nor did they refrain from pulling CERN&#8217;s technicians&#8217; pants down. Nor was there any political, religious, fear-filled or other such meaning in what they said. Nor did they target internal servers. It was a web server they defaced.</p>
<p>A couple of comments with regards to what those people (the GST) said, and I&#8217;m done for the night.</p>
<p>During the last few years, the Greek Hacking Underground has been plagued by what I would call &#8220;turf wars&#8221; between rival script kiddie groups/crews waged on GRNet IRC (http://www.irc.gr) channels and Greek Hacking and Security-related discussion forums. The reasons for those wars are, as always, who&#8217;s the cooler of the lot. Furthermore, these &#8220;turf wars&#8221; managed to anger the old-school generation, which ultimately resulted in bigger chaos, as all sides started fighting with each other. The old-schools told the skiddies they were lamers, the skiddies told the old-schools they were a whole lot of bad things. Some of this spilled into the outside world in the form of speech-oriented defacements.</p>
<p>It is, thus, unfortunate that CERN&#8217;s LHC webserver got hacked as a result of the aforementioned &#8220;turf wars&#8221;, but they too are responsible for the mess they found themselves in. I sincerely hope they learn from this incident and make sure to, in future, secure and patch even those servers which are at the outside tier of their network and thus visible to the public.</p>
<p>As I keep telling my students, Security and Forensics ones alike, servers on the outside of a DMZ may be less important but they too require TLC (Tender Loving Care)!!! :-)</p>
]]></content:encoded>
			<wfw:commentRss>http://grayhatforensics.secbible.org/index.php/2008/09/13/greek-hackers-deface-cerns-lhc-related-website/feed/</wfw:commentRss>
		<slash:comments>22</slash:comments>
		</item>
		<item>
		<title>Data Protection &amp; Privacy gaffes in Greece: Is it the heat?</title>
		<link>http://grayhatforensics.secbible.org/index.php/2008/08/29/data-protection-privacy-gaffes-in-greece-is-it-the-heat/</link>
		<comments>http://grayhatforensics.secbible.org/index.php/2008/08/29/data-protection-privacy-gaffes-in-greece-is-it-the-heat/#comments</comments>
		<pubDate>Fri, 29 Aug 2008 02:51:17 +0000</pubDate>
		<dc:creator>DarkSYN</dc:creator>
				<category><![CDATA[Forensics News]]></category>
		<category><![CDATA[Data-Protection]]></category>
		<category><![CDATA[Greece]]></category>
		<category><![CDATA[High-Court]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://grayhatforensics.secbible.org/?p=7</guid>
		<description><![CDATA[Preamble: In case any of you were wondering about the lack of further postings for some time now&#8230;No, I did not cancel the blog. I was merely on a 3-week holiday in Greece, after a rough couple of weeks of PhD-related work.
So, summer holidays: Sun, Sea, other-things-beginning-with-the-S-letter and some interesting bits of news from Greece.
For [...]]]></description>
			<content:encoded><![CDATA[<p>Preamble: In case any of you were wondering about the lack of further postings for some time now&#8230;No, I did not cancel the blog. I was merely on a 3-week holiday in Greece, after a rough couple of weeks of PhD-related work.</p>
<p>So, summer holidays: Sun, Sea, other-things-beginning-with-the-S-letter and some interesting bits of news from Greece.</p>
<p>For the interesting bit of news now: According to information published in the Eleftherotypia newspaper, data contained on hard drives NOT connected to the internet are now NOT considered to be personal information and therefore are NOT protected by the Greek equivalent of the Data Protection Act.</p>
<p>Mr Karoutsos, assistant judge of the high court of Greece, and responsible for the introduction of the above law, further states that (translated) &#8220;the hard drive of a computer, components and parts [of a computer] as well as electronic sound evidence found on a computer are not considered to be communication mediums&#8221;. (Article in the Greek language: http://www.enet.gr/online/online_text/c=112,id=90609728)</p>
<p>So, what can one make of this law, then? A deliberate violation of the constitutional free speech rights, or someone&#8217;s stupid idea based on lack of proper advice on technology issues? Or both?</p>
<p>First of all, exactly HOW can one ascertain without a shadow of a doubt (Greece has a non-adversarial justice system), or even with an error margin lower than 50%, that a storage medium has not been at any point in its lifetime connected to the Internet or to a Local Area Network that is itself connected to the Internet?</p>
<p>Given that all motherboards nowadays contain either a network card or a modem+network card (laptops) by default, how do we determine it has not been used, automatically placing the hard-drive within the bounds of the DPA?</p>
<p>And what of USB drives and memory cards? If the digital camera (with the memory card inside) is connected at any point in time to a computer (thereby automatically mounting itself as a separate DISK DRIVE) that has itself been at any point in time connected to the Internet, the memory card is itself &#8220;tainted&#8221; and thereby it too falls within the bounds of the DPA. USB drives are even worse, as there can be NO conclusive proof that they have not been used on an Internet-connected computer.</p>
<p>And, of course, there is that further statement of Mr. Karoutsos&#8230;.the one I quoted&#8230; Ummm, as I recall, every standard high-school textbook on Computing clearly explains how the different components of a computer &#8220;communicate&#8221;, not to mention the definition of a hard-drive, its relationship to the software called an Operating System and its role as both a transient and non-transient storage of information as a result of the act of communication.</p>
<p>Thus, exactly HOW does one PROVE a storage medium has NEVER been connected to the Internet?</p>
<p>To some degree I understand a bit of what they are trying to achieve, here, and I commend them on wanting to achieve it, given the CP cases that have cropped up and all.</p>
<p>What I do NOT understand and therefore DO NOT commend or condone is their use of such twisted logic resulting from their lack of knowledge of technology!</p>
]]></content:encoded>
			<wfw:commentRss>http://grayhatforensics.secbible.org/index.php/2008/08/29/data-protection-privacy-gaffes-in-greece-is-it-the-heat/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>The Grayhat goes to BSC2008: Experiences and thoughts</title>
		<link>http://grayhatforensics.secbible.org/index.php/2008/07/14/the-grayhat-goes-to-bsc2008-experiences-and-thoughts/</link>
		<comments>http://grayhatforensics.secbible.org/index.php/2008/07/14/the-grayhat-goes-to-bsc2008-experiences-and-thoughts/#comments</comments>
		<pubDate>Mon, 14 Jul 2008 02:08:26 +0000</pubDate>
		<dc:creator>DarkSYN</dc:creator>
				<category><![CDATA[digital forensics]]></category>
		<category><![CDATA[BSC2008]]></category>
		<category><![CDATA[grayhat]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://grayhatforensics.secbible.org/?p=5</guid>
		<description><![CDATA[Some of those of you who know me would know I&#8217;d submitted a presentation to the British Society of Criminology 2008 conference. Those of you who don&#8217;t know it, well now you do. In truth, I actually went to both the BSC2008 and the PhD conference scheduled for the day preceding the start of the [...]]]></description>
			<content:encoded><![CDATA[<p>Some of those of you who know me would know I&#8217;d submitted a presentation to the British Society of Criminology 2008 conference. Those of you who don&#8217;t know it, well now you do. In truth, I actually went to both the BSC2008 and the PhD conference scheduled for the day preceding the start of the main conference. Yes, this was the first official conference I&#8217;ve attended.</p>
<p>The trip was lovely, the conference bag not so lovely but acceptable, the accommodation (student halls of residence) acceptable but painful (there IS a reason I haven&#8217;t stayed in a hall of residence for the last 8 years!!), the schedule interesting, the other presentations equally interesting, the conversations VERY VERY interesting.</p>
<p>What was more interesting, however, was the whole experience and the thoughts it evoked.</p>
<p>Naturally, the conference (being criminology-oriented) was attended by non-geeks, specifically sociologists, psychologists, social sciences people, lawyers, police/police-related people and a whole host of others who have nothing directly to do with either Digital Forensics or Network Security. I was alone in the role of a Digital Forensic Scientist until the rest of my team showed up on Thursday, and again alone in that role after they left the same day.</p>
<p>The numerous parallel sessions had little to do with Digital Forensics, with the exception of my panel, the ID theft panel and the small cybercrime/hypercrime panel.</p>
<p>Okay, enough with the descriptions, on with the thoughts.</p>
<p>Perhaps the wisest thing I was told at that conference came from someone I spoke to at the conference dinner&#8230;I was saying that my background was computer science-oriented, so I could not be called a criminologist. But this gentleman told me that criminology also involves the issues I am dealing with in my PhD, namely the study of network attacks, network attackers and their impact on the Net and society in general; therefore, to them I am also considered to be a criminologist.</p>
<p>Interesting, as I&#8217;ve never thought of it from this perspective. Here I was, thinking I was the sole non-criminologist there, and yet I was not.</p>
<p>So, for the bad now&#8230;</p>
<p>I am NOT a politically correct person, as I consider this lip-service political correctness we have nowadays to be hypocritical and deceitful. As such, the notion of Ethics Committees annoys me. Perhaps I will get used to them as time passes, but I know I still won&#8217;t like them.</p>
<p>It was also both extremely funny and scary to see and hear how and what some people think about Digital Forensics and Network Security in there. The T-word dominated some of the presentations and discussions (either directly or by association) and that tells a story in and by itself.</p>
<p>So, all in all, the conference was a success. Presentation performed superbly, exchanged ideas, made friends and found acceptance in a field I guess I hadn&#8217;t fully realised I was also a part of, had long discussions, and even drank beer and wine (an achievement, to be sure!).</p>
]]></content:encoded>
			<wfw:commentRss>http://grayhatforensics.secbible.org/index.php/2008/07/14/the-grayhat-goes-to-bsc2008-experiences-and-thoughts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>First posting: where it all began</title>
		<link>http://grayhatforensics.secbible.org/index.php/2008/07/06/first-posting-where-it-all-began/</link>
		<comments>http://grayhatforensics.secbible.org/index.php/2008/07/06/first-posting-where-it-all-began/#comments</comments>
		<pubDate>Sun, 06 Jul 2008 15:56:31 +0000</pubDate>
		<dc:creator>DarkSYN</dc:creator>
				<category><![CDATA[Forensics News]]></category>

		<guid isPermaLink="false">http://grayhatforensics.secbible.org/?p=4</guid>
		<description><![CDATA[It began with a PhD research student teaching a module on Computer Forensics. Studying Casey under the light of a train from Sunderland to Newcastle and back, remembering the ways of the security community, preparing to teach a class of undergraduates for the first time. A Network Security PhD research student teaching Digital Forensics.
It continued [...]]]></description>
			<content:encoded><![CDATA[<p>It began with a PhD research student teaching a module on Computer Forensics. Studying Casey under the light of a train from Sunderland to Newcastle and back, remembering the ways of the security community, preparing to teach a class of undergraduates for the first time. A Network Security PhD research student teaching Digital Forensics.</p>
<p>It continued with the same PhD research student, a year later, doing a PhD in Digital Forensics &amp; Network Security, fully committing himself to the change from Network Security to Digital Forensics, a change that, he was told, was going to be difficult, as the Network Security and Digital Forensics crowds don&#8217;t mix. The courageous (insert_laugh_here) student hoped, however, to use and integrate both schools of thought to better himself and his knowledge.</p>
<p>And here we are. The PhD research student survived thus far, started publishing papers and doing presentations on Digital Forensics. The PhD is going very well, the research student is hale and hearty and the world continues revolving around itself and the sun.</p>
<p>And this blog is where the PhD research student who moved from Network Security to Digital Forensics wishes to speak his mind (within limits (0&lt;x&lt;1 for the Bayesians out there)) about the funny and sad, strange, weird, &#8220;tales from the crypt&#8221;-like scary and downright ludicrous things he finds in his journey to become a Digital Forensic AND Network Security scientist/researcher/investigator.</p>
<p>The title, GrayHat Forensics, denotes the blogged journey of this gray-hat network security researcher in the world of cyber-crime, fraud, courtrooms, and infinite cups of coffee while waiting for bespoke digital forensics toolkits to finish doing an index search! Enjoy!!</p>
]]></content:encoded>
			<wfw:commentRss>http://grayhatforensics.secbible.org/index.php/2008/07/06/first-posting-where-it-all-began/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
