Tag: Data Protection

The Defense Department just got more mobile with its classified information.

Pentagon officials announced Wednesday a new Defense mobile capability has moved out of the pilot stage and will be incorporated into agency operations.

The new capability, created through a partnership between DOD’s IT arm, the Defense Information Systems Agency, and the National Security Agency, allows users to access classified voice and data up to the secret level from anywhere in the world.

The Pentagon plans to have 3,000 users by the second quarter of fiscal 2016.

The new mobile classified capability is one piece of the Pentagon’s Joint Information Environment plan, “where our war fighters and national-level leaders can access a secure infrastructure and applications from any device, anytime, anywhere,” said Kim Rice, DISA’s mobility portfolio manager, in a statement.

The new capability will replace the Secure Mobile Environment Portable Electronic Device system, which DISA will phase out July 30. The new program, Rice said, will improve call operability and offer a new mobile device management system expected to enhance security.

Importantly, the new capability offers “a new secure mobile device” with “enhanced graphics, improved sound quality and a longer battery life than earlier pilot devices.” In other words, Pentagon users will be carrying secure mobile devices akin to commercial smartphones with some of the same features, such as cameras, GPS and Bluetooth — although they’ll be disabled for DOD use.

“This release is a big step toward being able to deliver secure mobile capabilities faster than we have ever seen before,” Rice said.

DOD officials plan to triple the number of active users in the near future.


PASSWORDS AREN’T THE PROBLEM. YOU ARE.

When you start your first day at Quartz, you get peppered with passwords.

There’s a password to log into your new Mac, which you are immediately prompted to change once you’re up and running. The new password allows you to log into your email. Once there, you are invited to join our password-protected—with double authentication—CMS. It’s not much of an exaggeration to say your first Quartz workday consists largely of password management.

I had that in mind as I helped a new hire settle in on Monday. So, I urged him—repeatedly—to take a moment and sign up for a password client that I had used to help me beat my own long-standing struggle with password amnesia: LastPass. For months, the service, which essentially creates an encrypted vault of all your passwords and protects it with a master password, had made my life much better.

Until Tuesday morning. That’s when I received and opened an email from LastPass indicating that the service had been compromised, and that some sensitive information—including email addresses and password reminders—had been taken. For its part, LastPass says its “vaults,” where users keep their passwords to various sites and applications, were not compromised.

“So no data stored in your vault is at risk,” officials said. But I still had to explain this to the guy I had convinced to use it less than 24 hours before.

A recent survey commissioned by Telesign—a company that sells two-step verification technology—found that roughly 70% of 2,000 people in the UK and US they surveyed don’t trust that their password will protect them. They shouldn’t. After all, it’s abundantly clear that we are living in an era of profound data insecurity.

I mean, Russian hackers read President Obama’s unclassified email. And just to review, over the last few months alone we’ve learned that hackers have breached not only the White House, but the IRS and the federal government’s Office of Personnel Management, where they perused—among other things—the form people fill out as they apply for security clearances.

What’s more, today we learned that the FBI is investigating front office officials from the St. Louis Cardinals in connection with hacking into the Houston Astros’ “baseball operations database.” The New York Times reports:

Investigators believe Cardinals officials, concerned that [former Cardinals executive, and current Astros general manager Jeff] Luhnow had taken their idea[s] and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

There’s a reason why hackers—whether they be associated with Red China or the St. Louis red birds—aim for passwords. Long ago, we reached the human limits of our ability to remember them. The human mind has pretty strict limitations on remembering long sequences of numbers and letters. (Essentially it’s about seven items, plus or minus two.) And they’re best remembered when they’re in familiar chunks, you know, like letters in words. This is why consumers have an average of 24 online accounts, but only about six unique passwords, according to the Telesign study.

In other words, passwords aren’t the problem. We are.

And humans will remain the problem until we get to the post-password era.

Over the next few years we’ll increasingly be authenticating ourselves not with passwords, but with our fingerprints, faces, irises, retinas, palm prints and speech patterns. But humanity still presents a profound engineering problem.

“Passwords or tokens are easy to change while it is compromised. But, biometric traits are inherent and fixed forever, that is, the biometric data is irrevocable,” wrote academics in a paper published in April.

If you think resetting your password is a pain, try resetting your fingerprint.

Engineers are addressing the problem, coming up with technologies that enable cancelable crypto-versions of our biometric data that can be reset. But I can’t help but be overcome by the suspicion that the digital world might just work a lot better if it didn’t have to put up with all these people.

Last week, millions of government employees were probably quite nervous to hear their personal data had been stolen by hackers (likely from China), who gained access to a trove of data from the Office of Personnel Management.

This week, the same office is opening up even more government employees to more risk, based on its response to the breach. OPM announced it will notify all impacted individuals by email, which makes not only the affected individuals, but also anyone else who is worried they might be affected now a ripe target for a phishing attack.

In its announcement, OPM said, “The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those federal employees impacted by the data breach.”

OPM is using a third party, CSID, to manage this communication, and has now, in essence, provided phishers with a blueprint for creating an attack. Of note, CSID does at least use DMARC, which is one good step it has taken to see how others may be spoofing its domain.

Imagine you have had any kind of interaction with the OPM in the past five years or so. You may be wondering “was I one of the ones compromised?” Soon enough, an email shows up in your inbox, notifying you that you have indeed been breached, and offering credit monitoring and identity protection services. It directs you to a website, where you provide some basic information, including your name, email address, mailing address (and maybe more) and promises the credit and ID monitoring services will start immediately.

But what if you didn’t read the email closely enough? What if it came from opmcio@cdis.com, or from opmcio@cssid.com? What if you never saw the announcement to know exactly what email address you should be looking for?

Now each of these employees has willingly handed over this information to a second group of hackers (this time, through the phishing attack), who likely have different ambitions than China. These hackers can easily keep you placated by sending you false credit report info (hey, your credit still looks great, nothing to worry about here), while destroying your actual credit.

OPM is in a difficult situation, and is trying to respond as quickly and cost effectively as possible to a massive breach affecting millions of government employees. But it must take a step back and make sure it does not cause greater harm to these employees with its follow-on actions.

Instead, OPM should send notifications via physical mail, or secured Intranet communication. OPM should also provide education to all employees on the risk of phishing attacks.

And finally, OPM should conduct thorough penetration testing of the third-party provider, CSID, to ensure that by handing this project off to another party, it’s not opening up its employees to yet another attack.
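One check a defender could place in front of such a notification, written here as an added example and not code from OPM or CSID: it compares a From: header against the announced address and flags near misses. Only opmcio@csid.com and the two misspellings come from the text above; the other sample headers are constructed.

```python
from dataclasses import dataclass

EXPECTED_SENDER = "opmcio@csid.com"  # the address OPM announced, as quoted in the article


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_header(header_from: str):
    """Return (display_name, address) from a From: header value."""
    value = header_from.strip()
    if "<" in value and value.endswith(">"):
        cut = value.rindex("<")
        return value[:cut].strip().strip('"'), value[cut + 1:-1].strip().lower()
    return "", value.lower()


@dataclass
class Verdict:
    address: str
    status: str   # "trusted", "lookalike" or "unrelated"
    reason: str


def classify_sender(header_from: str, expected: str = EXPECTED_SENDER, max_edits: int = 2) -> Verdict:
    """Only an exact match with the announced sender is trusted; near misses are flagged."""
    name, addr = split_header(header_from)
    expected = expected.lower()
    if addr == expected:
        return Verdict(addr, "trusted", "exact match with the announced sender")
    if expected in name.lower():
        return Verdict(addr, "lookalike", "display name shows the announced address but the mailbox differs")
    if "@" not in addr:
        return Verdict(addr, "unrelated", "not a well-formed address")
    local, domain = addr.rsplit("@", 1)
    exp_local, exp_domain = expected.rsplit("@", 1)
    # Compare the registrable label so csid.net is caught as well as cdis.com or cssid.com.
    dist = edit_distance(domain.rsplit(".", 1)[0], exp_domain.rsplit(".", 1)[0])
    if dist <= max_edits:
        return Verdict(addr, "lookalike", f"domain {domain} is {dist} edit(s) from {exp_domain}")
    if local == exp_local:
        return Verdict(addr, "lookalike", "announced mailbox name on an unrelated domain")
    return Verdict(addr, "unrelated", "no resemblance to the announced sender")


# Constructed sample headers: the announced address, the article's two hypothetical
# misspellings, and three further variants invented for this example.
SAMPLE_HEADERS = [
    "opmcio@csid.com",
    "opmcio@cdis.com",
    "opmcio@cssid.com",
    "OPM CIO <OPMCIO@CSID.COM>",
    '"opmcio@csid.com" <help@example.net>',
    "newsletter@example.org",
]


def triage(headers=SAMPLE_HEADERS):
    """Map each header to its verdict status, e.g. for a mail-filter rule."""
    return {h: classify_sender(h).status for h in headers}


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        v = classify_sender(h)
        print(f"{v.status:9} {h:40} {v.reason}")
```

The display-name case matters because the announced address can be shown as the sender's name while the real mailbox sits in the angle brackets.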


CHICAGO–The Chicago Department of Aviation (CDA) and U.S. Customs and Border Protection (CBP) today announced the expansion of Mobile Passport Control (MPC) to Chicago O’Hare International Airport. MPC is the first authorized app to expedite a traveler’s arrival into the United States.

Eligible travelers submit their passport information and customs declaration form to CBP via a smartphone and tablet app prior to arrival. Android and iPhone users can download the Mobile Passport app for free from the Google Play Store and Apple App Store.

“On behalf of Mayor Rahm Emanuel, the CDA is very pleased to partner with CBP to offer this innovative technology at our global gateway, O’Hare International Airport,” said Michael Boland, Acting Commissioner, CDA. “Mobile Passport Control is the latest of many new initiatives we have implemented at Chicago O’Hare that create a faster and more efficient CBP processing experience.”

“CBP is pleased to offer Mobile Passport Control as an option to expedite travelers’ entry into the United States at four of the country’s busiest international airports,” said Assistant Commissioner for Office of Field Operations Todd C. Owen. “CBP remains committed to making the international arrivals experience as traveler-friendly as possible through innovation and collaboration with stakeholders while maintaining the highest security standards.”

MPC currently offers U.S. citizens and Canadian visitors a more secure and efficient in-person inspection between the CBP officer and the traveler upon arrival in the United States. Much like Automated Passport Control (APC), the app does not require pre-approval, is free to use and does not collect any new information from travelers.

Travelers opting to use the app will no longer have to complete a paper customs declaration form and will have access to a designated MPC lane to clear customs instead of entering the traditional CBP processing lanes. As a result, travelers will experience shorter wait times, less congestion and faster processing.



How hard is it to permanently delete data?

The controversy surrounding former Secretary of State Hillary Clinton’s email has brought data destruction to the forefront of the national conversation. Clinton used a server housed at her New York residence for her personal and official emails and online communications while she was at Foggy Bottom. Lawmakers investigating the 2012 death of an ambassador in Libya have been concerned that official government emails from Clinton that might assist in the investigation were deleted, despite assurances from Clinton that she turned over all emails pertaining to government work to the State Department.

Now reports say Clinton “wiped the server,” deleting all emails. But how easy is it to permanently wipe data from servers or storage media? According to experts who were interviewed recently by the Washington Post, the congressional committee charged with investigating the U.S. ambassador’s death in Benghazi might still be able to obtain Clinton’s deleted emails – in the event they can access the server.

Provided Clinton simply hit the delete button on her emails, they probably still exist. Files are not permanently deleted when a user hits the delete button. “Instead, the pointer the computer uses to find the file is removed, and the computer treats the space on your hard drive as reusable,” explained the Post. That said, depending on how much activity takes place on the device, newly written data may overwrite the deleted items as the system reuses that space. Typically, additional steps must be taken in order to permanently delete items from a server.

If experienced experts were able to access Clinton’s server with the intention of retrieving emails, they might create a “physical forensic image,” which “creates an ‘identical, bit-by-bit, zero-by-zero copy of the original hard drive,’” the Post reported. This step is used to view the emails as they would appear in a read-only format preventing alterations. Following the physical forensic image, experts might attempt to locate and extract databases that house emails and then conduct a forensic analysis of unallocated spaces within those databases.


CIA sought to hack Apple iPhones

(Reuters) - CIA researchers have worked for nearly a decade to break the security protecting Apple (AAPL.O) phones and tablets, investigative news site The Intercept reported on Tuesday, citing documents obtained from NSA whistleblower Edward Snowden.

The report cites top-secret U.S. documents that suggest U.S. government researchers had created a version of XCode, Apple’s software application development tool, to create surveillance backdoors into programs distributed on Apple’s App Store.

The Intercept has in the past published a number of reports from documents released by whistleblower Snowden. The site’s editors include Glenn Greenwald, who won a Pulitzer Prize for his work in reporting on Snowden’s revelations, and Oscar-winning documentary maker Laura Poitras.

It said the latest documents, which covered a period from 2006 to 2013, stop short of proving whether U.S. intelligence researchers had succeeded in breaking Apple’s encryption coding, which secures user data and communications.

Efforts to break into Apple products by government security researchers started as early as 2006, a year before Apple introduced its first iPhone and continued through the launch of the iPad in 2010 and beyond, The Intercept said.

Breaching Apple security was part of a top-secret program by the U.S. government, aided by British intelligence researchers, to hack “secure communications products, both foreign and domestic” including Google Android phones, it said.

Silicon Valley technology companies have in recent months sought to restore trust among consumers around the world that their products have not become tools for widespread government surveillance of citizens.

Last September, Apple strengthened encryption methods for data stored on iPhones, saying the changes meant the company no longer had any way to extract customer data on the devices, even if a government ordered it to with a search warrant. Silicon Valley rival Google Inc (GOOGL.O) said shortly afterward that it also planned to increase the use of stronger encryption tools.


Steam chat spreading dangerous malware

Most people know not to click on suspicious links from strangers, but suspicious links from friends are more of a marginal case. Malefactors are currently using Steam, Valve’s popular PC gaming platform, to spread malware by hiding a nasty program in a supposedly innocuous screenshot that looks like it is coming from a trusted friend.

Security expert Graham Cluley shared the story, which one of his readers brought to his attention. The malware comes via Steam’s built-in chat client and, in all likelihood, will appear to come from someone you know.

If you receive a message on Steam that reads “WTF?????” and links to a JPEG image called “screenshot,” steer clear and inform your friend that he or she needs to run a virus scan posthaste. The link leads not to a strange picture, but rather to an executable SCR file.

Once clicked, the file will download and install automatically. This particular SCR file targets Steam, meaning it may be able to steal your login and financial information. At the very least, it compromises your Friends list and sends the malware-ridden “WTF” message to all of your contacts.

Worse still, only about half of antivirus programs seem capable of detecting the malware. While AVG, Malwarebytes, Kaspersky, Sophos and Symantec users are in the clear, those who rely on Microsoft, TrendMicro, Kingsoft or AegisLab are out of luck. The best solution for them would be to download the free version of AVG or Malwarebytes and run it with extreme prejudice.

This is not the first time that malware has targeted Steam users, suggesting that the platform is still not perhaps as secure as it could be. PC gamers should double-check with their friends before clicking on links that look out-of-the-ordinary.


This is how your Gmail account got hacked

It’s rare. On an average day, only nine in 1 million accounts get stolen. But when it happens, the operation is swift. These are professional criminals at work, looking through your email to steal your bank account information.

The criminals are concentrated in five countries. Most of them live in China, Ivory Coast, Malaysia, Nigeria and South Africa. But they attack people worldwide, duping them into handing over Gmail usernames and passwords.

Google has effective scans to block them and emergency options to get your account back. But criminals still manage to pull off the attacks.
Here’s some more of what Google found in its three-year study.

In the mind of a hacker

Effective scams work 45% of the time. This number sounds huge, but well-crafted scams can be convincing. They send official-looking emails requesting your login credentials. And sometimes they redirect you to a page that looks like a Google login, but it’s not.

Safety tip: Don’t ever email your username or password — anywhere. And always check the Internet address in the URL above to ensure you’re at the actual Gmail site.

They usually steal your account in less than a day. Once they have your login credentials, the average criminal hijacks your account within seven hours. For an unlucky 20%, the bad guys do it in just 30 minutes. Then they change your password to lock you out.


It’s as if a robber were to break into a bank today and stay there until Christmas before someone noticed.

That’s how long hackers had access to JPMorgan Chase’s computer system, The New York Times reported this week. If two months seems like an eternity for cyberthieves to wander through the computers of the country’s largest bank, consider that hackers have had free rein for even longer at several major retailers this past year.

Hackers resided on the computers of Neiman Marcus for five months, Home Depot for five months, arts and crafts store Michaels for eight months and Goodwill, the thrift store, for a year and a half.

That hackers were able to roam through JPMorgan’s computer network for two months is another sign that companies are struggling not only with keeping cybercriminals out, but with spotting them once they get in.

A spokesman for JPMorgan did not respond to a request for comment. The bank said earlier this month that hackers had compromised the data of 76 million households, but that no money or Social Security numbers were stolen and the bank hadn’t seen any unusual customer fraud.

The length of time that hackers reside on a computer system doesn’t always correlate to the number of people affected. The size of the company’s customer base also makes a difference. Target, for example, said 40 million customers had their payment card data compromised during an attack last fall that lasted just two weeks, while Michaels said that a much smaller number — 3 million people — were affected during its eight-month attack.

Still, the length of time of a data breach matters. Unlike real-life bank robbers who escape in minutes, digital bank robbers can take weeks or months before they gain access to the data they’re after.

“A lot of people think hacking happens overnight and the bad guys break into the network and they’re done,” said Aleksandr Yampolskiy, chief executive officer of SecurityScorecard, a cybersecurity firm. “The reality is it takes a long time.”

Hackers are able to go undetected for so long because they use numerous techniques to disguise their activities. For one, they often attack computers using malicious software that doesn’t set off alarms with anti-virus programs. And once inside, they route the data they steal through a series of intermediary computers, for example at a church or a public school, according to Yampolskiy. Such computers seem innocent to security teams, so the thieves avoid the red flags that direct communication with computers in Russia, where many hackers are based, would raise, he said.

Recovering Evidence from SSD Drives

In 2012, DFI News published an article called “Why SSD Drives Destroy Court Evidence, and What Can Be Done About It”. Back then SSD self-corrosion, TRIM, and garbage collection were little known and poorly understood phenomena. In 2014, the situation looks different. Having handled numerous cases involving the use of SSD drives and gathered a lot of statistical data, we now know things about SSD drives that allow forensic specialists to obtain information from them despite the obstacles.

SSD Self-Corrosion
The effect of SSD self-corrosion, as well as its root cause, is well covered by existing publications, including our own 2012 paper on SSD forensics. The evidence self-destruction process is triggered by the TRIM command issued by the operating system to the SSD controller at the time the user either deletes a file, formats a disk, or deletes a partition. The TRIM command only triggers the data destruction process; the data destruction itself is carried out by the separate process of background garbage collection.

In many cases the TRIM command is not issued at all. This article discusses these exclusions to gain a better understanding of the situations when deleted data can still be recovered from an SSD drive.

Deterministic Read After Trim
Experiences recovering information from SSD drives vary greatly among SSD users.

“I ran a test on my SSD drive, deleting 1,000 files and running a data recovery tool five minutes later. The tool discovered several hundred files, but an attempt to recover them returned a bunch of empty files filled with zeroes,” said one Belkasoft customer.

“We analyzed an SSD drive obtained from a suspect’s laptop and were able to recover 80% of deleted files several hours after they’ve been deleted,” said another user.

Why such inconsistency in user experiences? The answer lies in the way the different SSD drives handle trimmed data pages.

Some SSD drives implement what is called Deterministic Read After Trim (DRAT) and Deterministic Zeroes After Trim (DZAT), returning all-zeroes immediately after the TRIM command releases a certain data block, while others do not implement this protocol and will return the original data until it’s physically erased with the garbage collection algorithm.

With non-deterministic TRIM, each read command after a Trim may return different data, while with both DRAT and DZAT, all read commands after a TRIM return the same data.

As we can see, in some cases the SSD will return non-original data (all zeroes, all ones, or some other non-original data) not because the physical blocks have been cleaned immediately following the TRIM command, but because the SSD controller reports that no valid data is held at the trimmed logical address previously associated with the trimmed physical block.
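As an added example, not from either article, the following Python model ties together the two passages on deleted data: the "pointer is removed, bytes stay" behaviour described in the piece on Clinton's server, and the DRAT, DZAT and non-deterministic TRIM behaviour described here. Sector size, file names and message content are constructed, and the "ssd-nondeterministic" kind alternates between old data and zeroes on successive reads purely so that "each read may return different data" is reproducible.

```python
SECTOR = 16  # bytes per logical sector; constructed, tiny so the model stays readable


class Volume:
    """Drive model: a file table (the 'pointers') plus raw sectors. Deleting only
    removes the table entry; what the sectors read back afterwards depends on the
    media kind: 'hdd', 'ssd-drat', 'ssd-dzat' or 'ssd-nondeterministic'."""

    def __init__(self, sectors, kind="hdd"):
        self.kind = kind
        self.media = [bytes(SECTOR)] * sectors  # physical platter/flash contents
        self.table = {}                          # file name -> list of sectors
        self.trimmed = set()                     # TRIMmed, not yet garbage-collected
        self.flip = {}                           # per-sector toggle for the ND case

    def free_sectors(self):
        used = {s for lst in self.table.values() for s in lst}
        return [s for s in range(len(self.media)) if s not in used]

    def write(self, name, data):
        chunks = [data[i:i + SECTOR].ljust(SECTOR, b"\0") for i in range(0, len(data), SECTOR)]
        free = self.free_sectors()
        if len(chunks) > len(free):
            raise OSError("volume full")
        for s, chunk in zip(free, chunks):
            self.media[s] = chunk
            self.trimmed.discard(s)  # a rewritten sector holds valid data again
        self.table[name] = free[:len(chunks)]

    def delete(self, name):
        sectors = self.table.pop(name)  # the pointer goes; the bytes stay for now
        if self.kind != "hdd":
            self.trimmed.update(sectors)  # the OS issues TRIM for the released blocks

    def garbage_collect(self):
        """Background garbage collection physically erases trimmed blocks."""
        for s in self.trimmed:
            self.media[s] = bytes(SECTOR)
        self.trimmed.clear()

    def read_sector(self, s):
        """What a forensic imager gets when it reads logical sector s."""
        if s not in self.trimmed:
            return self.media[s]
        if self.kind == "ssd-dzat":
            return bytes(SECTOR)           # deterministic zeroes after TRIM
        if self.kind == "ssd-drat":
            return b"\xff" * SECTOR        # deterministic, but not the old data
        self.flip[s] = not self.flip.get(s, False)  # non-deterministic: alternates per read
        return self.media[s] if self.flip[s] else bytes(SECTOR)

    def image(self):
        """Bit-for-bit copy of every logical sector, like a physical forensic image."""
        return b"".join(self.read_sector(s) for s in range(len(self.media)))


def carve(image, marker=b"From: "):
    """Count e-mail header fragments anywhere in the image, allocated or not."""
    return image.count(marker)


MESSAGE = b"From: alice@example.test\nSubject: travel schedule\n"  # constructed content


def deleted_mail_recoverable(kind, overwrite=False, gc=False):
    """Delete a message, optionally overwrite or garbage-collect, then image and carve."""
    vol = Volume(sectors=8, kind=kind)
    vol.write("mail.eml", MESSAGE)
    vol.delete("mail.eml")
    if overwrite:
        vol.write("notes.txt", b"X" * 64)  # new data lands on the freed sectors
    if gc:
        vol.garbage_collect()
    return carve(vol.image()) > 0


def repeated_reads_agree(kind):
    """True when two successive images of the same drive are identical."""
    vol = Volume(sectors=8, kind=kind)
    vol.write("mail.eml", MESSAGE)
    vol.delete("mail.eml")
    return vol.image() == vol.image()
```

On the "hdd" kind the carved header survives deletion until new data reuses the sectors; on "ssd-dzat" the imager gets zeroes immediately, matching the Belkasoft customer's "empty files filled with zeroes", while the non-deterministic kind still yields the original bytes on some reads until garbage collection runs.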