Into The Boxes: Issue 0×1

It is time for the second edition of Into The Boxes – Digital Forensics and Incident Response Magazine.

This time we have contributions from Scott Burkhart and Chris Pogue. This is another diverse issue covering a wide range of digital forensic and incident response topics. More specifically:

MAC Box: Introduction to Plist Files by Scott Burkhart

Want to know how OS X maintains its configurations? Scott Burkhart breaks down the .plist configuration files and how they can be used during data analysis.

Squawk Box: The Simple Truth – Chris Pogue

Chris Pogue provides us some insights into the world of PCI breach incident response.

Software Box: Poorcase: Split Image Reconstruction – Don C. Weber

Richard Harman has released a new tool for combining split images for data analysis with tools that cannot inherently handle split images.

Windows Box: Registry Analysis and Geolocation – Harlan Carvey

Harlan Carvey explains how Windows Registry analysis can be leveraged to perform geolocation and establish information about the different physical locations where a system has been used.

Hardware Box: Super DriveLock Review – Don C. Weber

Don C. Weber reviews Intelligent Computer Solutions’ Super DriveLock, a multi-interface write blocker which can be used in a digital forensic tower or taken on the road.

As always, please let us know how you feel and provide us with recommendations and article submissions for future ITB efforts. We look forward to your comments and blog posts about these subjects.

Go forth and do good things,

Don C. Weber

4 Responses to “Into The Boxes: Issue 0×1”

  1. I stumbled here through a response on one of the NetworkWorld articles on the Heartland data breach. Still reading through the issue, but of course jumped to Chris’s article on PCI. While I understand the basic scope of the article was to point out the simple “oversights” of many end-user companies, I am glad that it pointed out that PCI does not impose fines on Level 4 companies, as well as the nonchalant attitude from many of these vendors that if there is no penalty, then “why bother?”. I would be interested in articles actually digging into PCI and even the PA-QSA certified partners/companies on why there are not penalties in place, and what the future holds for these companies who are not compliant. Furthermore, I’d like to see PCI and QSAs take a more proactive stance on security in their audits.
    For example, I know of one software that is quite exploitable locally (I have not tried remote execution), in which a simple connection to the database and a couple of keystrokes invalidates their encryption. After this, it takes a few minutes to grab hundreds of unencrypted card numbers along with expiration dates. Upon notification to PCI, they presented the attitude that if the software is not storing magnetic/track data, or CVM codes, then who cares. This software repeatedly passes PCI Assessment (via Trustwave, ironically), as well as PABP.
    It just seems that this “Who Cares” attitude is from the top to the bottom when it comes to security in this industry. It also seems that the decision makers always seem to be the guys that don’t really know about computers, programming or security (as Chris points out in the article), but rather the guys that care about the bottom dollar. And if they can make the buck and sweep something under the rug, then go for it.
    While I agree that PCI is a good thing, it’s merely a start … that’s taking way too much time evolving in a fast-paced technological world. I’d like to see more pressure on them starting with some real security standards from the top, and passing it on to the QSAs. If a company wants to be a processing software vendor, they need to pass security and maintain updated technology as well as the few simple rules that started out as CISP. And this responsibility should continue on to POS integrators and end-users as well. Non-compliance should warrant a severe suspension, and if repeated, revoked privilege of using electronic payments, indefinitely.

    Just my thoughts. I am enjoying the issue so far and will continue to follow it. Keep up the good work!

    Cheers,
    –D

  2. Patrick Says:

    The footer still says Issue 0×00 in issue 0×01.

    • cutaway Says:

      @Patrick,

      Yes, thank you. Perhaps this typo will make the issue more valuable in the future. Now that I have two issues out I can start a “pre-release checklist.”

      Go forth and do good things,
      Don C. Weber

  3. @Donny – It’s really a sad state. Like I pointed out and you discussed, there is really no impetus for anyone to change anything within their organizations until there is a problem. At which time, they grumble to their IT folks and ask them why they haven’t done anything until now. I see it all of the time and it irritates me to no end. You can’t help but feel sorry for these poor IT folks who are treated as the scapegoat for senior management’s lack of understanding and lack of decision making (Wait…they DID make a decision, didn’t they? They chose to do NOTHING about it).

    The only part that seems to need correction is that there ARE indeed fines assessed on level 4 merchants. Granted they are much lower, but they still get fined. If I misrepresented that in my article, I apologize. The point is that the fines can and usually are not anywhere near those imposed on larger organizations, and that often the Merchant bank or processor steps in and helps out. But I think anyone who has done PCI forensics in the past few years has seen some of these smaller shops literally close their doors because the cost of business is simply too great.

    Very sad.
