Thursday, April 20, 2006

The anti virus industry's panacea - a virus recovery button

Just when I thought I'd seen everything when it comes to malware, I was proven wrong: a PC vendor is desperately trying to position itself as one offering a feeling of security, with the idea of stripping down its product and lowering the customer price. The other day I came across a fancy ad featuring Lenovo's ThinkVantage Virus Recovery Button, promoting its usefulness even when there's no AV solution in place:

"Rescue and Recovery is a one button recovery and restore solution that includes a set of self recovery tools to help users diagnose, get help and recover from a virus or other system crashes quickly, even if the primary operating system will not boot and you are remote from your support team."





The video ad is indeed fascinating, and while their Embedded Security Subsystem 2.0 "locks your sensitive data behind hardware-based encryption", you'd better take advantage of their utilities options and try to avoid such a weak positioning with respect to malware. The Virus Recovery Button seems to be directly targeting the masses and totally removing the complexity issue by introducing a button-based solution to malware -- dangerous, as backups and the idea behind them could have proven useful during the first generations of malware.

Anti-virus signatures, response time, and various other proactive malware prevention approaches such as IPS and buffer overflow protection are among today's most widely discussed approaches to dealing with malware, along with, of course, the principle of least privilege for user accounts. But why an anti-virus button when it could just as well be an anti-hacker one? I feel they'd better stick to their OEM agreements and find other ways to achieve a competitive advantage in pricing than providing a false sense of security.

In my recent "Malware - future trends" research I mentioned the fully realistic scenario of having your security solution turn into a security problem itself. While this is nothing new, in this case we have a misjudged security proposition: recovering to a pre-infection state doesn't necessarily mean the confidentiality of sensitive personal/financial information hasn't already been breached by the time the user becomes aware of the infection, if that ever happens, of course.

Moreover, Lenovo was recently under scrutiny as "The U.S.-China Economic Security Review Commission (USCC) argues that a foreign intelligence like that of the Communist Party of China (CPC) can use its power to get Lenovo to equip its machines with espionage devices. Lenovo has strongly declined that it is involved in any such activities", and while a consensus was eventually reached on using the machines on unclassified systems only, that doesn't mean they aren't exposed to a wide variety of threats going beyond China backdooring them, such as Zotob spreading over border-screening systems at airports.

As a matter of fact, the rival PC/notebook propositions might still be owned by U.S. companies, but they are mostly assembled in China these days -- too much hype for nothing.

UPDATE - Sites that picked up the post

LinuxSecurity.com
MalwareHelp.org






Digital forensics - efficient data acquisition devices

Digital forensics has always been a hot market segment, while the need for a reliable network-based forensics model, given the Internet's main insecurities such as source address spoofing and the lack of commonly accepted security event reporting practices, is constantly growing as well. Information acquisition, analysis and interpretation in the most reliable and efficient way is often among the desired outcomes -- and of course figuring out what has been happening at a given historical moment in time, or in real time if applicable.

In a previous post, "Detecting intruders and where to look for", I mentioned lots of resources regarding the topic, and tools to take advantage of if in need. With respect to cell phones and various related privacy issues, leaving aside the physical forensic analysis that could be successfully performed, there's a growing discussion on whether a "suspect's" physical location should be revealed through a mobile-phone carrier -- segmented requests are the most efficient and socially conscious ones, I think.

Today I came across the "Logicube CellDEK", a portable handset data extraction kit:

"The portable CellDEK® acquires data from over 160 of the most popular cell phones and PDAs. Built to perform in the field (not just in the lab), investigators can immediately gain access to vital information. This saves days of waiting for crucial data to come back from a crime lab. The CellDEK software automatically performs forensic extraction of the following data: Handset Time and Date, Serial Numbers (IMEI, IMSI), Dialed Calls, Received Calls, Phonebook (both handset and SIM), SMS (both handset and SIM), Deleted SMS from SIM, Calendar, Memos, To Do Lists, Pictures, Video, and Audio."

Nothing surprising, as there are many other freeware applications/ways to do cell phone forensics (a full list can be found at Sergio Hernando's blog), but what impressed me was its usefulness in covering over 160 models, its portability given its size and capabilities, and that up to 40 adapters may be stored in the system's built-in rack. Some challenges I see for today's forensic investigators are the sophistication of publicly available encryption/steganographic tools, the Internet acting as an online HDD and opening up opportunities for dead drops, and communications that went over covert channels.

On my wishlist, however, has always been the company's Forensic MD5, as it basically "swallows" data in a timely manner -- a bad toy in the hands of an insider going beyond average types of removable media, in moments where minutes count. As a matter of fact, a forensic investigator's sophistication and expertise doesn't really count for much when the Mafia is still catching up on how to encrypt. Still, I'm convinced that some of his "operatives" are into far more sophisticated methods of communication than he is.

Check out some more resources and case studies on the topic as well:

How to Become a Cyber-Investigator
SANS Reading Room - Forensics
Digital Forensics Tool Testing Images
Computer Forensics for Lawyers
Forensic Analysis of the Windows Registry
Forensic Computing from a Computer Security perspective
Guidelines on PDA Forensics
Forensic Examination of a RIM (BlackBerry) Wireless Device
WebMail Forensics
iPod Forensics
Digital Music Device Forensics
Forensics and the GSM mobile telephone system
List of Printers Which Do or Don't Print Tracking Dots
Metasploit Anti-forensics homepage



UPDATE - Sites that picked up the story

LinuxSecurity.com


