Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Major Variola (ret)
Quoth Thomas Shaddack [EMAIL PROTECTED]

> > Obvious lesson: Steganography tool authors, your programs
> > should use the worm/HIV trick of changing their signatures
> > with every invocation.  Much harder for the forensic
> > fedz to recognize your tools.  (As suspicious, of course).
>
> It should be enough to do that at the installation time. The adversary in
> this model gets to analyze the file only once, and we want to make sure
> that nobody tampered with the file as a protection against other, more
> active threat models. What we want is to have a file and its hash, so we
> can make sure the file content is unchanged, but the hash has to be as
> globally-unique as possible.
>
> > The NIST CDROM also doesn't seem to include source code amongst its
> > sigs, so if you compile yourself, you may avoid their easy glance.
>
> A cool thing for this purpose could be a patch for gcc to produce unique
> code every time, perhaps using some of the polymorphic methods used by
> viruses.
>
> Just adding a chunk of data to make the hash unique will work against the
> current generation of the described tools. But we should plan for the
> future, what moves the adversary can make to counter this step.


Dear TS: you have very good ideas.




Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Sunder
On Fri, 13 Aug 2004, Morlock Elloi wrote:

> The purpose would be that they do not figure out that you are using some
> security program, so they don't suspect that noise in the file or look for
> stego, right?
>
> The last time I checked the total number of PDA programs ever offered to public
> in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be
> trivially checked for. Any custom-compiled executable will stand out as a sore
> thumb.

How? Not if you get something like a Sharp Zaurus and compile your own
environment.  Hey, I want to get as much performance out of this shitty
little ARM chip as I can.

> You will suffer considerably less bodily damage inducing you to spit the
> passphrase than to produce the source and the compiler.

What makes you think they'll have enough of a clue as to how to read the 
files off your PDA without booting it in the first place?  99% of these 
dorks use very expensive automated hardware tools that do nothing more 
than dd your data to their device, then run a scanner on it which looks 
for well known jpg's of kiddie porn.  

If you're suspected of something really big, or you're middle eastern,
then you need to worry about PDA forensics.  Otherwise, you're just
another geek with a case of megalomania thinking you're important enough 
for the FedZ to give a shit about you.
 
> Just use the fucking PGP. It's good for your genitals.

And PGP won't stand out because ?


--Kaos-Keraunos-Kybernetos---
 + ^ + :Our enemies are innovative and resourceful, and so are we.  /|\
  \|/  :They never stop thinking about new ways to harm our country /\|/\
--*--:and our people, and neither do we. -G. W. Bush, 2004.08.05 \/|\/
  /|\  : \|/
 + v + :War is Peace, freedom is slavery, Bush is President.
-



Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Sunder
Right, in which case GPG (or any other decent crypto system) is just fine,
or you wouldn't be looking for stego'ing it inside of binaries in the
first place.


On Fri, 13 Aug 2004, Thomas Shaddack wrote:

> In the world of industrial espionage and divorce lawyers, the FedZ aren't
> the only threat model.



Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Morlock Elloi
> A cool thing for this purpose could be a patch for gcc to produce unique
> code every time, perhaps using some of the polymorphic methods used by
> viruses.

The purpose would be that they do not figure out that you are using some
security program, so they don't suspect that noise in the file or look for
stego, right?

The last time I checked the total number of PDA programs ever offered to public
in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be
trivially checked for. Any custom-compiled executable will stand out as a sore
thumb.

You will suffer considerably less bodily damage inducing you to spit the
passphrase than to produce the source and the compiler.

Just use the fucking PGP. It's good for your genitals.


=
end
(of original message)

Y-a*h*o-o (yes, they scan for this) spam follows:






Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Thomas Shaddack

On Fri, 13 Aug 2004, Sunder wrote:

> If you're suspected of something really big, or you're middle eastern,
> then you need to worry about PDA forensics.  Otherwise, you're just
> another geek with a case of megalomania thinking you're important enough
> for the FedZ to give a shit about you.

In the world of industrial espionage and divorce lawyers, the FedZ aren't 
the only threat model.



Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Thomas Shaddack

On Fri, 13 Aug 2004, Tyler Durden wrote:

> And it seems to me to be a difficult task getting ahold of enough photos
> that would be believably worth encrypting.

Homemade porn?



Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Tyler Durden
Sunder wrote...

> And PGP won't stand out because ?

Just wondering. Is it possible to disguise a PGP'd message as a more weakly 
encrypted message that then decrypts to something other than the true 
message?

OK...perhaps we stego an encrypted message, then encrypt that photo using 
something weaker.

Not like they haven't already thought of that, though. And it seems to me to 
be a difficult task getting ahold of enough photos that would be believably 
worth encrypting.

-TD

From: Sunder [EMAIL PROTECTED]
To: Morlock Elloi [EMAIL PROTECTED]
CC: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Re: Forensics on PDAs, notes from the field
Date: Fri, 13 Aug 2004 14:11:36 -0400 (edt)
> On Fri, 13 Aug 2004, Morlock Elloi wrote:
>
> > The purpose would be that they do not figure out that you are using some
> > security program, so they don't suspect that noise in the file or look for
> > stego, right?
> >
> > The last time I checked the total number of PDA programs ever offered to public
> > in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be
> > trivially checked for. Any custom-compiled executable will stand out as a sore
> > thumb.
>
> How? Not if you get something like a Sharp Zaurus and compile your own
> environment.  Hey, I want to get as much performance out of this shitty
> little ARM chip as I can.
>
> > You will suffer considerably less bodily damage inducing you to spit the
> > passphrase than to produce the source and the compiler.
>
> What makes you think they'll have enough of a clue as to how to read the
> files off your PDA without booting it in the first place?  99% of these
> dorks use very expensive automated hardware tools that do nothing more
> than dd your data to their device, then run a scanner on it which looks
> for well known jpg's of kiddie porn.
>
> If you're suspected of something really big, or you're middle eastern,
> then you need to worry about PDA forensics.  Otherwise, you're just
> another geek with a case of megalomania thinking you're important enough
> for the FedZ to give a shit about you.
>
> > Just use the fucking PGP. It's good for your genitals.
>
> And PGP won't stand out because ?



Re: Forensics on PDAs, notes from the field (your teenage son's homemade porn)

2004-08-13 Thread Major Variola (ret)
At 10:07 PM 8/13/04 +0200, Thomas Shaddack wrote:
> On Fri, 13 Aug 2004, Tyler Durden wrote:
>
> > And it seems to me to be a difficult task getting ahold of enough photos
> > that would be believably worth encrypting.
>
> Homemade porn?

Your 16 year old son's homemade porn.

[google on Heidl & rape; a deputy sheriff's teen son makes a porn movie
with a passed out teen and gets busted]





Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Major Variola (ret)
At 01:46 PM 8/13/04 -0400, John Kelsey wrote:
> From: Major Variola (ret) [EMAIL PROTECTED]
> > Obvious lesson: Steganography tool authors, your programs
> > should use the worm/HIV trick of changing their signatures
> > with every invocation.  Much harder for the forensic
> > fedz to recognize your tools.  (As suspicious, of course).
>
> I would have thought the obvious lesson was to keep all your important
> work on an encrypted disk partition, with a good password and a high
> iteration count.  This is true not just for criminals and terrorists,
> but for anyone who doesn't want the information on their hard drive
> read by anyone who happens to steal their computer.

If you include PDA & Cellphone as computer, or include flash eeprom as a
hard drive, then we agree.

Most Persons of Interest will have secrets on their mobile gizmos (which
use flash memory) as well as their PC's spinning disks. Sync'ing the
PDA + PC means the security boundary includes them both.

The important lesson is that all your gizmos will be seized and
analyzed.  And that the world needs good Linux-based-PDA &
flash-mem-compatible security tools.
And don't forget the epoxy...







Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Major Variola (ret)
> On Fri, 13 Aug 2004, Thomas Shaddack wrote:
> > In the world of industrial espionage and divorce lawyers, the FedZ
> > aren't the only threat model.

At 03:06 PM 8/13/04 -0400, Sunder wrote:
> Right, in which case GPG (or any other decent crypto system) is just
> fine, or you wouldn't be looking for stego'ing it inside of binaries in
> the first place.

I don't think Sunder grasps how much fun divorce lawyers can be.

So, Mr. Smith, what *do* you hide with your crypto tools?   And why
won't you let the court examine the plaintext in camera, if your
content is so benign?   (Or are your ex-wife's accusations true?)

Also, public schools prohibit the use of encryption.  No kidding.

And finding a crypto tool on a .mil slave's personal machine may be
indicting evidence, given their lack of civilian legal processes, when
accused by their own.

Since mere possession of lockpick tools is criminal, do you really
think you can possess crypto tools freely?







Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Major Variola (ret)
At 02:11 PM 8/13/04 -0400, Sunder wrote:
> If you're suspected of something really big, or you're middle eastern,
> then you need to worry about PDA forensics.  Otherwise, you're just
> another geek with a case of megalomania thinking you're important
> enough for the FedZ to give a shit about you.

Perhaps you're a geek working for people who think they're important
enough?

In any case, it's not just the FedZ; the locals send the tricky shit to
the FedZ if they don't have the LabZ.   Same as with arson, poisonings, etc.
So we all fall under the same logic-analyzer-panopticon.







Re: Forensics on PDAs, notes from the field

2004-08-12 Thread Thomas Shaddack

On Wed, 11 Aug 2004, Major Variola (ret) wrote:

> Obvious lesson: Steganography tool authors, your programs
> should use the worm/HIV trick of changing their signatures
> with every invocation.  Much harder for the forensic
> fedz to recognize your tools.  (As suspicious, of course).

It should be enough to do that at the installation time. The adversary in 
this model gets to analyze the file only once, and we want to make sure 
that nobody tampered with the file as a protection against other, more 
active threat models. What we want is to have a file and its hash, so we 
can make sure the file content is unchanged, but the hash has to be as 
globally-unique as possible.

> The NIST CDROM also doesn't seem to include source code amongst its
> sigs, so if you compile yourself, you may avoid their easy glance.

A cool thing for this purpose could be a patch for gcc to produce unique 
code every time, perhaps using some of the polymorphic methods used by 
viruses.

Just adding a chunk of data to make the hash unique will work against the 
current generation of the described tools. But we should plan for the 
future, what moves the adversary can make to counter this step.


Then there's the matching of date/time of the files to real-life events. 
Perhaps a countermeasure could be a modified vfat filesystem which 
assigns free clusters randomly instead of sequentially (on a solid-state 
medium fragmentation does not matter), which avoids the reconstruction of 
the file saving order by matching the position of their clusters (for the 
price of making undelete difficult), and an absence of timestamps 
(01-01-1970 is a nice date anyway).

The file delete function in the filesystem driver can be modified to file 
overwrite-and-delete, for the price of higher wear of the FlashEPROM 
medium.

Linux-based (and open-architecture in general) PDAs should offer much 
higher thug-resistance.



Forensics on PDAs, notes from the field

2004-08-12 Thread Major Variola (ret)
Saint John of Cryptome has a particularly tasty link to
http://csrc.nist.gov/publications/drafts.html#sp800-72
which describes the state of the art in PDA forensics.

There is also a link to a CDROM of secure hashes of
various benign and less benign programs that the
NIST knows about.  Including a list of hacker programs.
Including stego.   Pigs use this to discount commonly-distributed
software when analyzing a disk (or, presumably, your PDA's
flash).  See http://www.nsrl.nist.gov/
also http://www.nsrl.nist.gov/Untraceable_Downloads.htm

Obvious lesson: Steganography tool authors, your programs
should use the worm/HIV trick of changing their signatures
with every invocation.  Much harder for the forensic
fedz to recognize your tools.  (As suspicious, of course).

The NIST CDROM also doesn't seem to include source
code amongst its sigs, so if you compile yourself, you may avoid their
easy glance.

Notes from the Field:
My paper & image handling keiretsu job has a fellow working
on secure Linux disk-drive delete --even if you pull the plug, on power
up it finishes the job.   Nice.  Thank you, HIPAA, banks, etc.
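The NSRL-style known-file check described above, together with the counter-move Shaddack anticipates in his reply (a chunk of data appended so the hash no longer matches), as an added Python example that is not from the thread or from NIST: a whole-file hash only catches exact copies, while piecewise (per-block) hashing still relates an appended copy to its known original. The block size, tool name and sample bytes are constructed for illustration.

```python
import hashlib

BLOCK = 4096  # piecewise-hash block size; an assumption for this example


def whole_and_piecewise(data: bytes):
    """Whole-file SHA-1 (what an NSRL-style record stores) plus per-block SHA-1s."""
    whole = hashlib.sha1(data).hexdigest()
    blocks = [hashlib.sha1(data[i:i + BLOCK]).hexdigest()
              for i in range(0, len(data), BLOCK)]
    return whole, blocks


def build_known_set(named_files):
    """Index a dict {name: bytes} of software the examiner already knows about."""
    return {name: whole_and_piecewise(data) for name, data in named_files.items()}


def classify(data: bytes, known, threshold=0.5):
    """Return ('known', name), ('variant', name, score) or ('unknown',)."""
    whole, blocks = whole_and_piecewise(data)
    for name, (kwhole, _) in known.items():
        if whole == kwhole:          # exact hit: the whole-file check the thread describes
            return ("known", name)
    best_name, best_score = None, 0.0
    for name, (_, kblocks) in known.items():
        kset = set(kblocks)
        score = sum(b in kset for b in blocks) / max(len(blocks), 1)
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= threshold:      # most blocks unchanged: an appended or lightly patched copy
        return ("variant", best_name, round(best_score, 2))
    return ("unknown",)


# Constructed sample "binaries" (not real tools): three 4 KiB blocks each.
KNOWN_TOOL = bytes(range(256)) * 48                              # 12288 bytes
TAMPERED = KNOWN_TOOL + b"\x00" * 100                            # same tool, chunk appended
CUSTOM = hashlib.sha256(b"constructed custom build").digest() * 400

KNOWN = build_known_set({"stego-tool-1.0": KNOWN_TOOL})

if __name__ == "__main__":
    for label, blob in (("original", KNOWN_TOOL), ("appended", TAMPERED), ("custom", CUSTOM)):
        print(label, classify(blob, KNOWN))
```

The appended copy fails the whole-file match but shares three of its four blocks with the indexed original, so it is reported as a variant rather than as unknown; a genuinely custom build shares none and stays unknown.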