By Kurt Seifried, [email protected]
Cindy looks up from her book and stares at the screen for a bit, watching EasyRecover chew through Jeff's hard drive and rebuild files. Yawning, she looks at the clock and has to wonder how much longer it will take. She gets up and leaves her office, locking the door behind herself.
Lesson #30: In the process of evidence gathering, it's a bad idea to leave anything unattended. This can break the chain of evidence, rendering it useless for a court of law. Of course, by working on the original media Cindy has already violated this principle, since she is modifying the original evidence.
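What Lesson #30 asks for in practice, as an added example that is not part of the original column: image the media first, hash both the original and the image, record the result, and then work only on the image. The function names and the custody-log layout are this example's own, and it assumes GNU coreutils (dd, sha256sum) on a POSIX shell.

```shell
#!/bin/sh
# Added example: preserve the chain of evidence by imaging before recovery.
# Assumes GNU coreutils (dd, sha256sum); function names and log layout are
# this example's own, not from any tool named in the story.

# image_evidence SOURCE IMAGE LOG
# Bit-for-bit copy of SOURCE to IMAGE, hash of both, and one tab-separated
# custody record appended to LOG. Returns 0 only if the two hashes agree.
# In real use SOURCE is a device node (e.g. /dev/sdb) behind a write blocker;
# here it is an ordinary file so the example runs anywhere.
image_evidence() {
    src="$1"; img="$2"; log="$3"

    dd if="$src" of="$img" bs=4096 2>/dev/null || return 2

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    # Record: when, who, source, image, source hash, image hash
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" \
        "$src" "$img" "$src_hash" "$img_hash" >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the hash recorded at imaging time,
# so any later modification (say, by running a recovery tool on the image
# instead of on a working copy) is caught before the image is relied upon.
verify_image() {
    img="$1"; log="$2"
    recorded=$(awk -F'\t' -v f="$img" '$4 == f { h = $6 } END { print h }' "$log")
    [ -n "$recorded" ] || return 2
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}
```

Recovery tools are then run against a further copy of the verified image, so the original and the sealed image are never modified.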
Wandering towards the cafeteria, she wonders what was on Jeff's hard drive. Hopefully the video capture board in Jeff's machine was there for a certain reason. . . . She sits down with her coffee and glances around. Where is everyone at 5 a.m.?
Andy glances up from his monitor and blinks a few times. Tapping the keyboard cautiously, he peers at the results on his monitor. A few more cautious taps, a deep breath. Hitting Print, he anxiously waits for the page to come out before grabbing it and sprinting down the hall to Cindy's office. Grasping at the doorknob he bounces off the door as it fails to open inward. He peers through the window. Cindy is gone, but her computer is still on. Spinning around, he starts running towards the cafeteria.
"Andy, you ok?" asks Cindy, gently helping Andy off of the floor.
"I, me. . . log. . . thingy. . . Jeff!"
Cindy stares at Andy. Has he hit his head hard enough to do permanent damage?
"Jeff. . . server. . . printed!" Flopping over, Andy scrambles for a sheet of paper on the floor and thrusts it in Cindy's direction.
Lesson #31: Printing out evidence is always wise.
"This can't be right, are you sure?"
Andy nods his head and flops onto a chair.
"I'm calling the police now. You should get some ice for that bruise."
Cindy heads for her office, relieved to find the door still locked and the computer still working on Jeff's files.
"Hello, Detective Bayliss?"
"Speaking."
"This is Cindy, down at ACME Corp. I think I may have found some new evidence. Could you and your partner please come down?"
"What kind of evidence?"
"I'd rather not say over an open phone line."
"OK."
An hour later a dusty white Cavalier pulls up. The two detectives emerge hastily and enter the building. After taking a few wrong turns they finally end up at Cindy's office. Knocking, Bayliss opens the door to discover Cindy wiping her eyes with a Kleenex. Startled, she composes herself and wipes the last tear away.
"Ah, hello detective. I think I found out what happened."
"Ahh, that's good. What do you think happened?"
"Well, why don't I let you watch for yourself?"
Bayliss glances at Pembleton and nods at Cindy. Hitting Enter, Cindy restarts the slide show on the computer.
"I found a work order. Jeff had a cable run from the server room camera to his office. He had it hooked up to his computer, and it stored an image once per second of the video surveillance. Now the attacker deleted all the files on Jeff's computer, but I managed to recover them, and found this."
She points at the screen and taps the bottom right-hand corner, at the time index. "It goes from Friday, for several days up until. . . until his death."
Advancing the slideshow several days, she pauses before taking a deep breath and advancing it up several more hours.
"You can see what happens next. . . ."
With morbid fascination Bayliss and Pembleton observe the stop-motion film of a short figure clad in black enter the room. Heading directly for the main tape cabinet, the intruder starts to pry the door open. After a few moments the figure wedges the crowbar between the tape cabinet and the wall, trying to move the cabinet out a bit to get a better purchase on the hinges. The figure appears frustrated, taking a few swings at the cabinet, apparently trying to knock the hinges off.
Another figure enters the room: Jeff. Standing between the intruder and the tape cabinet, he appears to be talking. The intruder takes a swing at Jeff and the hood falls backwards.
Cindy pauses the replay and takes a deep breath. "That's my niece, Samantha. I haven't seen her since before this, neither has her mother. . . ."
Starting the slideshow up again, Cindy leans back and shuts her eyes.
Bayliss takes out a notepad and jots down a few details while watching the screen. The intruder takes a swing at Jeff, hitting him in the stomach. The next frame shows him falling backwards. The next few frames are like something out of a horror film: Samantha backing up with her mouth open and the deceptively slow fall of the cabinet onto Jeff.
Samantha flees the room shortly after taking several tapes from the cabinet.
"Wow, looks like she killed him all right. I'd say that's assault with intent to harm. Have you got a description of her?"
Cindy nods and hands him a piece of paper.
"This photograph is current?"
"Yes."
"Hey, look at that. . ."
Bayliss taps the screen as another figure moves into the frame. "Who's that?"
"I don't know. I didn't watch this far the first time."
Observing the second intruder, Cindy wonders how he manages to shift the tape cabinet off of Jeff. She turns pale as Jeff's body is dragged out of the room along with several tiles.
"He must have then come into Jeff's office and deleted the files. . . but who would do this?" Cindy looks at Bayliss and Pembleton for an answer.
"Well, he also knew Jeff's passcode, and which tapes to take from the surveillance room. It looks like an inside job. You gave us a list of all employees, right?"
"Yes. Do you want the fingerprints as well?"
"Why didn't you give that to us the first time?"
"Well, we try to protect the privacy of our employees. . . ."
Taking a deep breath, Pembleton wonders about the sanity of certain ACME Corp employees. "Those fingerprints would be greatly appreciated. Is there anything else we should know?"
Cindy blinks. "Well, someone. . . that is, it looks like Jeff logged in from a remote location. We tried to trace it back but the system no longer exists. It was at the local university."
"Don't you mean the intruder?"
"No, it must have been Jeff. . . . Whoever logged in from the remote location used a fingerprint scanner to get in."
Holy floppy disks, a doppelganger in disguise? Jeff's spirit returned to haunt the IT department? A glitch in the logging server? Stay tuned!
The Ford Pinto, destined to go down in history as one of the world's most dangerous cars, could have been made relatively safe with the addition of a $5 rubber bladder for the fuel tank. With a rubber bladder, the gas tank would have been much less likely to puncture during a rear-end collision and cause the Pinto to burst into a fireball. Now in virtually every modern car there is a rubber bladder in the fuel tank.
More or less identical situations happen all the time in computer security. Protocols are insecure because they lack a simple authentication or encryption method. SNMP, for example, has earned a reputation as an extremely insecure protocol. If you read the history of SNMP, you will find that security was supposed to be built in. However, the vendors never quite got around to formalizing any standards regarding security.
Lesson #32: It's easy to make horrendous mistakes. Even with technology available for avoiding them, failure to use that technology can lead to disastrous results. There are no exceptions. This means you.
A well-lit office, full of cubicles. Oddly enough, many of the employees appear to be wearing sidearms, ranging from snubnose revolvers to .45 caliber Glocks. A tired-looking Cindy walks in behind Bayliss and Pembleton, a large carton in her arms full to the brim with printouts and hard drives. Stopping at a rather messy desk, Cindy sets the carton down on the floor.
"Cindy, this is Officer Collier. He's in our technical services branch."
Nodding, Officer Collier shakes Cindy's hand. "This is all the evidence, right?"
"Yes: Jeff's hard drive, the recreated data, printouts of access logs, and the logs on tape backup."
"OK, and how did you recreate the data on Jeff's drive?"
"I pulled his hard drive, put it in another machine and ran a data recovery program."
"Using Jeff's hard drive as the source? Or a copy?"
"Jeff's hard drive. . . ."
"Ermm. . . OK. . . we might not be able to use that in a court of law. For all we know, you created this footage to exonerate your niece."
"I did not! Besides, who accessed his account after he disappeared?"
"Maybe you did, to throw us off the trail."
"But that's impossible! Our new biometric authentication system is virtually foolproof."
Officer Collier motions for Cindy to sit down in a chair next to his desk. "Do you want coffee, tea, maybe pop?"
"No thanks. . . . I just want for all this to be solved, it's driving me nuts."
"I can understand. OK, so this biometric authentication, why are you using it?"
"Well, it's a test project. We had several break-ins due to bad passwords, and due to people not logging out when they left their computers unattended."
"Right, like this Russian hacker you say defaced your Website, or your niece Samantha getting administrative privileges by using your terminal?"
Cindy blushes and nods. "Yes, at least that's how we think she got in, and it makes sense. So we've been looking to get rid of passwords, and we decided on a combination of smartcards and biometric authentication. We decided as well that any cryptographic processing has to be done on the card. Otherwise the key would need to be copied off the smartcard, meaning it could easily be copied."
"Right, why didn't you use tokens? They are completely self-contained."
"If someone steals the token and the PIN number, or guesses it, they can get in. Plus, by requiring a special card reader on workstations, it makes it a little harder for an attacker to attempt a break-in via it."
"OK, makes sense, go on."
"So we decided to use a smartcard system that was certificate-based. This makes logging access really easy, especially with our Web-based systems, and they can also use it to sign and encrypt email easily, something tokens don't do."
Lesson #33: Tokens (CRYPTOCard, RSA, etc.) are great for authentication, and do not require a special card reader. However, they cannot be used to sign or encrypt email, whereas X.509-based smartcards can.
"OK, so this system would handle more than just authentication, then?"
"Yes. We figured we might as well kill several birds with one stone. The next problem was how to protect the certificate on the card. While it is virtually impossible to remove if you don't have the password, it is possible to put some sort of key logging software on a workstation that records the password. Then the attacker can steal the card and use it until it is revoked, which could take several days if it's over a long weekend."
"OK, so you've got smartcards with onboard cryptographic processing, and certificate creation and storage. But wouldn't it be possible for an attacker to load software on the workstation that captures the user's fingerprint when they scan their finger in to access their smartcard?"
"No, the scanner is placed on the smartcard. It's not on the reader. This makes the smartcard completely self-contained, and very hard to attack or compromise."
"So you need to scan your finger to access your smartcard?"
"Yes, and it can tell whether it's a live or dead finger." She pauses. "So it's not like the attacker could have cut off Jeff's finger, warmed it up and used it."
"Hmmm. . . . And you're sure the access came after the alleged incident where you found Jeff dead in the server room?"
"Yes, over a day afterwards. I disabled his accounts but forgot about his test administrative account. We haven't yet integrated the token system with our normal procedures."
Lesson #34: If someone figures out how to break your biometric authentication system, you must either add another level of authentication (such as a password), or replace every single biometric sensor with a better one that cannot be fooled. Never use biometrics alone to authenticate users. It will be very hard for them to change biometric "passwords": fingerprints, retinal patterns, and the rest.
"OK, so for the attacker to get in, they needed Jeff's card, a reader, and the fingerprint?"
"Yes. So it must have been Jeff that logged in! The chances of someone else having the same fingerprint or close enough are minuscule. And I talked to the manufacturer; they claim it's not breakable yet. It's driving me nuts!"
Lesson #35: Any vendor that claims its security system is 100% effective and unbreakable is lying.
"OK, let's take a look at that video footage, and the logs."
Nodding, Cindy starts pulling things out of the carton and handing them to Officer Collier.
Is Jeff a zombie? Will we ever find out the truth? You can't handle the truth!
"So that's the surveillance footage you managed to recover off of Jeff's hard drive?"
"Yes. Apparently he had maintenance install a splitter and run a second cable from the camera to his office."
"Well, at least we now know that it wasn't a murder. Of course there's still the matter of the missing body, and Samantha."
"Yes, and the intruder getting into our systems using Jeff's fingerprint, which shouldn't be possible."
"Yes, there is that. I think you should talk to Agent Moldy at the FBI."
Cindy nods and follows Officer Collier out of the room.
Deep in the wastelands of Arizona, we see Samantha entering a large cave set in a hillside. Continuing down the cave with the aid of a flashlight, she stumbles over rocks until arriving at a large steel door. Grunting, she shoves on it, and a high-pitched wail echoes down the cave as old metal is forced to move for the first time in years. Squeezing through the opening, she looks back once at the faint point of light before closing the door and continuing on in total darkness.
Samantha arrives at the end of the tunnel. Examining another metal door, she notes the undisturbed dust and spider webs with approval before hauling it open and entering. Flicking on a light switch, she closes the door and starts to beat the dust out of her clothes.
Lesson #36: If you abandon a facility, you may wish to demolish it or otherwise block access into it.
Smiling, Agent Moldy shakes Cindy's hand. "So I hear you have a weird crime?" Cindy nods and starts to tell the complete story, occasionally pausing to wipe her eyes. She winds down quietly and blows her nose. She looks exhausted.
"Well, I'll start by doing a background check on Jeff, and Samantha. Let me just fire up my computer."
Sitting down at his desk, Agent Moldy turns on a rather severe-looking Sun workstation. He points his Web browser at http://www.usshadowgovernment.com/. Clicking on the National Database, he enters Jeff's SSN and name into the appropriate fields before hitting Search.
Lesson #37: There is a US shadow government. Trust no one.
"Well, that's interesting. According to this, Jeff has a twin brother. Did he ever mention that?"
"No, no he didn't."
"Well, I'll just pull up his information, run it against the surveillance tape and see if they match."
"Uhh, isn't stuff like this illegal? I mean, how do you make sure people don't sell or steal information about other people?"
"Good question, I'm not sure."
Lesson #38: Databases with sensitive information should require strong user authentication, and log access to records. There have been cases of government and law enforcement employees selling data on people to private companies.
Agent Moldy turns back to his computer and watches the status bar slowly slide towards 100%.
"Yup, it's a match. Jeff's twin brother dragged the body away."
A rather stunned Cindy pauses before speaking. "But why did he do this? Why on earth would he go to all this trouble?"
"Well, according to Jeff's file, he's evil."
"Huh? Evil? What are you talking about?"
"This is a well-documented fact. You know how identical twins happen, right?"
"Yes, the cell splits and you get two copies."
"Right. Well, in rare cases the cell splits perfectly, but for some reason nature abhors identical copies, so in the case of DNA-identical twins, one is evil and one is good."
Cindy nods. "You're crazy."
"No, no, see, right here." Turning the screen, Agent Moldy points his finger under a text field with a single word, "EVIL."
Cindy's brain temporarily freezes up as this new and utterly strange information refuses to mesh with her version of reality. After several moments her frontal lobes submit and quietly store the data. "So you're saying Jeff was evil, and his exact twin took the body, cleaned up, and...?"
"Yes, it's well documented. The good twin wants to rid the world of the evil twin, but because they are good, they cannot kill the evil twin. So they usually start stalking the evil twin, learning what the evil twin knows, and waiting for the twin to die. Once the evil twin dies, they usually dispose of the body and assume the evil twin's place, so that people are not emotionally hurt."
Cindy gently rubs her temples. "So what you're saying is we hired an evil twin, who was killed in an accident, so his good twin disposed of the body, and will be showing up at work to take his place?"
"Exactly."
"Well, isn't that just peachy. What am I supposed to do?"
"Nothing at all, since no real crime took place, we're not too interested. I'd advise letting the good twin take his place, and get on with life."
Cindy nods, not sure what to think of this all.
Several days later at a staff meeting, Cindy and the rest pause as they hear a knock on the door. After a moment the door opens and Jeff^2 sticks his head in. "Am I interrupting anything?"
"No, not at all, we were actually just discussing the biometric system, and any possible weaknesses in it."
Jeff^2 nods. "I think it's OK. The chances of someone having an identical fingerprint are astronomically small."
Andy grins. "I agree. So I can order 4,000 units?"
"Certainly."
The End. Seriously. This is it. No more. Of course, I'll soon be starting a Unix-based series. No rest for the wicked.
Last updated on 3/23/2002
Copyright Kurt Seifried 2002