GigaTribe ChatLog Viewer released

23. August 2010 13:42

We have just written a free tool to parse GigaTribe chat logs and output the results into a friendly tab separated values (tsv) file, which can be opened using Excel to allow sorting, filtering and all of the other analytical goodies that Excel brings to the party.

Simply export the chat logs from your forensic application of choice to a folder somewhere and point “GigaView” at the folder. It’s very rapid and puts the output in a .tsv file in the same folder.

You can download a copy of this free tool from our Forensic Tools page.


Categories: Free Tools | News

Breakfast briefing

14. July 2010 09:08

Are your clients adequately prepared when security incidents occur?

At the QCC London office this morning, a small group of information security experts and corporate lawyers discussed the need for forensic preparedness, the considerations, process to follow and the pitfalls that surround legal cases involving investigations and digital forensics.

The group heard from the Information Security Officer of a major international bank about his experience of security incident investigations and the need for organisations to have a plan in place and run tests on a regular basis to keep strategies and processes up to date. “It does not make financial sense to have an in-house forensic investigator when you may only have one or two cases a year. It is significantly better to have a retainer with an external firm of forensic experts who adhere to best practice principles, have the expertise, credibility and in-depth knowledge required to present evidence to a tribunal or Court” he said. “Third party investigations provide an independence from internal company politics and add a level of integrity to the results which can help greatly when these are subject to a vigorous and robust examination by the other side”.

John Douglas, QCC Forensic Laboratory Manager, explained the forensic process in more depth and the importance of keeping the evidence ‘sound’. One of the key success factors to managing any incident is setting up relationships with vendors long before they are needed. This ensures that when things go wrong, time is not lost trying to find the right person to call to resolve the issue. The buy-in of board members to the process is also significant here. This will help ensure that management are not too focussed on the possible reputational loss arising from the incident and that the incident is handled properly. The dilemma arising from the conflict between the need to restore information to get the business running again and the need to investigate the cause to ensure it won’t be repeated was also analysed in some depth.

The breakfast discussion continued around best practice and ended with a great question and answer session looking at some specific case studies. This was our first breakfast briefing, with a great selection of food and coffee ensuring that the early morning meeting started the day on the right foot.

The next briefing will be on “Forensics in the Cloud” on the 14th of October 2010. If you’d like to attend, drop us a note to ‘contact@qccis.com’.


Categories: News

More CaseNotes Updates

8. June 2010 08:41

I’ve made a few updates to CaseNotes to fix a couple of niggling bugs. The first was an inability to display the AM/PM characters correctly in Hangul for Korean users. Rather than try to sort this out for each and every possible language/format combination, I’ve hard coded it to now record the timestamp in 24 hour format regardless of your regional settings. The date remains as it was.

I also had requests to solve an issue regarding unsaved changes. It seems that when a case is closed for whatever reason, if there are unsaved changes then there is only the option to save them; ‘yes’ or ‘no’. Several users asked that a ‘cancel’ option be added to make this process a little more flexible – this has been done.

Lastly, I’ve made a few changes to the way that files are saved and backups are created to reduce the possibility of header data being lost. This includes better feedback to indicate that CaseNotes is busy, so that the save will complete without interruption. To this end, I’ve added a new feature to validate the backup files for a case. With the case file open, choose ‘Validate Case File Backups’ and each of the backup files for your case will be opened and their integrity checked – a report will be displayed on screen and this will be written to the audit log too.

CaseNotes options

I’m making progress with the new user checklist tab, but coding the editor is proving problematic – watch this space!

I’ve been going through the contact details for everyone that I have and sorting out those of you who have said you’d be happy to beta test the next software version. I hope to get an email out to you soon giving you some information about timings and what I need to be tested. I’m especially interested in those of you working in languages other than English and with double-byte character sets.

Speak to you soon.


Categories: CaseNotes | Free Tools | News

VideoTriage updated

18. May 2010 13:31

Following a few requests, VideoTriage has been updated to add a text based audit log file to its output.

The log file will record the root folder processed, along with each filename, the playback rate and screen capture interval. Helpfully, when the long filenames typically associated with peer-to-peer networks are encountered, VT will rename these by shortening and adding in #TRUNC# to the filename to indicate it has been truncated. This is also logged in the log file.

If you have any additional requests, drop me a line at “contact” at qcc dot co dot uk.


Categories: News | Free Tools

Re-certification to ISO27001

10. May 2010 14:09

QCC Information Security is proud to announce our continued certification to the ISO27001 standard for Information Security Management. As you would imagine, we take information security very seriously and are constantly monitoring our own systems to ensure that they are as robust and effective as possible. We are totally committed to maintaining our ISO27001 accredited status now and in the future.

Early in 2007 we took a decision to invest in a project to build an ISO standard compliant Information Security Management System (ISMS) that would satisfy three core objectives: To provide an effective system for managing information on behalf of others; to ensure best practice and consistency throughout the organisation in managing information, and to demonstrate to customers, in a verifiable and industry recognised manner, that their information is protected within QCC, in turn helping them to meet demands for regulatory compliance and governance relating to information security.

Neil Hare-Brown, CEO, commented: “I am very pleased that we continue to meet the accreditation requirements of this important certification. We have always taken our responsibilities for securing sensitive information seriously, especially where customer data is concerned. Becoming and retaining ISO27001 certification is a major endorsement of our procedures and clearly demonstrates QCC's ongoing commitment in this area, as well as positioning QCC as a compliant supplier to aid customers in meeting the challenge of increasing governance in information security.”


Categories: News | SRM News

CaseNotes Updated!

4. May 2010 15:52

I’ve finally had a bit of time to fix a few annoying anomalies with CaseNotes that have been causing a few headaches for users.

This is an incremental release, so there isn’t any new functionality – just bug fixes. A list of the fixes is shown below:

  • Case file backups only made during explicit user initiated saves
  • Backup copies now stored in a dedicated sub-folder
  • Number of case file backups increased from 3 to 10
  • Greater assistance for the corrupt case file 'password' issue
  • New menu item to reset screen position data to fix maximised windows
  • Fix for Open File dialog not recognising .Notes files in Windows 7
  • New dedicated 32 & 64 bit versions

    Case file backups only made during explicit user initiated saves

    In previous versions, every time CaseNotes was closed, or whenever your case’s metadata changed, CaseNotes would save your case file. If ‘make backups’ was selected, each of those saves also made a backup copy of your case file; this was hardcoded into the program. If the case file had some level of corruption present, this meant that after three saves all of your backups would be corrupt too. Not great, so I’ve removed this function and cut it back so that backups are only created when you explicitly click the save button (or select the save menu option).

     

    Backup copies now stored in a dedicated sub-folder

    This means backup files are easier to identify and can be themselves backed up nightly or whenever.

     

    Number of case file backups increased from 3 to 10

    To add more resilience to the backup process, there will be ten unique backup files stored in the backup folder, up from the existing three.

     

    Greater assistance for the corrupt case file 'password' issue

    This is the one problem that affected users more than any other. If the header becomes corrupt, CaseNotes assumes the file is encrypted – to explain:

    What happens when CaseNotes opens a case file is that it reads the file sig (cnote or cnotr) – if the first five bytes are neither of these then CaseNotes assumes that the file is encrypted, as the file sig would be unreadable in this case. So it prompts you for the password. The usual reason that this problem occurs is if you open the case file from two separate instances of CaseNotes simultaneously. It’s very important that you only ever have one copy of each case file open at any one time. You can have as many copies of CaseNotes running as you like, but they must all be for different cases.

    Any time you have a problem, you should immediately close CaseNotes and make additional copies of the backup files before proceeding. I’ve implemented a change which displays the steps to follow whenever a password prompt appears; this should allow users to rescue the situation before all of the backup files are lost by save actions.
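
The header check described above can be reproduced outside CaseNotes to see, read-only, which backup copies still carry a readable signature before any further save overwrites them. This is an added example, not CaseNotes code: only the five-byte `cnote`/`cnotr` signatures come from the post, while the file names, the `case_was_encrypted` flag and the status labels are assumptions.

```python
"""Read-only survey of CaseNotes backup files by header signature (added example)."""
import hashlib
import tempfile
from pathlib import Path

# The post names two signatures, read from the first five bytes of the file.
KNOWN_SIGS = (b"cnote", b"cnotr")
SIG_LEN = 5


def classify_header(path, case_was_encrypted=False):
    """Classify one file the way the post says CaseNotes decides on open."""
    with open(path, "rb") as fh:          # binary, read-only: never modify the file
        head = fh.read(SIG_LEN)
    if head in KNOWN_SIGS:
        return "signature-ok"
    # CaseNotes would show a password prompt here. If the examiner knows the
    # case was never encrypted, an unreadable header can only be damage.
    # (Status labels are this example's own, not CaseNotes terminology.)
    return "encrypted-or-corrupt" if case_was_encrypted else "corrupt-header"


def sha256_of(path):
    """Hash the file so each copy can be identified before anything is changed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def survey_backups(folder, case_was_encrypted=False):
    """Return [(name, status, sha256)] for every file in folder, sorted by name."""
    rows = []
    for path in sorted(Path(folder).iterdir()):
        if path.is_file():
            rows.append((path.name,
                         classify_header(path, case_was_encrypted),
                         sha256_of(path)))
    return rows


def restorable(rows):
    """Names of the backups whose signature is still readable."""
    return [name for name, status, _ in rows if status == "signature-ok"]


def demo():
    """Survey constructed sample files; names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "case_backup_01.Notes": b"cnote" + b"constructed body A",
            "case_backup_02.Notes": b"cnotr" + b"constructed body B",
            "case_backup_03.Notes": b"\x00" * 5 + b"constructed body A",
            "case_backup_04.Notes": b"cno",   # truncated inside the signature
        }
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        return survey_backups(tmp)


if __name__ == "__main__":
    for name, status, digest in demo():
        print(f"{status:<22}{digest[:16]}  {name}")
```

Run it against a copy of the backup folder rather than the live one, and keep the recorded hashes with the case notes.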

     

    New menu item to reset screen position data to fix maximised windows

    Occasionally, CaseNotes will lose its screen position settings and disappear off the screen unless in full screen or minimised mode. I’ve created a new menu item which allows the screen data to be reset, so that CaseNotes can be restored to a normal screen position.

     

    Fix for Open File dialog not recognising .Notes files in Windows 7

    This was pretty simple to fix and required a small code change to account for new syntax for the Windows 7 open file dialog.

     

    New dedicated 32 & 64 bit versions

    I’ve now created two distinct versions of the software, so if you’re running a 64 bit operating system, you’ve got a version of CaseNotes which will interact with your system correctly.

     

    Future enhancements

    There’s a lot more on the horizon for CaseNotes – the next version should include user customisable check lists and workflow templates allowing you to use CaseNotes as a prompt for major steps in your investigations dependent upon case type, and to provide boiler plate text for various note types. I’m hoping this should be released around August and will send an email out to those who have downloaded the app and indicated I can contact them. If you’ve indicated you’d be happy to beta test, then you may get an email a bit sooner!


    Categories: News | CaseNotes

    Introduction of PIPS

    2. May 2010 10:48

    We have been working long and hard on a new way of risk modelling that allows for assets and asset groups to form a structure that is representative of the operational risk tree for a generic organisation. Enter PIPS (People, Information, Property, Systems).

    The PIPS tree (really more a root system) is a structured collection of risk model templates. These templates have been pre-configured using the Yo-Yo risk modelling technique in Blackthorn RITA.

    Each model template, for instance a generic application or building has undergone an Exposure Analysis and Cover Analysis by a subject matter expert. We have used ISO 27000 as our basis for this generic analysis.

    Users are now able to ‘clone’ the templates from the PIPS template tree and graft them into their own production PIPS tree with a simple drag-drop action. Then they simply give the asset a value and the risk exposure/cover is immediately calculated.

    The really great thing about PIPS is that the functionality of Blackthorn RITA enables calculated risk totals to be rolled up the tree, aggregating values at each common node. The result is an accurate calculation of risk at the top which represents the total risk for the organisation.

    As with all risk models, Blackthorn RITA enables risk assessors to constantly review the risk models using a vulnerability & controls-based approach. With empirical data cross-correlated from reactive activities this gives an unparalleled accuracy in real-time operational risk management.


    Categories: Blackthorn Support | News

    Infosecurity Europe: A new wave of security breaches is hitting the UK with most companies ill-prepared to deal with them

    30. April 2010 14:01

    A report released this week at Infosecurity Europe by PricewaterhouseCoopers (PwC) has claimed that a wave of security breaches is hitting UK organisations, costing them billions of pounds.

    The 2010 Information Security Breaches Survey (ISBS) claimed that this is a continuing problem, despite the fact that security remains high on management's agenda and the recession has not dampened spending on security.

    The survey found that larger organisations are being bombarded with attacks, with 62 per cent infected by a virus or malicious software in the last year, compared with 21 per cent in 2008. Sixty-one per cent had detected a significant attempt to break into their network, almost double the amount from 2008.

    Among large organisations 46 per cent said they had had staff lose or leak confidential data, while 45 per cent of confidentiality breaches were very or extremely serious. Most respondents were pessimistic about the future, with 56 per cent of large organisations and 43 per cent of smaller ones, expecting more incidents next year, back to levels last recorded in 2006.

    Chris Potter, partner of OneSecurity at PwC, said: “Almost half the organisations we polled told us they had increased their expenditure on information security in the last year and roughly the same number said they expected to spend more on it next year.

    “At the same time most organisations assess information security risks now, compared to just 48 per cent who did so in 2008. So organisations are getting better at understanding security risks in a changing business environment where a large majority of them are relying increasingly on external services hosted over the internet.

    “However, this focus is not translating into fewer breaches of security; in fact the number has risen to well over double what it was two years ago and has reached record levels for all sizes of organisation. All types of breach were on the increase and a conservative estimate is that the total cost of breaches to UK business in billions of pounds is now well into double figures.”

    Commenting, John Colley, managing director EMEA at (ISC)2, said: “The spectacular reversal of fortunes reported in the survey proves that more security controls do not necessarily add up to more control. Despite the fact that more companies are placing a high priority on security, establishing formal security policy, and even investing in more controls, the opportunities to exploit are multiplying.

    “Clearly the opportunists are being strategic; more of the same is required of their victims. With 44 per cent of companies entrusting critical services to third parties, and only 17 per cent encrypting the sensitive data held with third parties, companies are making some basic errors. Similarly, the rapid adoption of new technologies, such as VoIP and virtualisation, continues to lag the adoption of effective controls for them.

    “Many of the vulnerabilities – such as social networking behaviour – do not have a technical response so throwing more or new technology at this problem rather than common sense is not the answer. This report confirms that the pressures driving demand for information security services today speak to core business priorities that demand professional assessment. Only then will we see the strategic enterprise-level response to the risks that is required.”

    Neil Stephenson, CEO of Onyx Group, said: “This is a staggering rise in cyber crimes over a two year period. Reports of viruses affecting business will ring true for companies of all sizes, highlighting the need for an extensive and secure data recovery and back up protocols in the event of a serious cyber attack.

    “Businesses may understand how critical their data is but they need to ensure they secure this data appropriately, and put in place mechanisms to reduce the detrimental effects a security breach can cause to business operation and, ultimately bottom line. As businesses continue to rely on external organisations to host and manage their data, they need to ensure they are aware of the security risks and implement the appropriate mechanisms to prevent security hacks to their IT systems.”


    Categories: SRM News

    PCI-DSS gains more legal credibility

    30. April 2010 10:47

    Article was published on this website: http://www.mondaq.com/unitedstates/article.asp?articleid=98692

    Anyone who deals with credit card data is probably familiar with the Payment Card Industry Data Security Standard. PCI DSS requires anyone who stores, processes, or handles payment cards to meet certain technical and process requirements. Larger merchants and service providers must pass regular external security assessments, and everyone subject to PCI DSS must undergo frequent scans for technical vulnerabilities. Failure to comply with PCI DSS can lead to significant fines in the event of a data breach.


    In 2007, Minnesota became the first state to pass a law based on PCI DSS. The Minnesota law prohibits anyone conducting business in Minnesota from storing sensitive information from credit and debit cards. The law makes non-compliant entities liable for financial institutions' costs of canceling and replacing credit cards compromised in a security breach.


    Last year, when Nevada updated its encryption law, it included a requirement that anyone who does business in that state and accepts payment cards must comply with PCI DSS. On March 22, 2010, Washington became the third state to enact a law connected to PCI DSS. Washington's law is similar to Minnesota's in that it allows financial institutions to recover the costs of reissuing payment cards after a data breach. If a business fails to take reasonable care to protect against unauthorized access, and that failure is found to be the cause of a breach, then the business is liable for the cost to financial institutions of reissuing the compromised cards of Washington residents. However, a business is not liable under the new law if that business was certified as PCI DSS compliant within one year prior to the breach.


    As with most laws of this type, Washington's law applies to organizations outside its own borders. For example, a "business" is any legal or commercial entity that "provides, offers, or sells goods or services" to Washington residents and handles six million or more payment card transactions per year. The law also applies to "vendors" and "processors," the definitions of which do not include any geographic restrictions and might be expected to include anyone who would be within the reach of Washington law.


    Anyone who stores, processes, or handles credit cards has already been subject to PCI DSS requirements. Washington's new law does not appear to add any new requirements, but it does create the risk of additional costs for non-compliance. Merchants with customers in Washington who handle large numbers of credit cards now have an extra incentive to maintain PCI DSS compliance.


    Categories: SRM News

    Two-thirds of identity fraud victims blame the retailer, while 78 per cent report the incident to the police

    26. April 2010 14:09

    According to researchers from Infosecurity Europe, the average amount stolen was £1,448 per person, and 37 per cent did not get their money back from the bank.  It also found that people who lost a small amount of money would not be refunded, with 91 per cent of people who lost more than £5,000 getting their money back compared with only 41 per cent of people who lost less than £100.

    The type of organisation that most people blamed for making them vulnerable to fraud was retailers at 60 per cent, whilst only 12 per cent blamed the bank and 28 per cent said it was their own fault that they had lost money or had their identity stolen.

    Of those who had been a victim of identity fraud, 37 per cent had stopped online banking and 34 per cent stopped online shopping. In terms of reporting fraud and ID theft, 78 per cent reported it to the police, 69 per cent reported it to their bank or credit card provider and 14 per cent reported it to the retailer. Eleven per cent did not report the incident to anyone.

    The place that people said that they were most likely to have their details stolen from was online via websites or email with a quarter (27 per cent) saying that this was how they were duped, while a fifth (20 per cent) said that face-to-face transactions in shops, hotels etc was how they lost their details.

    The overall sample of people said that they trusted online banking, with 70 per cent saying that they did, 36 per cent said that they trusted websites from brands that they already knew and only 19 per cent would buy from any website.


    Categories: SRM News