The very strange story of an old mobile phone

It is spreading like a small smouldering fire over the internet: criminals pay big money for your old Nokia 1100 mobile phone. They only seem to be interested in Nokia 1100s from 2001 or 2002, and they have to be manufactured in Germany (to be more precise: in Bochum). The news was released by the ‘company’ UltraScan on Saturday 18 April 2009 and the original press release can be read on the UltraScan website. All the media coverage on the subject made me think of the following.

The press release states that the criminals use these phones to capture SMS messages with TAN codes (one time passwords to sign an online banking transaction) of online banking systems. But it does not give any proof for these claims.

How would this work? The attacker would need your login credentials for the online banking website and your mobile phone number. For a lot of people the mobile phone number can of course be found on the social networks, but then they still need your credentials. They can not retrieve your mobile phone number from the online banking website, as this is – at least at the Dutch ING bank – partly obscured and can not be changed online without a letter being sent to your postal address to confirm the change. The attackers need quite some information about you before they can target you with this kind of attack. Capturing TAN codes is just a small part of the attack in that case.

But let’s assume that the attacker has indeed retrieved your credentials and your mobile phone number and is targeting you. Will your own phone in that case disconnect from the provider’s network during the attack? If so, you would most likely notice your phone being disconnected from the network, which is a nice trigger that something is going on.

The other way is that both you and the attacker will receive the SMS message at the same time, like some sort of cloned connection. In that case it is a nice warning system when your account is being plundered, because you will receive a TAN SMS at a time when you are most likely not even using the online banking system. If you call the bank as soon as you receive the SMS, the bank should have enough time to get your money back.

I doubt this attack will work better than the current Man in the Middle and Man in the Browser attacks, which only need a little piece of malware installed on the victim’s PC and don’t require the difficult intelligence phase to collect the credentials and the mobile phone numbers.

Well, if the attack would work, how much would the criminals pay for this phone? The press release quotes the amount of 25.000 Euros (around 32.000 dollars), which is quite a lot for a phone even with these characteristics – you would need to be able to finish quite a lot of successful transactions to even get your investment back, let alone make some money. What kind of things could you do with 25.000 Euros? Well, for starters you could build your own hardware which mimics the hardware of the Nokia 1100. If it is just for stealing SMS messages from other people it doesn’t matter if the device doesn’t look like a phone. Criminals are smarter than to hunt down old mobiles if they can build the hardware themselves. So why didn’t they build the hardware themselves? Possibly because it needs to be a phone, not some SMS receiver. But why does it need to be a phone?

One of the people leaving a comment on this subject on the Engadget website is Paul Prijs. Paul explains that the phones can be used to send out SMS messages to someone else using the same provider; the provider then does not keep records of where the SMS has been sent to. This is of course highly useful for criminals: they can communicate by SMS without traces. That is worth something, isn’t it? They are not going to walk around with some home made device for this, so it needs to be the Nokia 1100. Of course until someone finds a way to modify any phone to do this.

I hope UltraScan is wrong, but if they are right we have much worse problems than criminals trying to snoop our TAN codes. If the story were true, it would not mean that the attackers can only steal TAN codes by SMS but that the whole SMS system has been broken. Since this is a problem with an old phone it seems that it can not be solved from the provider’s point of view. Or it can, and they just don’t seem to bother to fix it.

In that case, from this day on we can not trust SMS anymore. All your SMS messages to your loved one, all your SMS messages with passwords or any SMS you could think of can be read by someone else. But on the other hand, I just looked through my SMS messages and overall they are actually pretty boring; who would want to read those anyway.

On the topic of UltraScan I could probably write another long blog post, which I won’t at this moment. The Dutch based ‘company’ however does not have a Dutch Chamber of Commerce registration and therefore is not a real company. Despite having cool flowcharts containing all the different parts of the ‘company’ and claims of more than 3000 informants on their website, the only person that ever surfaced to the outside world is Frank Engelsman. You might just think that it is just a big one man show.

I wouldn’t dare to say that Frank Engelsman has great delusions. But people could think that, and you can’t blame them.

Will web 2.0 pose a “threat” to conventional forensics?

Will the advance of web 2.0 applications impose a threat to conventional forensics?

First let’s provide some examples of what I feel web 2.0 applications are in this context, since that too is still a matter of debate. Sharing pictures with friends using Flickr, keeping in touch with those friends through MySpace, adding content to Wiki pages, updating your Twitter. The list can go on and on. For the record, this is not my definition of Web 2.0; these are just some examples of a trend that I am sure will continue.

More and more of the data we produce is no longer stored on the disk in our computer, but on a network server, often far away and not always within reach or within our control. And when it is stored on our disk, it is often only stored in part and quickly overwritten.

We see this trend also in webmail. Five years ago it was not uncommon to track entire Hotmail correspondence on disk, each opened e-mail item creating digital traces on a file system. Nowadays, with the usage of Ajax for example, content is offered in a more dynamic fashion, often resulting in less footprint on a (local) disk. At least, this is what I am seeing. Perhaps my interpretation is flawed or my experience too narrow.

So, digital traces of our activity will be more dispersed, perhaps making it more difficult to obtain a complete (and truthful) view of one’s actions off- and online. Perhaps threat is not a good choice of words. You could also see it as an incentive to further innovate digital forensic methodology and techniques.

Personally I feel we need to change our way of working, or in the future we might find ourselves inadequate to keep up with investigative needs.

Internet law (Dutch only)

Just a plain old linkdump to start the new year (happy new year of course :) ! ). New year’s resolution: blog more ;) !

A lot of readers will probably already know this site, but just for those few who don’t: Arnoud Engelfriet regularly blogs (in Dutch only) about law, more specifically internet/ICT law. And as a new year is a good time to look back, a link to his overview of what happened in this area in 2008.

Mac OS X forensics website and book

A lot of the forensic software, research and investigations are still about Windows software, reflecting the market share that this operating system has. However, it looks like Apple is definitely doing some good work to grab its piece of the market.

When you run into one of these machines, it might give you a bit of a forensic challenge, as you have to deal with both another operating system (which is luckily Unix/BSD based) and with new hardware. Take a look at the various guides at http://www.ifixit.com/Guide/Mac/ to get a feeling for the number of screws you have to remove to get to a hard drive in a MacBook Pro, for example... (luckily there are some other ways to create an image without removing the drive, for example using target disk mode).


Quality journalism…

Someone on the Digital Detective forum posted about an article in the Times, describing a supposed link between Muslim terrorists and child porn. Below is my reaction to his post, that I think would also fit here. Please have a read through the article before continuing.


InPrivate Browsing; Fancy or Flawed?

For those of you that didn’t catch it on the wire, Internet Explorer 8 Beta 2 was released this week. As a forensic examiner I have a natural interest in any product released to the general public that is expected to see wide usage. Internet Explorer is one of those products. What caught my attention was new functionality called “InPrivate Browsing”.

Here’s what Microsoft has to say about this functionality: “InPrivate Browsing prevents Internet Explorer from storing data about your browsing session. This includes cookies, temporary Internet files, history, and other data”. Ouch, when implemented right a feature like that could wreak havoc for us forensic dudes, or so one could be inclined to think ;) But did Microsoft implement it correctly?

Initial tests we conducted show it didn’t, which is strange. Didn’t it state that this function prevents data from being written? Well, it doesn’t, which is good for us forensic folk, but bad for you if you trust this feature to provide you with your desired level of privacy.

I browsed several sites using the InPrivate function, used several search engines and, to top it off, logged into my online (SSL protected) banking website and transferred my monthly rent. Traces of this activity were easily recovered from the disk using a simple hex editor, Pasco and FTK.

It’s true that some records are not written to the index.dat history file, namely the host records. This results in the user seeing an empty history overview in the browser. However, all other records related to a visit to a specific website are written to the index.dat file. Keep in mind that most websites are built up of tens of separate webpage elements, filling up the index.dat file quickly.

What’s worse, contrary to what Microsoft states, the temporary Internet files cache is used: files are written to disk, and after closing the browser the cache is cleared/deleted. Not erased. Oopsss. Unless I use some sort of erase/wipe tool, the information on my browsing session is all there.

Of course it would still be fairly easy to recover the cached files using carving techniques, but one could argue that this is not something a regular user would or could do. I disagree. Just a simple Google query for “data recovery tool” yields almost 1.5 million results. We’re not talking quantum physics here.
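To make the “cleared, not erased” point concrete, here is an added example (written for this post; it is not Microsoft’s code nor anything from Pasco or FTK). It models a toy block device with a directory: deleting a file only drops its directory entry and marks its blocks free, so a signature scan over the whole device (“carving”) still finds the cached page; wiping overwrites the blocks first, and reuse by a later file overwrites them as a side effect. The disk layout, block size and the cached HTML page are all constructed for the example.

```python
"""Toy block device: delete vs. wipe vs. reuse, seen through a signature carver.

Added example for this post; not part of any real browser or forensic tool.
All values here (block size, the cached page) are constructed.
"""

BLOCK_SIZE = 64  # constructed: small so the sample page spans two blocks

# Constructed stand-in for a cached page left behind after a browsing session.
SAMPLE_PAGE = (b"<html><body>Transfer confirmation: monthly rent, EUR 850 "
               b"(constructed sample)</body></html>")


class ToyDisk:
    """A handful of fixed-size blocks plus a directory mapping names to blocks."""

    def __init__(self, nblocks):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(nblocks)]
        self.allocated = [False] * nblocks
        self.directory = {}  # file name -> list of block indexes

    def write_file(self, name, data):
        """Store data in the lowest free blocks (raises ValueError if full)."""
        idx = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            b = self.allocated.index(False)
            self.blocks[b][:] = bytes(BLOCK_SIZE)      # fresh block
            self.blocks[b][:len(chunk)] = chunk
            self.allocated[b] = True
            idx.append(b)
        self.directory[name] = idx

    def delete_file(self, name):
        """Ordinary delete ("clear cache"): forget the name, free the blocks,
        leave their contents untouched."""
        for b in self.directory.pop(name):
            self.allocated[b] = False

    def wipe_file(self, name):
        """Erase: overwrite the blocks with zeros before freeing them."""
        for b in self.directory.pop(name):
            self.blocks[b][:] = bytes(BLOCK_SIZE)
            self.allocated[b] = False

    def raw(self):
        """The whole device image, allocated and free blocks alike."""
        return b"".join(self.blocks)


def carve(image, header, footer, max_len=4096):
    """Return every header..footer span found anywhere in the image.

    This ignores the directory entirely, which is exactly why it recovers
    deleted-but-not-erased content. It assumes each object is contiguous;
    fragmented files would need a smarter reassembly step.
    """
    found, pos = [], 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            return found
        end = image.find(footer, start + len(header))
        if end < 0 or end - start > max_len:
            pos = start + 1          # header without a usable footer; skip it
            continue
        found.append(image[start:end + len(footer)])
        pos = end + len(footer)


def pages_after(action):
    """Write the sample page to a fresh disk, apply `action`, then carve.

    action is one of: "delete", "wipe", "delete_then_reuse".
    Returns the list of pages the carver still recovers.
    """
    disk = ToyDisk(8)
    disk.write_file("cache/page.htm", SAMPLE_PAGE)
    if action == "delete":
        disk.delete_file("cache/page.htm")
    elif action == "wipe":
        disk.wipe_file("cache/page.htm")
    elif action == "delete_then_reuse":
        disk.delete_file("cache/page.htm")
        # A later file lands in the freed blocks and overwrites the header.
        disk.write_file("cache/other.dat", b"X" * BLOCK_SIZE)
    else:
        raise ValueError(action)
    assert "cache/page.htm" not in disk.directory  # gone from the directory either way
    return carve(disk.raw(), b"<html>", b"</html>")


if __name__ == "__main__":
    for action in ("delete", "wipe", "delete_then_reuse"):
        print(f"{action:18s} -> {len(pages_after(action))} page(s) carved")
```

Running it shows one page carved after a plain delete and none after a wipe or after the freed blocks are reused, which is the difference between a cache that is cleared and one that is actually erased.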

Microsoft plays down the story, stating that the privacy of regular users is protected, at least against other regular users. Maybe so, but I would not rely on this feature too much until we know more.

On a side note: I did find information about the wire transfer (my monthly rent), which surprised me. And in case you are wondering, the traces were not part of the pagefile but located in freespace.

I’m not done with IE8, expect an update when I’ve had some more time to chew on this.

Forensics in space?

Two days ago the website SpaceRef.com told us ‘NASA Discovers Computer Virus Aboard the International Space Station’. Somehow a computer virus made it to at least one of the Space Station’s non-critical computers. This might seem like a small thing because it wasn’t an important computer. But then again, we all know how dangerous a space virus can be, if you have seen Independence Day of course.

The SpaceRef website states: “Theory is virus either in initial software load or possibly transferred from personal compact flash card.”

Well, only a theory is not enough, is it? This sounds like a very good reason to do a full forensic investigation. Sending an investigator to space might be quite a challenging job.

So NASA, if you are looking for a forensic investigator: Just contact us ;)

Shortinfosec Computer Forensics Competition

Another competition! Shortinfosec is hosting a computer forensics competition. This one is about analyzing a disk image for incriminating evidence.

More info can be found on:
http://www.shortinfosec.net/2008/07/competition-computer-forensic.html

No rewards on this one, but as stated before: challenges are a great way to see what the status of your current knowledge is, and you also might learn something from them.

F-Secure Reverse Engineering Challenge

F-Secure is having another one of their Reverse Engineering Challenges. The current challenge can be found on http://www.khallenge.com/ and previous challenge files can be found on http://www.f-secure.com/security_center/asm.html

The contest started on Friday 1st of August 2008 at 12:00 and is already almost over, as it ends on August 3rd 2008 at 11:59 (EET). By the time of this writing you can’t win the prizes anymore, as two people have already solved the last round. But that shouldn’t spoil the fun of participating in it, of course. Challenges are a great way to see how good your current knowledge is, and you also might learn quite some new things.

Ok, back to level 2!

Beware what you travel with

Multiple news sites tell the story of the USA now being able to detain the laptops (or any other electronic device) of travelers. The Policy Regarding Border Search of Information states:

Officers may detain documents and electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search. The search may take place on-site or at an off-site location.

What does this mean for a traveling Forensic Investigator? First, how are you going to do your job when your electronic friend is being held for investigation? And what is a “reasonable period of time”; maybe you can pick it up again when you are leaving?

And if it is being detained, what data is on it? Of course you should never have any case data on your own laptop, right? But what if you have a new case and you did a quick investigation on the secured evidence with your own laptop? There might be some traces left in the slack and free space. Let’s hope the data doesn’t contain any references to terrorist acts; it might be a long stay then instead of a short trip.

Or, what if you just made a forensic copy for a case and you are traveling with that copy to deliver it to your own lab for your investigation? If the hard disk with the forensic copy is being detained, how does that look on your chain of custody? Not to mention the data that might be on a just newly imaged evidence item.

Of course, if you keep thinking about it there will be a lot more consequences when your items are being detained at the border. But then again, why would a good Forensic Investigator be stopped at the border for such an investigation? Oh well, as long as they don’t take my PSP.
