Ed Smiley's Blog

These are my links for April 26th through April 29th:

• Jessland – Jess Garcia’s Website – The below procedure will allow you to install Helix v1.8 to hard drive
• digfor: Installing Helix 2008R1 –
• “Data Breaches: What the Underground World of ‘Carding’ Reveals.” –
• gpicsync – Google Code – Automatically geocode pictures from your camera and a GPS track log.
• Bypass Windows Logon Password – Accessing a Windows computer without knowing the password is fairly simple with this free tool called Kon-Boot .There are alternatives like Ophcrack etc, but those rely on grabbing the SAM hashes and cracking those. What sets Kon-Boot apart is that is modifies the kernel on-the-fly while booting (everything is done virtually – without any interferences with physical system changes) and allows you to log into any account without entering a password. All you have to do is insert a boot (cd or floppy) disk burned with Kon-boot software(110kb) in to the computer and boot up.

These are my links for April 13th through April 23rd:

• SecurityFocus – Infocus: Incidents – Various topics of incidents with complete a run through.
• JADsoftware – IEF home page – Internet Evidence Finder (IEF) searches the selected drive or memory dump file (or pagefile.sys / hiberfil.sys file) for Internet artifacts. It can currently find Facebook® live chat messages and page fragments, MSN® chat, and Yahoo!® chat.
• Computer Security Jump Bag – A Jump Bag is the term used to describe the bag or container holding all of the tools you need to appropriately respond to a computer security incident.

  SANS Incident Handling Course covers the topic of Incident Handling in-depth.

• Entering the Networked World – Reference for getting started in computer forensics – Great post of references for getting started in computer forensics
• NirBlog: Saved Password Locations – a list of password storage locations for popular applications

An study(PDF) put out by the Ponemon Institute yesterday has the average cost of a lost laptop at $49,246.  This includes the following components: replacement cost, detection, forensics, data breach, lost intellectual property, lost productivity, and legal expenses.  The total variation was incredibly large from just over $1K to just under $1M.

2 interesting points that I see:

Encryption makes a difference.  When lost laptops have encryption, the average cost of the lost laptop is $37,443. If it is not encrypted, the average cost is $56,165. This is almost a $20,000 difference in the cost

Only $20K?  I would think that having a properly encrypted laptop would take out mostly all costs other than replacement and lost productivity.  Of course, the best encryption is not going to defeat the user who tapes the encryption key on the laptop.  However, if all encryption rules are followed I pretty much thought this was a safe bet?

The existence of a full backup increases the average cost of the lost laptop. There is an inverse relationship between the average cost of a lost laptop and the existence of a full backup. The average cost of a lost laptop with a full backup is $69,899 as opposed to $39,253 when there is no backup system. One possible reason for this is that the backup makes it easier to confirm the loss of sensitive or confidential data. In other words, it could be the ignorance is bliss hypothesis.

Wow, save money by not doing backups!  Quite an interesting piece of information with data to back it up.  Who is going to go to the VP and says we can save money by not doing backups?

Tie this in with 12,000 lost laptops per week at airports, and that is quite a large chunk of change.

These are my links for March 26th through April 13th:

• Podnutz Episode 29: Hard Drives and Data Recovery w/Scott Moulton | Podnutz – Tech Podcast Network – Here we attempt to cover all there is to know about hard drives, from the physical parts to the data they contain. We of course couldn't fit this all into one show so we'll have to get Scott back for another!
• DIY Forensics & Incident Response Lab – Evil Bytes Blog – Dark Reading – Continuing with the do-it-yourself lab theme, let's turn to the areas of incident response (IR) and forensics, and how they can benefit from an in-house security training lab.
• Virtual appliances for the security professional | tssci security –
• The Ethical Hacker Network – Video Tutorial: Pass-The-Hash Toolkit – Ryan Linn is back with another video for your learning pleasure. This time he gives a video tutorial of an existing toolset, the Pass-The-Hash Toolkit by Core Security. Core describes it as, "The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component.
• Downloads: MinTTY Gives Cygwin a Native Windows Interface – If you need your Unix command line on a Windows PC, chances are you use a terminal emulator like Cygwin—and if you do, you want to check out MinTTY.

These questions have been on my mind for a while, and a recent data breach makes me want to get some answers from the experts.

On plenty of breaches I read the following lines:

“We have no reason to believe that this information was accessed by unauthorized individuals…”

“It cannot be determined with certainty that any data was pulled from a computer by infectious software…”

“there is no indication that any of the information has been misused…”

These lines seem to be from the first pages of the “Breach Notification for Dummies” because I have hardly read an announcement without one of these type of statements.� My questions are how do they know that it has not been misused and if they know that is has not been misused, why can it not be determined if the data has been pulled from the computer?� I kinda thought that this was the whole point of forensic investigation, finding out what the bad guy did once they were on the machine.� Is it money, time, notification time (i.e cannot analyze the drive quick enough before notification is necessary), historical data (obviously every breached computer with PII does not lead to ID fraud) or a combination of everything?

Am I missing something here? � I would love to hear what everyone thinks.

UPDATE 04/16/2009: Dave Hull tweeted a link the Security Breach Notification Symposium that should give some great insight to the topics discussed in this post.� The audio/slides for the talks have recently been posted.� Thanks everyone for the great comments!