<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: investigative]]></title>
    <link>http://securityratty.com/tag/investigative</link>
    <description></description>
    <pubDate>Mon, 28 Apr 2008 02:45:35 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Major Industries Drop The Ball On Data Security]]></title>
      <link>http://securityratty.com/article/efa5a2f9cc94e5e0494ddb6cafc56fae</link>
      <guid>http://securityratty.com/article/efa5a2f9cc94e5e0494ddb6cafc56fae</guid>
      <description><![CDATA[Verizon recently analyzed &quot;four years of data from over 500 cases worked by the Verizon Business Investigative Response team,&quot; to produce a report that gives an in-depth look into how data breaches...]]></description>
      <content:encoded><![CDATA[Verizon recently analyzed "four years of data from over 500 cases worked by the Verizon Business Investigative Response team," to produce a report that gives an in-depth look into how data breaches are occurring in four major industry groups: financial services, food and beverage, retail, and technology services. ]]></content:encoded>
      <pubDate>Fri, 03 Oct 2008 10:10:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/data breaches">data breaches</category>
      <category domain="http://securityratty.com/tag/technology services">technology services</category>
      <category domain="http://securityratty.com/tag/financial services">financial services</category>
      <category domain="http://securityratty.com/tag/major industry">major industry</category>
      <category domain="http://securityratty.com/tag/recently">recently</category>
      <category domain="http://securityratty.com/tag/in-depth">in-depth</category>
      <category domain="http://securityratty.com/tag/produce">produce</category>
      <category domain="http://securityratty.com/tag/verizon">verizon</category>
      <source url="http://digg.com/security/Major_Industries_Drop_The_Ball_On_Data_Security">Major Industries Drop The Ball On Data Security</source>
    </item>
    <item>
      <title><![CDATA[$13 Billion of U.S. Taxpayers Money was Stolen or Wasted in Iraq.]]></title>
      <link>http://securityratty.com/article/e47ddb39bd9befd964ed4262d0b883f6</link>
      <guid>http://securityratty.com/article/e47ddb39bd9befd964ed4262d0b883f6</guid>
      <description><![CDATA[This article in yesterday's &quot;Washington Post&quot; was sickening to read but hardly comes as a surprise

It is also sad to read that there was most likely involvement by Iraqi Government officials and U.S....]]></description>
      <content:encoded><![CDATA[This article in yesterday's <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/09/22/AR2008092202053.html">"Washington Post" </a>was sickening to read but hardly comes as a surprise.<br /><span id="fullpost"><br />It is also sad to read that there was most likely involvement by Iraqi Government officials and U.S. contractors.  The investigator who testified as to the waste and theft was fearful of his life as 32 of his fellow investigative co-workers have been killed.  <br /></span><br />One scheme involved officials from the Iraqi Defense Ministry setting up a front company that received $1.7 Billion in U.S. funds to buy guns, armoured vehicles and other equipment.  Only a small percentage was ever purchased and in one case, they had bullet-proof vests delivered that were defective and useless.<br /><br />In another case involving Iraqis and U.S. contractors, $24.4 million was spent on an electricity project that "only existed on paper".  The worst part was that money sent to the Defense Ministry was discovered to have been diverted to Al-Qaeda and found its way to bank accounts in Jordan and other places.<br /><br />Let us hope the Government spends the proposed $700 Billion bail out funds in a more responsible and accountable manner.<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Thu, 25 Sep 2008 00:03:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/billion">billion</category>
      <category domain="http://securityratty.com/tag/iraqi defense ministry">iraqi defense ministry</category>
      <category domain="http://securityratty.com/tag/defense ministry">defense ministry</category>
      <category domain="http://securityratty.com/tag/iraqi government officials">iraqi government officials</category>
      <category domain="http://securityratty.com/tag/officials">officials</category>
      <category domain="http://securityratty.com/tag/billion bail">billion bail</category>
      <category domain="http://securityratty.com/tag/fellow investigative co-workers">fellow investigative co-workers</category>
      <category domain="http://securityratty.com/tag/funds">funds</category>
      <category domain="http://securityratty.com/tag/front company">front company</category>
      <source url="http://www.thebulletproofblog.com/2008/09/13-billion-of-us-taxpayers-money-was.html">$13 Billion of U.S. Taxpayers Money was Stolen or Wasted in Iraq.</source>
    </item>
    <item>
      <title><![CDATA[Corporate Identity Theft]]></title>
      <link>http://securityratty.com/article/57c21b4d57a8ae63a7ec8f43043877e8</link>
      <guid>http://securityratty.com/article/57c21b4d57a8ae63a7ec8f43043877e8</guid>
      <description><![CDATA[I remember a talk by the value investor Mason Hawkins (Longleaf Funds) where someone asked him about investing overseas. He answered that he does, but mainly in places where the British flag flew at...]]></description>
      <content:encoded><![CDATA[<p>I remember a <a href="http://www.bengrahaminvesting.ca/Resources/videos.htm#hawkins">talk</a>&#160;by the value investor&#160;<a href="http://en.wikipedia.org/wiki/Mason_Hawkins">Mason Hawkins</a>&#160;(Longleaf Funds) where someone asked him about investing overseas. He answered that he does, but mainly in places where the British flag flew at some point, where there is a rule of law. Here is one example of what he is worried about and why investing in places where your assets have no legal protection does not give the investor a margin of safety.</p><div>Hermitage Fund was until recently the largest fund in Russia. From the Business Week story<a href="http://hermitagefund.com/index.pl/news/article.html?id=895"> &quot;Hijacking the Hermitage Fund&quot;</a></div><br /><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p>Corruption, intimidation, robbery, violent assault, forgery, large-scale fraud. No, not the subject of the latest John Grisham novel, but sensational allegations, made public Apr. 4 by Hermitage Capital Management -- until recently the largest foreign portfolio investor in Russia. In a detailed and damning report, titled Criminal Justice -- Russian-Style, Hermitage alleges the fund&#39;s Russian subsidiaries have fallen victim to an elaborate con designed to defraud the fund of hundreds of millions of dollars.&#160;<br />&#160;&#160;<br />The most sensational part of Hermitage&#39;s allegations is that the attempted larceny was carried out with the direct connivance of officials in the Russian police. Hermitage alleges the police seized documents and equipment that were instrumental to the attempted fraud, which involved bogus court cases based on forged documents, the aim of which was to sue Hermitage subsidiaries for hundreds of millions of dollars. 
&quot;The most shocking thing is not that there are corporate raiders in Russia who attempt to steal your shares,&quot; says Jamison Firestone, managing partner of Firestone Duncan, Hermitage&#39;s law firm. &quot;The shocking thing is that the police worked hand-in-hand with them, and actually performed the theft of the documents so that the corporate raiders could then do their work.&quot;</p></blockquote><div><br /><div>From the most recent Hermitage Fund letter, here is the current state:</div><br /><br /></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p>So the two-pronged scam worked in one area and failed in another. The perpetrators weren’t able to steal the assets from us based on the fake court claims, but they were able to steal $230 million from the Russian government by filing amended tax returns on behalf of our stolen companies. What makes this story even more shocking is that we filed six 255-page criminal complaints with the Russian authorities in December last year, one month before the tax fraud took place, and they did nothing to stop it. Two complaints were sent to the Russian General Prosecutor, two to the Russian State Investigative Committee and two to the Internal Affairs Department of the Interior Ministry. There was enough information to prevent the fraud and indict a number of people behind it if the government had acted.&#160;</p><p>Instead of doing anything to save the Russian state from this highly sophisticated and organized looting, two of our complaints were thrown out immediately; two were returned to the same Interior Ministry official we were complaining about (essentially, he was being asked to “investigate himself”); and one was thrown out for “lack of any crime committed.” Only one complaint was taken seriously. 
It was taken up by the Russian State Investigative Committee in early February, but before it could get any traction, the case was lowered to the South region of the Moscow district of the State Investigative Committee (the lowest level of the Committee) and by June, another senior Interior Ministry official whom we had named in our complaint had joined the “investigation” team (again, to “investigate himself”). To this day there has been no serious response by the Russian authorities to this massive fraud against the Russian state.&#160;</p><p>As we described in our April letter, the problem of corporate “raiding” is now so endemic in Russia that President Medvedev speaks about it as one of the biggest problems faced by Russian businesses. In this case, raiders have taken this problem to a new and absurd extreme by “raiding” the Russian state itself and so far getting away with it. Together with HSBC, we will shortly be filing new criminal complaints with the Russian General Prosecutor and Russian State Investigative Committee as well as with many law enforcement authorities outside of Russia. It is hard to predict what will happen next in this unfolding and unbelievable saga, but as always we will keep you updated on any further developments as they arise.</p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><br /></blockquote><p>Of course we see individual identity theft on a regular basis (actually, as Ross Anderson points out, it&#39;s not really identity theft but poor controls on the bank&#39;s part, using SSNs as secrets and so on), but you don&#39;t see a major corporation stolen every day.</p>]]></content:encoded>
      <pubDate>Sat, 16 Aug 2008 05:58:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/russian police">russian police</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/russian">russian</category>
      <category domain="http://securityratty.com/tag/russian government">russian government</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/identity theft">identity theft</category>
      <category domain="http://securityratty.com/tag/russian-style">russian-style</category>
      <category domain="http://securityratty.com/tag/hermitage">hermitage</category>
      <category domain="http://securityratty.com/tag/fund">fund</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/08/corporate-identity-theft.html">Corporate Identity Theft</source>
    </item>
    <item>
      <title><![CDATA[Social Security Administration lists live people in the Death Master File]]></title>
      <link>http://securityratty.com/article/83b43862a5d586f2e8d29257c1e832ef</link>
      <guid>http://securityratty.com/article/83b43862a5d586f2e8d29257c1e832ef</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/26/08

Organization
U.S. Government

Contractor/Consultant/Branch
Social Security Administration

Victims
United States citizens

Number Affected
more...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/ssa.jpg" width="76" align="right" height="76"><font size="2"><b>Date Reported: </b><br>6/26/08<br><br><b>Organization: </b><br><a href="http://www.usa.gov/">U.S. Government</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.ssa.gov/">Social Security Administration</a> <br><br><span style="font-weight: bold;">Victims:</span><br>United States citizens<br><br><span style="font-weight: bold;">Number Affected:</span><br>"more than 20,000"<br><br><span style="font-weight: bold;">Types of Data:</span><br>Name, date of birth and Social Security number<br><br><span style="font-weight: bold;">Breach Description:</span><br>"The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.fcw.com/online/news/152975-1.html">FederalComputerWeek</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Michael Hardy, FederalComputerWeek<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive, the agency's inspector general has determined.<br><span style="font-style: italic;">[Evan] "The DMF is a publicly available database maintained by SSA that contains detailed information on more than 82 million deceased numberholders. Each year, SSA receives death reports for more than 2.5 million individuals and adds the information to the DMF. 
" (Source: SSA Inspector General </span><a style="font-style: italic;" href="http://www.ssa.gov/oig/ADOBEPDF/audittxt/A-06-07-27156.htm">AUDIT REPORT A-06-07-27156</a><span style="font-style: italic;">).&nbsp; This breach was not the result of a single occurrence, but instead is a result of errors in the current process.</span><br><br>The IG's analysis dates to January 2004.<br><br>Since then, SSA has made the live people's Social Security number, full name, date of birth, and state and ZIP code of last known residence available to users of the database<br><span style="font-style: italic;">[Evan] The organization that distributes and manages the "system" cannot secure the information.&nbsp; Is this just another case that proves that the "system" is busted?</span><br><br>After learning that those people were not deceased, SSA deleted the information<br><br>The IG's investigators found some instances where the personal information was available for free viewing on the Internet<br><br>SSA provides the data to the Commerce Department's National Technical Information Service (NTIS), which in turn sells it to customers.<br><span style="font-style: italic;">[Evan] Selling a dead man's (or woman's) information doesn't seem right to me.&nbsp; Do you see anything wrong with it?</span><br><br>Customers include the government, investigative businesses, financial and credit reporting firms, and genealogy researchers.<br><br>Some, including prominent genealogy Web sites, post some or all of the information online for their users. <br><br>To prevent a repeat of the situation, the IG's recommendations include: <br></font><ul><li><font size="2">Implementing a risk-based approach for distribution of DMF information. 
One suggestion: Have NTIS delay release of updates to public customers for one year to give SSA ample time to correct erroneous entries.</font></li><li>Limiting information included in the data sold to public customers.</li><li>Starting required breach notification evaluation procedures.</li><li>Providing appropriate notification to living individuals whose information was released in error.<br></li></ul><font size="2"><br>In response to the IG's report, SSA said limiting the personal information might be difficult, but it would consider doing so.<br><span style="font-style: italic;">[Evan] There are many practices to secure information that "might be difficult", but this is not a good excuse.&nbsp; Life "might be difficult", so what?</span><br><br>The agency agreed with the other recommendations. <br><br><span style="font-weight: bold;">Commentary:</span><br>The use of Social Security numbers as personal identifiers as well as authenticators seems to be a very significant contributing factor to the identity theft mess we face today.&nbsp; So how did Social Security numbers become so important in the first place?&nbsp; Read the "<a href="http://www.ssa.gov/history/ssn/ssnchron.html">Social Security Number Chronology</a>" on the Social Security Administration web site for some clues.<br><br>To my knowledge, the victims in this breach have not been (nor will they be) notified. <br><br><span style="font-weight: bold;">Past Breaches:</span><br><span style="font-weight: bold;">U.S. Government:</span><br>March, 2008 - <a href="http://breachblog.com/2008/03/22/usdos.aspx">A breach that hits home with 2008 presidential candidates</a>&nbsp; <br>March, 2008 - <a href="http://breachblog.com/2008/03/24/nhlbi.aspx%20">Laptop stolen from NHLBI contained personal health information</a> <br></font><br>
]]></content:encoded>
      <pubDate>Mon, 07 Jul 2008 04:44:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/secure information">secure information</category>
      <category domain="http://securityratty.com/tag/social security">social security</category>
      <category domain="http://securityratty.com/tag/social security administration">social security administration</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information online">information online</category>
      <category domain="http://securityratty.com/tag/dmf information">dmf information</category>
      <category domain="http://securityratty.com/tag/death master file">death master file</category>
      <category domain="http://securityratty.com/tag/ssa">ssa</category>
      <source url="http://breachblog.com/2008/07/07/ssa.aspx">Social Security Administration lists live people in the Death Master File</source>
    </item>
    <item>
      <title><![CDATA[Some firms don't admit security breaches - Geez, ya really think so?]]></title>
      <link>http://securityratty.com/article/b2d48452762f32280c4fe75aaeebe3a0</link>
      <guid>http://securityratty.com/article/b2d48452762f32280c4fe75aaeebe3a0</guid>
      <description><![CDATA[It's not often that security issues make mainstream media outlets. So when I saw this article on cbsnews.com I wanted to see what kind of &quot;investigative journalism&quot; the same folks who do 60 minutes...]]></description>
      <content:encoded><![CDATA[<p>It's not often that security issues make mainstream media outlets. So when I saw <a href="http://www.cbsnews.com/stories/2008/06/27/tech/main4215439.shtml?source=RSSattr=SciTech_4215439">this article on cbsnews.com</a> I wanted to see what kind of "investigative journalism" the same folks who do 60 Minutes would bring to the story. The story takes the particular case of Direct Marketing Services, Inc., the parent company of Montgomery Ward. It does a good job documenting the breach, the discovery of the breach and how the company complied with credit card company rules by notifying Visa, Mastercard, Discover, etc. but did not notify the 51,000 potentially affected customers. It also does a nice job of giving credit to Affinion Group Inc.'s CardCops for spotting and discovering this theft.<br><br>The article then goes on to say that 44 states have passed statutes making disclosure and notification of security and confidential breaches to affected consumers mandatory. The article does caution though that based upon the volume of data being sold in "online black markets", there are many more breaches than we are being told about. I think it is good that CBS bangs the drums on this, but frankly that "evidence" is a bit flimsy. I also found it gratifying that the article blames the credit card companies themselves for not doing more to publicize these breaches, so that they don't have to issue new cards. Just goes to prove what has been written before, that in the bigger picture the cost of doing business may include the risk of compromised data and big business has determined that that is a risk worth taking.<br></p>
]]></content:encoded>
      <pubDate>Sun, 29 Jun 2008 12:51:24 +0000</pubDate>
      <category domain="http://securityratty.com/tag/breaches">breaches</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/article">article</category>
      <category domain="http://securityratty.com/tag/article blames">article blames</category>
      <category domain="http://securityratty.com/tag/credit card companies">credit card companies</category>
      <category domain="http://securityratty.com/tag/confidential breaches">confidential breaches</category>
      <category domain="http://securityratty.com/tag/credit">credit</category>
      <category domain="http://securityratty.com/tag/nice job">nice job</category>
      <category domain="http://securityratty.com/tag/parent company">parent company</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/322801642/some-firms-dont.html">Some firms don't admit security breaches - Geez, ya really think so?</source>
    </item>
    <item>
      <title><![CDATA[Montgomery Ward breached, no notification obligation?]]></title>
      <link>http://securityratty.com/article/d0a7010fb8fd83b7750424b96154c42b</link>
      <guid>http://securityratty.com/article/d0a7010fb8fd83b7750424b96154c42b</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/27/08

Organization
Direct Marketing Services Inc

Contractor/Consultant/Branch
Montgomery Ward
HomeVisions.com
SearsHomeCenter.com
SearsShowPlace.com...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/wards.jpg" width="200" align="right" height="50"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/27/08<br><br><span style="font-weight: bold;">Organization: </span><br>Direct Marketing Services Inc.<br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.wards.com/wards/default.asp">Montgomery Ward</a> <br><a href="http://www.homevisions.com/hvprod/Default.asp">HomeVisions.com</a> <br><a href="http://www.searshomecenter.com/homecenter/default.asp">SearsHomeCenter.com</a> <br><a href="http://www.searsshowplace.com/showplace/default.asp">SearsShowPlace.com</a> <br><a href="http://www.searsroomforkids.com/roomforkids/default.asp?partner=0">SearsRoomForKids.com</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>"at least 51,000 records"<br><br><span style="font-weight: bold;">Types of Data:</span><br>Names, addresses, phone numbers, card numbers, "security codes", and expiration dates<br><br><span style="font-weight: bold;">Breach Description:</span><br>"NEW YORK (AP) -- The parent company of Montgomery Ward is admitting that it was hit with a credit card hack, but it didn't inform the customers affected."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://ap.google.com/article/ALeqM5hMgFbRpfc74PW0CvbF3kFbWFkHsAD91IJCHG2">The Associated Press</a> <br><a href="http://www.wztv.com/template/inews_wire/wires.national/2c50aedd-www.fox17.com.shtml">The Associated Press via WZTV Channel 17 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Associated Press<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward.<br><br>The venerable Wards chain that began in 1872 went out 
of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy.<br><br>Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December.<br><br>By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.<br><span style="font-style: italic;">[Evan] The AP story names five of the six Direct Marketing Services retail properties (See Above).&nbsp; I don't know what the sixth is.</span><br style="font-style: italic;"><br>It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com<br><br>Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard.<br><br>Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach.<br><span style="font-style: italic;">[Evan] This is sad.&nbsp; The Visa documentation regarding breach response is way too narrowly focused to be used as an organizational incident response.&nbsp; Every organization that creates, collects, uses, stores, and/or transfers confidential information should have an incident response policy and accompanying procedures.&nbsp; Take a look at the Visa "</span><a style="font-style: italic;" href="http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf?it=r%7C/merchants/risk_management/cisp_if_compromised.html%7CWhat%20to%20Do%20If%20Compromised">What To Do if Compromised</a><span style="font-style: italic;">" procedures, and judge for yourself.</span><br style="font-style: italic;"><br>That included a report to the U.S. 
Secret Service.<br><br>He said he believed by the end of December that Direct Marketing Services had met its obligations.<br><span style="font-style: italic;">[Evan] Mr. Milgrom is the president of the company.&nbsp; He really thought that his company had met all of its obligations with respect to this breach?&nbsp; It never occurred to him that he should notify customers, even if he weren't required to by law?&nbsp; Not only was the lack of notification illegal, but I think it is also unethical.</span><br style="font-style: italic;"><br>However, those guidelines from Visa are largely technical, and they do not cover a key additional step: that notification laws in nearly every state generally require organizations that have been hacked to come clean to the affected consumers, not just to the financial industry.<br><br>Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state<br><br>After being asked about those laws by The Associated Press, Milgrom said Direct Marketing Services now plans to contact consumers.<br><br>This hack might have stayed quiet except for online chatter detected in June by Affinion Group Inc.'s CardCops, a group of investigators who track payment-card theft for financial institutions.<br><br>In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant.<br><br>CardCops then intercepted several hundred of the records, along with the online handles belonging to hackers whose real names remain unknown.<br><br>Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers.<br><br>The data had been organized in the same way, indicating the numbers likely came from the same database.<br><br>CardCops' president, Dan Clements, also noticed that the vast majority of the cardholders were women, a clue that the records came from a 
merchant catering to a certain demographic.<br><br>When he began calling them, the first eight said they had bought things online or through mail order from Montgomery Ward. At that point, Clements realized, "there's a high probability the entire database of Montgomery Ward was breached."<br><span style="font-style: italic;">[Evan] This is some good investigative work.</span><br><br>It is not clear to Clements, though, whether the hackers were inflating their claim when they offered 200,000 records or whether Milgrom's number of 51,000 is accurate.<br><span style="font-style: italic;">[Evan] According to the article, the "hackers" were able to compromise the information from all six Direct Marketing Services, Inc. properties.&nbsp; 51,000 may be Montgomery Wards customer accounts, and the remainder could be from the other five properties (just speculating).</span><br style="font-style: italic;"><br>A spokeswoman for Discover Financial Services LLC, Mai Lee Ua, said her company had addressed the problem by sending new cards to its cardholders who appeared in the compromised records.<br><br>Ua said they weren't told which merchant had been breached<br><br>Visa declined to comment.<br><span style="font-style: italic;">[Evan] Visa always declines to comment.&nbsp; No sense in even seeking one.</span><br><br>MasterCard issued a statement Friday acknowledging it was aware of the breach at Direct Marketing Services, and had notified the banks that issue MasterCards, telling them to monitor the accounts for suspicious charges.<br><span style="font-style: italic;">[Evan] Three different card companies, three entirely different responses.&nbsp; Of the three, I think I like the Discover one the best.</span><br style="font-style: italic;"><br>Such silence was the norm in the industry for years. 
But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked.<br><br>Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets.<br><br>Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.<br><span style="font-style: italic;">[Evan] I absolutely agree.&nbsp; You would be naïve to think that victim notifications go out in all breaches.&nbsp; Too many corporate leaders would rather not notify and hope that nobody notices.</span><br style="font-style: italic;"><br>Litan says that is especially the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order.<br><br>Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.<br><br>"What it reveals is the convoluted banking system," she said. 
"If this had taken place at a grocery store, we all would have heard about it."<br><br>In fact, because of the silence that still sometimes follows data breaches, even people who have never been informed one of their records has leaked should assume their information is floating online, Litan said.<br><br>"Probably every one of our cards is up there somewhere now," she said.<br><span style="font-style: italic;">[Evan] I agree with all of the statements made by Avivah Litan except this one.&nbsp; This is a stretch.</span><br><br><span style="font-weight: bold;">On the Net:</span><br>Links to the <a href="http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm">44 state notification laws</a> <br><br><span style="font-weight: bold;">Commentary:</span><br>Is this a case of a company that was caught trying to cover up a breach, or was this a company that didn't know any better?&nbsp; I lean towards the former.&nbsp; Either way, is ignorance of the law any kind of valid excuse?&nbsp; <br><br>Let's assume for a second that the company really didn't know that they were required to notify victims.&nbsp; If this were true, then this leads me to believe that the company doesn't govern information security well (due care?), probably has no formal information security program, lacks incident response policy and procedures, and doesn't manage risk well.<br><br>I could only guess how the "hack" took place.&nbsp; What vulnerability was exploited?&nbsp; Even in this, the company appears to have not detected the attack.&nbsp; Direct Marketing Services, Inc. had to be told of it by Citibank.&nbsp; Does this mean that the company did not use intrusion detection/prevention?&nbsp; <br><br>I could go on and on, but in the end I don't have much confidence here. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Fri, 27 Jun 2008 19:45:03 +0000</pubDate>
      <category domain="http://securityratty.com/tag/card companies">card companies</category>
      <category domain="http://securityratty.com/tag/companies">companies</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <category domain="http://securityratty.com/tag/services closely">services closely</category>
      <category domain="http://securityratty.com/tag/credit card companies">credit card companies</category>
      <category domain="http://securityratty.com/tag/services retail properties">services retail properties</category>
      <category domain="http://securityratty.com/tag/financial company citigroup">financial company citigroup</category>
      <category domain="http://securityratty.com/tag/company">company</category>
      <category domain="http://securityratty.com/tag/montgomery ward">montgomery ward</category>
      <source url="http://breachblog.com/2008/06/27/wards.aspx">Montgomery Ward breached, no notification obligation?</source>
    </item>
    <item>
      <title><![CDATA[Murder, His Hard Drive Wrote]]></title>
      <link>http://securityratty.com/article/db0b50998359044581b87fba27753f72</link>
      <guid>http://securityratty.com/article/db0b50998359044581b87fba27753f72</guid>
      <description><![CDATA[SAN DIEGO -- Forget everything you've seen on CSI . In the information age, crime scene forensics are beginning to take a back seat to the science of recovering and sifting through evidence hidden on...]]></description>
      <content:encoded><![CDATA[<p>SAN DIEGO -- Forget everything you've seen on <cite>CSI</cite>. In the information age, crime scene forensics are beginning to take a back seat to the science of recovering and sifting through evidence hidden on computers, cellphones and thumb drives.
</p>

<p>
Nowhere is that shift clearer than at the FBI's Regional Forensic Computer Lab here, which once lifted traces of incriminating Google searches from a suspect's hard drive to help convict him of murder. This week the lab became the sixth computer forensic lab in the nation to be accredited by the American Society of Crime Laboratory Directors, in another sign that computer forensics is no longer just about investigating hacker attacks.
</p>

<p>
"We've found video of gangsters rapping a song about a murder they committed," RCFL examiner John Leamons says. 
</p>

<p>
The growth of law enforcement computer labs is an indication of how technology is increasingly involved in, or on the periphery of, criminal activity. San Diego-area law enforcement agencies founded the first regional forensic lab in 1998; there are now 14 such labs in the United States, with two more coming online this year. Last year the labs collectively performed more than 13,000 forensics examinations. The San Diego lab alone handled more than 1,000 requests from 40 law enforcement agencies in 2007, including 171 child pornography cases and 160 murder investigations.
</p>

<p>
In its early days, the RCFL examiners not only recovered the data, they analyzed it for evidentiary value based on the particulars of the case. But with exponentially growing data and caseloads, the 22 examiners here now focus on collecting and preserving data in a manner that will hold up in court, then hand that data back to the police agency for analysis.
</p>

<p>
Not surprisingly, the most valuable information comes from the files that suspects thought they had deleted, but which remained hidden in the nooks and crannies of their hard drives.  "The key to computer forensics is unallocated space," says Leamons, who is on loan to the lab from the San Diego Police Department.
</p>
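<p>As an added example (not from the article or the RCFL), the toy file system below shows why "the key is unallocated space": deleting a file clears its allocation bits and its directory entry but leaves the data blocks in place, so a signature-based carver can pull the file back out of the free blocks. The file system, the 64-byte block size and the JPEG/PDF payloads are constructed for the demonstration; the header and footer magic bytes are the real ones. The second half shows the failure mode: once a later write reuses the first block, the header is gone and the carver misses that file.</p>

```python
"""Constructed example: carving deleted files out of unallocated space.

ToyFS is a minimal block device with an allocation bitmap and a directory.
Deleting a file only clears its bitmap bits and directory entry; the data
blocks are untouched, which is exactly what a carver exploits.
"""
from dataclasses import dataclass, field

BLOCK = 64      # bytes per block; deliberately tiny (real clusters are 4 KiB)
NBLOCKS = 32

# Header/footer signatures the carver looks for: real magic bytes, short list.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf":  (b"%PDF-", b"%%EOF"),
}

# Constructed sample files (no embedded footer bytes, so carving is exact).
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF photo of the suspect " * 5 + b"\xff\xd9"
PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
       b"2 0 obj\n<< /Type /Pages /Count 0 >>\nendobj\n"
       b"trailer\n<< /Root 1 0 R >>\n%%EOF")


@dataclass
class ToyFS:
    """Minimal block device: data blocks, an allocation bitmap and a directory."""
    blocks: bytearray = field(default_factory=lambda: bytearray(BLOCK * NBLOCKS))
    used: list = field(default_factory=lambda: [False] * NBLOCKS)
    directory: dict = field(default_factory=dict)   # name -> list of block numbers

    def write(self, name, data):
        need = -(-len(data) // BLOCK)                # ceiling division
        free = [i for i, u in enumerate(self.used) if not u][:need]
        if len(free) < need:
            raise OSError("disk full")
        for i, blk in enumerate(free):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.blocks[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
            self.used[blk] = True
        self.directory[name] = free

    def delete(self, name):
        # As on real file systems: clear the bitmap bits and drop the directory
        # entry. The bytes stay on disk until a later write reuses the block.
        for blk in self.directory.pop(name):
            self.used[blk] = False

    def unallocated(self):
        """Contents of every block the file system considers free, in order."""
        return b"".join(self.blocks[b * BLOCK:(b + 1) * BLOCK]
                        for b, u in enumerate(self.used) if not u)


def carve(data, signatures=SIGNATURES):
    """Return (kind, offset, bytes) for every header..footer pair found in data."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while (start := data.find(head, pos)) >= 0:
            end = data.find(tail, start + len(head))
            if end < 0:
                break                               # header with no footer after it
            end += len(tail)
            found.append((kind, start, bytes(data[start:end])))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def demo():
    fs = ToyFS()
    fs.write("photo.jpg", JPEG)                     # blocks 0-2
    fs.write("memo.pdf", PDF)                       # blocks 3-5
    fs.delete("photo.jpg")
    fs.delete("memo.pdf")
    assert fs.directory == {}                       # nothing visible to the OS
    before = carve(fs.unallocated())                # both files come back intact
    fs.write("note.txt", b"grocery list")           # reuses block 0: JPEG header gone
    after = carve(fs.unallocated())                 # only the PDF survives
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("recovered before block reuse:", [(k, len(b)) for k, _, b in before])
    print("recovered after block reuse: ", [(k, len(b)) for k, _, b in after])
```

<p>Real carvers (scalpel, foremost, PhotoRec) apply the same header/footer idea to raw images of real file systems, with cluster-aligned searches and a maximum-size cap per type, because a footer such as <code>FF D9</code> can also occur inside unrelated data; fragmented files need more than this simple contiguous scan.</p>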

<p>
No one can remember a case being kicked because the lab made an error, but they can remember cases where they found evidence that exonerated people charged with crimes, Leamons says.
</p>

<p>
Cellphones pose a particular challenge, says Rebecca Adimari, one of the five examiners who work on them.
</p>

<p>
"Each has its own operating system and frequency -- there's probably over 500 makes and models and not many of them are the same," she explains. "There can be so much evidence on there."
</p>

<p>
From the unique ringtone caught on camera during a holdup -- to the accidentally recorded conversations on voice notes, to the Israeli thug keeping notes of extortion visits on his PDA -- the way people use their phones can be pretty incriminating.
</p>

<p>
"When they arrested the Arellano Felix people (a gang of Mexican drug lords later convicted of murder and drug crimes in 2007), they recovered 14 phones including one with a photo of a machine gun," Adimari says. 
</p>

<p>
She has hundreds of power and data cables, since they're all peculiar to individual phones. And she has a special box that blocks signals on the phones in the lab, so no information is lost or compromised.
</p>

<p>
Examiner Patrick Lim, from the Naval Criminal Investigative Service, says he recently recovered data from a hard drive that had been burnt to a crisp. Asked if it was from an arson or a murder, Lim says he can't reveal the details. 
</p>
<p>
"It was burned. That's all I can say."
</p>]]></content:encoded>
      <pubDate>Fri, 23 May 2008 00:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/lab">lab</category>
      <category domain="http://securityratty.com/tag/murder">murder</category>
      <category domain="http://securityratty.com/tag/regional forensic lab">regional forensic lab</category>
      <category domain="http://securityratty.com/tag/hard">hard</category>
      <category domain="http://securityratty.com/tag/hard drive">hard drive</category>
      <category domain="http://securityratty.com/tag/san diego lab">san diego lab</category>
      <category domain="http://securityratty.com/tag/data cables">data cables</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/murder investigations">murder investigations</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/296290109/fbi_lab">Murder, His Hard Drive Wrote</source>
    </item>
    <item>
      <title><![CDATA[A coward exposes personal information on 40% of Chileans]]></title>
      <link>http://securityratty.com/article/a890175464a0c736ed03e75a745166d8</link>
      <guid>http://securityratty.com/article/a890175464a0c736ed03e75a745166d8</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/10/08

Organization
Chilean Government

Contractor/Consultant/Branch
None

Victims
Chilean residents

Number Affected
6,000,000

Types of Data
names,...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/chile.jpg" align="right" height="70" width="72"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/10/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.chileangovernment.cl/">Chilean Government</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Chilean residents<br><br><span style="font-weight: bold;">Number Affected:</span><br>~6,000,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses, telephone numbers and taxpayer identification numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"An anonymous hacker has posted personal data about 6 million Chilean residents on the Internet, highlighting wider privacy problems in the country.&nbsp; The data was posted early Saturday morning on Fayerwayer.com, a popular Chilean technology blog."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.fayerwayer.com/2008/05/alerta-se-filtran-datos-personales-de-6-millones-de-chilenos-via-internet/">Fayerwayer.com Alert</a><br><a href="http://abcnews.go.com/Technology/GadgetGuide/story?id=4841870">ABC News</a> <br><a href="http://www.thetechherald.com/article.php/200820/963/Anonymous-Coward-posts-information-to-prove-point">The Tech Herald</a> <br><a href="http://www.iht.com/articles/ap/2008/05/11/america/LA-GEN-Chile-Data-Leaked.php">International Herald Tribune</a> <br><a href="http://www.vnunet.com/vnunet/news/2216464/six-million-chileans-details-online">vnunet.com</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>JI Stark, Fayerwayer.com<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br><img src="http://images.quickblogcast.com/95781-88451/alerta.jpg" border="0" width="500"><br><br>ORIGINAL POST TEXT GOOGLE 
TRANSLATED<br>Something truly horrible has just turned up in our comments.&nbsp; Moments after we wrote about the purchase of Inquisitor by Yahoo, an anonymous comment left three links to download two files containing CSV databases from public and private institutions with sensitive information on millions of Chileans: RUN (Rol Único Nacional, the Chilean national identification number), socioeconomic, electoral and educational data, addresses and personal telephone numbers, among other things.<br><br>We urge you, if you come across these files, please do not download them or spread them by any electronic means.<br><br>What could happen if such sensitive data falls into unscrupulous hands is extremely dangerous, and so is what could happen to you, since merely distributing them is an offence punishable by law.&nbsp; Take it seriously.<br><br>Update 02:46 AM (GMT -4): The Fayerwayer team is doing everything in its power right now to cooperate and make sure this situation is resolved as soon as possible. <br><br>Update 03:25 AM (GMT -4): The forum threads with links to the files have been deleted. The Fayerwayer forums require registration, so that data, although most likely false, including the IP addresses, will be handed to the authorities.<br><br>Update 04:45 PM (GMT -4): The Cybercrime Brigade of the Investigative Police of Chile has already contacted us and told us about the progress of the investigation, which is already under way; we are extending every cooperation within our reach. 
<br><br>END OF ORIGINAL POST TEXT<br><br>A hacker has obtained the personal details of around six million Chileans from government and military servers and posted them on a technology blog.<br><span style="font-style: italic;">[Evan] "Anonymous Coward" posted the information in the comments of the </span><a style="font-style: italic;" href="http://www.fayerwayer.com/2008/05/yahoo-se-hace-de-inquisitor/">purchase of Inquisitor by Yahoo</a><span style="font-style: italic;"> posting on <a href="http://www.fayerwayer.com">www.fayerwayer.com</a>.</span><br><br>The hacker, who calls himself "Anonymous Coward," posted three compressed files of data that included names, addresses, telephone numbers and taxpayer identification numbers for Chilean residents, said Leo Prieto, Fayerwayer.com's director.<br><br>The data was taken early Friday from servers at the Education Ministry, the electoral service and the military.<br><br>It was first reported to police early Saturday by Leo Prieto, the administrator of a local technology-oriented Internet site who discovered links to the information online.<br><br>Among the data was a list of students who receive preferential public transportation rates, including one of President Michelle Bachelet's two daughters.<br><br>Despite the information's prompt removal from the Internet, some people may have downloaded it "and it may still be around on the Internet."<br><br>Over the following days the files started popping up on other sites including Google's Blogger.<br><span style="font-style: italic;">[Evan] You can't un-disclose confidential information.&nbsp; Once the confidentiality of information has been compromised, it is always going to be compromised.</span><br><br>Reports claim that the hacker performed the stunt to highlight poor levels of data protection in Chile.<br><span style="font-style: italic;">[Evan] What idiot would pull such a stunt and claim such a ridiculous justification?</span><br><br>In a note accompanying the files, Anonymous Coward said he posted the databases to draw attention to the poor data protection measures in the country.<br><span style="font-style: italic;">[Evan] This is the worst way to draw attention to poor data protection.&nbsp; What "Anonymous Coward" did was create 6,000,000+ enemies and put his/her very well-being at risk.&nbsp; He/she caused an extraordinary amount of harm to almost 40% of Chile's population and made a complete ass out of him/herself.</span><br><br>El Mercurio reported that it had access to some of the data, including a file in which the hacker said he intended "to demonstrate how poorly protected the data in Chile is, and how nobody works to protect it."<br><br>The files include tips on what to do with the data and how best to access it.<br><br>"Chile may be on the other side of the world, but the scale of this data breach should not be ignored," said Graham Cluley, senior technology consultant at security firm Sophos.<br><br>"No matter how moral or ethical the motive, this prank was irresponsible and has left almost 40 per cent of Chile's population at risk of identity theft."<br><br>Cluley added that all organisations around the world should see this as a wake-up call and ensure that all personal and sensitive information is stored securely.<br><span style="font-style: italic;">[Evan] You would think that the 94,000,000 credit card numbers stolen from TJX, or the 26,500,000 Social Security numbers on the stolen Veterans Affairs laptop, or the 25,000,000 personal records lost on CDs from HM Revenue and Customs would wake organizations up.&nbsp; There is still this illogical thought in organizations that "this will never happen to us".&nbsp; It <span style="font-weight: bold;">DOES </span>and <span style="font-weight: bold;">IT WILL</span>.&nbsp; I'm not even going to get into information security personnel that lack skill and have business leaders fooled into thinking that they are doing the right thing(s).</span><br><br>"Whether or not the loss results in a fine is almost irrelevant; the consequences of falling victim to such an attack can mean irreversible damage to reputation and customer confidence."<br><span style="font-style: italic;">[Evan] I couldn't agree with Mr. Cluley any more.&nbsp; This is a guy that "gets it".</span><br><br><span style="font-weight: bold;">Commentary:</span><br>Unbelievable.&nbsp; The evil in some people.&nbsp; So let's say that "Anonymous Coward" is caught (I think chances are better than 50/50).&nbsp; Now what?&nbsp; How do you punish someone whose actions put 6,000,000 people at risk of losing their identities?&nbsp; These people will live with some level of fear for a very long time.&nbsp; Punishment will be severe, but how severe is enough?&nbsp; This will be an interesting story to follow.<br><br>Let's not lose sight of another issue with this breach.&nbsp; What is the Chilean government doing to protect confidential information and what does it intend to do in response to this breach?&nbsp; Obviously the government needs to secure information better, but how will they respond to 40% of their residents being exposed to fraud and all that comes with it?&nbsp; I don't know what can be done short of re-assigning government-issued identifiers to Chilean residents.&nbsp; This breach (or series of breaches) could be very costly to residents, the Chilean economy and the government. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Fri, 16 May 2008 09:56:50 +0000</pubDate>
      <category domain="http://securityratty.com/tag/personal">personal</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/chilean residents">chilean residents</category>
      <category domain="http://securityratty.com/tag/residents">residents</category>
      <category domain="http://securityratty.com/tag/poor data protection">poor data protection</category>
      <category domain="http://securityratty.com/tag/data protection">data protection</category>
      <category domain="http://securityratty.com/tag/personal data">personal data</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <source url="http://breachblog.com/2008/05/16/chile.aspx">A coward exposes personal information on 40% of Chileans</source>
    </item>
    <item>
      <title><![CDATA[Microsoft Has Developed Windows Forensic Analysis Tool for Police]]></title>
      <link>http://securityratty.com/article/e297067f93f6acf9398b990863e184c6</link>
      <guid>http://securityratty.com/article/e297067f93f6acf9398b990863e184c6</guid>
      <description><![CDATA[Really : The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB &quot;thumb drive&quot; that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft...]]></description>
      <content:encoded><![CDATA[<p><a href="http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html">Really</a>:</p>

<blockquote><p>The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.</p>

<p>The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.</p>

<p>It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.</p></blockquote>

<p>More news <a href="http://www.news.com/8301-10784_3-9930664-7.html">here</a>.  Commentary <a href="http://techdirt.com/articles/20080429/095514977.shtml">here</a>.</p>

<p>How long before this device is in the hands of the hacker community?  Days?  Months?  They had it before it was released?</p>

<p>EDITED TO ADD (4/30):  Seems that these are not <a href="http://blog.wired.com/27bstroke6/2008/04/microsoft-gives.html">Microsoft-developed tools</a>:</p>

<blockquote><p>COFEE, according to forensic folk who have used it, is simply a suite of 150 bundled off-the-shelf forensic tools that run from a script. None of the tools are new or were created by Microsoft. Microsoft simply combined existing programs into a portable tool that can be used in the field before agents bring a computer back to their forensic lab.</p>

<p>Microsoft wouldn't disclose which tools are in the suite other than that they're all publicly available, but a forensic expert told me that when he tested the product last year it included standard forensic products like Windows Forensic Toolchest (WFT) and RootkitRevealer.</p>

<p>With COFEE, a forensic agent can select, through the interface, which of the 150 investigative tools he wants to run on a targeted machine. COFEE creates a script and copies it to the USB device which is then plugged into the targeted machine. The advantage is that instead of having to run each tool separately, a forensic investigator can run them all through the script much more quickly and can also grab information (such as data temporarily stored in RAM or network connection information) that might otherwise be lost if he had to disconnect a machine and drag it to a forensics lab before he could examine it.</p></blockquote>
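<p>The mechanism described above, as an added example that is not COFEE's own code (Microsoft did not disclose its tool list): a minimal live-response runner that executes a configured list of commands most-volatile-first, as RFC 3227 recommends, saves each tool's output, and records a SHA-256 digest and timestamps for each in a manifest, so that an examiner can later show the collected output was not altered. The Windows command list is an illustrative selection of built-in tools; <code>demo()</code> substitutes portable Python stand-ins plus one deliberately missing tool, so the script runs anywhere and shows that a failed tool does not abort the collection.</p>

```python
"""Constructed example: a minimal live-response collection runner.

Runs each (label, argv) command in order, saves its output beside a JSON
manifest carrying SHA-256 digests and timestamps, and can re-verify the
saved outputs against the manifest later. Not COFEE's code; the command
lists are illustrative.
"""
import hashlib
import json
import platform
import subprocess
import sys
import tempfile
import time
from pathlib import Path

# Illustrative Windows live-response list, most volatile first (RFC 3227 order).
# Standard built-in commands, not the undisclosed contents of COFEE.
WINDOWS_COMMANDS = [
    ("network_connections", ["netstat", "-ano"]),
    ("arp_cache",           ["arp", "-a"]),
    ("processes",           ["tasklist", "/v"]),
    ("logged_on_users",     ["query", "user"]),
    ("ip_config",           ["ipconfig", "/all"]),
    ("system_info",         ["systeminfo"]),
]


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def run_collection(commands, evidence_dir, timeout=60):
    """Run each (label, argv) pair, save its output, and return the manifest.

    A missing or hanging tool is recorded rather than fatal: the volatile
    state being captured keeps changing, so the run must continue.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for label, argv in commands:
        out_path = evidence_dir / f"{label}.txt"
        entry = {"label": label, "argv": argv, "output": out_path.name,
                 "started": time.time(), "exit_code": None, "error": None}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            out_path.write_bytes(proc.stdout + proc.stderr)
            entry["exit_code"] = proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            out_path.write_bytes(f"{type(exc).__name__}: {exc}".encode())
            entry["error"] = type(exc).__name__
        entry["finished"] = time.time()
        entry["sha256"] = sha256_file(out_path)     # digest taken right after the write
        entries.append(entry)
    manifest = {"host": platform.node(), "platform": platform.platform(),
                "collected_at": time.time(), "entries": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_collection(evidence_dir):
    """Return the labels whose saved output no longer matches its manifest digest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [e["label"] for e in manifest["entries"]
            if sha256_file(evidence_dir / e["output"]) != e["sha256"]]


def demo():
    """Portable stand-ins for real tools, plus one deliberately missing tool."""
    evidence = Path(tempfile.mkdtemp(prefix="evidence-"))
    py = sys.executable
    commands = [
        ("system_time",  [py, "-c", "import time; print(time.strftime('%Y-%m-%dT%H:%M:%S'))"]),
        ("processes",    [py, "-c", "import os; print('pid', os.getpid())"]),
        ("missing_tool", ["no-such-live-response-tool"]),
    ]
    manifest = run_collection(commands, evidence)
    intact = verify_collection(evidence)                    # nothing altered yet
    (evidence / "processes.txt").write_bytes(b"edited after the fact\n")
    tampered = verify_collection(evidence)                  # the edit is now visible
    return manifest, intact, tampered


if __name__ == "__main__":
    m, intact, tampered = demo()
    for e in m["entries"]:
        print(f"{e['label']:<13} exit={e['exit_code']} err={e['error']} "
              f"sha256={e['sha256'][:16]}...")
    print("mismatches before tampering:", intact, " after:", tampered)
```

<p>The manifest is only as good as its custody: anyone who can edit the output files can edit <code>manifest.json</code> too, so in practice the manifest's own digest is recorded out of band (in the case notes, or signed) as soon as the collection ends. Running tools on the live machine also changes it (a new process, new handles, a USB insertion event), which is why the order of execution and the tool versions are recorded; a memory image taken first is the usual complement.</p>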

<p>And it's certainly not a back door, as <a href="http://techdirt.com/articles/20080429/095514977.shtml">TechDirt</a> claims.</p>

<p>But given that a Federal court <a href="http://www.law.com/jsp/article.jsp?id=1208774513920">has</a> <a href="http://www.abajournal.com/news/9th_circuit_uphold_laptop_search">ruled</a> that border guards can search laptop computers without cause, this tool might see wider use than Microsoft anticipated.</p>]]></content:encoded>
      <pubDate>Wed, 30 Apr 2008 09:54:37 +0000</pubDate>
      <category domain="http://securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://securityratty.com/tag/tool">tool</category>
      <category domain="http://securityratty.com/tag/tools">tools</category>
      <category domain="http://securityratty.com/tag/investigative tools">investigative tools</category>
      <category domain="http://securityratty.com/tag/microsoft simply">microsoft simply</category>
      <category domain="http://securityratty.com/tag/off-the-shelf forensic tools">off-the-shelf forensic tools</category>
      <category domain="http://securityratty.com/tag/device">device</category>
      <category domain="http://securityratty.com/tag/tool separately">tool separately</category>
      <category domain="http://securityratty.com/tag/usb device">usb device</category>
      <source url="http://www.schneier.com/blog/archives/2008/04/microsoft_has_d.html">Microsoft Has Developed Windows Forensic Analysis Tool for Police</source>
    </item>
    <item>
      <title><![CDATA[Cyber Espionage]]></title>
      <link>http://securityratty.com/article/635f125a82a7957387c923247d583b77</link>
      <guid>http://securityratty.com/article/635f125a82a7957387c923247d583b77</guid>
      <description><![CDATA[Interesting investigative article from Business Week on Chinese cyber espionage against the U.S. government, and the government's reaction. When the deluge began in 2006, officials scurried to come up...]]></description>
      <content:encoded><![CDATA[<p>Interesting investigative article from <i><a href="http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm">Business Week</a></i> on Chinese cyber espionage against the U.S. government, and the government's reaction.</p>

<blockquote>When the deluge began in 2006, officials scurried to come up with  software "patches," "wraps," and other bits of triage. The effort got serious last summer when top military brass discreetly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a "threat briefing." BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars, and establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."</blockquote>

<p>It can only help for the U.S. government to get its own cybersecurity house in order.</p>]]></content:encoded>
      <pubDate>Mon, 28 Apr 2008 02:45:35 +0000</pubDate>
      <category domain="http://securityratty.com/tag/government agencies">government agencies</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/president">president</category>
      <category domain="http://securityratty.com/tag/homeland security dept">homeland security dept</category>
      <category domain="http://securityratty.com/tag/chinese cyber espionage">chinese cyber espionage</category>
      <category domain="http://securityratty.com/tag/secretary michael chertoff">secretary michael chertoff</category>
      <category domain="http://securityratty.com/tag/president george">president george</category>
      <category domain="http://securityratty.com/tag/critical networks">critical networks</category>
      <category domain="http://securityratty.com/tag/disarm intrusions">disarm intrusions</category>
      <source url="http://www.schneier.com/blog/archives/2008/04/cyber_espionage.html">Cyber Espionage</source>
    </item>
  </channel>
</rss>
