Category Archives: Training

Security Mindset


User big brother 1984 (Photo credit: Wikipedia)

I’m a big fan of Derren Brown, perhaps not so much of his actual performance stuff, but rather his later work on psychology and human manipulation. I’ve not seen all of his programmes, although I plan on going looking for some since I found they existed through the wikipedia link above, but I did just finish watching the “Fear & Faith” pair that I had recorded from a few weeks back on Channel 4 in the UK. There was one particular point that he made that was of interest to me:

People behave better when they have the impression that they are being watched.

Now, after an earlier discussion about AUPs on Forensic Focus where I wrote a draft, simple AUP, I realise that this is what I left out. There is neither mention of consequences, nor is there mention of monitoring – an oversight which I acknowledge leaves the policy toothless. In my defence though that wasn’t the point that I was trying to make at the time !

The research study by Max Ernest-Jones, Daniel Nettle and Melissa Bateson at Newcastle University on “Effects of eye images on everyday cooperative behaviour: a field experiment” further builds on previous research by Terrence Burnham and Brian Hare ( here ) showing that even computer generated “eyes” watching will influence behaviour.

I recall from my first ( and last ! ) permanent role, a Government issued poster, hanging in what was very reminiscent of Chernobyl ( unsurprisingly really, as it was Hangar 4 at Harwell, home of GLEEP. ) We kept our backup tapes in a room which used to house a Cray – I’d be lying if I said I knew which one, it was long gone by the time I arrived, but I do know that it was one with integral seating … – and it had all of the security that you’d have expected of a data centre on a nuclear site – man-trap doors, security office, etc. – and, some of these posters – I wish now that I’d “redistributed” them before we left the building and it was pulled down – but I was young and foolish, and had no idea that I’d be writing this blog now … The one that sticks in my mind was rather creepy, hanging between the two doors of the man-trap as it was, bored people had messed with it – picking out the eyes with pins giving the poster a very unnatural stare. I don’t know if I behaved any better for it, all I had to do was collect and drop off tapes as it was – the room was cold, empty and unfriendly and I didn’t hang around long enough to misbehave. I’ve tried my best to find a copy of it online now, but with no success. I did get these though:

[Images: security_poster_1960, security_poster_1962]

This first one ( Don’t Brag ) is from 1960 ( I’m told ). And the second from 1962 ( again, I’m told ).

Both are notable for their lack of eyes, as, oddly are many, if not all of the ones that I could find that are currently being circulated.

CESG

I rather like these Welsh ones by Rebecca Lloyd as she says herself – inspired by the very popular iPod adverts.

[Images: welsh1, welsh2, welsh3]

Quite entertainingly, the most intimidating poster by far and the one with the most eyes, with massive reference to 1984 and a horrendous secret state is this one from Transport for London. Nothing to do with InfoSec per se, but general CCTV surveillance of society.

[Image: TFL_CCTV]

That’s the sort of thing that nightmares are made of ! On the other hand, if that was stuck before me on a bus, I might well not misbehave – which is a win on the part of the designer !

So there are two things that we should consider then – first off – my oversight on the AUP with regard to consequences and monitoring should be resolved – the addition of something like :

We like to be sure that nothing untoward is happening on the machines which are our responsibility, so we do monitor them for things that we have said we don't like. If, once you have signed this document to signify your understanding, you choose to break the agreement you've made, we will have to take disciplinary action; depending on the seriousness of the breach, this could include losing your job.

Secondly, as ongoing awareness of Information Security is a requirement of pretty much every set of best practice guidelines ( and if it isn’t, it should be ! ) perhaps we should make sure that we make use of strategically placed posters with eyes in order to get our point across with the maximum uptake ? How about the following:

[Images: Poster1, Poster2, Poster3]

I know that for two out of three, they aren’t exactly “watching” eyes, but there needs to be a line drawn on the amount one intimidates one’s employees !

I leave you with a Seasonal Poster – courtesy of the US Archives ( which are fabulous by the way, can we have a UK one of these please ? ) You’ll need to view it full size to see what the “security” message is.

[Image: US Christmas InfoSec Poster]

 [Actually, you know what, if people send me UK posters, I’ll make an online collection available to everyone myself … ]


Elgato game capture HD – A quick review …

It’s been a bit of a perfect storm – the step up in blogging, my son’s birthday request and a review in the times – all within a few weeks of each other – has led me to buy an Elgato game capture HD. I wasn’t convinced that, as a life necessity, the need to record a kill streak on MW3, or, more to the point my son knifing me in the back yet again was really that great a plan – but when I discovered that this device was happy to accept any HDMI input, it started to gain ground. For some time I’ve been using the HDMI output from my MacMini, and a couple of laptops ( as well as the PS3 ) as the standard video/audio connection rather than faffing around with other connections, usually with far less successful results, so, as I had been thinking about capturing some video tutorials for the “Introduction to PenTesting” series that I’m running on Forensic Focus the Elgato gcHD seemed to be quite an interesting fit to the problem.


English: A standard HDMI connector for hooking up audio/visual equipment. (Photo credit: Wikipedia)

Anyhoo … I wouldn’t go as far as to say that it’s hard to get hold of – Amazon is Amazon as always, however there isn’t exactly a crowd of people trying to sell you one of these, so perhaps it is rather a niche market. There was a rather long lead time predicted ( 2 to 4 weeks ) although this seems to have disappeared, and, mine didn’t take that long to arrive in any case. When it did get here, I must admit to being rather surprised at how small it is. I don’t know what had given me the impression that it would be more substantial, but it is maybe 3.5″ by 2″ by 1″ of rounded shiny black plastic. Feels substantial enough. What was a pleasant surprise was that it comes with all the required cables – a short HDMI, a PS3 special cable, a composite cable and a USB cable – everything that you need as it requires no additional power beyond that drawn from the ports.

Connection is easy enough, provided you read the manuals – the device won’t work with the PS3 HDMI out for example, only the special cable – which did cause a little head scratching ! However that’s not what I was interested in – and I’ll let my son write and post a gaming perspective guest review shortly – for me I couldn’t wait to try it with a PC HDMI connection. My quick test rig is a Sony Vaio running Windows 7 with an HDMI out and my MacBook Pro taking the USB feed. The software isn’t included in the package – but is only a quick download from the Elgato website. There are both Mac and Windows versions ( so I may try this the other way round before long – I have a Mac MiniDisplayPort to HDMI adaptor cable ) and it took no time at all to download and install. The software isn’t very “feature rich”, but it is straightforward and easy to use.

Basic Recording Screen for Elgato game capture HD on MacOS X

There are a number of built-in submission tools for the likes of YouTube, FaceBook, Twitter but also for conversion to various “i” formats ( iPad, iPhone), e-mail, ProRes ( whatever that is … ) and just dumping them in your movies folder. I’ve not experimented with these yet, but I might have a go with the Twitter one at a later date. I think that the boy has ideas ( partially because I pointed them out to him when the times article quoted a £60,000 a month profit of online games review sites ) of uploading some things onto YouTube, again, I’ll let him address the effectiveness of this in his review.

Basic Editing Screen for Elgato game capture HD on MacOS X


I wasn’t that impressed with the editing features of the app, which are, to say the least, basic. I’m a long term Mac user though, and thus am not afraid to nip into the App store and put down some hard earned cash on an “i” app – a quick “iMovie” purchase later ( less than £11 ) and I was able to import the .m4v file for some more capability in post-production as it were.

All in all I’m impressed, I’ll update this as time goes on and there are actually some videos created that I’ve uploaded and might – very might – actually contain some real content …

Until such time, check this one out – this is the Mac with HDMI out, feeding back into itself …


DMU and Documents … ( Part 3 )

For the curious – the exam yesterday went “ok” … Not as well as I would have liked. It was good in the sense that as I went through the task, I realised the errors that I was making and managed to correct them before it went _too_ far in throwing out subsequent calculations but it really slowed me down and I didn’t quite get through all of it. I’m confident that I passed, and, interestingly, I managed to learn something new about the behaviour of Word during the exam – I also know that, without any time constraint, I would have been able to do it, so the course should be classed as a success (!). This is the first occasion I can recall in my entire academic history ( since GCSE none the less ) where I want to get the coursework component so that I can beat the darn thing !

The exam was, I think, well positioned – if I hadn’t made any mistakes it would have been feasible to complete it in about 1hr 45min I reckon – Tony and Brian said that they each sat it, and it took each of them just over an hour. The content of the week ( which took 4 days of 9am to 6pm training to get through ) couldn’t possibly all be examined – so the sub section chosen had to demonstrate understanding, and I must admit that it does that very well indeed.

Roll on the coursework !


DMU and Documents … (Part 2)

Wow. Four days later I think that I’ve grasped it – in a few hours the exam ( a 2 hour practical ) will be over and I’ll know how much of it has actually sunk in !

So, the actual course content – if you forensically examine Office documents, you need to do this course. As with all Sammes/Jenkinson courses – don’t expect “point & click” forensics – this isn’t a step-by-step how to guide, nor does it sell/use any given product ( although examples of EnCase output are included in places where pertinent to the point being made … ). It is much, much better than that – it is a course in how to approach a document ( … and remember an Office document is anything created by Word, Excel, Powerpoint or Visio … ) in order to obtain evidence that can be presented in court regarding the information that supports the case. We’ve been through the usual suspects – creation/modification times & dates, save locations, names etc. – but more importantly how these data structures are represented within the document – this means that ( coupled with the supporting documentation – provided as part of the course ) you can successfully decompose any and all data held in a document by following the principles taught. Please forgive me for not going into more detail – all I can really say is that if you need to do documents, you need to do this course – there is so much here that is (a) original research and (b) that isn’t covered elsewhere I imagine that it would be very bad news to try and present as an expert against someone who has done the course as you will look like a right idiot.

Anyone who has read what I’ve written before is ( I hope ! ) aware of my feelings about education – much as “giving a man a fish feeds him for one day, teaching him to fish feeds him for a lifetime” – teaching someone to use an application solves one case, teaching them to “forensicate” solves a hell of a lot more. I hope that Brian and Tony will forgive me for saying this ( I’m pretty sure that they feel this way themselves ) – if all you want from a course is to learn how to use EnCase/FTK/ForensicatorAppOfYourChoice DON’T DO THIS COURSE – if on the other hand you actually want to learn about the art and practice of digital forensics this course (and any/all others from DMU given by these gentlemen) will set you down the path to that. If you are law enforcement, there is nothing, and I repeat nothing, out in the remainder of the education market that can match the benefits of being taught by Tony and Brian – Dr Colonel Professor Sammes and Ex-Detective Inspector Jenkinson – have, I believe, probably produced ( certainly in combination ) more digital forensics court evidence over more complex cases than any other pair in history – this results in a great deal of practical advice as well as many anecdotes to fill coffee breaks with related to Policing & Computing in general.

For the rest of this entry I’m going to tread a fine line and hope that anyone intelligent enough to be considering a career in Forensics can read between the lines. I’ve known both Tony and Brian for a few years now – I started at Shrivenham more than a few years ago and dragged out my degree there, and now have gone with them to DMU – I consider them both to be friends and thus I’ll allow you to consider my bias both for what is written above and now as you will. I spoke to Brian not long after they parted company with Cranfield/Shrivenham – oddly to ask about my MSc thesis – and I know that there was a serious disparity between the direction that the Department of Forensic Computing at Cranfield wanted to take (“point and click”) and the direction that they wanted to develop the course and their belief in the importance of the understanding of fundamental principles. The ultimate decision to part company was made by Cranfield, _not_ by Tony and Brian – a ludicrous step on the part of Cranfield, which coupled with subsequent staff losses, has left the University with next to no actual real-world Forensic experience in the department full time. Within weeks Brian and Tony had been approached by more than one University – and after much discussion they chose to align with DMU. This is the best thing that they could have done, it has not only provided some first-class facilities for them to use, but it has fully supported them in taking their course in the direction that they want to take it. The Cyber ( sorry, I still hate that term ) Security centre here is practically focused to provide solutions – and they fit right in. DMU has given over secure facilities ( that exceed the guidelines for secure storage btw … ) so that the department can start to take in case work, and the plans for developing this consultancy stream are very exciting indeed.
I personally am thrilled that I changed, and I’m very encouraged by the level of commitment shown by DMU , not only to the course, but also to me as an individual.

I understand that more information regarding the course & developments will be officially published by the University over the next few months – I’ll make this available as and when it appears – either follow my Twitter feed or subscribe to the blog, and it should automagically let you know when it arrives !

Anyway, I have to go and try and make use of what I’ve been taught !


DMU and Documents …

I’m embarrassed to say that I’ve let my blogging slip again – I’d like to plead busy-ness, and it isn’t as if my Twitter hasn’t suffered too ! I think I’ve managed one Tweet this year so far …

In any case, it isn’t like I’ve got much more time now – I’m currently in Leicester at DeMontfort University sitting in the brand new PostGrad Forensics Lab on the “Binary Analysis of Microsoft Office Documents” course. I’ve jumped ship from Cranfield & Shrivenham to follow Professors Tony Sammes and Brian Jenkinson to their new home in the Cyber Security department of DMU*, and I must admit that I have only one regret and that is that Leicester is so much further from home ! Other than that, the course ( so far ! This is day 2 … ) is excellent – the facilities here are far superior to those at Cranfield – much has been invested in the brand new lab – a 15 seat (on a quick count – looks like it can support 3 more) there are some of the snazziest whiteboards that I’ve ever seen (frosted glass none-the-less) and some excellent HD projectors. The smell of various solvents – carpet & paint I think – still are lingering a little, but the AC is gradually filtering it out as the week goes on.

Regarding the course, I won’t divulge content as it is a commercial advantage held by DMU now – I don’t think that you can get this course anywhere else – but needless to say, when it’s being presented by Tony and Brian, you can imagine that not only is it as full of content as you can cram into a day, but it is also seriously stretching all of us here I think – given that 50% of the students are doing their PhD here, I think that gives you some idea of the level that we’re talking about here.

There are several hotels listed by the University, but the closest is the Holiday Inn at St.Nicholas Circle – it’s perfectly acceptable, food is pretty good and the staff are attentive in the restaurant. The Gym, to be fair, is laughable, but let’s face it, a majority of Forensic Examiners are known for their athletic ability 😉 It is only a short walk from the Gateway Building where the lab is – and thus far I’ve been blessed with good weather …

Catering on the course is a matter of going to get it yourself – this isn’t a hardship, as the Student Center next door has a number of options for food – including a Starbucks (either rejoice or groan as you personally desire – for me, it beats Nescafe, so I won’t complain !) There is a cash machine, small supermarket etc. much the same range as I recall from my experiences at Edinburgh and Imperial … There seems to be an absence of card taking at the till points – I guess students only operate in cash – so just be prepared. Oh, and two other points – 1) Avoid going to lunch at 1pm, the mass of the student population arrives at this point and 2) there appears to be a constant charity fundraising presence outside – as one of my post-grad colleagues pointed out – this allows the undergrads to feel productive without actually having to do any work 😛 ( Be careful when purchasing cakes/biscuits from the stalls – I’m not sure that student kitchens are best designed for mass catering, and, although the flavour was lovely – the image of Brian having to break his biscuit by repeatedly smashing it against the table in order to eat it will remain with me for a long time ! )

I’ll update this a little later in the week when a bit more course has been covered … But, from first impressions, I’m really rating the move from Cranfield/Shrivenham as “a good thing”…

For more information on De Montfort University courses – both Undergraduate and Postgraduate Forensics & Information Security go to HERE.

* Ok people, let’s be brutally honest here – there isn’t really a course left at Cranfield after Tony and Brian left – so I can’t say that there was much point in _not_ following them …


CEH – Self Study – The Review

A few weeks ago I mentioned that I had been asked to perform a review of some Self Study material provided by a company called UCertify. Our relationship started out a little rocky, where they asked me to review a demo-version, I refused to review anything except the full thing, and they eventually relented and sent the whole course through, so I at least have full visibility of the whole thing ! There was a choice of courses, but figuring that I’d be better off in my own space, I decided to go for the CEH V7 course – reflecting ( I hope ! ) the changes that have been made to the CEH qualification. Once I had downloaded and installed the program without any issues ( note : Windows only option – a bit of a shame as I would have preferred to run it on my MBP [ while it was still working ] ) I opened it up to have a preliminary wander.

My first impression was that the interface was rather dated – very Windows 3.1, rather than anything else, but, remember that “Content is King” when it comes to training. The interface is laid out with “Practice Tests” and “Study Helper” tabs easily visible, but scrolling further down other features are available, including progress tracking tools and “Articles”. Featurewise, I would say that the course is no better or worse than any other CBT that I have seen, although the layout isn’t entirely intuitive. The right hand side of the window for example is full of “PrepKit Features” – marketing bumph telling you about the product that you’ve already bought, probably because of the promised features !

Anyway, having made the earlier suggestion that “Content is King” – I suspect that one or two of you might have figured out where I am heading. The course itself is not well structured – it leaps around topics in a nonsensical fashion, it doesn’t deliver on the learning goals highlighted at the beginning of the session and it doesn’t look as if it was written by someone for whom English was their first language – I don’t wish to be negative about this, but it leads to ambiguity in meaning in places, and that – in an educational package is unacceptable. I also have _grave_ reservations about the accuracy of the content in places – how about this one :

“Microsoft networking uses UDP for logon …”

And that’s only one, in the first lesson …

The test questions, at least initially seemed to be quite promising – although my concerns about the accuracy stand.

For my part, I won’t be sitting the CEH exam off the basis of this course, and I can’t say that I would recommend anyone else to either – the quizzes, if they are accurate, might well be a useful revision tool if you have learnt your information from somewhere else – but I really would suggest that you approach the product with caution, and use it only in conjunction with another resource to ensure that you are going to get the right learning for the exam.

Overall – 1/5


De Montfort University – New MSc in Forensics

Below I quote a letter from Brian Jenkinson and Tony Sammes regarding the new digital forensics course at De Montfort University. Brian and Tony, formerly of Cranfield, are considered amongst the foremost Digital Forensics practitioners and specialists in the UK. This e-mail is reproduced less contact details to reduce spam / annoyance, but if you are serious, please contact me directly and I’d be happy to pass you on.

Dear Students, Colleagues and Friends,

It is with great pleasure that we can now let you all know that our “new”
MSc has been validated by De Montfort University and we will start teaching
in January 2012.

The MSc will run in a configuration that you will recognise. Many thanks
must be extended to the staff at DMU who have worked long and hard hours
to get the MSc developed and in place in a period of about five months.
It has been a heavy time for all of them and for the two of us. Getting this
done in such a short period must be some kind of record!  We were insistent
on speed so as not to leave any existing students in the lurch, as you know
the move was not of our choosing.

Full details of the Courses will be circulated shortly but to cover some of
the questions we have been asked :

– The MSc is made up of the Courses plus Coursework and Project.
– Three qualifications are available, MSc, PG Dip and PG Cert.
– Short Courses will run together with the MSc residential element.
– Those of you with completed modules “in the bank” can put those towards an
MSc at De Montfort.
– Those of you who have done the residential elements only (without the
coursework) will be able to “top up” with coursework only.
– Costings are not yet settled but we are assured that they will be similar
to or less than those you would expect to pay elsewhere.
– We are not aware that any fee will be charged for transfer of credits (in
their various types) to register completed modules or short course
passes at DMU.

The first course/module will be a Foundations of Forensic Computing in
January 2012.

This is an exciting time for both of us – they are building us a teaching
lab as we write with all new kit and extras. The lab is exclusively for our use so we
can do as we wish without constraints and do not have to share with any
other course, the building is massive and its layout is designed for
teaching and students’ comfort. The atmosphere is friendly and welcoming
and the staff are brilliant “can do, will do” people. There is technical support for us
should there be any glitches and the kit is better than anything we possess.
The MSc is “Forensic Computing for Practitioners” and will focus upon
Forensic stuff to do the job and us teaching Forensics rather than padding out
with non-relevant material. There are shed-loads of new stuff and includes bespoke
scripting, differing operating systems getting past the disk interface and
the like – it feels like we have been released from our leashes and can
run free, it’s great!

In the first instance any one who wishes to express an interest in transferring to DMU,
starting the MSc (or derivative) at DMU or simply want Short Courses at DMU
should EMail with contact details and a short explanation of their circumstances
to “<on request>” PLEASE use “MScFC4P” as the Subject in the EMail header.

Each person enquiring will then be contacted
personally, initially with some further detail and then to discuss the mechanics for those
requesting a transfer. Please include both EMail and telephone contact details.

Please feel free to contact us at “<on request>” with any queries or
telephone Brian on <on request> if you want a personal discussion.

Further Good News with detail will follow shortly, if you want a Foundation place in
January we suggest you register your interest as soon as possible, we are aware
that interest is already high.

Our very Best Regards to all of you, we hope to see you at F3 in November
or, indeed, at DMU.

Please feel free to circulate the content of this EMail to any person whom you feel may
be interested in its content – we do not have access to a database of students or
organisations at present. It would also be very helpful if you would acknowledge
receipt of this EMail, thanks.

Tony and Brian.

——————————————————–
in cauda venenum
——————————————————–
Brian Jenkinson MSc BSc[hon] BA  FBCS CITP
Forensic Computer Consultant
Visiting Professor to The Faculty of Technology of  De Montfort University, Leicester


CEH – Self Study

I’ve been asked by a company to review a self-study course on the new CEH v7, and they have very kindly provided me with a full copy of their material. On a first look, it seems pretty good – I like the way that it is arranged, and it’s easy to use. Installation was no problem, although I have to use my PC rather than my Mac / Linux box, which isn’t exactly ideal ! So far my only issue with it is that there are some minor errors with the peripheral content ( the price of the exam quoted in the material is $250, I’ve not found it less than $300 for the online exam and $500 for the meat-space exam ). These are early days though, and I actually intend to follow the whole thing through and sit the exam – so there will be more detail coming soon.

UPDATE: Make sure that you read : CEH – Self Study – The Review

And also, if you are heading down this path of CEH perhaps you might like :  An Introduction to Penetration Testing
