
GCHQ gives seal of approval for USW Computer Forensics course

http://www.southwales.ac.uk/news/2016/gchq-gives-seal-approval-usw-computer-forensics-course/

The University of South Wales (USW) has become the only university in Wales to gain the prestigious provisional certification from GCHQ, the UK Government’s Communications HQ, for its Masters course in Computer Forensics.

Professor Andrew Blyth (centre) with USW computer students

The award, which was announced by GCHQ in Westminster today, builds on USW’s work with other security and law enforcement agencies, and supports the development of the UK’s knowledge, skills and capability in all fields of cyber security as part of the National Cyber Security Programme.

USW is one of 14 selected higher education institutions across the UK to receive the certification, but is the only one to be recognised in the MSc Computer Forensics course.

Earlier this year, USW announced the creation of its National Cyber Security Academy, based in its flagship Newport City Campus.  A joint initiative with the Welsh Government and industry leaders that will help address a shortage of cyber security skills and develop the next generation of cyber security experts, it will take its first students in October.

Also involving Welsh digital innovation company Innovation Point and major industry players – including Airbus, General Dynamics UK, Alert Logic, Information Assurance, QinetiQ, Silcox Information Security, Westgate Cyber, Wolfberry and the South Wales Cyber Security Cluster – the NCSA will work to close an expected skills gap in the cyber security sector. By 2019 it is forecast that an additional 4.5 million personnel will be needed worldwide.

The NCSA builds on plans for a £60m Newport Knowledge Quarter, which would see USW work in partnership with Coleg Gwent to build a new learning campus in the city’s riverbank area.

Rt Hon Alun Cairns MP, Secretary of State for Wales, said: “The seal of approval from GCHQ to the University of South Wales is a prestigious accolade which once again puts Wales on the world map for the outstanding quality of its higher education.

“Cyber security is, as we all know, an area of ever increasing concern and Wales is now in the forefront of producing the experts and research we need to tackle the complex problems it raises.”

Professor Julie Lydon, Vice-Chancellor of the University of South Wales, said: “Cyber security is ranked by the UK Government alongside terrorism, military crises, and natural disasters as major national security threats, and it costs private businesses many millions each year. Both industry and government understand the growing need for the right skills to conquer these threats. Recognition from GCHQ for our Masters course shows that USW is leading the way when it comes to training cyber experts. It shows that our expertise is of the highest quality.”

Professor Andrew Blyth, Head of Information Security at USW, added: “Having GCHQ certification shows that our Masters in Computer Forensics is at the cutting edge when it comes to dealing with the variety of cyber security threats that Government organisations can face.

“We have been working closely with other official and commercial bodies for many years to develop the skills needed to counter threats that exist both externally and within an organisation’s systems.”

*****

**Waves to USW!  Awesome place to study.

****

GCHQ Certification of Master’s degrees in Cyber Security

https://www.cesg.gov.uk/articles/gchq-certification-master-s-degrees-cyber-security

You’ll see that Royal Holloway – University of London has full status.  The lads that started IVPN are all grads from Royal Holloway.  They helped me with my degree – **Waves to IVPN.

I can’t find a more secure VPN provider.  No-one else comes close.

IVPN

www.ivpn.net

Warrant Canary – can be found here:

https://www.ivpn.net/resources/canary.txt

U.S. nuclear program runs on floppy disks – CNN

Floppy disks are go!

Comic version of the same news… pacman rules okay.

FBI raids dental software researcher who discovered private patient data on public server

http://www.dailydot.com/politics/justin-shafer-fbi-raid/

Someone alerts you to exposed, unencrypted patient information on your FTP server. Is the correct response to thank them profusely or try to have them charged as a criminal hacker?

It is not a trick question. Once again, a security researcher has found himself facing possible prosecution under a federal statute known as the Computer Fraud and Abuse Act (CFAA). His crime, according to a dental-industry software company, was accessing what had been left publicly available on the open Internet.

Meet dental computer technician and software security researcher Justin Shafer, 36, of Texas.

Shafer and his wife were sound asleep at 6:30am local time on Tuesday morning when the doorbell started ringing incessantly, and the family heard a loud banging on their door.

“My first thought was that my dad had died,” Shafer told the Daily Dot in a phone interview, “but then as I went to the door, I saw all the flashing blue and red lights.”


With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. One was “pointing a ‘big green’ assault weapon at me,” Shafer told the Daily Dot, “and the baby’s crib was only feet from the door.”

The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafer said, and his wife tried to tell the agents that there were three young children in the house.

Once handcuffed, Shafer was taken outside, still in his boxer shorts, still not knowing what was going on or why.

Over the next few hours, the agents seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list, a copy of which was provided to the Daily Dot, shows that federal agents took 29 items.

For those who do not recognize his name, Shafer was responsible for exposing the fact that Dentrix software, produced by Henry Schein Dental, was misleading customers when it claimed to provide “encryption.” In collaboration with DataBreaches.net, a site operated by your author, he exposed that vulnerability and filed an FTC complaint that recently resulted in Henry Schein signing a consent order to settle Federal Trade Commission charges.

8:30am, FBI agents outside Shafer’s home, as seen through a neighbor’s window. Courtesy of Shafer’s neighbor

So why was the FBI raiding Shafer and treating him like a dangerous criminal? The Daily Dot was unable to obtain a copy of the probable cause affidavit by the time of publication, and it may be under seal. But as one agent subsequently informed Shafer, it stemmed from an incident in February, when Shafer discovered another security vulnerability in dental records, this one a publicly available File Transfer Protocol (FTP) server operated by the team behind Eaglesoft, a dental practice management software.

Eaglesoft is manufactured by Patterson Dental, a division of Patterson Companies. According to Shafer, he was researching an issue with hard-coded database credentials when a search for a password led him to an anonymous FTP server that allowed anyone access. When Shafer looked at the files on the publicly available server and saw a directory with patient data, he took steps to alert Patterson to secure the protected health information.

The FBI was not, of course, there to commend Shafer for responsible disclosure. The agent told him that Patterson Dental was claiming Shafer had “exceeded authorized access” in accessing its FTP server, which is illegal under the CFAA. Attempts by the Daily Dot to contact Patterson by email, website contact form, and phone over the past 24 hours produced no responses.

Shafer discovered the exposed patient data at the beginning of February and contacted DataBreaches.net to request help with the notification and responsible disclosure. Both DataBreaches.net and Shafer began attempting to notify Patterson and clients whose unencrypted patient information had been exposed for an unknown period of time. Over the next few days, we emailed or called Patterson; Timberlea Dental Clinic in Alberta, Canada; Dr. M Stemalschuk in Canada; Massachusetts General Hospital Dental Group; and Dr. Rob McCanon.

Only after Shafer determined that the patient data had been secured did he and DataBreaches.net disclose the incident publicly. As reported on DataBreaches.net, Shafer found that 22,000 patients had had their unencrypted sensitive health information at risk of access by others. It is not clear how long the publicly accessible FTP server was available, and Patterson Dental did not answer the questions DataBreaches.net asked of it on the matter. Shafer told the Daily Dot, however, that the FTP server had been unsecured for years. In an email statement, he wrote (typos corrected):

“Many IT guys in the dental industry know that the Patterson FTP site has been unsecured for many years. I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at Eaglesoft\Patterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous. I think around 2010.”

A cached copy of the directory, still available on FileWatcher, shows that the files were originally uploaded in 2009:

A cached copy of the directory, found on FileWatcher, indicates that some files may have been exposed as early as January 2009. FileWatcher

Shafer wrote about the exposed patient data on his blog, but he also called attention to a security vulnerability he had found with Eaglesoft itself—a vulnerability that would make it easy for someone to attack a database and steal patient information. Shafer reported the vulnerability to CERT, a division of the Software Engineering Institute at Carnegie Mellon University that is sponsored by the Department of Homeland Security, which issued a Vulnerability Note.

CERT’s records indicate that, since Patterson Dental was first notified on Feb. 19, the company has yet to provide CERT with a plan to patch or address that vulnerability. Patient data may still be at risk, as CERT describes the impact of the vulnerability this way:

“An attacker with knowledge of the hard-coded credentials and with network access to the database may be able to obtain sensitive patient information.”

Knowledge of those hard-coded credentials is fairly widespread, Shafer claimed in a blog post, where he provided the default login for read access.

To recap: Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it “without authorization” and should be charged criminally under CFAA.

Shafer is now left wondering, is this an attempt to silence or discredit him? This would not be the first time a company seemingly attempted to chill Shafer’s speech about their security issues. And he would certainly not be the first researcher accused of criminal hacking.

After programmer and open-data activist Aaron Swartz took his own life in 2013 under the pressure of what many described as an overly aggressive prosecution under CFAA, there was public support for reforming the law. In February 2013, Cindy Cohn and Marcia Hofmann of the Electronic Frontier Foundation addressed the need to reform the law and to protect researchers from criminal prosecution in certain scenarios. They wrote:

“The law needs to protect tinkerers, security researchers, innovators, and people who seek to avoid being tracked and discriminated against. The CFAA not only fails to protect these people, it allows ambitious prosecutors (and unhappy companies) to target them.”

Despite increased support, a bill proposed by Sens. Ron Wyden (D-Ore.), Rand Paul (R-Ky.), and Rep. Zoe Lofgren (D-Calif.) failed to pass last year. More than three years after Swartz’s death, CFAA has yet to be reformed, and unhappy companies can still attempt to get security researchers prosecuted as criminals.

“It’s weev all over again.”

Prophetically, perhaps, one FBI agent asked Shafer how he knew Andrew “weev” Auernheimer, a notorious hacker-troll who became famous for leaking the personal information of AT&T iPad users he accessed through the company’s publicly available website. Shafer told him that they didn’t know each other, but he had tweeted to him that he was glad he was out of jail (after a court overturned Auernheimer’s conviction in a hacking case over a challenge to venue).

There are some similarities between Auernheimer’s prosecution for “hacking” AT&T and Shafer’s situation. As George Washington University Law professor and CFAA scholar Orin Kerr explained in 2013, when asked why he was representing Auernheimer pro bono on appeal:

“At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an ‘unprotected website’ that is ‘open to the public.’”

The same should be true of FTP servers that have no protection on them and are indexed where anyone can find them via a search engine, legal experts say. When asked for his opinion on Shafer’s case, Kerr told the Daily Dot:

“This is a troubling development. I hope the government doesn’t think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA.  If that turns out to be the government’s theory—which we don’t know yet, as we only have the warrant so far—it will be a significant overreach that raises the same issues as were briefed but not resolved in weev’s case. I’ll be watching this closely.”

For his part, Shafer shared his feelings about Patterson Dental with the Daily Dot, saying that they are the ones who acted irresponsibly.

“I think it is a cowardly thing to do to my family,” he said. “I think they owe me a thank you, and I think they owe the patients and covered entities an apology. I also feel like they should be heavily fined for storing patient data on an anonymous FTP site for years.”

Asked whether he was nervous about the possibility of being prosecuted, he replied: “Yes, only because of how I see how harsh they were to guys like Chelsea Manning and guys like Aaron Swartz. Although I haven’t heard of anyone being prosecuted for downloading files from an anonymous FTP [server] before, I suppose there is a first time for everything.”

Defense attorney Tor Ekeland, who represented Auernheimer in the federal court case in New Jersey, has offered to help Shafer, telling the Daily Dot, “It’s weev all over again.”

If the government does plan to charge Shafer, which remains undecided, they may find themselves up against some legal heavy-hitters on the CFAA. It will also be forced to confront that, while exposing a company’s inadequate security may not be good for its business, chilling security research could be bad for consumers and all businesses.

Armed FBI agents raid home of researcher who found unsecured patient data

http://arstechnica.com/security/2016/05/armed-fbi-agents-raid-home-of-researcher-who-found-unsecured-patent-data/

Prosecutors allegedly say he exceeded authorization in viewing unsecured FTP server. (lol, seriously)

FBI agents, one armed with an assault weapon, reportedly raided the home of a security professional who discovered sensitive data for 22,000 dental patients was available on the Internet, according to a report published Friday.

Justin Shafer, who is described as a dental computer technician and software security researcher, reportedly said the raid happened on Tuesday at 6:30am as he, his wife, and three young children were sleeping. He said it started when his doorbell rang incessantly and someone banged hard on his door. According to Friday’s report:

“My first thought was that my dad had died,” Shafer told Daily Dot in a phone interview, “but then as I went to the door, I saw all the flashing blue and red lights.”

With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. One was “pointing a ‘big green’ assault weapon at me,” Shafer told Daily Dot, “and the baby’s crib was only feet from the door.”

The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafer said, and his wife tried to tell the agents that there were three young children in the house.

Once handcuffed, Shafer was taken outside, still in his boxer shorts, still not knowing what was going on or why.

Over the next few hours, the agents seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list, a copy of which was provided to Daily Dot, shows that federal agents took 29 items.

Enter Eaglesoft

An FBI agent told Shafer the raid stemmed from an incident in February, when Shafer discovered a file transfer protocol server operated by Eaglesoft, a provider of dental practice management software. The FTP server reportedly stored patient data in a way that made it easily accessible to anyone. Shafer contacted DataBreaches.net and asked for help privately notifying the software maker, and once the patient data was secured, the breach notification site published this disclosure. In a blog post of his own, Shafer later discussed the FTP lapse and a separate Eaglesoft vulnerability involving hard-coded database credentials.

The FBI agent reportedly told Shafer that Patterson Dental, a parent company of Eaglesoft, was claiming Shafer had exceeded authorized access when viewing the publicly available data.

Friday’s report continued:

To recap: Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it “without authorization” and should be charged criminally under CFAA.

Shafer is now left wondering, is this an attempt to silence or discredit him? This would not be the first time a company seemingly attempted to chill Shafer’s speech about their security issues. And he would certainly not be the first researcher accused of criminal hacking.

It’s not clear if Shafer used any of the hard-coded credentials to access patient data, something that would likely be a technical violation of the Computer Fraud and Abuse Act. Even if he did, an early morning raid by armed agents on a sleeping family is a highly disproportionate response and a flouting of the type of discretion federal prosecutors claim they apply when pursuing CFAA violations.

Observations:

This echoes a case in the UK – which went to the European Court of Human Rights in Strasbourg. A lady running a website became suspicious of posts with links in the signature. She clicked the link and went to a site with child porn. Therefore being a good citizen she went to her local police station to report this. The police asked her if she’d seen the site – and she replied yes, that’s why she’s reporting it. SHE was charged and convicted as a sex offender for doing her moral duty.

The moral of the story for UK civilians is where you discover child porn, do not report it or you will gain a criminal record as a sex offender.  Her case has been escalated to the ECHR to remove her sex offender status – and you have to wish her barristers the best of luck as this prosecution was an abhorrent abuse of police powers.

It seems the FBI are making a similar policing decision in considering the responsible actions of a security researcher as a crime.  This is clearly a mistake of policing and public policy. Where you see a breach or data loss, you should be able to report this without fear of a prison sentence or criminal record.

I hope that both the EFF and civil rights movements support him. Even better, change your dentist so that your records are not held on the FTP server of the dental company in question. It’s the medical company who should be prosecuted for a blatant lack of Data Protection. It’s also a rule that you can’t operate an FTP server and be PCI compliant within banking, simply due to the insecure nature of FTP. If the dental company operate an FTP that is unsecured, well they should be fined, just as a bank would be fined.

In the “Alice in Wonderland” world of infosec, the good guys become the bad guys and the bad guys are generally the police, FBI and prosecutors.  When a security researcher discovers a glitch and acts with integrity to fix the data loss, he is not the villain of the story.  Those who create unsecured FTP servers containing medical data need to be fined and given criminal sanctions including putting the directors of the company in jail.

IVPN – Free Trial of VPN

If you’ve always wanted to try out a VPN without risk, then IVPN’s 3 day trial may be the right solution for you. As you’ve probably guessed, I’m a fan of their service – which after 4 years of faultless service, I can honestly recommend as flawless.

www.ivpn.net

IVPN FREE TRIAL

IVPN operate your DNS server, so that your ISP can’t tell the sites you’re visiting.

If you want to use torrents you have to connect to European servers.

Their VPN speeds are superior as they are geared for high speeds.

As I’ve said, IVPN have provided flawless service and its been designed from top to bottom to provide ultimate security.  What makes them different from other VPN providers includes:

  1. Resistant to court orders.  IVPN has been designed to withstand court orders under FISA or the Patriot Act.
  2. Strong encryption – RSA 4096 public key crypto to safeguard the AES 256 symmetric key.
  3. Their installer works on mobile phones, laptops, MAC, Linux, Android and even your router.  Up to 3 devices can connect under one account – so your home router and mobile phone can both use IVPN.
  4. Multihop technology – so your VPN can route via two countries eg from the UK to the Netherlands back to the UK.
  5. They have never complied with a court order, or a DMCA order for disclosure.
  6. The server log is wiped every 10 minutes. This was the deciding factor for me – other VPNs keep their server logs for 3 days or even a week. The 10 minute log deletion rule was the killer factor for me. Whatever residual data may have existed, has been wiped before a court order could even be obtained.
  7. Their warrant canary confirms each month that no servers have been seized.
  8. They offer a 3 day free trial if you’d like to test out their lightning speeds.
  9. The system is so good, it even works in China – it bypasses the great firewall of China.

I can’t find a more secure VPN provider.  No-one else comes close.


******

Which is the safest VPN on the market? Who do I use for a VPN?

https://uwnthesis.wordpress.com/2013/05/17/which-is-the-safest-vpn-on-the-market-which-vpn-cares-most-for-your-privacy/

Hashing files for Data Integrity – Hash Tool

If you need to prove the data integrity of a file (i.e. that it has not been changed), then obtain a hash of that file. A hash is a digital fingerprint of a file. Even the slightest alteration will totally change the hash. I would recommend using the SHA-256, SHA-512 or SHA3-512 hash.

Step 1 – Download a free file hashing tool here:

http://www.digitalvolcano.co.uk/hash.html

Run & Install

Step 2 – Right click on a file > properties

Select the “File Hashes” Tab


The hashes for several algorithms will be shown.


Select “Settings” to use a different algorithm.


The Hash Tool interface will allow you to select a file and then a hash type that you can copy to the clipboard.


If you would like to see how a simple change to a word will totally change the hash, try out the miraclesalad hashing site. Type in a word and then add a full stop to see the hash recalculated on the fly.

http://www.miraclesalad.com/webtools/md5.php


You can hash a password, a file or an exe.  It ensures “data integrity”, in that you cannot change the file without changing the hash.

SHA-1 hash generator

http://www.miraclesalad.com/webtools/sha1.php
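The same integrity check can be done without a GUI tool. The script below is an added example written for this post, not code from Hash Tool or miraclesalad: it uses Python’s standard `hashlib` to produce SHA-256, SHA-512 and SHA3-512 digests, repeats the “add a full stop and watch the hash change” experiment on a constructed byte string, and then writes a constructed sample file, records its hash, flips one byte and shows the recorded hash no longer verifies. The file name and contents are made up for the demonstration. MD5 and SHA-1 are deliberately refused, because collisions can be manufactured for both, so they no longer prove that a file is unchanged.

```python
"""Added example (not from the original post): file hashing for integrity checks."""
import hashlib
import hmac
import os
import tempfile

# Algorithms the post recommends. MD5 and SHA-1 are left out on purpose:
# practical collisions exist for both, so they cannot prove integrity.
RECOMMENDED = ("sha256", "sha512", "sha3_512")


def _check_algorithm(algorithm: str) -> None:
    if algorithm not in RECOMMENDED:
        raise ValueError(f"unsupported or weak algorithm: {algorithm}")


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of an in-memory byte string."""
    _check_algorithm(algorithm)
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file of any size by streaming it in chunks instead of reading it all into RAM."""
    _check_algorithm(algorithm)
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare a file's digest with a published value using a constant-time comparison."""
    actual = hash_file(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo_small_change() -> dict:
    """The post's experiment: appending one full stop changes every digest completely.

    Returns {algorithm: (digest_before, digest_after)} so the caller can inspect both.
    """
    original = b"integrity"        # constructed sample input
    altered = original + b"."      # the single-character change
    return {alg: (hash_bytes(original, alg), hash_bytes(altered, alg)) for alg in RECOMMENDED}


def demo_file_roundtrip() -> tuple:
    """Record a constructed file's hash, tamper with one byte, and re-verify.

    Returns (verified_before_tampering, verified_after_tampering), i.e. (True, False).
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.bin")        # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"patient export 2016-05\n" * 1000)     # constructed content
        recorded = hash_file(path, "sha256")                 # the value you would publish
        ok_before = verify_file(path, recorded)
        with open(path, "r+b") as f:
            f.seek(10)
            f.write(b"X")                                    # flip a single byte
        ok_after = verify_file(path, recorded)
    return ok_before, ok_after


if __name__ == "__main__":
    for alg, (before, after) in demo_small_change().items():
        print(f"{alg}: {before[:16]}... -> {after[:16]}...")
    print("verified (before, after) tampering:", demo_file_roundtrip())
```

When checking a downloaded file against a hash published on a website, the published value only proves integrity if it was obtained over a channel the attacker could not alter (for example, the HTTPS page of the project rather than the same mirror that served the file); `verify_file` is the comparison step, not a substitute for that.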

Next generation of cyber security experts will be trained in Newport

http://m.southwalesargus.co.uk/news/14353244.Next_generation_of_cyber_security_experts_will_be_trained_in_Newport/?ref=erec

THE next generation of cyber security experts will be trained in Newport as the first cyber security academy in Wales is launched.

The USW’s Newport City Campus where the National Cyber Security Academy (NCSA) will be based

The National Cyber Security Academy (NCSA) at the Newport City Campus is a joint project between the University of South Wales and the Welsh Government. The innovative project is to help address a shortage of cyber security skills and develop the next generation of cyber security experts.

By 2019 it is forecast that an additional 4.5 million personnel will be needed worldwide.

With funding support from the Welsh Government, the £500,000 pilot initiative involves current USW computer forensics and computer security undergraduates.

They will work on real-world projects set by NCSA partners, while also ‘flight testing’ the course from October to ensure it meets the latest cyber security challenges.

If the pilot is successful, the university will build up the student numbers through the delivery of a full-time dedicated degree programme in Applied Cyber Security.

The academy will involve Welsh digital innovation company Innovation Point and major industry players – including Airbus, General Dynamics UK, Alert Logic, Information Assurance, QinetiQ, Silcox Information Security, Westgate Cyber, Wolfberry and the South Wales Cyber Security Cluster.

Professor Julie Lydon, vice-chancellor of the University of South Wales, said: “Both government and business understand there is a growing need for graduates with hands-on skills that can fight cyber threats, and that there is a need to work together to address this challenge.

“For industry, it offers direct access to a pool of graduates who have been trained to the highest standards and who have a clear understanding of cyber threats, while, for the students, it will maximise the opportunities for them to get a job when they leave USW.”

Economy minister Edwina Hart AM said: “Cyber crime continues to pose a growing global security threat and there is a real demand for highly skilled cyber security experts to tackle this issue. South Wales is already a renowned centre for cyber security expertise and this initiative is designed to deliver the highly specialist skills required by businesses working in the sector.”
