Issue 23 – Dec 2011 | Page - 1
ClubHack Magazine – December 2011


There was a time when mobile phones were the size of a shoe and had no features other than calling and SMS, and at that time I used to play the game Snake on my dad's phone :p Now, as time has passed, we have reached the age of smart phones, which are capable of doing a lot of stuff, and the world wide web of applications is causing serious concern, as an attacker can use this platform to steal data. This issue of CHMag is dedicated to Mobile/Telecom Hacking and Security.

The cover page of this December issue was released at ClubHack 2011, India's pioneer international hacking conference, held last week. Talking about the ClubHack conference, if you missed ClubHack, the presentations are available at - and the videos at

We recently released CHMag's Collector's Edition Volume II. If you wish to buy the Collector's Editions (vol. 1 – issues 1 to 10 & vol. 2 – issues 11 to 20), please write back to us: As of now it is print on demand.

Like the game Snake, I have played lots of other games too, which have been reflected in the previous cover pages I have designed, and yes, I promise another awesome cover page based on a game on the theme of Android security, which will be the theme for an upcoming issue, for which send in your articles to


GSM

The GSM Problem

Introduction

In this article we describe the various tools, software, hardware and techniques that can be employed to attack GSM. All of these are described in brief, and the corresponding references are given so that you can read more about each tool from the provided link.

GSM

GSM came into being during the late 1980s and was put into use in the western part of the world in the early 1990s. GSM has come a long way since then and has grown both in terms of coverage and in the number of subscribers. According to an ITU survey there are about 4.1 billion people (approx. 60%) with a mobile subscription, and about 90% of people live in an area with access to GSM [1]. India itself has around 0.865 billion mobile subscribers, that is about 72% of the total population [2]. Besides communication, more and more additional services, like payment, one-time passwords, tokens, SMS banking etc., are being deployed on top of GSM.

GSM is an old technology and can also be regarded as one of the most successful ones, but it has been over 20 years since GSM was designed, and during that time several security problems have been discovered in it. However, until recently it was not practically viable to exploit these weaknesses; partly due to the closed nature of the GSM protocol, but mostly due to all the complex signal processing involved and the high cost of the hardware needed for it.

Here we describe some currently available open source hardware and software that can be used to play with GSM. These include the Universal Software Radio Peripheral (USRP) together with the GNU Radio implementation for signal capturing, and the AirProbe and OpenBTS projects for handling GSM signals.

In the next section we describe the tools and tricks needed to get started playing with GSM.

Software Defined Radio (SDR)

Traditionally radios were a hardware matter: they were created to transmit and receive on specific frequencies and modulation schemes (please note that the word radio here is used for a generic transceiver using electromagnetic waves for transmissions, not specifically for the device known for the reception of programmed FM broadcasts made by radio stations).

Then came the Software Defined Radio (SDR). The main idea here is to create very versatile transceivers by moving a lot of the signal processing from hardware into the software domain, which brings advantages in cost and versatility. Imagine a universal radio with which you are able to tune in to WiFi, Bluetooth, GSM and satellite TV, all with one piece of hardware and software; this is where SDRs come into the picture. In an SDR the signal processing is implemented in software, so all that is needed is a generic receiver that can receive and transmit over a range of frequencies, and the corresponding signal processing software, viz. software for processing GSM, Bluetooth, WiFi etc. Still, a radio can never be 100% software; some hardware is needed to capture and create radio waves.

So in an SDR all signal processing activities like (de)modulation etc. are done in software, but the actual transmitting and receiving is done via the hardware subsystem. This makes for a much more adaptable system, giving it the ability to receive GSM signals as well as GPS and television broadcasts by only changing something in the software.

Now comes the next problem: this ideal scheme is not practically viable, because in practice software is not fast enough to process a large portion of the spectrum, and antennas are designed for specific frequency bands. Therefore we have more extended hardware subsystems for SDRs. Typically such a hardware subsystem consists of a wide band receiver that shifts a frequency band to a standard intermediate frequency, which can be sampled by ADCs (Analog to Digital Converters), and the resulting digital signal can be sent to a computer. Often other common equipment like amplifiers and band-pass filters is also part of the hardware subsystem. One of the most versatile and widely used SDR systems is GNU Radio, mostly combined with a USRP as the hardware subsystem.

USRP

The Universal Software Radio Peripheral (USRP) is designed as a general purpose hardware subsystem for software defined radio. It is an open-hardware device developed by Matt Ettus, and can be ordered through his company Ettus Research [3].

A USRP consists of a motherboard which contains a Field Programmable Gate Array (FPGA), a Programmable Gain Amplifier (PGA), ADC(s), DAC(s) and a communication port to connect it to the computer. Special boards called 'daughterboards' can be plugged into the USRP motherboard to tune in to the specific frequency bands needed. These daughterboards can be hooked up to appropriate antennas for reception; similarly there are daughterboards for transmission as well.

Figure 1: A USRP 1
USRP Daughterboards

A variety of daughterboards are available for specific frequencies; these can be plugged into the USRP motherboard. Currently there are about 13-15 daughterboards available, of which three are interesting in relation to GSM signals [4]:

• DBSRX, an 800 MHz to 2.4 GHz receiver.
• RFX900, 800-1000 MHz transceiver, 200+ mW output.
• RFX1800, 1.5-2.1 GHz transceiver, 100+ mW output.

The most used GSM frequencies are GSM900 (890.2-959.8 MHz) and GSM1800 (1710.2-1879.8 MHz) in Europe (India also uses these [5]), and GSM850 (824.0-894.0 MHz) and GSM1900 (1850.0-1990.0 MHz) in America and Canada. The DBSRX board covers all these frequencies, but is only a receiver board. In order to actively transmit, an RFX board is needed. Keep in mind that most countries require a license to transmit on these frequencies.

Figure 2: A DBSRX2 800 MHz to 2.35 GHz Receiver Daughterboard

Software tools that can be used for GSM analysis

GNU Radio

GNU Radio, started by Eric Blossom, is a free toolkit under the GPL license for implementing software defined radios. Fundamentally GNU Radio is a library containing a variety of standard signal processing functions, known as blocks; typically there are hundreds of implemented blocks inside GNU Radio. These blocks are programmed to work with several different types of RF hardware, but GNU Radio is mostly used in combination with a USRP.

GNU Radio, fresh out of the box, does not offer much in terms of GSM sniffing capabilities, although it can be used to locate the beacon frequencies of GSM masts [18]. However, GNU Radio is quite useful when used in tandem with other software packages, like AirProbe, to perform the low level functions of GSM sniffing, like reception and demodulation.

AirProbe

AirProbe [6] is an open-source project trying to build an air-interface analysis tool for the GSM (and possibly later 3G) mobile phone standard. This project came forth out of the GSM-sniffer project [20]. The most interesting part of AirProbe is the gsm-receiver project. It is, at this moment, the best working capture tool for GSM. AirProbe comes with two simple shell scripts that call all the necessary functions for saving the signals on a frequency to a file and for interpreting the signals in this file.
Calling <freq> [duration==10] [decim==112] [gain==52] with a frequency will capture the signals on that frequency to a file. The duration, decimation and gain are optional arguments with default values. A file called capture_<freq>_<decim>.cfile will be created, containing the captured IQ samples. These can then be interpreted by calling:

<file.cfile> [decim==112]

The file name has to be provided, but the decimation is again optional, though you should use the same decimation value that was used during capturing, since the decimation determines the sample rate the decoder assumes for the file.

The script runs a Python file that defines a software radio, which does all the processing needed to get the information bits out of the samples. This results in a series of hex values that represent the information as sent by the GSM network. The script uses a UNIX pipe to have these hex codes interpreted by gsmdecode, one of the other projects in the AirProbe repository. You could also try to convert these hex codes to a .pcap file, which can be read by Wireshark [21].

Currently the gsm-receiver project will only decode the downlink (GSM network to mobile phone). At this moment it can handle several of the control channels in GSM, and speech channels. However, due to encryption and frequency hopping this will not yet work in most real world situations.

Another good tool for capturing GSM traces is Gammu, an open source project which can manage various functions on cellular phones. In order to work with Gammu we need a Nokia DCT3 phone; one such phone is the 3210. We can use Nokia phones here because Nokia used a simple remote logging facility for debugging their DCT3 firmwares, but apparently forgot to remove it when going into production, so this debugging functionality can be enabled again using Gammu. A cable to connect the specific DCT3 phone to a computer is also needed. Once Gammu is installed on the computer [7] and the mobile phone is connected to it, you can run Gammu using the following command:

gammu --nokiadebug nhm5_587.txt v20-25,v18-19

The software will then interface with the phone and create a .xml debug log of the packets sent to and from the mobile phone. The .xml file can then be interpreted either by Wireshark or by AirProbe's gsmdecode [6].

The Gammu + Nokia phone method has a much better receive quality than USRP + AirProbe; after all, the mobile phone is specifically made to receive these signals.

OpenBTS/OpenBSC

A Base Transceiver Station (BTS) is a GSM cell tower, and a Base Station Controller (BSC) is a control center for several BTSs. Both of these systems have an open-source
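The capture script above leaves you with a .cfile of raw IQ samples whose sample rate depends on the decimation you chose. The following Python is an added example, not part of the article or of AirProbe: it writes and reads the cfile layout, derives the sample rate from the decimation, and looks for the strongest tone in a block of samples, which is how a receiver finds a beacon (the GSM FCCH burst shows up as a tone roughly 67.7 kHz above the carrier). It assumes the USRP1's 64 MS/s ADC rate and the GNU Radio convention that a cfile is a headerless stream of little-endian float32 (I, Q) pairs; the sample data is constructed, not a real capture.

```python
import cmath
import math
import os
import struct
import tempfile

# Assumptions for this added example (not stated in the article): the USRP1 ADC
# runs at 64 MS/s, so decim 112 gives about 571.4 kS/s, and a GNU Radio cfile is
# a headerless sequence of little-endian float32 pairs (I, Q), i.e. complex64.
USRP1_ADC_RATE = 64_000_000
FCCH_OFFSET_HZ = 1625000 / 24  # ~67.7 kHz: the tone a GSM FCCH burst produces above the carrier


def sample_rate(decim: int, adc_rate: int = USRP1_ADC_RATE) -> float:
    """Sample rate of a capture made with the given USRP1 decimation."""
    return adc_rate / decim


def write_cfile(path: str, samples) -> None:
    """Write IQ samples in cfile layout: consecutive little-endian float32 I, Q pairs."""
    with open(path, "wb") as f:
        for s in samples:
            f.write(struct.pack("<ff", s.real, s.imag))


def read_cfile(path: str):
    """Read a cfile back into a list of Python complex numbers."""
    with open(path, "rb") as f:
        raw = f.read()
    if len(raw) % 8:
        raise ValueError("cfile length is not a multiple of 8 bytes (truncated capture?)")
    n = len(raw) // 8
    flat = struct.unpack("<%df" % (2 * n), raw)
    return [complex(flat[2 * i], flat[2 * i + 1]) for i in range(n)]


def make_tone(n: int, fs: float, f_offset: float, amplitude: float = 0.5):
    """Constructed input: a complex carrier f_offset Hz from the tuned centre,
    standing in for the FCCH tone of a real capture."""
    return [amplitude * cmath.exp(2j * math.pi * f_offset * k / fs) for k in range(n)]


def power_spectrum(samples):
    """Direct DFT power per bin (O(n^2); fine for the short blocks used here)."""
    n = len(samples)
    out = []
    for k in range(n):
        acc = 0j
        for t, s in enumerate(samples):
            acc += s * cmath.exp(-2j * math.pi * k * t / n)
        out.append(abs(acc) ** 2)
    return out


def strongest_offset_hz(samples, fs: float) -> float:
    """Offset (Hz from the tuned centre) of the strongest bin. Bins above n/2 are
    negative offsets, as in any complex-baseband FFT."""
    spec = power_spectrum(samples)
    n = len(spec)
    k = max(range(n), key=spec.__getitem__)
    if k > n // 2:
        k -= n
    return k * fs / n


def locate_tone(path: str, decim: int) -> float:
    """Read a cfile captured with `decim` and return the offset of its strongest tone.
    A peak within one bin of FCCH_OFFSET_HZ is a sign that a beacon carrier is here."""
    return strongest_offset_hz(read_cfile(path), sample_rate(decim))


def demo(n: int = 256, decim: int = 112):
    """Round-trip a constructed FCCH-like tone through a cfile and locate it.
    Returns (sample_rate, estimated_offset, max_roundtrip_error)."""
    fs = sample_rate(decim)
    tone = make_tone(n, fs, FCCH_OFFSET_HZ)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "capture_935.2M_%d.cfile" % decim)
        write_cfile(path, tone)
        back = read_cfile(path)
        est = locate_tone(path, decim)
    err = max(abs(a - b) for a, b in zip(tone, back))
    return fs, est, err


if __name__ == "__main__":
    fs, est, err = demo()
    print("sample rate %.1f Hz, strongest tone at %+.0f Hz (expected %+.0f), "
          "float32 round-trip error %.1e" % (fs, est, FCCH_OFFSET_HZ, err))
```

With 256 samples the bin spacing at decim 112 is about 2.2 kHz, so the estimate lands within one bin of the 67.7 kHz FCCH offset; a real capture needs longer blocks, a proper FFT and a power threshold, but the file layout and the decimation-to-sample-rate relation are the parts people get wrong first.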
implementation: OpenBTS [8] and OpenBSC [9] respectively.

The two pieces of software take different approaches to the same problem. OpenBTS, founded by David Burgess, offers a BTS implementation using the USRP, turning it into a BTS. Some of the logic normally present in a BSC is placed inside OpenBTS.

OpenBSC, developed by Harald Welte, on the other hand implements most of the BSC functions and currently includes support for two BTS types (the nanoBTS and the Siemens BS-11 microBTS). It does not support an OpenBTS driven USRP.

With the help of these systems you can set up your personal GSM network, although this requires a licence in most countries; you would have to spend crores of rupees to bid for that spectrum ;)

A5/1 Cracking project

GSM communications in countries across the world, including India, are encrypted using an algorithm known as A5/1. In August 2009 a project was started to break A5/1 using a generic time-memory trade-off, by pre-computing a large rainbow table. The pre-computation is distributed over the Internet. Volunteers can download the table from the project's [10] and run it on their own computers. The probability of success with this table in decrypting GSM communications, i.e. of finding the encryption key for an encrypted conversation, is around fifty percent.

Sample GSM communications capture

The figure below shows a trace capture; the raw trace does not present the information in a human friendly way. Therefore we use either Wireshark or gsmdecode to examine the traces. The figure below shows what a trace examined with Wireshark looks like.

Figure 3

Wireshark is a good tool for analyzing and decoding GSM traces, as it organizes all the information and conveniently shows extra information like the current frame number and frequency. The results of interpreting with Wireshark (from version 1.2.6 on) are also better than those of
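The A5/1 paragraph does not show what the table is actually looked up with. A time-memory trade-off needs a known stretch of keystream, and on GSM that comes from XORing an encrypted burst with a burst whose plaintext is predictable (system information messages on the downlink are the usual source). The Python below is an added example, not code from the article or from the A5/1 cracking project: it implements the A5/1 keystream generator from the publicly documented design (three LFSRs of 19, 22 and 23 bits, majority-vote clocking, 64-bit key then 22-bit frame number then 100 discarded clocks), recovers keystream from a known-plaintext burst, and shows the exhaustive key check that the rainbow table replaces. The key, frame number and plaintext burst are constructed for the example; the implementation has not been checked against reference test vectors here.

```python
# Added example: A5/1 keystream generation and the known-plaintext step that
# precedes a table lookup. Register sizes, taps, clocking bits and loading order
# follow the public A5/1 description; Kc, frame number and plaintext are constructed.

R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_TAPS = (1 << 13) | (1 << 16) | (1 << 17) | (1 << 18)
R2_TAPS = (1 << 20) | (1 << 21)
R3_TAPS = (1 << 7) | (1 << 20) | (1 << 21) | (1 << 22)
R1_CLK, R2_CLK, R3_CLK = 1 << 8, 1 << 10, 1 << 10  # bits used for the majority vote


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift an LFSR one position, feeding back the parity of its taps."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """A5/1 cipher state for one (Kc, frame number) pair."""

    def __init__(self, key: bytes, frame: int):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 needs a 64-bit key and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        # Key setup: regular clocking while XORing in each key bit, then each
        # frame-number bit, then 100 majority-clocked steps with output discarded.
        for i in range(64):
            self._clock_all((key[i // 8] >> (i % 8)) & 1)
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        for _ in range(100):
            self._clock_majority()

    def _clock_all(self, bit: int) -> None:
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS) ^ bit
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS) ^ bit
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS) ^ bit

    def _clock_majority(self) -> None:
        a, b, c = bool(self.r1 & R1_CLK), bool(self.r2 & R2_CLK), bool(self.r3 & R3_CLK)
        maj = (a and b) or (a and c) or (b and c)
        if a == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if c == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, n: int = 228):
        """n keystream bits; per frame GSM uses the first 114 for downlink, the next 114 for uplink."""
        out = []
        for _ in range(n):
            self._clock_majority()
            out.append(((self.r1 >> 18) ^ (self.r2 >> 21) ^ (self.r3 >> 22)) & 1)
        return out


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def recover_keystream(ciphertext_bits, known_plaintext_bits):
    """Known-plaintext step: keystream = ciphertext XOR plaintext. This is the
    value that gets looked up in the precomputed A5/1 tables."""
    return xor_bits(ciphertext_bits, known_plaintext_bits)


def find_key(candidates, frame: int, keystream_bits):
    """Exhaustive check of candidate keys against recovered keystream; the
    rainbow table stands in for running this loop over all 2^64 keys."""
    n = len(keystream_bits)
    for k in candidates:
        if A51(k, frame).keystream(n) == keystream_bits:
            return k
    return None


def demo():
    kc = bytes.fromhex("1223456789abcdef")                 # constructed session key
    frame = 0x134                                          # constructed frame number
    plain = [int((i * 7) % 3 == 0) for i in range(114)]    # constructed known downlink burst
    ks = A51(kc, frame).keystream()
    down_ks = ks[:114]
    cipher = xor_bits(plain, down_ks)                      # what the air interface carries
    recovered = recover_keystream(cipher, plain)
    decoys = [bytes(8), bytes([0xFF] * 8)]
    return {"keystream_len": len(ks),
            "recovered_matches": recovered == down_ks,
            "found_key": find_key(decoys + [kc], frame, recovered)}


if __name__ == "__main__":
    print(demo())
```

The point of the exercise is the order of operations an attacker follows: capture the burst, guess its plaintext, XOR to get keystream, then use the keystream as the lookup key. The "around fifty percent" figure in the text is the coverage of the precomputed tables for that lookup, not a property of the cipher itself.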
We end the article with a promise to come up with hands-on tutorials on how to actually get our hands dirty trying to attack GSM. If anyone is interested in knowing more about the current state of research on the same, please feel free to email me at utsav [at] Xiarch [dot] com; questions, comments and any feedback are appreciated and will be rewarded.

References

1. Chris Tryhorn, "Nice talking to you ... mobile phone use passes milestone", The Guardian, Tuesday 3 March 2009.
2. List of countries by number of mobile phones in use (Wikipedia).
3. Ettus Research.
4.
5. ...hp?_m=knowledgebase&_a=viewarticle&kbarticleid=227#gsm-in
6. AirProbe wiki.
7. AirProbe wiki, tracelog page, and http://bs11-

Utsav Mittal

Utsav, founder and Principal Consultant at Xiarch, earned his Masters in information security from CERIAS, Purdue University, USA. He also holds a CISSP. Some of the things that drive him in life are spirituality, information security and passion. He is a firm believer in God, who believes in living life to the fullest.
Echo Mirage

In the past few years, web application security has really got some good attention. Because of this attention, we have many proxy tools (Burp/Fiddler/Paros) readily available, making our lives easy at each step of penetration testing.

These tools are helpful when we can configure or force an application to pass through their already configured proxy settings (IP address and port number), but what if some applications we want to test do not have that ability? What if we have a process running in the background (it might be malware) and we want to see the packets that EXE is sending to the network? Yes, we can use a network analyzer like Wireshark to capture and analyze the packets, but with such tools you can only capture the packets; there is no option to tamper with them at runtime. If the requirement is just to capture the packets and analyze them, Wireshark will suffice, but if you really want to tamper with the request and response (which we normally do using Paros/Fiddler for web applications) you need a tool which can capture network packets and has the capability to intercept and tamper with them.

To help with this I would like to introduce you to a tool called Echo Mirage. This is just another excellent tool from the folks at Bindshell, the same folks who created the famous BeEF. Echo Mirage uses DLL injection and function hooking techniques to redirect network related function calls, so that data transmitted and received by local applications can be observed and modified. Using these techniques the tool gives you the advantage that it attaches itself to a particular EXE, and only the traffic of that EXE is captured (in the case of Wireshark we have to use a filter, as it captures each and every packet that goes out of the machine).

Since the theme for this edition is Mobile/Telecom Security, I would like to take the Android emulator as an example here. The problem with the Android emulator is that its proxy setting works only for the browser; it does not work for the apps installed inside the emulator. The best way is to use the base machine itself to capture the packets which the emulator (that is, the apps in the emulator) is sending. This is where a tool like Echo Mirage becomes very handy.

To see how Echo Mirage does all this, read through the next paragraphs.

One way is to directly open an executable using Echo Mirage, as shown in the screenshot below. You can also give the path and parameters for executing the EXE using Echo Mirage. It will automatically inject the DLL and start hooking the functions.
Another way is to inject into a process which is already running. Selecting this option will show you all the processes running on the system. For Echo Mirage to start its injection you just have to select one of these processes and click on start.

If everything works fine, you will get the window shown below, which says "Injected into %PROCESS NAME%".

Echo Mirage is now ready to trap and intercept all the requests which are sent through emulator.exe. The screenshot of the interceptor below was taken when I tried to open the Google Maps application in the emulator after setting up Echo Mirage. The interceptor intercepts the function calls at runtime, and unless you click on OK the request will not move forward. You can even tamper with the request and response and then click on OK to move the request forward.

One great advantage of Echo Mirage is that it works on the calls made by the process itself, while the request is still within the application, whereas the other network proxy tools like Burp etc. intercept the request after it has left the application. The flip side is that interception relies on hooking specific functions: traffic an application sends through an API that Echo Mirage does not hook will not appear in the interceptor.

There are many more features which make this tool the "God of all proxies". One of them is that in Echo Mirage the Windows encryption and OpenSSL functions are also hooked, so that the plain text of data being sent and received over an encrypted session is also available, because the hook sits before the data is encrypted. This feature is not really available in (almost) any of the proxy tools.

Another one is that traffic can be intercepted in real time, or manipulated with regular expressions and action scripts.

This is not all; we would recommend you to run this tool and explore the features. The tool has been a life saver for us many times and for many projects we worked on. I hope this article hits home and proves the necessity of input validation and security testing, even in thick client environments. As tools like Echo Mirage become more mature, this type of attack will only become more common and more dangerous. Thanks to Bindshell for developing such a wonderful tool.

About the Tool:

Name: Echo Mirage
Author: Dave Armstrong
Home Page: .html
Latest Version: 1.2 (as on 1st Dec 2011)
Ankur Bhargava

Ankur is working in an MNC where his daily job includes research in web application security and penetration testing. He is a Certified Ethical Hacker and has worked with Infosys Technologies, where he did research on malware analysis, penetration testing and mobile penetration testing. Ankur was a speaker at C0C0N 2010 and 2011, where he presented his papers on "Client Side Exploits Using PDF" and "Android Security". Ankur is an active member of the null and OWASP Bangalore chapters.

Ankit
ankitgoyal06@gmail.com

Ankit is a diploma holder in "Information Systems and Cyber Security" from C-DAC Pune. He is a Certified Ethical Hacker and has good knowledge of network security, vulnerability assessment and penetration testing.
OWASP Mobile Security Project

What is the "Mobile Security Project"?

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

Top 10 Mobile Risks

The first version was released on September 23rd, 2011 at AppSec USA by Jack Mannino, Zach Lanier and Mike Zusman. The Top 10 Risks focuses on areas of risk rather than individual vulnerabilities, and is based on the OWASP Risk Rating Methodology.

1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure
M1 Insecure Data Storage
Sensitive data left unprotected; applies to locally stored data as well as cloud-synced data.
Impact: Confidentiality of Data Lost; Credentials Disclosed; Privacy Violations; Non-compliance

M2 Weak Server Side Controls
Applies to the backend services. Not mobile specific, but essential to get right.
Impact: Confidentiality of Data Lost; Integrity of Data not Trusted

M3 Insufficient Transport Layer Protection
Complete lack of encryption for transmitted data, or weakly encrypted data in transit.
Impact: Man-in-the-Middle Attacks; Tampering with Data in Transit; Confidentiality of Data Lost

M4 Client Side Injection
Injection into apps that use browser libraries (pure web apps, or hybrid web/native apps), for example XSS or SQL injection inside the app.
Impact: Privilege Escalation; Device Compromise; Toll Fraud

M5 Poor Authorization and Authentication
Can be part mobile or part architecture. Some applications rely solely on immutable, potentially compromised values (IMEI, IMSI, UUID).
Impact: Unauthorized Access; Privilege Escalation

M6 Improper Session Handling
Mobile application sessions are generally much longer. They generally use HTTP cookies, OAuth tokens or SSO authentication services.
Impact: Circumvent Licensing and Payments; Unauthorized Access; Privilege Escalation
M7 Security Decisions via Untrusted Inputs
Can be leveraged to bypass permissions and security models. Several attack vectors, like malicious apps and client side injection.
Impact: Consuming Paid Resources; Privilege Escalation; Data Exfiltration

M8 Side Channel Data Leakage
A mix of not disabling platform features and programmatic flaws. Sensitive data ends up in unintended places.
Impact: Data Retained Indefinitely; Privacy Violations

M9 Broken Cryptography
Two primary categories: A) broken implementations using strong crypto libraries, B) custom, easily defeated crypto implementations.
Impact: Circumvent Licensing and Payments; Confidentiality of Data Lost; Privilege Escalation

M10 Sensitive Information Disclosure
Applications can be reverse engineered with relative ease. Code obfuscation raises the bar, but doesn't eliminate the risk.
Impact: Intellectual Property Exposed; Credentials Disclosed
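M5 and M6 are easiest to see side by side. The Python below is an added example, not material from the OWASP project: a backend that treats the device's IMEI as the credential and as the session (so anyone who learns or spoofs the IMEI is that user, forever), beside one that verifies a password with PBKDF2 and issues an HMAC-signed session token with an expiry. The users, IMEI, passwords and timestamps are constructed; the token format (base64url payload, dot, hex HMAC-SHA256) is this example's own, not any particular framework's.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not from the OWASP Mobile project: the M5/M6 anti-pattern of a
# device identifier as credential and session, beside an expiring, MAC'd token.
# All users, IMEIs, passwords and timestamps are constructed for the example.


class WeakDeviceAuth:
    """M5 anti-pattern: the IMEI is the credential, and (M6) the session never ends."""

    def __init__(self, imei_to_user):
        self.imei_to_user = dict(imei_to_user)

    def login(self, imei: str):
        # No secret is involved: whoever can present (or spoof) the IMEI is the user.
        return imei if imei in self.imei_to_user else None

    def authorize(self, session: str):
        # The "session" is the immutable IMEI, so it can never expire or be revoked.
        return self.imei_to_user.get(session)


class HardenedAuth:
    """Password login that issues an expiring, server-signed session token."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, secret: bytes, ttl_seconds: int = 3600):
        self.secret = secret
        self.ttl = ttl_seconds
        self.users = {}  # username -> (salt, pbkdf2 digest)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def login(self, username: str, password: str, now: int):
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        # Token binds the user to an absolute expiry and a random nonce, then is MAC'd.
        payload = "%s:%d:%s" % (username, now + self.ttl, secrets.token_hex(8))
        body = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
        mac = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + mac

    def authorize(self, token: str, now: int):
        """Return the username if the token is untampered and unexpired, else None."""
        try:
            body, mac = token.split(".", 1)
        except ValueError:
            return None  # not even token-shaped (e.g. a bare IMEI)
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None  # tampered payload or MAC
        padded = body + "=" * (-len(body) % 4)
        username, expiry, _nonce = base64.urlsafe_b64decode(padded).decode().split(":")
        if now >= int(expiry):
            return None  # M6: long-lived sessions must still end
        return username


def demo():
    imei = "356938035643809"  # constructed IMEI
    weak = WeakDeviceAuth({imei: "alice"})
    spoofed = weak.authorize(weak.login(imei))  # anyone who learns the IMEI is "alice"

    hard = HardenedAuth(secret=secrets.token_bytes(32), ttl_seconds=3600)
    hard.register("alice", "correct horse battery staple")
    t0 = 1_000_000
    token = hard.login("alice", "correct horse battery staple", now=t0)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "weak_spoofed_user": spoofed,
        "hard_wrong_password": hard.login("alice", "guess", now=t0),
        "hard_fresh": hard.authorize(token, now=t0 + 60),
        "hard_expired": hard.authorize(token, now=t0 + 3600),
        "hard_tampered": hard.authorize(tampered, now=t0 + 60),
        "hard_imei_as_token": hard.authorize(imei, now=t0 + 60),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-22s %r" % (k, v))
```

Two design points worth noting: the server keeps the signing secret, so a token found in device storage (M1) is still useless once its expiry passes, and the IMEI never enters the decision at all, so there is nothing a spoofed device identifier can buy the attacker.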
The OWASP Mobile Security Project also has the Top 10 Mobile Controls and Design Principles:

1. Identify and Protect Sensitive Data on the Mobile Device
2. Handle Password Credentials Securely on the Device
3. Ensure Sensitive Data is Protected in Transit
4. Implement User Authentication/Authorization and Session Management Correctly
5. Keep the Backend APIs (Services) and the Platform (Server) Secure
6. Perform Data Integration with Third Party Services/Applications Securely
7. Pay Specific Attention to the Collection and Storage of Consent for the Collection and Use of the User's Data
8. Implement Controls to Prevent Unauthorized Access to Paid-for Resources
9. Ensure Secure Distribution/Provisioning of Mobile Applications
10. Carefully Check any Runtime Interpretation of Code for Errors

The roadmap of this project includes: Threat Model, Top 10 Mobile Risks, Top 10 Mobile Controls and more.

You will find all the information here:

Maximiliano Soler

Maximiliano, a fanatic of open standards, is a security analyst working in an international bank and participating in some projects like Vulnerability Database, Zero Science Lab and OWASP.

T: @maxisoler
F: maximiliano.soler
PGP ID: 0x1DDEDB1E
Reasonable Security Practices under Information Technology (Amendment) Act, 2008

Organizations are required to adopt "reasonable security practices and procedures" to protect the personal data or information of their customers. The ICT Ministry, with its recent clarification, has also settled the confusion which existed regarding the application of the Rules.

This post, in FAQ format, is an effort to throw light on the expression "reasonable security practices and procedures" referred to in the Information Technology (Amendment) Act 2008 and the Rules thereto.

1. What is meant by 'reasonable security practices and procedures'?

Rule 8 (1) provides the definition of reasonable security practices and procedures. It states as follows:

"A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business."
2. What are the major standards and frameworks on information security?

There are many standards, frameworks and guidelines on information security. While some standards are very exhaustive, some are domain specific or targeted towards a particular industry sector. Organizations can choose from a wide variety of such standards, frameworks and guidelines. A compilation of the major standards and frameworks can be found here.

3. What is ISO and does India have a stake in it?

The International Organization for Standardization (ISO) is the world's largest developer and publisher of international standards. It is a network of the national standards institutes of 162 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. India is a member of ISO and is represented by the Bureau of Indian Standards (BIS).

4. What is the ISO 27001 standard?

ISO 27001 is the widely recognized international standard for information security. This standard is not new to the country: according to the International Register of ISMS Accredited Certificates, India has the 3rd highest number of ISO 27001 certified organizations. The best known Information Security Management System (ISMS) is provided in this standard. It has a total of 133 controls spread across 11 domains.

Figure 4

5. Why is ISO 27001 given preference over other standards?

ISO 27001 is preferred for the following reasons:

1. Certifiable: It is a certifiable standard. Organizations can market their certification to earn new customers. The certification indicates that a third party accredited independent auditor has performed an information security assessment of the processes and controls of the organization and confirms that they are operating in alignment with the comprehensive ISO 27001 certification standard.
2. Exhaustive: The 11 domains with 133 controls are exhaustive enough to address the major risks to any organization.

3. Flexibility: The standard gives management a lot of flexibility in selecting and implementing the controls in the standard. There is no stringent way prescribed for implementing the controls. ISO 27002 provides guidance on implementing the controls of ISO 27001.

4. Broad Applicability: It is a general standard that can be applied to any sector, while other standards have a specific target audience or purpose, e.g. BS 25999, the standard for business continuity and disaster management; ISO 20000, the ISO standard for IT service management; and PCI DSS, the information security standard for organizations that handle cardholder information.

6. Has India mandated ISO 27001 as the default security standard for the country?

Rule 8 (2) of the notification says:

The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

This means that an organization can choose and adopt standards and best practices other than ISO 27001. However, Rule 8 (3) says that organizations using other standards "shall get its codes of best practices duly approved and notified by the Central Government for effective implementation." The authorities to be approached, or the procedure to be followed in such cases, are missing from the rules. This ambiguity, and the legal hassles and inordinate delay that can be caused, are the reasons why organizations are favoring the ISO 27001 standard.

The Reserve Bank of India (RBI) too has given organizations the freedom to select their own security standards and frameworks while implementing Information Security Management Systems (ISMS). In January 2011 RBI released the 'Working Group report on information security, electronic banking, technology risk management, and cyber frauds'. Information security is addressed in chapter 2 of the report, where references are also found to other frameworks like COBIT and ITIL. It is also stated that "Banks may also additionally consider other reputed security frameworks and standards from well-known institutions like ISACA, DSCI, IDRBT etc." However, a strong emphasis is laid on implementing "ISO 27001 based Information Security Management System (ISMS) Best Practices for critical functions/processes". Thus ISO
  20. 20. Issue 23 – Dec 2011 | Page - 20 27001 has gradually gained programme and information acceptance as the defect information security policies.” security standard for the country. Therefore organizations will have to A similar position exists in Japan, prove that they had carried out their where ISO 27001 has tacitly become due diligence activities. the National Information Security Standard. For Example: Under Rule 8 (4) of the notification Due to this Japan today has the The audit of reasonable security highest number of ISO 27001 practices and procedures is to be certified organizations. carried out by an auditor at least once a year or as and when the body7. By implementing ISO 27001 are corporate or a person on its behalf we 100 % secure? undertakes significant up gradation of its process and computer Organizations cannot claim to be resource. 100% secure by implementing ISO 27001. No standard or framework can guarantee 100% security. 9. What is the liability that can Security is not about compliance to a arise for being negligent in particular standard/framework. A implementing and maintaining good post on the topic can be found reasonable security practice here. and procedures?8. By implementing ISO 27001 can Section 43A of Information the organizations free Technology Act, 2008 speaks about themselves from the legal the compensation to be paid for liabilities? being negligent in implementing and maintaining reasonable information Compliance to ISO 27001 by itself security practices and procedures. will not absolve the organization The section provides for damages to from liabilities. be paid by way of compensation to the person so affected. 
Rule 8 (1) states that: “In the event of an information It is important to note that there is security breach, the body corporate no upper limit specified for the or a person on its behalf shall be compensation that can be claimed by required to demonstrate, as and the affected party in such when called upon to do so by the circumstances. Compensation claims agency mandated under the law, that upto Rs 5 crore are now handled by they have implemented security Adjudicating Officers while claims control measures as per their above Rs 5 crore are handled by the documented information security relevant courts.
10. Does India have its own standard/framework?

India is keen on having a stringent framework for information security. However, a one-size-fits-all approach cannot be taken. The country needs a framework which is flexible enough to meet the requirements of different sectors of the economy. The Data Security Council of India (DSCI) has released a framework for data security and privacy. These frameworks are currently under pilot implementation in some organizations in the country. It is hoped DSCI will release detailed toolkits for its implementation.

The Reserve Bank of India (RBI) has also released several guidelines relating to security in banks. Some of these guidelines can be applied to other sectors as well. The Working Group report on information security, electronic banking, technology risk management, and cyber frauds and the checklist to facilitate conduct of computer audit are the major ones among them.

S. Jacob

S. Jacob is a lawyer and a cyber security enthusiast. He deals with technology laws focusing on cyber/information security regulations. He has experience advising clients on IT Governance, Risk Management, Security and Privacy Compliance. He also possesses a host of information security certifications. He blogs at
Forensics – Part III

Hi readers, in the previous forensics issues we have seen how to use Vinetto to analyse thumbs.db files from a machine or from an image. As a continuation of the earlier analysis tools, we have another one in this issue.

In a forensics investigation, web history is a major part of gathering the evidence. Web traces can be found in index.dat files and in cookies.

Using Pasco we can find evidence in index.dat files, which store the IE and Chrome browsed cache, whereas Firefox has its own cache files.

PASCO

Pasco is a Latin word which means "to browse". It is used to analyze the index.dat files to get the Internet history from a machine with IE installed. It is used to reconstruct the data from an index.dat file. Pasco gives the output in CSV format and it can be extracted to a spreadsheet. We can get information such as the record type, URL, modified time, access time, file name, directory and HTTP headers from the index.dat file.

index.dat: It is a repository of information such as web URLs, search queries and recently opened files. Its purpose is to enable quick access to data used by Internet Explorer. The index.dat file is user-specific and is open as long as a user is logged on in Windows. Separate index.dat files exist for the Internet Explorer history, cache, and cookies. These files are created for each and every user. A cookie is a small file containing data that the web server places on a user's computer so it may request it back at a later date.

Some of the areas where you can find index.dat files: C:\Documents and Settings\<user directory>

How it is helpful for forensic analysis:
- To know the user's internet activity
- To know the user's motive for accessing the internet
How to Use

Command to find index.dat on a HDD (see Figure 1):

find /media/Drive -name index.dat

Implementation:

$ pasco [options] "path of the index.dat file" | [any options to sort the data] > path of excel file

Example:

$ pasco /home/Krypton/Desktop/index.dat | sort -M > /home/Krypton/Desktop/a.xls

Figure 1

Figure 2
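Added here as an example, not code from the article or from the Pasco project: it parses Pasco's tab-delimited output into records and orders them by the full access time instead of by month, on a constructed sample; the column names follow the fields the article lists, and the MM/DD/YYYY HH:MM:SS time format is an assumption.

```python
"""Parse Pasco-style tab-delimited index.dat output and build a timeline."""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample (not a real capture) in the layout the article describes
# for Pasco output: record type, URL, modified time, access time, file name,
# directory, HTTP headers. Tab is Pasco's default delimiter (-t changes it).
SAMPLE = (
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS\n"
    "URL\thttp://example.org/login\t03/02/2011 09:15:02\t03/02/2011 09:15:02"
    "\tlogin[1].htm\tA1B2C3D4\tHTTP/1.1 200 OK\n"
    "REDR\thttp://example.net/track\t\t\t\t\t\n"
    "URL\thttp://example.com/report.pdf\t01/28/2011 17:40:11\t02/14/2011 08:02:45"
    "\treport[1].pdf\tE5F6A7B8\tHTTP/1.1 200 OK\n"
    "URL\tfile:///C:/Documents%20and%20Settings/krypton/report.doc\t"
    "\t02/14/2011 08:05:00\t\t\t\n"
)

def parse_time(text):
    """Assumed Pasco time format MM/DD/YYYY HH:MM:SS; an empty field means unknown."""
    text = (text or "").strip()
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S") if text else None

def parse_pasco(text, delimiter="\t"):
    """Return one dict per record with both timestamps parsed to datetime or None."""
    records = []
    for row in csv.DictReader(StringIO(text), delimiter=delimiter):
        row["MODIFIED TIME"] = parse_time(row["MODIFIED TIME"])
        row["ACCESS TIME"] = parse_time(row["ACCESS TIME"])
        records.append(row)
    return records

def timeline(records):
    """URL records ordered by full access time (sort -M keys on month name only);
    REDR rows carry no timestamp and are skipped."""
    dated = [r for r in records if r["TYPE"] == "URL" and r["ACCESS TIME"]]
    dated.sort(key=lambda r: r["ACCESS TIME"])
    return [(r["ACCESS TIME"], r["URL"]) for r in dated]

def local_files(records):
    """file:// entries reveal local documents opened through the browser."""
    return [r["URL"] for r in records if r["URL"].startswith("file://")]

if __name__ == "__main__":
    for when, url in timeline(parse_pasco(SAMPLE)):
        print(when.isoformat(sep=" "), url)
```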
The output is written to an Excel file stored on the Desktop, sorted according to the month.

Options for using Pasco:
-t Field delimiter
-d Undelete activity records

Pasco is a handy tool for Internet history analysis.

SQLite

Another way of retrieving data is from browser stored files.

How can we use SQLite in forensics?

SQLite will help while we go through the SQLite databases in the Mozilla Firefox/Chrome profile folders; using this we can analyse the user's browser activities.

You can find the paths of the profile folders in the below mentioned locations.

Mozilla Firefox – …\AppData\Roaming\Mozilla\Firefox\Profiles\*.default
Chrome – …\AppData\Local\Google

This tool can be found in the Mantra browser under Arsenal > framework > mantra.

What is SQLite?

SQLite is an embedded SQL database engine. SQLite reads and writes directly to ordinary disk files. A complete SQL database with multiple tables, indices, triggers, and views is contained in a single disk file. The database file format is cross-platform: you can freely copy a database between 32-bit and 64-bit systems. SQLite is a popular database engine choice on memory constrained gadgets such as smart phones, PDAs, and MP3 players. Its primary advantages are:
- Simple to administer
- Simple to operate
- Simple to embed in a larger program
- Simple to maintain and customize

How to use SQLite?

SQLite can be added as an add-on for Firefox; after installing the add-on you can find it under Tools > SQLite Manager. We can also use a package of SQLite Browser, which can be downloaded from this …er/ It is similar to SQLite Manager in use, but we need the dependent DLLs, which are present in the folder, for it to work. SQLite can be used to create, add, retrieve and delete the entries in the database table.

Using SQLite

Open database files in SQLite using the Open… option. Chrome's database can only be accessed when the browser is closed. If we are using SQLite Manager for analysis we can see the database files listed in the top drop down list shown in the figure; we can change the default path to our custom directories if any. Selecting the table in the left frame we can access the entries; we can add duplicates, delete and edit the entries with the options.
Figure 3

Using the Execute SQL tab we can execute custom SQL commands to create, edit, or delete the tables. We can add user-defined functions by using the User-Defined Functions tab, which is hidden by default and becomes visible on clicking the f(x) button. The database can be imported/exported as CSV, XML and SQL files from the Import tab and the File menu. Some important files from which we can gather information include:

Figure 4
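An added example, not code from the article or from any of the tools it mentions: reading history out of a Firefox profile database with Python's sqlite3 from a read-only copy, together with the Firefox and Chrome timestamp conversions. The moz_places/moz_historyvisits tables are reduced to the columns assumed here, and the visits are constructed.

```python
"""Read browsing history from a browser profile SQLite database (Firefox layout)."""
import os, shutil, sqlite3, tempfile
from datetime import datetime, timedelta, timezone

# Firefox places.sqlite keeps visit times as microseconds since the Unix epoch;
# Chrome's History database keeps them as microseconds since 1601-01-01 (UTC).
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def firefox_time(us):
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)

def chrome_time(us):
    return CHROME_EPOCH + timedelta(microseconds=us)

def firefox_history(db_path):
    """Query a read-only copy: the live file is locked while the browser runs (the
    article notes Chrome's DB is reachable only once it is closed) and evidence must
    never be modified. Returns (visit time, url) pairs, oldest first."""
    with tempfile.TemporaryDirectory() as tmp:
        work = os.path.join(tmp, "places.sqlite")
        shutil.copy2(db_path, work)
        con = sqlite3.connect(f"file:{work}?mode=ro", uri=True)
        rows = con.execute(
            "SELECT p.url, v.visit_date FROM moz_historyvisits v "
            "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date"
        ).fetchall()
        con.close()
    return [(firefox_time(ts), url) for url, ts in rows]

def build_sample_profile(path):
    """Constructed stand-in for places.sqlite: the two tables the query touches,
    reduced to the columns it needs, with invented visits (not real data)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.org/webmail'),
                                      (2, 'http://example.com/docs');
        INSERT INTO moz_historyvisits VALUES (1, 2, 1323000000000000),
                                             (2, 1, 1322900000000000);
    """)
    con.close()

def demo():
    """Build the constructed profile in scratch space and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "places.sqlite")
        build_sample_profile(sample)
        return firefox_history(sample)
```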
SQLite is the other good option to analyse the database files for browsers.

For any further details/queries mail report@matruix.com. Follow us at @matriuxtig3r on twitter and

Pardhasaradhi.Ch

Pardhasaradhi is working as a Systems QA engineer. He is an active member of ClubHack, HackIT, null and is working with the Matriux Forensics team. He is also one of the moderators for the null Hyderabad chapter. His interests include Forensics, Auditing, Penetration Testing and Designing.