Archive for May, 2010

Fingerprinting a Web server from an investigative point of view

Wednesday, May 19th, 2010

Fingerprinting web servers is not a startling new revelation in web development. For several years now, technology to identify web servers has been used by black-hat and white-hat hackers alike to identify weaknesses in web servers. Companies have used these “fingerprinting” techniques to identify incoming information about IP addresses and the servers they come from in order to prevent identity theft and credit card fraud. These techniques are also commonly used by penetration testers to help identify a system before attempting to review it. Hackers have used the same techniques to ascertain weaknesses in a web server’s implementation in order to attack the system.

Most often the technique of “fingerprinting” is implemented as a server-side technique to examine incoming traffic. The client-side application of the technique is what would be of interest to the online investigator. There have been numerous discussions about its use and technical development, but not from the law enforcement investigative perspective. Identifying information about a server can be advantageous for an investigation being conducted on the internet. “Fingerprinting” the web server can identify certain aspects of the server, including the operating system and version. This identification can potentially provide law enforcement investigators with additional useful information as to the nature and origin of the website.

Using the server’s responses to a browser’s requests to identify what the system is running can aid the investigator’s preliminary examination of a website. The initial review of the website can help determine the website’s ownership and validity. A commonly used tool that has been a hacking/penetration tester staple for years is Nmap. Nmap is short for Network Mapper, an open source utility for exploring networks and doing security audits. Other tools have been developed specifically for the purpose of identifying web servers through the server’s response to a browser’s request. Some of those tools include hmap, Nikto, httprint and XProbe.
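To make concrete what a server’s response gives away, here is an added example that is not part of the original post and is not code from any of the tools named above. It is a small Python parser that reads a raw HTTP response, pulls out the headers that commonly disclose software and version information, and records the header order (a weaker signal that survives even when the Server header is trimmed). Both sample responses are constructed for the example, not captured from any real site.

```python
"""Report what a raw HTTP response discloses about the web server.

Added example, not from the original post. The two sample responses
below are constructed for illustration; they were not captured from
any real server.
"""
from typing import Dict, List, Tuple

# Response headers that commonly reveal server software, framework or version.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and (name, value) headers.

    The body is ignored; only the head (up to the blank line) is examined.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        # partition() splits at the first colon only, so "Date: Wed, 19 May..." survives.
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def fingerprint(raw: bytes) -> Dict[str, object]:
    """Summarise the identifying information a response carries."""
    status, headers = parse_response(raw)
    lower = {name.lower(): value for name, value in headers}
    disclosed = {h: lower[h] for h in DISCLOSING_HEADERS if h in lower}
    # Header order is a weaker signal: tools such as httprint compare it
    # against known server behaviour when the Server header says little.
    order = [name for name, _ in headers]

    hints: List[str] = []
    server = lower.get("server", "")
    if not server:
        hints.append("no Server header: software not disclosed directly; header order is the only clue")
    else:
        if any(ch.isdigit() for ch in server):
            hints.append("Server header discloses a version number")
        else:
            hints.append("Server header names the software but hides the version")
        if "(" in server and ")" in server:
            hints.append("Server header includes an OS/distribution comment")
    if "x-powered-by" in lower:
        hints.append("X-Powered-By discloses the application framework")

    return {"status": status, "disclosed": disclosed, "header_order": order, "hints": hints}


# Constructed sample: a verbose configuration that reveals software, version and OS.
VERBOSE_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 19 May 2010 12:00:00 GMT\r\n"
    b"Server: Apache/2.2.9 (Debian)\r\n"
    b"X-Powered-By: PHP/5.2.6\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>example</body></html>"
)

# Constructed sample: the same server after its banner has been trimmed.
TRIMMED_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 19 May 2010 12:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>example</body></html>"
)


if __name__ == "__main__":
    for label, sample in (("verbose", VERBOSE_SAMPLE), ("trimmed", TRIMMED_SAMPLE)):
        result = fingerprint(sample)
        print(f"--- {label} ---")
        print("status:      ", result["status"])
        print("disclosed:   ", result["disclosed"])
        print("header order:", result["header_order"])
        for hint in result["hints"]:
            print("hint:        ", hint)
```

The contrast between the two samples is the practical point: a Server header is a hint, not proof, because an administrator can trim it (Apache’s `ServerTokens Prod` directive reduces it to the bare product name) or replace it outright. An investigator treating the result as evidence should corroborate it with other signals, and a site owner who wants to reveal less should look at exactly the fields this script lists.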

A more in-depth evaluation of web server “fingerprinting” is needed to establish its full benefit as an investigative tool. Based on its current use in the field as a reliable penetration tester’s tool, the prospect appears strong that this methodology could be beneficial to law enforcement.

Now available: 3 free model policies for social networking support

Wednesday, May 12th, 2010

Our 2-day on-site training devotes a fair amount of time to policy issues: investigative ethics applied online, undercover work, deconfliction, and employee stress management. However, while we talked about the need for policy, we didn’t have a model to offer.

Well, now we do! In the “White Papers” section of our Web site, you’ll now find three separate model policies: social networking investigations, official agency communication, and employee off-duty use.

Why 3 policies?

Law enforcement presence online isn’t just about gathering evidence. It’s also about ensuring that employees represent themselves and their agencies as professionals at all times (including not conducting investigations via their personal accounts). Also, just as agencies simultaneously conduct investigations and community relations in their communities, they should at least consider doing the same online.

The three policies complement each other, and as Todd is quoted in our press release, they’re meant to minimize the risk and maximize the reward of an online presence. They also fill a gap: while many policies are available from private companies, few are published by law enforcement agencies.

What the policies cover

The “Investigative Use of Social Networking” policy provides for:

  • Professional online conduct
  • Investigation preparation
  • Undercover work
  • Legal issues
  • Employee stress management

The “Agency Official Use of Social Networking” policy discusses:

  • Social media tools
  • Strategy for use
  • Communicating on the agency’s behalf
  • Restrictions on use
  • Handling requests from media and general public

The “Employee Off-Duty Use of Social Networking” policy includes:

  • Employee self-identification as a police officer
  • Confidential and sensitive information
  • Legal requirements
  • Disciplinary action

Because these are model policies, be sure to run them through administrators and department or other legal staff before you implement them, as state or jurisdictional laws may need to be specifically addressed.

Who will benefit?

We timed these policies’ release during the week of the ICAC Conference in Jacksonville, FL, where Todd is exhibiting. Now, we know ICAC investigators are well-versed in online investigation and thus policy – but we also know that their investigations can take them into jurisdictions where other detectives are not familiar with online work, undercover or otherwise.

So whether you’re an investigator whose agency needs social networking policies, or you know of investigators who do, please feel free to pass these along. You can refer others to the policy page using this address:

http://tinyurl.com/verepolicies

And if you have any questions, please let us know at info (at) veresoftware (dot) com !

DragNet? In what form?

Wednesday, May 5th, 2010

In February, CNet reported that police are looking for a “back door” to private data, in the form of “a national Web interface linking police computers with those of Internet and e-mail providers so requests can be sent and received electronically.”

This was followed up in April by a revelation that the Department of Justice had requested Yahoo emails without a warrant—because the emails were older than 180 days and stored on Yahoo servers rather than on a local machine.

Civil libertarians, of course, regard these stories as evidence of Big Brother manifesting all his totalitarian glory. But the original concept of a national network, says its originator, has been misrepresented.

More efficient, not more invasive

Sgt. Frank Kardasz is director of the Phoenix (Arizona) area Internet Crimes Against Children task force and, in a report to the Commerce Department’s Online Safety and Technology Working Group, wrote about the need for Internet service providers (ISPs) at least to maintain records for longer than the few weeks they currently do—up to a year or longer.

“The trouble with real life policing is that there are reporting delays from victims, overwhelming caseloads for detectives, forensics analysts and prosecutors, time delays or no response from Internet service providers and many other systemic issues that impede the rapid completion of our work,” he wrote in his report, “Internet Crimes Against Children and Internet Service Providers: Investigators Request Improved Data Retention and Response.”

Similar problems exist among government agencies, which is why Los Angeles County instituted the Electronic Suspected Child Abuse Report System. The Web-based system links public agencies together, replacing outdated forms of communication like faxes and postal mail, and reducing the likelihood that charges will be dropped or reduced due to missing evidence.

Because it is not a direct link from law enforcement to private records, it doesn’t carry quite the same implications for privacy. It does, however, solve very similar problems, and as the first of its kind in the country, could easily serve as a model for other efforts.

Logistical concerns

The need for a strong model is particularly important when it comes to security. Many companies have hesitated over moving to “the cloud,” fearful of what might happen if a malware-infected PC accessed cloud-based private information. (Many of these issues are discussed in our white paper, “Basic Digital Officer Safety.”)

However, the U.S. Army is now using “milBook”, a secure Facebook-like interface restricted to its own personnel. Connecting people with each other as well as with defense-related topics, milBook facilitates the sharing of a broad range of information. Fundamentally, it might be compared to the Regional Information Sharing System, though more socially oriented.

Whether this would be as easy to set up is debatable, however. The Army, after all, has the DoD to administer its private network. For the DOJ to set up and maintain a public-private information exchange would not, to put it lightly, sit well with groups like the Electronic Frontier Foundation.

More likely may be for the DOJ to require ISPs to set up their own networks. Some already do, as CNet pointed out. The networks would have to comply with certain requirements regarding data storage and speed of retrieval, but the companies would retain control of user information.

The need for better ISP support

Kardasz noted, based on a 2009 survey of 100 investigators:

  • 61% reported ISP delays and limited time periods for storage detrimentally affected their investigations.
  • 47% reported they had to end investigations because the ISP didn’t retain the data they needed to make a case.
  • 89% wanted to see a national network established to make legal process requests more efficient.

“Investigators recognize that the subject of data preservation is controversial,” Kardasz wrote. “I think investigators respect the Constitution, support the rights of Commerce and simultaneously want to protect citizens from cybercrime. They seem to be asking for a system that is more efficient, not more invasive, a system that favors the crime-fighters instead of the criminals.”

What law enforcement can do

In last month’s issue of Law Enforcement Technology, Vere president and CEO Todd Shipley was quoted as saying, “It’s not just a federal problem. It’s a state and local problem too because the victims are citizens of the local community.”

So while ISPs can improve their processes, so can law enforcement. Todd’s recommendations: Know how to take reports on cyber crimes. Collect information the cybercrime experts need. Know how to share information and with whom. These pieces, the building blocks of professional police response, must be in place so that whatever ISPs institute to help law enforcement, it will be supported rather than criticized.

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and digital forensics and can be reached at christa at christammiller dot com.