I'm a GCFE. But Will I Use It?


I’m now a GIAC Certified Forensic Examiner (GCFE). Honest! I’ve got a certificate and everything. It even came framed: GCFE Certificate

According to the blurb:

The GCFE certifies that candidates have the knowledge, skills, and ability to conduct typical incident investigations including e-Discovery, forensic analysis and reporting, evidence acquisition, browser forensics and tracing user and application activities on Windows systems.

I’ve got no idea if I’ll get to use these skills. The company I work for is considering applying for us to offer PCI Forensic Investigator (PFI) services, and in order to become eligible there needs to be a number of us suitably qualified. If I were to become a PFI it would sit nicely beside my current PCI QSA designation, so as well as auditing organisations to ensure they adequately protect credit card information, I could also be called on to conduct a forensic investigation in the event they suffered a breach of cardholder data.

The course was fairly intense but it mainly focused on Windows forensics. I’ll probably need to follow this up with the Advanced Computer Forensic Analysis and Incident Response course so I can thoroughly investigate attacks across the network and on multiple platforms.

I really enjoyed the course. The technical aspects were superb and the forensic toolkit that shipped with the course has already come in useful. The course is not just technical however, it also covers the procedural side of forensics and e-Discovery. This is necessary, but being a US-based course it was based on US federal legislation and procedures. I’ll need to bone up on the related Australian legislation and evidentiary procedures to ensure I’m doing the right things to satisfy chain of custody and admissability of evidence for any investigations here.

Monster Password Issues

This week, the massive online job site Monster.com released a security notice that their database had been hacked, potentially releasing the personal details of millions of registered users.   This isn't the first time this has happened, and I'm sure it won't be the last.monster Leave aside the fact that Monster don't seem to be encrypting passwords in their databases, which is extremely shoddy, this is a timely reminder of the importance of thinking about how we all use passwords.  The big threat with this type of attack is that if you tend to use the same passwords across multiple sites, if you're a Monster.com user (or user of their other international sites such as monster.co.uk), your password is now out in the open and could potentially be used to gain access to any other site that you've registered with using that password.

So, it's dangerous practice to use the same password across multiple sites, but at the same time there's no way you're going to remember different passwords for all the sites you use.

The answer to this problem is to use a password manager such as 1Password.  This is a Mac application but there's also PC password managers such as Roboform.  The beauty of 1Password is that there's both a Mac version and a free iPhone version which can be set up to wirelessly sync between each other.  It also plugs in to the major web browsers (I use Firefox) so that it can automatically enter your username and password into the form each time you visit a site.  The way I use it is to let 1Password generate a random strong password for each site that I use, which then gets added to the application's database.  I now only have to remember one password - the password to open up 1Password.  The thing you have to remember with Password Managers though is that the encryption is only as strong as the one  password you use.  Therefore the normal rules apply - make it long, include numbers, letters (uppercase and lowercase) and special characters such as $.!["]?*&#", etc.

It's basic maths.  If an hacker tries a brute force attack against your password, the time it takes to crack your password will be dependant upon the number of variables in the characters you use, the length of the password, and the processing power of the application and PC used to try and crack the password.  Just by using both upper case and lower case letters you are doubling the number of characters that the password cracker must use, from 26 to 52.  Add numbers and the figure becomes 62, and then there's a large number of special characters you can use to add even more possibilities.  Then, every time you increase the length of your password you are increasing the strength to the power of x.  Although, this can be undermined if the application you use doesn't 'salt' your password and the hacker uses Rainbow Tables, but I won't go in to that here.

When using a Password Manager it's also important to set a time out value in the settings so that you're required to re-enter your master password after a period of time, just in case your PC/Mac/iPhone gets stolen while you have a session open.

If you are using the same password for multiple sites by using something like OpenID, it's particularly important to make sure your OpenID password is strong.

I'm in no way affiliated with 1Password, honest, I just think it's a particularly useful application!

You can find news of other hacked websites at The Breach Blog.