A Cloud Model Saved This Construction Project From Catastrophe

I recently took on a computer forensics consulting project. A state agency was renting a small office building for the supervisors of a large construction project. They reported that an intruder had entered the building over a weekend and left a mess which included locking up one of their computers.

They found the computer with a full-screen warning supposedly from the U.S. Department of Homeland Security telling them that they faced a possible prison sentence because of their computer’s use in viewing child pornography. However, a US$ 300 fine paid with an on-line money order would make the charges go away. It’s just the common “scareware” or “extortionware” we mention in Learning Tree’s Introduction to Computer and Network Security course. This one was quite effective, both at hiding the Task Manager and Start menu and at frightening the owners. They had power-cycled the system a few times but it always came back to this.

Local law enforcement lacked the resources to investigate the computer side of the intrusion, and they asked me to take a look. Sure, this sounds interesting! But let’s be careful:

  1. Power-cycle it once more and verify the hardware clock setting in the BIOS, so we know how to interpret the file timestamps we find.
  2. Boot the system off a Linux-based forensics DVD so the hard drive is treated purely as a read-only storage device.
  3. Record the SHA-1 and SHA-512 hashes of the disk device as measured with the openssl, sha512sum and shash commands.
  4. Capture an image of the disk with the dd command and verify the SHA-1 and SHA-512 hashes of that image.
  5. Set the target system aside and analyze the image.

The good news for this agency is that they had a peculiar and rather clumsy and messy intruder who was interested in using their Internet connection but not at all interested in easy money. The compromised system was one of six highly visible and easily portable laptops in the building, but nothing was taken.

One of the men said it would have been catastrophic if the project leader’s computer had been stolen, as “that’s where all our plans are stored” and its loss would have set the construction project back several months. “No,” the project leader corrected him, “All of our data is at state headquarters. We just use these computers to access our data.”

Centralized storage with carefully controlled access from lightweight devices in the field. This doesn’t have the scale or the ease, speed and low cost of deployment of the Amazon, Google and Microsoft large-scale public clouds we discuss in Learning Tree’s Cloud Security Essentials course, but it’s a step in that direction.

There’s the potential availability, but is this state agency’s access really “carefully controlled”? Not even close. Their access devices are Windows XP systems with automatic login to one account shared by all users, no password-protected screen lock, and everyone was mystified when I mentioned that the little strip next to the keyboard was a swipe-style fingerprint scanner. The contractor who replaced the system said that they had tried enforcing user authentication but gave up because everyone was continually locked out of their systems and they couldn’t do their work.

You can lead people up to the edge of a secure solution, but you can’t make them use it…

Bob Cromwell

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.