Friday 29 March 2013

Massive DDoS against Spamhaus reaches 300Gbps

If the DDos below is committed again in the future with several or even many big targets on a certain country, it could shut the internet down in a wide range of the country's area. If this happens, many people cannot do their own activities based on the internet such as accessing emails, bank accounts, online news and much more. I could say this is one form of cyber terrorism or even cyber war, if it attacks a certain country and the perpetrators are supported by another country. Do we already think about this?  What should we do to strengthen/harden the internet backbone in our country? That requires a well-coordinated team work involving several parties.

From The SANS Institute:
Following a dispute between Dutch hosting provider Cyberbunker and anti-spam group Spamhous, the latter suffered what initially began as a relatively small - 10 Gbps -DDoS, which escalated over the course of last week to a 300Gbps flood. Anti-DDoS provider CloudFlare noted that the attackers - who have not been conclusively linked to Cyberbunker - were able to generate such huge volumes of traffic by using open DNS resolvers, which can respond to small, spoofed requests with massive floods of data. As a result of this attack - one of the largest ever on the Internet to date - a new project has been announced to locate and fix all of the approximately 27 million such systems on the Internet today. Reference: http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet http://openresolverproject.org/

Thursday 28 March 2013

vSkimmer Steals Payment Card Data From Windows Point-of-Sale Terminals

Several news sent by The SANS Institute in which the latest was dated on March 22, 2013, makes me to a rough conclusion. It is that nowadays the criminals on hacking bank system prefer to play trojan horse as the tools. It means that the bank's security people must be aware on this and warn other staff of the bank about this. The news of The SANS Institute below shows it.

The vSkimmer Trojan horse program steals payment card data from point-of-sale (POS) terminals. The malware has the capacity to steal the data from cards' magnetic strip, which contains account numbers, expiration dates, and security codes; it is being used in targeted attacks. vSkimmer targets Windows machines and sends the data it steals to a remote server. vSkimmer does not work on cards that use the EMV, also known as chip-and-pin authentication standard. HTtp://www.scmagazine.com/vskimmer-trojan-steals-card-data-on-point-of-sale-systems/article/285725/http://www.computerworld.com/s/article/9237828/Researchers_uncover_vSkimmer_malware_ targeting_point_of_sale_systems?taxonomyId=17

Saturday 23 March 2013

Mobile Forensic: How to detect Reconditioned BlackBerry

I just want to share knowledge and experience on how to detect reconditioned BlackBerry. There are 2 methods for this purpose.
The first one is through the Options - Device - Device and Status Information. With this way, we will find any information related to the current condition of BlackBerry such as signal, battery, IP address, free memory and so on. On this state, we type B U Y R, it will display Buyer's Remorse. In Buyer's Remorse, it will show data usage, voice usage and IT policy. If the BlackBerry is a brand new gadget, it must show null value for data and voice usage. If it is not null, or it already has value, so it means the BlackBerry is already used before.
The second method is by using mobile forensic integrated device such as UFED of Cellebrite, XRY of Micro Systemation and so on. With this device, try to perform physical extraction by applying flash memory dumping. With this way, we do forensically sound imaging on the BlackBerry's flash memory. It takes time about 2 to 6 hours. After it finishes, we perform hex analysis. If it is a brand new, the flash memory should contain OS's file system and factory-based applications only. It means that about 1/2 or more at the end of the flash memory will be 00 because the data usage will be minimum and is allocated at the beginning of the flash memory. If at around the end of the flash memory has been allocated with data, it means that the BlackBerry is already used. The other way is to seek the naming model of root directory. The purpose is to find out deleted or wiped files. If a file is deleted, the file actually still exists in its sectors. It just put unallocated information in the root directory. Also if a file is wiped, it only wipes the allocated sectors of the file. The information of the root directory shows the sectors are unallocated. If we can find the naming model of root directory and it shows deleted or wiped files, it means that the BlackBerry is not a brand new gadget. In the other words, it is already used.
If the BalckBerry which is already used and reconditioned is sold as if it is a brand new, it is a crime as the seller cheats customer. The seller can be arrested and sent to the court for his crime.

Cyber Command Will Deploy More than 100 Cyberdefense Teams by End of 2015

The news of The SANS Institute makes me wondering and a bit jealous. I have a dream that my country also have the cyber defense team to strengthen internet and other computer networks from any computer attacks. I would like to develop it along with other computer professionals in Indonesia. Please read the news.

Cyber Command Will Deploy More than 100 Cyberdefense Teams by End of 2015 (March 19 & 21, 2013) The US Defense Department's Cyber Command plans to deploy more than 100 military cyberdefense teams by the end of 2015. Most of these teams will focus on protecting military networks, not on attacking systems of adversaries. General Keith Alexander, head of Cyber Command, said last week that by September 2013, 13 cyberwarrior teams will be deployed. These teams will focus on taking action against adversaries' networks to prevent attacks on US critical infrastructure systems. http://www.nextgov.com/defense/2013/03/pentagon-plans-deploy-more-100-cyber-teams-late-2015/61948/?oref=ng-channelriver http://www.nextgov.com/cybersecurity/cybersecurity-report/2013/03/military-cyber-strike-teams-will-soon-guard-private-networks/62010/?oref=ng-HPtopstory

Major Cyberattack Hits South Korean Banks and Broadcasters

The news of The SANS Institute in this early morning wakes me up from sleepy condition. Trojan.....and trojan again. Always the same way to attack banks. Why are the bankers not aware from this attack? There are many ways to install trojans to bank computers as the targets. They should be aware of this. Please read it below.

Major Cyberattack Hits South Korean Banks and Broadcasters (March 20 & 21, 2013) A major cyberattack hit South Korean banks and broadcasters earlier this week. Two of the country's large banks and three broadcasters were affected, but government systems were not targeted. The malware wiped files from infected computers. Shortly after the attacks, there was speculation that North Korea was responsible, but there has not been positive attribution. James Barnett, former chief of public safety and homeland security for the US Federal Communications Commission (FCC) notes that, "This needs to be a wake-up call. This can happen anywhere." Investigators think that malware may have been spread through servers that send out automatic updates and patches. Symantec researchers say the attack used a Trojan horse program known as Jokra, which can overwrite computers' master boot records and all the data stored there. http://www.washingtonpost.com/business/technology/police-investigating-reports-that-computers-of-south-korean-banks-media-paralyzed/2013/03/20/a7366760-9126-11e2-9173-7f87cda73b49_story.html http://www.latimes.com/news/world/worldnow/la-fg-wn-south-korea-cyber-attack-20130320,0, 1356665.story http://www.scmagazine.com/south-korean-corporations-hit-by-widespread-attack-that-wiped-data-and-shut-down-systems/article/285315/ http://www.foreignpolicy.com/articles/2013/03/21/who_is_whois. More details at http://edition.cnn.com/2013/03/22/world/asia/south-korea-computer-outage/index.html.

Video Profiling on The Best 10 of Chevening Alumni in Indonesia

Several days ago, a team of British Embassy came to my office and labs. They would like to take video profiling on me as the Best 10 among thousands of Chevening alumni in Indonesia. Chevening is a scholarship provided and supported officially  by yhe Foreign and Commonwealth Office (FCO) of the UK government. In the implementation, it is administered by the British Council. It is open for any candidates of any country who would like to join postgraduate degree in the UK. They have to pass several tests before getting this prestigious scholarships award. With the Chevening scholarships, I took MSc in Forensic Informatics at the University of Strathclyde, in Glasgow, UK. I joined it in 2008/09. I got mark of distinction for my dissertation about Steganography Forensic. After finishing my study at the Strathclyde, I returned to my office in Jakarta, Indonesia. I have a personal mission to develop digital forensic at my labs and in Indonesia in general, that's why I like sharing on digital forensic a lot such as to be speaker or instructor for seminars and courses, even I wrote a technical book with title of "Digital Forensic: Practical Guidelines for Computer Investigation" which was published last year. Currently I hold the job as the Chief of Computer Forensic Sub-Dept. at Indonesian Police Forensic Lab Centre (Puslabfor Bareskrim Polri). In this job, I and my team are responsible for digital forensic analysis on any type of electronic and digital evidence coming from cases of computer crime and computer-related crime in Indonesia.
With this job, I've already made 15 Standard Operating Procedure (SOP) on each technical  steps of digital forensic. I could say my computer forensic lab is one of institutes in the world having many SOPs as the guidelines for digital forensic works.

Tuesday 19 March 2013

Telkom dan Biznet Bantah "Intai" Pengguna Internet Internet

From Kompas.com:

Telkom dan Biznet Bantah "Intai" Pengguna Internet Internet
ADITYA PANJI

JAKARTA, KOMPAS.com — Dua perusahaan penyedia jasa internet besar di Indonesia, Telkom dan Biznet Network, membantah dugaan pihaknya menggunakan perangkat lunak intelijen untuk memata-matai pengguna internet.

Hasil penelitian Citizen Lab, Universitas Toronto, Kanada, menunjukkan bahwa tiga perusahaan penyedia jasa internet (internet service provider atau ISP) di Indonesia memakai perangkat lunak FinFisher atau dikenal juga sebagai FinSpy. Selain Telkom dan Biznet, Matrixnet Global juga diduga memata-matai pelanggan.

"Dari Biznet tidak ada policy seperti itu. Kita sedang cek IP address itu punya siapa," kata Presiden Direktur Biznet Network Adi Kusma saat dihubungi KompasTekno, Senin (18/3/2013).

Hal senada diungkapkan pihak Telkom. "Bahwa Telkom tidak mempunyai server untuk melakukan monitoring atau memata-matai pelanggan," ujar Slamet Riyadi, Head of Corporate Communication and Affair Telkom.

FinFisher adalah perangkat lunak pemantau jarak jauh yang dikembangkan oleh Gamma International di Muenchen, Jerman. Menurut Citizen Lab, produk FinFisher dipasarkan dan dijual secara eksklusif untuk penegak hukum dan badan intelijen oleh Gamma Group yang berbasis di Inggris.

"FinSpy menangkap informasi dari komputer yang terinfeksi, seperti password dan panggilan Skype, dan mengirimkan informasi ke server perintah dan kontrol FinSpy," demikian hasil penelitian Citizen Lab.

Dalam hasil penelitian, Citizen Lab mengungkap alamat internet protokol (IP address) di Indonesia yang diduga mengandung FinSpy atau FinFisher. Alamat IP Telkom dan Matrixnet Global tidak diungkap sepenuhnya.

- 118.97.xxx.xxx PT Telkom dari Indonesia - 118.97.xxx.xxx PT Telkom dari Indonesia - 103.28.xxx.xxx PT Matrixnet Global dari Indonesia - 112.78.143.34 Biznet ISP dari Indonesia - 112.78.143.26 Biznet ISP dari Indonesia

Menurut Slamet, berdasarkan parsial IP address yang dilaporkan Citizen Lab, disimpulkan bahwa itu adalah pelanggan Astinet/Transit Telkom. "Untuk mengidentifikasinya perlu IP address yang lengkap," ungkap Slamet.

Untuk memblokir IP address tersebut, lanjut Slamet, harus ada permintaan dari computer emergency response team (CERT) negara, dalam hal ini Indonesia Security Incident Response Team on Internet Infrastructure (ID-SIRTII) yang berada di bawah Kementerian Komunikasi dan Informatika.

Citizen Lab mencatat, perangkat lunak FinSpy terdeteksi di 25 negara. Selain Indonesia, ia juga ada di Australia, Bahrain, Banglades, Brunei, Kanada, Ceko, Estonia, Etiopia, Jerman, India, Jepang, Latvia, Malaysia, Meksiko, Mongolia, Belanda, Qatar, Serbia, Singapura, Turkmenistan, Uni Emirat Arab, Inggris, Amerika Serikat, dan Vietnam.

Sunday 17 March 2013

Bank Fraud Investigation Sharing

Yesterday I came to Bandung Indonesia for attending sharing session on bank fraud investigation. We talked and discussed a lot about modus operandi how to make a fraud from a practical phising, e-bank tapping, carding until study case. There were three study case to share. It's about ATM case, Remote Desktop Protocol case and Clearing case. The study case showed the steps of action how to make a successful fraud, so that's why the contens were so sensitive. In this case we need to harden the bank security from knowing the modus operandi. If we know it well, we expect that we can close or patch the holes of breached security properly. No more fraud from such modus operandi.

Wednesday 13 March 2013

Reserve Bank of Australia Targeted in Cyberattacks (March 11, 2013)

From The SANS Institute:

Reserve Bank of Australia Targeted in Cyberattacks (March 11, 2013) The Reserve Bank of Australia (RBA) has acknowledged that in November 2011, hackers managed to gain access to RBA systems through targeted phishing attacks. The information has come to light through a Freedom of Information request and was disclosed in December 2012. The phishing email messages appeared to come from "a possibly legitimate external email address ... from a senior bank employee" and were accompanied by an attachment that installed a Trojan horse program on the computers of those who opened the attachment. An RBA spokesperson said that while the infection posed the threat of data theft, no information was stolen. http://www.theage.com.au/it-pro/security-it/hackers-breach-reserve-bank-20130311-2fv8i.html http://www.bbc.co.uk/news/business-21738540 http://www.v3.co.uk/v3-uk/news/2253724/australian-central-bank-hit-by-cyber-attacks RBA Media Release: http://www.rba.gov.au/media-releases/2013/mr-13-05.html

U.S. Department of Defense Not Ready for Cyberwar (March 12, 2013)

From The SANS Institute:

U.S. Department of Defense Not Ready for Cyberwar (March 12, 2013) This editorial in today's Washington Post, describes and discusses the findings of the Defense Science Board (DSB), probably the most prestigious collection of technical, policy, and industrial leadership the U.S. has ever asked to focus on cybersecurity and cyber warfare. The DSB report "hints that U.S. nuclear weapons, hardened to survive an atomic blast in the Cold War, may not be ready to survive a cyber-onslaught...[and] called for "immediate action" to make sure the nuclear weapons would survive." The report also projected that when open conflict breaks out, potentially, "hundreds" of simultaneous, synchronized offensive and defensive cyber operations would be needed, and yet the task force found the U.S. military is not ready. http://www.washingtonpost.com/opinions/the-us-is-not-ready-for-a-cyberwar/2013/03/11/782e299a-8838-11e2-98a3-b3db6b9ac586_story.html?hpid=z3

Monday 11 March 2013

I'm back...!

For a long time, I did not deliver a post in this blog because of getting busy to accomplish tasks of digital forensic analysis. In 2012, I and my team had finished analysis of electronic and digital evidence with the amount of 488 items which were much more than the total days in a year.
This is my first post in this year. Hope it can continue to post.
This week, I will be attending the launching of Cyber Defence Academy in Jakarta, Indonesia. This will be the first institute which will focus on deep information security in Indonesia. It is an honor for me to be invited. Good Luck for my colleagues involved in this project.