Introduction

This is the second in a two part guest post by Ian Charters, an expert in digital forensics.  As a result of reading Evan Schuman's blog post: Heartland Sniffer hid in Unallocated Portion of Disk, I asked Ian if he would be willing to write a guest post on the topics that Mr. Schuman detailed in his post.  My thought was to reframe, in layman's terms, what happened so that managers and executives would have a better understanding of what happened without getting tied up in technical terms.  What I received were two submissions that gave a bit of background on unallocated disk space and then looked at what is reported to have happened in the Heartland Incident.

Many thanks to Ian for sharing his time and knowledge with us.  Ladies and Gentlemen: Is there a Ghost in the Machine:

Is there a Ghost in the Machine?

It just seems that in the world of computer security and digital forensics, the more things change, the more they stay the same.  In this case, I'm referring to a recent security incident reported by Evan Schuman in a post on his wonderful blog, entitled Heartland Sniffer hid in Unallocated Portion of Disk.

The incident that Mr. Schuman describes is typical of today's credit card information theft.  It appears that organized criminals in Eastern Europe targeted a credit card payment processing firm.  They implanted a software sniffer on the firm's servers (a sniffer is a software package that captures and records the data moving across the network segment it is attached to).  The sniffer apparently collected significant amounts of unencrypted credit card data.  From a technical point of view, what makes the incident interesting is that the sniffer appears to have been installed in unallocated disk space on Heartland's servers, that is, in disk blocks the file system records as free, so that no directory listing would show it.  (For those who might need to brush up on what unallocated disk space is, see "A short primer on empty disk space".)

What was not reported was how the collected data was stored (presumably also in unallocated disk space), and how the collected data was moved off the network.  If the storage and transfer of the stolen data were handled in as sophisticated a manner as the implanting of the sniffer, this was an attack of some significance.

Getting back to the initial issue: the use of unallocated disk space to hide files and executables is not a new technique.  It does require a significant level of sophistication, both from the programmer involved and from those operating the scheme overall.  One of the first times I saw the technique used was around 1990. At the time MP3s were fairly new but immensely popular with young computer professionals of all stripes. Young programmers in particular wanted to listen to music at work.  However, the folks running the networks didn't want them using the network's resources to listen to (and, perhaps unfairly, presumed they were sharing) music.  So the cat and mouse game of hide and seek began.  When the "mice" started hiding their file shares in plain sight, using unallocated disk space, they pretty much had the upper hand for a while.

The problem is that eventually the same technique started being used for darker purposes. Folks involved in the illegal or unlicensed sale of software wanted their software securely stored, but they also didn't want it associated with them, or indeed located anywhere physically connected to them, for fear of arrest.  In the early 1990's, Federal law enforcement started treating the trade in illegal or unlicensed software seriously.  This resulted in several spectacular arrests. So the folks selling unlicensed software started hacking corporate servers in order to hide their unlicensed software in the unallocated disk space found on those servers.

Even before the peddlers of unlicensed software started using this approach, hackers had been storing and hiding their hacking tools on corporate servers.  This led to an interesting underworld market in hacked servers, in which hackers would take over corporate or even government servers and "sell" control of them within the underworld to the highest bidder.  Unfortunately this trade goes on even today.

Because I was aware of all of the silly games of file hide and seek going on, I got into the habit of regularly overwriting the slack space, unused space and unallocated space on my computers. I even did this on my home computers at the time.  However, with time the popularity of this approach to hiding data declined in favor of other techniques. As a result I also stopped this preventative practice.  I guess Evan's article reminds me that there are several old security techniques that I have discontinued that I should reconsider. If you have similar concerns, please contact a digital forensics professional.  After all, I see a lot of "solutions" offered on the internet.  In many cases, if you aren't careful, the cure is worse than the original symptom.
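The two ideas in this post, a payload parked in clusters the file system believes are free, and the habit of overwriting free space so nothing can live there, can be shown together on a toy disk image. The following is an added example and is not part of Ian's post or of any investigation of the Heartland incident: the 16-cluster image, its allocation bitmap, the "hidden sniffer" bytes and the card numbers are all constructed here (4111111111111111 is the well-known Luhn-valid Visa test number; the `...2` variant is a decoy that fails the checksum). The signatures scanned for (an MZ/ELF header for the binary, 16-digit Luhn-valid strings for the capture file) are assumptions about what such a sniffer would leave behind, not a description of the real one.

```python
"""Toy model: hide data in unallocated clusters, carve it back out, wipe it.

Everything here is constructed for the example. A Python list stands in for
the file system's allocation structures; real investigations read those
from the image itself.
"""
import re

CLUSTER_SIZE = 512      # bytes per cluster (assumption for the toy image)
CLUSTER_COUNT = 16

# What to carve for in free space (assumed indicators, not from the incident):
# an executable header, and ASCII card numbers in a capture file.
EXECUTABLE_MAGIC = {b"MZ": "DOS/PE executable", b"\x7fELF": "ELF executable"}
PAN_RE = re.compile(rb"(?<!\d)(\d{16})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_image(allocated):
    """Blank toy disk plus an allocation bitmap (True = cluster in use)."""
    bitmap = [i in allocated for i in range(CLUSTER_COUNT)]
    return bytearray(CLUSTER_SIZE * CLUSTER_COUNT), bitmap


def write_cluster(image, index, payload):
    """Write raw bytes into one cluster without touching the bitmap.
    Writing to a cluster the bitmap says is free is exactly how data
    ends up 'hidden' in unallocated space: no directory entry points at it."""
    assert len(payload) <= CLUSTER_SIZE
    start = index * CLUSTER_SIZE
    image[start:start + CLUSTER_SIZE] = payload.ljust(CLUSTER_SIZE, b"\x00")


def scan_unallocated(image, bitmap):
    """Carve every free cluster for executable headers and Luhn-valid PANs.
    Allocated clusters are skipped: those belong to real files and are
    examined by ordinary file-level tools. Returns (cluster, finding) pairs."""
    findings = []
    for idx, in_use in enumerate(bitmap):
        if in_use:
            continue
        chunk = bytes(image[idx * CLUSTER_SIZE:(idx + 1) * CLUSTER_SIZE])
        for magic, name in EXECUTABLE_MAGIC.items():
            if chunk.startswith(magic):
                findings.append((idx, name))
        for m in PAN_RE.finditer(chunk):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                # Mask the number in the report, as a forensic report would.
                findings.append((idx, "card number " + pan[:6] + "******" + pan[-4:]))
    return findings


def wipe_unallocated(image, bitmap, fill=b"\x00"):
    """Overwrite every free cluster: the preventive habit described in the post.
    Returns the number of clusters overwritten."""
    wiped = 0
    for idx, in_use in enumerate(bitmap):
        if not in_use:
            image[idx * CLUSTER_SIZE:(idx + 1) * CLUSTER_SIZE] = fill * CLUSTER_SIZE
            wiped += 1
    return wiped


def demo():
    """Plant a fake sniffer and capture file in free clusters, find them, wipe them."""
    image, bitmap = make_image(allocated={0, 1, 2, 3})
    # A card number inside a legitimately allocated file: not the scanner's job.
    write_cluster(image, 1, b"billing record 4111111111111111")
    # Constructed 'sniffer' binary and its capture file in clusters marked free.
    write_cluster(image, 7, b"MZ\x90\x00fake sniffer")
    write_cluster(image, 9, b"track=4111111111111111|decoy=4111111111111112")
    before = scan_unallocated(image, bitmap)
    wiped = wipe_unallocated(image, bitmap)
    after = scan_unallocated(image, bitmap)
    return before, wiped, after


if __name__ == "__main__":
    print(demo())
```

Two practical notes. On a real image the allocation bitmap comes from the file system, not from a list; The Sleuth Kit's `blkls` extracts exactly the unallocated blocks of an image so the same carving logic can be run over them. And the order matters: carve first, wipe second. Overwriting free space on a machine you suspect is compromised destroys the very evidence an investigator needs, which is one concrete way the cure can be worse than the symptom.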

Thanks Evan, for the great article and the nudge to never forget the past. 

About the Author

With over 20 years of experience in the field of digital forensics, Ian Charters has a unique perspective on the evolution of digital forensics.  His career has taken him from the private sector into government service and back to the private sector. 

After successfully starting and running his own networking, software development and systems integration firm, Ian was recruited into the nation's Intelligence Community, including service in both the Defense Intelligence Agency and the Central Intelligence Agency, where he proudly served his country for over 20 years.

Upon retiring from Federal service, Ian served as the Security Practice Leader with the Unisys Federal Group based in Reston, Virginia.  While responsible for leading the practice's efforts in the development, sales, and delivery of a full range of IT security solutions, he was responsible for the development and introduction of application code assurance into the Federal market.

Ian is currently a Senior Manager in a Big 4 Accounting firm’s information security and risk management practice.  His responsibilities include leading engagements to provide security services to both commercial enterprises and government agencies.

Ian holds a Bachelor of Arts in Political Science from Washington State University and a Master of Arts in Security Policy Studies from George Washington University, in addition to completing extensive post-graduate and commercial coursework in Computer Security, Architectures, Networking, Programming, Telecommunications, Computer Simulation and Simulation Theory.  He is a frequent seminar speaker with the Potomac Forum Ltd, a non-profit educational foundation (www.potomacforum.org) and serves on the Board of Advisors for Ascension Risk Management LLC (www.ascensionriskmanagement.com).
