Should Forensic Tools Be Sold To Anyone?

Written by Evan Schuman
May 23rd, 2012

When a software vendor creates a tool for forensic data-breach investigators, can it, and should it, take any steps to make sure that product is sold to legitimate investigators and not to cyberthieves? It’s a tricky issue. Unlike sworn law enforcement officers, forensic investigators are not licensed, and they can work for any retailer, consulting firm or security company. What type of test of legitimacy could possibly work?

This came to mind because of an interesting product rollout on Monday (May 21) by a vendor called Passware. The new capability opens any password-protected Excel spreadsheet or Word doc (or really anything from Microsoft’s Office suite) by locating the file’s encryption key in the computer’s memory, which sidesteps the password entirely: the key, not the password, is what the tool needs.

“With the release of MS Office 2007, Microsoft changed its encryption algorithm to AES, which made instant calculation of an encryption key impossible,” said the news release from Passware. “The latest version of Passware Kit Forensic includes live memory acquisition over FireWire and subsequent recovery of a file’s encryption key—regardless of the password length and complexity. This method works if the target MS Word/Excel file was open on a seized computer at the time of its memory acquisition, or when the computer last went into ‘sleep’ mode.”

It sounds like a fine product. But couldn’t it just as easily be used against retailers as for them?

All it takes is one bad “investigator” to let the secret out. One cracker who gets his or her hands on this tool can figure out how it works. Then the technique can be used to, say, build malware that lifts document encryption keys out of memory. (Passware does this over FireWire against a seized PC; malware already running on a victim’s machine would not need the FireWire step, because it can read the same memory directly.) A legitimate competitor to Passware probably can’t copy the product, because that would be intellectual property infringement. But cybercrooks have no such scruples.

Passware spokesperson Nataly Koukoushkina had a very reasonable—although a little unnerving—response to whether the company should at least try to make sure its customers are doing what they say they are doing. She used a retail analogy: “It’s like selling someone a kitchen knife. They could use it for cooking or for killing someone.” (In New Jersey, customers use it for both, but I digress.)

As a practical matter, there is no reasonable way to vet buyers. Given the wide variety of companies that legitimately employ forensic investigators, it would simply be far too easy for a thief to come up with convincing credentials. And the time spent chasing them down would be wasted, especially given that good cyberthieves can get what they need underground anyway.

Still, it is frustrating. It just makes you want to go buy a knife, find a cyberthief and cook something for them.


One Comment

  1. A reader Says:

    These tools and techniques have been used by malware writers for years. They are no different than the memory sniffers that Verizon’s security teams discovered stealing credit card data from the memory of POS applications. They’ve just been packaged differently.

    Computers with FireWire have long been known to be vulnerable, since it has DMA access. Password interception via FireWire is not a new trick.

    Making these tools commercially available should put more of them in the right hands, where the overall level of benefit to society goes up. Assuming it doesn’t further enable a corrupt Police State, of course.

