Senate Judiciary Committee hearing on Cyber Crime and Privacy
On Tuesday, February 4th, Target and Neiman Marcus officials testified before the Senate Judiciary Committee. Symantec, Consumers Union, the Justice Department, the U.S. Secret Service, and others also testified. You can watch the entire 2 hours and 47 minutes of C-SPAN video here. The hearing focused on protecting Americans' privacy and combating cyber crime. The Target and Neiman Marcus data breaches were highlighted, with much discussion of moving away from magnetic-stripe credit cards and of the direct impact on "brick 'n mortar" stores.
In this hearing, the malware used against Target and Neiman Marcus is repeatedly described as "advanced," so sophisticated that it slipped past multiple layers of detection (IDS, A/V, DLP, etc.). That framing deserves its own discussion, since those layers are largely signature-based and by design cannot flag custom code for which no signature yet exists. But as my friend and colleague Brian Moran points out, from the viewpoint of a seasoned incident responder and forensic examiner the Target malware is only as sophisticated as it needs to be to steal data. Brian states, "Cyber criminals will continue to use malware that is only as advanced as it needs to be to allow the compromise, collection, and exfiltration of data." In my previous post, I also discussed how we can all turn this information into actionable intelligence.
With data breaches, the NSA data collection debate, and consumer privacy at the forefront of the news, future legislation will have a direct effect on the entire country going forward. What are your thoughts? Leave me a comment.
Target: Actionable Intelligence
There is a lot to be learned from the Target data breach. Brian Krebs initially broke the story. A follow-up story posted late this evening caught my attention, and I thought a quick blog post would be in order to share some thoughts. Those of us in the information security and digital forensics field understand that the user is the weakest link in the security chain. But what immediate actions can be taken to strengthen this weak point?
Target announced this evening that the intruder got in with stolen vendor credentials. "The ongoing forensic investigation has indicated that the intruder stole a vendor's credentials, which were used to access our system," Target spokeswoman Molly Snyder said in a statement referenced in the MSN story.
There are many takeaways from the Target data breach, not only for the information security industry but for the retail sector and the general public as a whole. As our lives become connected to the Internet and we conveniently pay with plastic cards, we tend to brush security aside in exchange for the "freedoms" of the technological age, for whatever is more convenient. I'm optimistic that this very large scale data breach will begin a dialogue on the necessity of cyber-security collaboration between government and the private sector, not through a coalition or task force, but through sharing actionable, intelligible information. No matter what industry you come from, information sharing is always a challenge with many obstacles. However, when you look at what occurred with this data breach and begin to decipher the media reports and other data sources, there are many lessons to be learned and a good deal of actionable intelligence. Brian Krebs does an excellent job of dissecting the intrusion. In the last month we have had Target, Neiman Marcus, and now Michaels Stores announcing data breaches. The question remains, "Who else?"
More on this at a later date...
Now, some DFIR actionable intelligence for us to explore from this data breach... Brian Moran of BriMorLabs has some great information up on his blog. Today, Mr. Moran shared his research on the Target POS malware. It is very easy to set up a test environment and see how this malware exfiltrates payment data from POS (Point of Sale) systems. In case you missed it, Jake Williams shared his joint anti-forensics ADD talk with Alissa Torres from Shmoocon here. Basically, ADD is a conceptual tool for creating fake memory artifacts, but as @jackcr methodically points out, forensic analysis relies on correlating multiple artifacts, not on any single artifact. The forensic analyst must be aware of anti-forensic techniques, how artifacts are legitimately created, and how they can be falsified. Understanding normal will help you detect the anomalies during your forensic analysis.
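To make the RAM-scraper behaviour concrete, here is an added example (written for this post; it is not BriMorLabs' research code and not the Target malware itself) of the search a POS scraper performs: a regex pass over memory for ISO/IEC 7813 Track 1 and Track 2 records, with a Luhn check to weed out look-alike digit runs. The same scan, pointed at a memory dump from a suspect POS host, tells an examiner whether card data was sitting in the clear and roughly how much. The track patterns are the generic stripe layouts rather than any specific sample's, the memory buffer is constructed, and the function names are my own.

```python
"""Scan memory for magnetic-stripe track data laid out per ISO/IEC 7813.

A POS RAM scraper performs exactly this search against process memory; run
by an examiner against a memory dump, it shows whether card data sat in the
clear and roughly how much. The sample buffer at the bottom is constructed.
"""
import io
import re
from dataclasses import dataclass
from typing import List

# Track 1: %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# These are the generic track layouts, not any specific malware's patterns.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'\-]{2,26})\^(\d{4})(\d{3})[^?]{0,30}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: drops most look-alike hits (counters, timestamps, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report BIN and last four only, so the findings file is not itself card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class TrackHit:
    track: int          # 1 or 2
    offset: int         # byte offset of the record
    pan_masked: str
    expiry: str         # YYMM as encoded on the stripe
    luhn_valid: bool    # False usually means a false positive or test data


def scan_buffer(buf: bytes) -> List[TrackHit]:
    """Return every track-formatted record in buf, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        hits.append(TrackHit(1, m.start(), mask_pan(pan), m.group(3).decode("ascii"), luhn_ok(pan)))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        hits.append(TrackHit(2, m.start(), mask_pan(pan), m.group(2).decode("ascii"), luhn_ok(pan)))
    return sorted(hits, key=lambda h: h.offset)


def scan_stream(stream, chunk: int = 64 * 1024 * 1024, overlap: int = 128) -> List[TrackHit]:
    """Scan a large dump in chunks. The overlap (longer than any track record)
    keeps a record that straddles a chunk boundary intact; hits seen twice in
    the overlap are de-duplicated by absolute offset."""
    if isinstance(stream, (bytes, bytearray)):
        stream = io.BytesIO(stream)
    found = {}
    tail = b""
    base = 0                               # absolute offset of buf[0]
    while True:
        data = stream.read(chunk)
        if not data:
            break
        buf = tail + data
        for h in scan_buffer(buf):
            absolute = base + h.offset
            found[(h.track, absolute)] = TrackHit(h.track, absolute, h.pan_masked, h.expiry, h.luhn_valid)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return sorted(found.values(), key=lambda h: h.offset)


def scan_file(path: str) -> List[TrackHit]:
    """Scan a memory dump on disk (a raw process or full-memory image)."""
    with open(path, "rb") as f:
        return scan_stream(f)


# Constructed stand-in for a slice of POS process memory. The PANs are the
# well-known 4111... and 5555... test numbers, which pass Luhn; the third
# record has a wrong check digit and the fourth is a 16-digit number that is
# not track-formatted at all, so it must not be reported.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"pos.exe registered printer LPT1\x00"
    + b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    + b"\x00" * 8
    + b";5555555555554444=25121011234567890?"
    + b"\x00" * 8
    + b";4111111111111112=25121011234567890?"
    + b"order total 1234567890123456 units"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        flag = "" if hit.luhn_valid else "  (fails Luhn)"
        print(f"track {hit.track} @ 0x{hit.offset:06x}  {hit.pan_masked}  exp {hit.expiry}{flag}")
```

Run it as a script to print the masked hits from the constructed buffer, or call scan_file() on a dump. Two design points matter for an investigation: the PANs are masked before they are written anywhere, so the findings file does not become a second cache of card numbers, and the Luhn flag separates genuine stripe data from counters and test records that happen to match the layout.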
DFIR: Sunday Reading 01/26/14
Here are some recent articles from this past week that I thought were noteworthy and worth sharing:
- Patrick Olsen has a blog post up that I should have included in last week's Sunday reading, "Know your Windows processes or Die Trying". Patrick provides a high-level overview of Windows processes and reiterates how important it is to "know normal" on the Windows systems we analyze.
- Harlan has posted his review of Cloud Storage Forensics on his blog. Speaking of Harlan, WFA 4/e is rumored to be released in April.
- The weekly Forensic Lunch hosted by David Cowen is every Friday at noon Central Time. This week's Forensic Lunch featured Hal Pomeranz and Jake Williams. Hal discusses the digital forensics Perl scripts he posted to GitHub, and Jake discusses his recent Shmoocon talk with Alissa Torres on anti-memory-forensics, titled ADD. This week's show also featured Lee Whitfield discussing his new online safety video series. Kudos to Lee for creating this series for anyone who wants to learn more about the dangers of the internet today; it is a great way to give back to the public at large on computer security issues. Lee's first video, Streaming Consequences, has gone "viral" with over 21,000 views to date. Online Safety: Part I is also now available. If you can't catch the Forensic Lunch live, catch this week's show and past shows on YouTube.
- Michaels Stores just announced and alerted its customers that it may also have suffered a POS (point of sale) data breach. This is yet another well-known retailer to announce a data breach since December: Target announced in December and Neiman Marcus just a few weeks ago.
- e-Discovery Law Blog: This article points out why it is important for organizations to preserve ESI (electronically stored information) in anticipation of litigation, and the sanctions that can follow "selective" preservation.
- Brian Moran of BriMorLabs has a new post on his blog about RAM scrapers. A very good read and a clear overview of how RAM scrapers target POS systems for credit card data.
- Benjamin Wright, Esq. has a new blog post titled Legal Evidence from Dedicated Computers, offering good cyber-investigative techniques from a legal perspective. Mr. Wright is an attorney and also a SANS instructor.
Finally, SANS just announced the #DFIRCON photo contest. If you are looking for top-notch digital forensics training, SANS is running a contest to win a free Simulcast seat for the upcoming DFIRCON, March 5-10 in Monterey, CA.