It would appear that NY governor David Patterson and the NYS senate agree with my sentiments that we can do better to protect the individuals affected by Identity Theft. This article discusses the amendments to the New York State Data Breach Notification Law. The amendment can be found here. Among the changes...
Only the last 4 digits of SSN can be stored/used by employers when access is 'open'. I'm not quite sure what they mean by this.
Skimmer devices have been outlawed.
Affected individuals can now contact the Consumer Protection Board which will help people undo the damage caused by ID theft.
Affected individuals are now entitled to restitution for time spent clearing up any damages caused by the theft.
This is precisely what we need. I'd like to see even more of this, and definitely more accountability.
Tuesday, June 24, 2008
Friday, June 20, 2008
Finding PII data
In case you didn't know, I live in New York. New York has a fantastic law on par with California's SB1386. If you're not sure whether your state has a similar law, check out this article. Odds are your state has one of these great laws enacted.
Why is this important? In every security breach the following question MUST be asked: "Was there PII data on the system?" If you're not asking that question or addressing it in a timely fashion, you're not doing your job if you're dealing with security breaches. If you don't believe me, ask the company identified in this article. Waiting six weeks to notify even if data was not accessed is considered NEGLIGENCE, and it'll cost you $60,000 in New York. That's just the negligence penalty; the cost of the investigation usually starts around $500,000 for a small incident involving this type of data.
This law generally applies to every business, including educational institutions that suffer a security breach where Personally Identifiable Information is at risk of unauthorized disclosure. So what is PII data?
In New York it's:
(1) social security number;
(2) driver's license number or non-driver identification card number; or
(3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
"Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.
What I find absolutely amazing is that the commercial world doesn't seem to give a damn about this information, let alone losing it on a regular basis, yet the proverbial security industry punching bag (read higher education) has taken the lead in this arena.
Cornell University has a tool, and a feature list of the latest version is here. The use of this tool has been mandated in a few places already.
Virginia Tech has a tool
Utexas Austin has a tool
Illinois U has a tool as well.
Sippy has released a tool called WHACK as well that will work with web sites, though I've not tried it yet.
Oh yeah..Identity Finder, a commercial outfit, has well uhm.."borrowed" code from some of these applications and is charging for it. I wonder if they've heard of GPL.
You can also use tools like PowerGrep to search for PII data.
You could also use expensive tools like EnCase to do searches, but that will cost you about $3,800, and you can only do one machine at a time. Many of the tools listed above are FREE as in BEER and have many more capabilities. You can also run the tools above over an F-Response connection during a live response, but I definitely prefer to see a proactive scanning methodology. If you have the consultant edition, you could provide a service..hint hint. Figure out a technique that works for you.
My point in this post is simply to deliver a small wake-up call to whoever is reading. I have conducted numerous searches for PII data in recent years and it's EVERYWHERE. It's in email, it's in databases, spreadsheets, Word docs, scanned PDFs, CVs and on and on. It's in your organization right now and I guarantee that the majority of organizations are doing nothing about it. The worst thing about this data is that it's been so heavily overused in the past few decades that it's on computers and people don't even realize it. Search for it. Get rid of it. You don't need it, and consumers do NOT need to provide an SSN for many of the transactions that take place.
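As an added example (not code from this post or from any of the tools it lists), here is a small Python scanner for the two "private information" elements in the New York definition that have a checkable structure: SSNs and payment card numbers. It validates SSN structure and the card Luhn check to cut false positives, reports findings masked to the last four digits so the report itself does not become a PII store, and runs on constructed sample text; the file suffix list and the placeholder-SSN list are my assumptions.

```python
"""Minimal PII discovery scanner for SSNs and payment card numbers.

Driver's license numbers vary by state and are left out.  Findings are
reported masked (last four digits only).  Added example, not a tool from
the post.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List

# SSN in 123-45-6789 or 123456789 form.  The lookarounds stop matches inside
# longer digit runs (the middle of a card number, a timestamp, an order id).
SSN_RE = re.compile(
    r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])|(?<![\d-])(\d{9})(?![\d-])"
)
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Numbers the SSA has published as examples and never issues.  Assumption:
# a short list is enough for a demonstration; extend it for production use.
KNOWN_PLACEHOLDER_SSNS = {"078051120", "219099999"}


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules: area 001-899 excluding 666; group and serial non-zero."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900 or g == 0 or s == 0:
        return False
    return area + group + serial not in KNOWN_PLACEHOLDER_SSNS


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the check-digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn" or "card"
    source: str    # file name or label of the scanned text
    line_no: int
    masked: str    # last four digits only


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    """Return validated SSN and card findings, one per match, masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if m.group(4):  # bare 9-digit form
                raw = m.group(4)
                area, group, serial = raw[:3], raw[3:5], raw[5:]
            else:
                area, group, serial = m.group(1), m.group(2), m.group(3)
            if valid_ssn(area, group, serial):
                findings.append(Finding("ssn", source, line_no, "***-**-" + serial))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append(Finding("card", source, line_no, masked))
    return findings


def scan_path(root: Path, suffixes=(".txt", ".csv", ".log", ".eml")) -> Iterator[Finding]:
    """Walk a directory of text-like files; Office/PDF need text extraction first."""
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="ignore")
            yield from scan_text(text, str(path))


# Constructed sample input, not real data.
SAMPLE = """\
Applicant: J. Doe, SSN 123-45-6789, phone 555-0100
Legacy export: id=456789012 (no separators, still an SSN)
Card on file: 4111 1111 1111 1111 exp 12/09
Typo'd card 4111 1111 1111 1112 fails Luhn
Invalid SSN 666-12-3456 and SSA example 078-05-1120 are skipped
Order total 1234567890123 is not a card (Luhn fails)
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample"):
        print(f"{f.source}:{f.line_no}: {f.kind} {f.masked}")
```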
I also promise this: if I ever receive a notification letter from your company, you'll be hearing from me.
Thursday, June 19, 2008
Technique Development
A number of weeks ago I was working on biometric bypassing techniques and decided that I needed to invest in a latent fingerprint kit. So I called ForensicsSource (formerly Armor Forensics) and ordered a kit. A few days later my kit arrived and I began my projects. I'd done some homework on latent development techniques but, like most things, reading a book is nothing like the real thing. You can read all you want about the correct amount of pressure, which brush stroke, how much powder to use and what to do when you discover what may be a print, but nothing prepares you for actually determining what that correct pressure is supposed to be, following the ridges properly and the brush stroke to use. Nothing prepares you for the act of lifting a print like doing it. Sure, I messed up a number of prints because too much or too little pressure was used, there was too much or too little powder on the brush, or the surface I was testing on was ridged itself and the powder had gone into the ridges in the table, making the lifted print worthless. Knowing when to take a 1:1 picture and when to lift a print is important, as are the many other points involved in developing and lifting a latent print. If you've never done so yourself I recommend you give the fuming technique a try, if only to understand the process. I use the following (there's plenty of room for variance here):
Zap-a-Gap superglue - nickel-sized drop
Aluminum tea candle containers - remove the tea candle
A plastic storage container with lid
Candle warmer
Hot cup of water
Item to be fumed
So, you might be saying, who cares about latent prints? This is digital forensics, not fingerprinting 101. Remember this: studying other fields is the best way to master your own. In digital forensics, like other fields of study, we must understand that technique development is of the utmost importance. Anyone can shoot a gun, but can they hit the target? In order to master the Mozambique drill one needs to master the fundamentals.
Anyone can install a tool and execute it, but can you interpret the results properly? Do you know how the tool works? Do you know the underlying OS well enough to have the proper foundation? When you're dumping memory on a live system, do you dump to the suspect file system and then copy it off, as is implied in this post? It's all about technique development. I've maintained since the early days that forensics is not about tools. It's about process, procedure and technique. In the early days forensics was done with simple tools such as a hex editor. These days we have flash-bang, gee-whiz tools that do it all for us. Consider, if you will, a live scenario. Which tools are you going to use, what order are you executing them in, where do the results end up, how do they get there, and what gets altered in the process? For all the flashing, blinking, and marketing, where are our techniques going? It's an inverse relationship.
I am baffled that we are entering a new era in tool execution happiness. The forensic market is becoming saturated with tools that have "find evidence" buttons and everyone is telling us that the product they're selling is the best on the market, yet the underlying techniques and knowledge are still lacking. When it comes down to it, forensics is not about how flashy the tools you use are, it's about the techniques used. Go ahead, try developing and lifting a latent print. Buy the really expensive fingerprint kits (to get that digital forensics gouging feeling) to really understand what I'm trying to say here. For fun, try it on different surfaces. You may get lucky and do it right the first time, but odds are you'll need to develop your technique, and you may just realize that had you done your homework you could have gotten the same results with the smaller, cheaper toolkit.
Thursday, June 12, 2008
Linux forensics book
This is a really short post...
I came across this book today and will be ordering shortly. Written by Chris Pogue, Cory Altheide, and Todd Haverkos.
Some information about the contents:
The book begins with a chapter to describe why and how the book was written, and for whom, and then immediately begins addressing the issues of live response (volatile) data collection and analysis. The book continues by addressing issues of collecting and analyzing the contents of physical memory (i.e., RAM). The following chapters address /proc analysis, revealing the wealth of significant evidence, and analysis of files created by or on UNIX systems. Then the book addresses the underground world of UNIX hacking and reveals methods and techniques used by hackers, malware coders, and anti-forensic developers. The book then illustrates to the investigator how to analyze these files and extract the information they need to perform a comprehensive forensic analysis. The final chapter includes a detailed discussion of Loadable Kernel Modules and Malware. The companion DVD provides a simulated or "live" UNIX environment where readers can test the skills they've learned in the book and use custom tools developed by the authors.
Wednesday, June 11, 2008
Enterprise Forensics tools
After thinking about a few things over the past few days and digesting some comments and the presentations I saw down at Techno Security, an idea popped into my head regarding enterprise forensics tools. Currently there are two major players and one or two up-and-coming players in the field. I wanted to focus on the two major players, AccessData and Guidance. Please note that all of this is speculative and purely theoretical because I can't afford either of the two products to do any testing against.
This all began a few years ago when bad guys really started targeting applications, specifically those applications intended to protect endpoints on a network. Let me refer specifically to Veritas Backup Exec and Symantec Antivirus as references for this. To get even more specific I mean this one and this one. Having dealt with compromises related to successful exploitation of both products I thought to myself, "what about other tools that I think will become as pervasive in the enterprise, what about enterprise forensics tools?"
Think about it a second..
They're agent-based - If it's on the network and listening, it's attackable. They're services, which means they can potentially be killed or tampered with.
They require authentication - There's potential here to falsify or steal credentials.
They give full access to memory and disk - There's potential here to bypass operating system protective mechanisms so attackers can gain access to sensitive data.
They communicate with a server - There's potential here to pivot an attack to get to the source, gaining access to other systems.
They communicate with the examiner machine - There's potential here to evade, confuse, corrupt, or otherwise negatively impact the examiner.
One communicates with an Oracle database - where ALL case data is stored (AD) - potential here to destroy all investigations.
There are more potential spots to look at, but wow, those few open up wondrous places to begin exploring. Granted, both vendors use encryption and AAA to supposedly protect access to the agents etc., but if someone can create it, someone will break it. If it's encrypted, an attack over the tunnel wouldn't be noticed by network forensics or network monitoring tools.
Eventually, like I said, I think these enterprise forensics tools will become as pervasive and mainstream as software like antivirus, and will be as targeted by the bad guys as antivirus has become. The question on the table is how secure are these products and their components?
Thoughts, comments and questions as well as any insights are definitely welcome on this one.
Tuesday, June 3, 2008
The Tech at TechnoSecurity
Here are a few of the things I took a look at when the exhibit hall was open at the conference:
P2P Marshal was released by Cyber Security Technologies. You may have heard of this tool under a different name, File Marshal. Anyway, there's a free download of P2P Marshal available here. It's being marketed as a tool to investigate peer-to-peer file sharing use. I know the developers behind the tool and I'm glad it was finally released. Great work! I've got a copy that I'll be playing with shortly. I can't wait to try it over an F-Response connection.
WetStone showed a VERY BETA copy of Livewire Investigator 4. It's a marked improvement over the older product. Much cleaner with some interesting features. I wouldn't jump on board with this tool at this time. They had to rush to get something they could show at the conference. They're also beta testing a U3 device analysis tool. If you're gov't or LE and are interested, shoot them an inquiry message.
Paraben was showing off their CSI Stick, which is very cool if you haven't checked it out already. They'll also be hosting a conference in Utah from Nov. 9-12 this year.
Tableau will be releasing a drive copier/eraser device. The guy I talked to suggested a 6GB/min throughput for SATA/SATA but said they'll see how that actually turns out. This device is due out in August. Price point should be under $3k.
Vantos has a somewhat interesting workflow/playbook-based appliance used in automating incident response across multiple parties such as LE, Legal, Risk Management etc. Basically anyone involved in a case. Looks very bulky but kind of interesting. I did not get a price, nor did I ask.
I finally got a preview of HBGary's Responder tool. The tool looks very interesting. I'm a bit perturbed by the Guidance partnership, but at least Responder Pro will still be sold as its own product.
Forensic Computers has migrated to the Cooler Master Cosmos case. If you haven't seen this case yet, you've got to check it out. It's a fantastic design and is great for a forensics machine.
I'm not a mobile device examiner so I pretty much stayed away from the booths selling the related products. It's such a specialty that quite frankly it's probably cheaper for most people to subcontract or hire out a specialist when confronted with mobile devices. It's a hardware nightmare.
Techno Security was a good conference; it was good to meet some great people who work all sides of the industry. Some talks were fantastic while some were simply sales pitches. I had hoped to meet Richard Bejtlich down here but maybe some other time. It was disheartening to hear about the Michigan decision to force PI licensing, especially after meeting those directly affected by this decision. That's about it for TechnoSecurity 2008 for me.
EDIT: Clarification on the WetStone U3 tool. This tool is based on a U3 device that gets plugged into a suspect machine. It will collect volatile data. Sounds a little like COFEE and USB Hacksaw in one.
Techno Security Day 3
Today was an interesting day.
I started the day listening to Eric Thompson from AccessData do some damage control as a result of FTK 2's absolute failures. I found his talk to be as tasteless as the email that was sent out regarding FTK2. It was interesting that he received 1 question, which had nothing to do with his talk. More on AccessData later...
Up next, after a caffeine fix, was Dave Thomas from the FBI and Rohyt Belani's talk "Current and Emerging Cyber Threats and the Internet".
I was a little disappointed that Rohyt used some of the same content from a 2006 Black Hat talk he did as far as compromises go. Dave's portion of the talk was very interesting. He had a fantastic visual analogy for systems administrators. If you've ever seen 'Ice Age', there's a scene where the squirrel is attempting to plug a number of holes with various body parts. Very accurate in my opinion. Dave pretty much focused on cyber crime from the FBI's perspective - when they get called into a corporate incident. He discussed the difficulties they have with foreign countries and the differences in breaking encryption in the US vs. Italy. In the US it's a very technologically intensive process. In Italy, they apparently grab the suspect and beat them over the head to get the key out of them. Interesting talk, especially from the perspective of the FBI.
Next up was Amber Schroader from Paraben. Her talk was "Emerging threats in digital devices".
The talk was interesting from the perspective of someone who specializes in mobile device analysis, and she pretty much discussed how to deal with mobile devices in your own organization. A few good points:
Define what's required for the organization to function.
Determine how they are regulated in the organization, and how they should be.
Determine if you are auditing these portable devices.
The mobile field is changing daily. Update your requirements frequently.
Apparently Paraben takes the stance "if it gets plugged in to our machines, then we get to make a copy of the contents". They actively monitor their systems for mobile devices and refuse to allow iPhones.
These are just a few things to consider when you talk to clients, or when devising your own internal policies regarding mobile/portable devices.
She did point out the I-Fone, which I'd never seen or heard of. Interesting device..takes 2 SIMs and a storage card, and it looks exactly like the iPhone.
The day ended with Marc Weber Tobias' talk on breaking Medeco locks. I'd seen parts of his talk before and the discussion surrounding the M3 and biaxial locks, but it's always best to see his stuff in the flesh. Playing with the Tomahawks and Medeco locks is not a common occurrence.
Some takeaways from his talk:
Work the problem, consider all design parameters and explore all aspects.
Ignore the so called experts.
Always believe there is a vulnerability.
The key does not unlock the lock, the key actuates the mechanism which locks/unlocks the lock.
Time is on their side. It took 18 months to crack the Medeco locks. This reinforces the idea that given time as a constant, all security can be compromised.
Ok, so on to AccessData. Pay attention to this one because it may have implications for you.
I approached the AccessData booth at least 4 times without being noticed by a single person manning the booth. There were no less than 7 people there at any time I stopped by. Finally I grabbed the attention of one of the folks at the booth and asked a simple question.
"With the web-based case review/external viewing capability, what are the implications of an external case reviewer reviewing case contents from a remote location? Specifically, what are the implications of a reviewer using Internet Explorer - upon which the tool is based - caching the images of a CP case? Even with the 'don't store SSL pages in cache' option, IE still caches the pages and wipes them when done. The potential for CP images to be cached by the browser and cached in a thumbnail file exists."
There is currently no solution to this. It is now being discussed and we talked about a few potential solutions - such as using a VMware browser appliance and secure wiping - so the case reviewer's machine does not become tainted by CP images.
In addition, they are now allowing EVIDENCE outside of the forensic lab. Not in the sense of copying data, but viewing the data, which due to caching is essentially the same as copying. This is not what I would consider acceptable in the real world. The digital world needs to be treated no differently. The traditional forensic lab model has been violated by AccessData with the creation of their web-based tools. This is what I'm calling Evidence Sprawl or Evidence Leakage and it needs to be treated very seriously. In addition, the images can be found outside of the database in the case temporary directory. This is not only serious from the leakage potential, but consider the case integrity implications. We know espionage exists. If I know who the forensic company is working with, I can target the potential case reviewers for compromise and jeopardize the integrity of the entire case. By extending the reach of the forensic lab, they are exposing the lab to more risk. The model of not having forensics machines connected to the internet disappears with this architecture. If you have the more advanced AccessData products, consider the implications and the network security architecture that must be implemented to adequately protect the case data.
I am not trashing AccessData here. I just want to make sure we all understand the implications of using their new breed of tools. When building the networks required to implement the new tools, you really need to consider the security of the 'system'. By system I mean any computer, network, or other asset that has access to or processes case data.
If you have thoughts on the FTK issues, please share them.
I started the day listening to Eric Thompson from AccessData do some damage control as a result of FTK 2's absolute failures. I found his talk to be as tasteless as the email that was sent out regarding FTK2. It was interesting that he received one question, which had nothing to do with his talk. More on AccessData later...
Up next, after a caffeine fix, was Dave Thomas from the FBI and Rohyt Belani with their talk "Current and Emerging Cyber threats and the Internet".
I was a little disappointed that Rohyt used some of the same content from a 2006 blackhat talk he did as far as compromises go. Dave's portion of the talk was very interesting. He had a fantastic visual analogy for systems administrators. If you've ever seen 'ice age' there's a scene where the squirrel is attempting to plug a number of holes with various body parts. Very accurate in my opinion. Dave pretty much focused on cyber crime from the FBI's perspective - when they get called in to a corporate incident. He discussed the difficulties they have with foreign countries and the differences in breaking encryption in the US vs. Italy. In the US it's a very technologically intensive process. In Italy, they apparently grab the suspect and beat them over the head to get the key out of them. Interesting talk, especially from the perspective of the FBI.
Next up was Amber Schroader from Paraben. Her talk was "Emerging threats in digital devices".
The talk was interesting from the perspective of someone who specializes in mobile device analysis and she pretty much discussed how to deal with them in your own organization. A few good points:
Define what's required for the organization to function.
Determine how they are regulated in the organization, and how they should be.
Determine if you are auditing these portable devices.
The mobile field is changing daily. Update your requirements frequently.
Apparently Paraben takes the stance "if it gets plugged in to our machines, then we get to make a copy of the contents". They actively monitor their systems for mobile devices and refuse to allow iPhones.
These are just a few things to consider when you talk to clients, or when devising your own internal policies regarding mobile/portable devices.
She did point out the I-Fone which I'd never seen or heard of. Interesting device. It takes 2 SIMs and a storage card, and it looks exactly like the iPhone.
The day ended with Marc Weber Tobias' talk on breaking Medeco locks. I'd seen parts of his talk before and the discussion surrounding the M3 and biaxial locks, but it's always best to see his stuff in the flesh. Playing with the Tomahawks and Medeco locks is not a common occurrence.
Some takeaways from his talk:
Work the problem, consider all design parameters and explore all aspects.
Ignore the so called experts.
Always believe there is a vulnerability.
The key does not unlock the lock, the key actuates the mechanism which locks/unlocks the lock.
Time is on their side. It took 18 months to crack the Medeco locks. This reinforces the idea that, given enough time, all security can be compromised.
Ok, so on to AccessData. Pay attention to this one because it may have implications for you.
I approached the AccessData booth at least 4 times without being noticed by a single person manning the booth. There were no less than 7 people there at any time I stopped by. Finally I grabbed the attention of one of the folks at the booth and asked a simple question.
"With the web based case review/external viewing capability, what are the implications of an external case reviewer, reviewing case contents from a remote location? Specifically, what are the implications of a reviewer using Internet Explorer - upon which the tool is based - caching the images of a CP case? Even with the don't store ssl pages in cache option, IE still caches the pages and wipes them when done. The potential for CP images to be cached by browser and cached in a thumbnail file exists."
There is currently no solution to this. It is now being discussed and we talked about a few potential solutions - such as using a VMware browser appliance and secure wiping - so the case reviewer's machine does not become tainted by CP images.
In addition, they are now allowing EVIDENCE outside of the forensic lab. Not in the sense of copying data, but viewing the data, which due to caching is essentially the same as copying. This is not what I would consider acceptable in the real world. The digital world needs to be treated no differently. The traditional forensic lab model has been violated by AccessData with the creation of their web based tools. This is what I'm calling Evidence Sprawl or Evidence Leakage and it needs to be treated very seriously. In addition, the images can be found outside of the database in the case temporary directory. This is not only serious from the leakage potential; consider the case integrity implications as well. We know espionage exists. If I know who the forensic company is working with, I can target the potential case reviewers for compromise and jeopardize the integrity of the entire case. By extending the reach of the forensic lab, they are exposing the lab to more risk. The model of not having forensics machines connected to the internet disappears with this architecture. If you have the more advanced AccessData products, consider the implications and the network security architecture that must be implemented to adequately protect the case data.
I am not trashing AccessData here. I just want to make sure we all understand the implications of using their new breed of tools. When building the networks required to implement the new tools, you really need to consider the security of the 'system'. By system I mean any computer, network, or other asset that has access to or processes case data.
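A practical check for the leakage described above, added here as an example and not code from the original post or from AccessData: sweep a reviewer's workstation for byte-identical copies of case images by content hash, so that cached objects sitting under browser-assigned random names are still caught. The evidence hash set, the cache directory layout and the sample image bytes are all constructed for the demo.

```python
"""
Sweep a case reviewer's workstation for copies of case images that leaked
out of the review application, e.g. into a browser cache or a temp directory.
Added example: the evidence hashes, directory names and sample files below
are constructed for illustration and are not from any real case or product.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, evidence_hashes, min_size=0):
    """Return [(path, digest)] for every file under `roots` whose content hash
    is in `evidence_hashes`. Matching on content rather than on file name or
    extension matters: browser caches rename what they store."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                try:
                    if p.stat().st_size < min_size:
                        continue
                    digest = sha256_file(p)
                except OSError:
                    # Locked or unreadable; in practice record these separately
                    # so the sweep report shows what could not be checked.
                    continue
                if digest in evidence_hashes:
                    hits.append((str(p), digest))
    return hits


def demo():
    """Build a fake cache tree and show that a cached copy of a case image is
    found even though the browser gave it a different name."""
    evidence = b"\x89PNG\r\n\x1a\n" + b"case-image-0001" * 100   # constructed
    unrelated = b"\x89PNG\r\n\x1a\n" + b"vendor-logo" * 100       # constructed
    # Assumed: the lab exports a SHA-256 list of every image in the case.
    evidence_hashes = {hashlib.sha256(evidence).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        # Illustrative layout only; real cache paths vary by browser/version.
        cache = Path(tmp) / "Temporary Internet Files" / "Content.IE5" / "A1B2C3D4"
        cache.mkdir(parents=True)
        (cache / "view[1].png").write_bytes(evidence)
        (cache / "logo[1].png").write_bytes(unrelated)
        hits = sweep([tmp], evidence_hashes)
    return hits, evidence_hashes


if __name__ == "__main__":
    for path, digest in demo()[0]:
        print(f"LEAKED {digest[:12]}... at {path}")
```

Two caveats when using something like this for real: a hash sweep only finds verbatim copies (browser cache, temp directories, the case temporary directory mentioned above), not the re-encoded, downscaled copies a thumbnail cache keeps, so those files need to be inspected on their own; and it should be run against the reviewer's disk from a clean boot medium, since a live system locks the very cache files you want to read.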
If you have thoughts on the FTK issues, please share them.
Monday, June 2, 2008
TechnoSecurity Day 2
Today was much more interesting, probably because I was a bit more alert.
I forgot to mention that I finally got to meet Christopher Brown of Pro-discover the night before. Chris is a great guy and if you haven't had a chance, pick up his book. We discussed the difficulty he had with publishers and how the book as a result has not received the marketing and advertising it deserves. If you don't own the book, buy it. It's a good read with a lot of fantastic information.
I had the pleasure of meeting and having dinner with Matt Shannon from F-response today. Matt is a real stand-up guy and if you're down at the con, stop by the booth and see the demo if you haven't checked out his videos. We chatted quite a bit today about a wide range of topics and while at the booth I thought it was very interesting to watch the reactions of people checking out F-response. You could literally see the lights turn on as investigators and consultants watched the tool at work. Some people just get it. I'll be back by the booth at various times tomorrow, and if you're at the con, stop by and say hi. I'm always interested in meeting people, especially anyone that reads this blog. Speaking of which I finally met Christine of E-evidence.
Conference talks:
I started off in Joe Stewart's presentation about analysis of the storm worm. Wow, this was a really geeky but interesting talk. Lots of hex, lots of details about the various protocols and encryption used by storm variants. Joe wins points in my book as being the ONLY presenter I've seen so far at the con using Zoomit to show fine print during a presentation. Word to the wise for other presenters, learn and use this tool if you're showing small font text in your talks. I can't tell you how frustrating it is as someone in the audience when you hear "You probably can't see this very well"... If the audience can't see it, then don't show it. No takeaways here other than geeky tech details and perhaps some research opportunities.
Next I scooted to a talk by Y12. I'd never heard of Y12 before this conference. They do some pretty interesting things, which are scary at the same time (think nuclear energy). The talk was interesting and I have one takeaway when it comes to operational testing of security technologies (the presentation topic).
Government agencies need to share more information. If I am a corporate consumer of security technologies, specifically physical security and someone has done operational testing of the product, then I want to know about it, and the results before I purchase. Y12 stated that there are currently NO testing standards or even guidelines which I found alarming, especially coming from their group. When I asked, they suggested that they may release their own best practices for others to work with, but of course no promises of sharing information. I love the government.
Takeaways:
Get your products to testers early on in the development process.
I next attended Anthony Reyes' presentation on international incident response challenges. This talk was interesting even though I skipped out early. He shared some good information on what to look out for in an international investigation, even if it's an internal corporate investigation.
Two takeaways:
Does your Incident Response Plan consider international regulations?
Does your IR plan consider international geographic locations?
The talk I skipped out to see was poorly attended and more of a showcase for NetWitness. So...I quickly jumped next door to a fantastic talk.
Michael Cahoon of Sandia Labs shared some warstories and wisdom from Sandia's experiences. Fantastic stuff. I can refer to the Counter Insurgency Field Manual as a basis for his talk. Consider if you will the Intelligence Planning of the Battlefield. This is absolutely vital when looking at your own environment, especially when analyzing all of the data and the operational environment. You can begin to identify your threats and the necessary actions required to deal with that threat. This talk was just great and I will likely have quite a bit to say about the contents at a later time.
Thoughts of the day:
Why did Vantos have a chixor dressed like a stripper cop at their booth? I may never understand this.
Don't make me come to a conference to hear your sales pitch disguised as a presentation. If I want a sales pitch, I'll stop by your booth or call your sales team. I look for useful information at talks, not sales pitches.
Fantastic crime scene photos at the ECTF booth. Very illuminating photos. The Paraben booth took a good approach of having a mock crime scene in which you had to identify all of the sources of potential evidence.
AccessData...Wow, what can I say? They've released a lackluster product in FTK 2.x, essentially called their customers morons in an email by shifting the blame to the customer for their own failures, and they weren't exactly very friendly to many folks at the conference as far as I could tell. Not exactly the approach I would take from a business standpoint.
A lot of people have mocked them as overly expensive drill presses, but this EDR product is impressive. They had a few of them at their booth doing live demonstrations. Some folks are required by various contracts to be present during drive destruction, and this is one of those devices that I would ask to operate because it's fun to press the button on the remote. Check out the pile of destruction! I think I'll ask them for a destroyed drive as a souvenir tomorrow.
Tomorrow will be my final day at the conference. Should be another interesting day.
TechnoSecurity Day 1
I arrive at the Marriott in my smelly clothes, hauling my backpack full of travel gear, and I find my way to registration...can you say lack of directional signs?
The registration process was simple. Last name only and they verify on a check-sheet. Hmm, a security conference and the only verification is done by last name? No other authentication mechanism, such as presenting a receipt or confirmation email? My, how interesting.
Anyways I got my fancy padfolio and badge - kind of cool by the way - and an obnoxious bag from a sponsor. Sorry guys, but that's ridiculous. I thought to myself "what the hell am I supposed to do with this huge bag?" I dumped the bag as soon as I could.
Quotes from the day:
"Did you see that cop's wrist? Harley accident in the mountains, he hit black ice and was dead for 27 seconds."
I did a massive double take on that one. Did I hear that right? I ended up meeting said cop on day two. I'll have to confirm that story with him. Nice guy by the way..will add comments on that discussion later.
First talk of the day:
Roel Schouwenberg (sp?) from Kaspersky Labs talking about malware ecosystems and their evolution.
Takeaways from his talk:
The threat is not changing (people like to say that), it already has changed.
Malware authors are using search engine optimization to get their hacked sites rated higher on Google searches so it's more likely the links will be clicked.
They are expecting 20 million threats this year (ouch).
He spoke on a Criminal-to-Criminal business model - kind of like the B2B model, but for criminals. There are multinational rings involved and the players take roles such as translators, money mules, R&D and spammers.
I found that particularly interesting in that he exposed a little bit about the organization of the criminals, which is to say that it's a pretty impressive mode of operation.
Roel surmised that the next large area of focus for criminals will be mobile banking. Which is to say banking from a mobile device will be very interesting shortly.
Talk 2:
James Aquilina - Stroz Friedberg - Malware investigations and their legal implications. This talk was a lot of lawyerese, but he made some very interesting points and had good information.
If you didn't know, James was the prosecutor in the Anchetta case (botnet related, received a lot of press). James had a very amusing talk at first. He had great graphics designed to make complex topics understandable by judges and non-technical people.
Some interesting points on the implications of using packet sniffers for investigations, such as collection beyond the scope of the investigation: instead of doing a full packet capture at a choke point, you should only capture traffic between the affected victim computer and the attacker. A full capture could be outside the scope of the investigation, and this could come into play in many cases. Other points:
When investigating/prosecuting a minor who is a malcode author you may not refer to them by name in any notes. This could be construed as releasing their name, and identifying a minor is a no-no.
I have a lot of post processing of his talk to do.
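To make the scoping point concrete, here is an added example (mine, not from the talk or from the original post) that trims a capture down to the victim/attacker conversation and drops everything else that passed the same choke point, counting what was excluded so the report can say so. The addresses and packets are constructed; the parser handles only classic little-endian pcap files carrying Ethernet/IPv4 frames.

```python
"""
Reduce a packet capture to the scope of an investigation: keep only frames
with the victim at one end and the attacker at the other. Added example with
constructed addresses and packets; not from the talk or the original post.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, little-endian, microsecond ts
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def pcap_header():
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def pcap_record(ts_sec, frame):
    # ts_sec, ts_usec, incl_len, orig_len, then the frame bytes
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


def ipv4_frame(src, dst, payload=b""):
    """Minimal Ethernet + IPv4 frame for the demo; checksum left at zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    total = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def iter_records(pcap_bytes):
    """Yield (ts_sec, frame) from a classic little-endian pcap."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic / byte order")
    _, _, _, _, _, linktype = struct.unpack_from("<HHiIII", pcap_bytes, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles Ethernet captures only")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        yield ts_sec, pcap_bytes[off:off + incl_len]
        off += incl_len


def ipv4_endpoints(frame):
    """Return (src, dst) dotted quads for an IPv4 frame, or None otherwise."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    src, dst = struct.unpack_from("!4s4s", frame, 26)   # 14-byte Ethernet + 12 into IP
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)


def scope_capture(pcap_bytes, victim, attacker):
    """Return (scoped_pcap_bytes, kept, dropped). Third-party traffic and
    non-IPv4 frames are dropped, not collected."""
    in_scope = {(victim, attacker), (attacker, victim)}
    out = bytearray(pcap_header())
    kept = dropped = 0
    for ts, frame in iter_records(pcap_bytes):
        if ipv4_endpoints(frame) in in_scope:
            out += pcap_record(ts, frame)
            kept += 1
        else:
            dropped += 1
    return bytes(out), kept, dropped


def demo():
    """Constructed choke-point capture: two in-scope frames, two that are not."""
    victim, attacker, bystander = "10.0.0.5", "203.0.113.9", "10.0.0.7"
    full = bytearray(pcap_header())
    full += pcap_record(1, ipv4_frame(attacker, victim, b"exploit"))
    full += pcap_record(2, ipv4_frame(victim, attacker, b"beacon"))
    full += pcap_record(3, ipv4_frame(bystander, "198.51.100.1", b"hr mail"))  # out of scope
    full += pcap_record(4, ipv4_frame(attacker, bystander, b"scan"))           # out of scope
    scoped, kept, dropped = scope_capture(bytes(full), victim, attacker)
    return kept, dropped, [ipv4_endpoints(f) for _, f in iter_records(scoped)]


if __name__ == "__main__":
    kept, dropped, ends = demo()
    print(f"kept={kept} dropped={dropped} endpoints={ends}")
```

In the field the same scoping is usually applied at capture time with a filter such as `host VICTIM and host ATTACKER` on the sniffer; doing it in code after the fact is useful when a broad capture already exists, because the drop count documents exactly how much out-of-scope traffic was excluded before anyone looked at it.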
Talk 3: Chris Mellen - AccessData - Volatile and memory analysis in a network environment.
I actually ended up taking no notes during this talk. It quickly seemed to turn into a "this is AD Enterprise and here's how we do memory analysis" talk. The talk ended early, which allowed me to sneak into a great talk..
Talk 4: Jack Wiles - Social engineering in progress.
Wow, what a good talk. I ended up not taking notes here either, mainly because I was focused on Jack. Lots of props and even some sleight of hand tricks to illustrate the point that as adults our minds have been trained to ignore the "sleight of hand" or the tricks of the social engineer. Very interesting stuff from a social sciences standpoint of looking at human relationships and trust.
Thoughts from today:
When did it become ok for us to trojan corporate systems with "forensic tools" that utilize rootkit hiding mechanisms?
Techno Security - Travel
I had such an exciting adventure attempting to get down to Techno Security that I decided I needed to have a dedicated blog entry about it. Please note this is a break from IR and forensics.
My day began at 6 am. I arrived in Philadelphia for my connecting flight to Myrtle Beach around 1pm. My flight was scheduled to leave at 3:30. No worries, just a 2 hour layover...yeah right. And that's when things went awry.
As an experiment in not just awareness but self-amusement I decided to take my notebook with me on my trip so I could take notes on what happened during my trip and write down any observations at the same time. So without further ado, here are some observations, quotes and other stories from my beleaguered trip down.
The following is from my Airport of Origin:
Observation: 9:15am
"8 TSA guys at baggage check. One spinning in chair getting dizzy, standing up then attempting to walk. Other TSA employees standing by laughing".
- comment - tax dollars hard at work, no problem with homeland security here.
At the security check I attempt to add a little humor to the screening process.
TSA Guard:"How are you today"
Me:"Overdressed apparently" This in reference to the de-robing that passengers must undergo.
TSA Guard:"I take it you have to pee"
Me:"No not really".
She clearly did not get my brand of humor.
-comment- Why is it that I can't take a certain size container of "liquids or gel" onboard but I can take bomb making components - copper wire, batteries, tools etc.
-comment- Oh great a turboprop, I love massaging chairs.
Observation:
10:00am Young man across the way using a macbook sets it down on the chair next to him, and goes to bathroom.
10:05am Young man returns
10:18 Old man across the way using an Asus EEEPC sets it down on chair next to him, and walks down the hallway.
10:23 Old man returns
-comment- Can people really be that trusti..stupid?
I refer to Johnny Long at this point...No Tech Hacking all the way.
There were two women sitting behind me at the airport having a very candid discussion about HR issues in a corporation. I won't get in to details but let's just say people need to be more aware of the conversations they have in public. We do pay attention even if we appear to be "pre-occupied". I was pre-occupied with capturing their conversation.
The following is from Philadelphia:
After 2 hours of the following comment our plane arrived...
Woman at Gate: "The flight to Myrtle Beach is running behind schedule due to weather. As soon as it arrives it will need to be fueled, cleaned and catered. As soon as that's done we'll begin the boarding process".
After a relatively short boarding process the captain gets on and says (by the way you never want to hear this)
Pilot flight 3245: "Ladies and gentlemen, unfortunately we can't push off yet, it looks like we took a bird in the #2 engine and maintenance just needs to take a look at it".
Observation - The maintenance crew pulls up and "takes a look at it" and essentially confirmed "yep there's a bird in the engine" and drove off.
My plane finally pushes off from the gate and we make it out to the tarmac for taxi and as we are pulling near the runway I look out the window and see approximately 15 airplanes stacked up in holding positions. Uh-oh that can't be good...
Pilot Flight 3245: "Folks, this is the captain on the flight deck. I have bad news, they're holding up all the southbound flights at this time. There's a line of thunderstorms over Virginia that's slowly moving east. It's going to be about 15 minutes before they update us".
25 minutes later...
Pilot Flight 3245: "Folks, we're headed back to the gate. They've found us a new flight path that will take about 2 hours but we don't have enough fuel. We need to head back to the gate to refuel and we'll be on our way. Thank you for your patience, we're trying to get you to Myrtle Beach as soon as possible."
At the gate some time later...
Pilot Flight 3245: "I know it's a pretty depressing situation folks. The flight attendants will bring around water if you need a drink."
30 minutes later still at the gate...
Flight attendant (speaking to woman nearby):"No Ma'am I have no idea, I've been in the back there and know less than you." This in reference to what's taking so long and when we're going to leave.
The plane finally pushes off again and, as we are being backed up so we can begin to taxi, the plane is all of a sudden heading back to the gate. My, how odd. When we get back to the gate the co-captain opens the flight deck door, gets on the radio and says..
Co-captain:"Ladies and gentlemen I have a bit of bad news...we've missed our flight window and the big wigs upstairs have said we can't go. We missed our flight window, your crew has been in service for 15 hours and the FAA won't let us fly because we've timed out. Please bear with us, we're going to try to find a new crew."
Meanwhile, the baggage loading vehicle has approached the plane and is unloading us...
Flight attendant: "Ladies and gentlemen, we have some good news to bring a smile to your faces. I'm breaking out the liquor cart. Y'all have put up with more than you should have to today, so I'm going to bring around the liquor cart."
The flight attendant made it through the first 1/3rd of the plane before they de-planed the passengers. Great I didn't even get a drink.
And this folks is where we start to have some real fun. Emergency planning 101: HAVE A PLAN.
At this point there are over 100 angry passengers that have spent the last 4 hours, waiting for their plane to take off. Not a lot of happy people... The airline set up three gates to re-ticket passengers, provide hotel and food vouchers and handle issues.
Fantastic..except it took about 15 minutes per passenger. Now what you ask did they do about the angry passengers? That's right they called security on them. By the time I arrived at the desk, all hotel vouchers had been used and they couldn't find me a hotel room anywhere. Another 30 minutes of waiting..
I walk over to the Airport Marriot at 9:15 or so and check myself in.
The next morning I arrived at security. My driver's license was viewed as suspicious by TSA..why? Because my address had been crossed off on the front and was written by hand on the back on a DMV sticker. Apparently in NY this is acceptable, but not in Philadelphia. Interesting...TSA has different policies in different areas? Note if you will that TSA said nothing in the NY airport. Maybe the guards should have done more than spin in chairs and get dizzy.
I arrived in Myrtle Beach a day late - the day the conference started. My bag as it turns out was on a different flight..one that got delayed. So, I was in two day old clothes, full of airplane stink and I couldn't check in to my hotel room because it was too early..so what else could I do but hit the conference?
The airline you ask? US Airways...
My day began at 6 am. I arrived in Philadelphia for my connecting flight to Myrtle Beach around 1pm. My flight was scheduled to leave at 3:30. No worries, just a 2 hour layover...yeah right. And that's when things went awry.
As an experiment in not just awareness but self-amusement I decided to take my notebook with me on my trip so I could take notes on what happened during my trip and write down any observations at the same time. So without further ado, here are some observations, quotes and other stories from my beleaguered trip down.
The following is from my Airport of Origin:
Observation: 9:15am
"8 TSA guys at baggage check. One spinning in chair getting dizzy, standing up then attempting to walk. Other TSA employees standing by laughing".
- comment - tax dollars hard at work, no problem with homeland security here.
At the security check I attempt to add a little humor to the screening process.
TSA Guard:"How are you today"
Me:"Overdressed apparently" This in reference to the de-robing that passengers must undergo.
TSA Guard:"I take it you have to pee"
Me:"No not really".
She clearly did not get my brand of humor.
-comment- Why is it that I can't take a certain size container of "liquids or gel" onboard but I can take bomb making components - copper wire, batteries, tools etc.
-comment- Oh great a turboprop, I love massaging chairs.
Observation:
10:00am Young man across the way using a macbook sets it down on the chair next to him, and goes to bathroom.
10:05am Young man returns
10:18 Old man across the way using an Asus EEEPC sets it down on chair next to him, and walks down the hallway.
10:23 Old man returns
-comment- Can people really be that trusti..stupid?
I refer to Johnny Long at this point...No Tech Hacking all the way.
There were two women sitting behind me at the airport having a very candid discussion about HR issues in a corporation. I won't get in to details but let's just say people need to be more aware of the conversations they have in public. We do pay attention even if we appear to be "pre-occupied". I was pre-occupied with capturing their conversation.
The following is from Philadelphia:
After 2 hours of the following comment our plane arrived...
Woman at Gate: "The flight to Myrtle Beach is running behind schedule due to weather. As soon as it arrived it will need to be fueled, cleaned and catered. As soon as that's done we'll begin the boarding process".
After a relatively short boarding process the captain gets on and says (by the way you never want to hear this)
Pilot flight 3245: "Ladies and gentlemen, unfortunately we can't push off yet, it looks like we took a bird in the #2 engine and maintenance just needs to take a look at it".
Observation - The maintenance crew pulls up and "takes a look at it" and essentially confirmed "yep there's a bird in the engine" and drove off.
My plane finally pushes off from the gate and we make it out to the tarmac for taxi and as we are pulling near the runway I look out the window and see approximately 15 airplanes stacked up in holding positions. Uh-oh that can't be good...
Pilot Flight 3245: "Folks this is the captain on the flight deck. I have bad news, they're holding up all the southbound flights at this time. There's a line of thunderstorms over virginia that's slowly moving east. It's going to be about 15 minutes before they update us".
25 minutes later...
Pilot Flight 3245: "Folks, we're headed back to the gate. They've found us a new flight path that will take about 2 hours but we don't have enough fuel. We need to head back to the gate to refuel and we'll be on our way. Thank you for your patience, we're trying to get you to Myrtle Beach as soon as possible."
At the gate some time later...
Pilot Flight 3245: "I know it's a pretty depressing situation, folks. The flight attendants will bring around water if you need a drink."
30 minutes later still at the gate...
Flight attendant (speaking to a woman nearby): "No Ma'am, I have no idea. I've been in the back there and know less than you." This was in reference to what's taking so long and when we're going to leave.
The plane finally pushes off again and, as we are being backed up so we can begin to taxi, the plane all of a sudden heads back to the gate... my, how odd. When we get back to the gate the co-captain opens the flight deck door, gets on the radio and says...
Co-captain: "Ladies and gentlemen, I have a bit of bad news... we've missed our flight window and the big wigs upstairs have said we can't go. We missed our flight window, your crew has been in service for 15 hours and the FAA won't let us fly because we've timed out. Please bear with us, we're going to try to find a new crew."
Meanwhile, the baggage loading vehicle has approached the plane and is unloading us...
Flight attendant: "Ladies and gentlemen, we have some good news to bring a smile to your faces. I'm breaking out the liquor cart. Y'all have put up with more than you should have to today, so I'm going to bring around the liquor cart."
The flight attendant made it through the first third of the plane before they de-planed the passengers. Great, I didn't even get a drink.
And this folks is where we start to have some real fun. Emergency planning 101: HAVE A PLAN.
At this point there are over 100 angry passengers that have spent the last 4 hours waiting for their plane to take off. Not a lot of happy people... The airline set up three gates to re-ticket passengers, provide hotel and food vouchers and handle issues.
Fantastic... except it took about 15 minutes per passenger. Now what, you ask, did they do about the angry passengers? That's right, they called security on them. By the time I arrived at the desk, all hotel vouchers had been used and they couldn't find me a hotel room anywhere. Another 30 minutes of waiting...
I walk over to the Airport Marriott at 9:15 or so and check myself in.
The next morning I arrived at security. My driver's license was viewed as suspicious by TSA... why? Because my address had been crossed off on the front and was written by hand on the back on a DMV sticker. Apparently in NY this is acceptable, but not in Philadelphia. Interesting... TSA has different policies in different areas? Note, if you will, that TSA said nothing in the NY airport. Maybe the guards should have done more than spin in chairs and get dizzy.
I arrived in Myrtle Beach a day late - the day the conference started. My bag, as it turns out, was on a different flight... one that got delayed. So, I was in two-day-old clothes, full of airplane stink, and I couldn't check in to my hotel room because it was too early... so what else could I do but hit the conference?
The airline you ask? US Airways...