Tag: Security

Understanding Network Forensics

Digital Forensics is moving away from traces of activity toward network forensics, where the key information about activity is contained within network traces. Unfortunately these network traces are often extremely verbose: a typical user might generate hundreds of data packets every minute. Thus, in order to detect a range of threats, we need to understand what the traces of activity look like so that we can create network rules which detect the activity. For this we can use an Intrusion Detection System (IDS) to monitor a range of network traffic and create events for the system manager to analyse.

Key features of an IDS

One of the key things about an IDS is how specific we make the rules. If we make them too specific we will miss threats which vary slightly from the signature, whereas if we make them too general we may get swamped by alerts, which can often desensitise the administrator to them. Thus we try to balance the sensitivity of the rules that we create. In some cases, such as for a specific virus, we can be extremely focused, and actually capture a small and unique section from the binary footprint of the executable code. Otherwise, if it is a human-launched threat, then a human will often change their activity in order to avoid detection. For these we define the number of times that the IDS detects a threat correctly as true-positives, while one which causes an alert but is incorrectly identified is known as a false-positive. If it misses a threat, and does not alert the system, it is then a true-negative. In a well-run system we want to maximise the ratio of true-positives to false-positives.
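The specificity trade-off above, as an added example (not code from the original post): a toy matcher that reads a cut-down Snort-style rule (only the msg:, content: and sid: options are interpreted) and scores it against constructed HTTP payloads. The beacon marker evilbot/1.2, its changed variant 1.3, and the payloads themselves are invented for illustration.

```python
import re

# Constructed sample HTTP payloads (not real captures): (bytes, is_threat).
# "evilbot/1.2" is an invented beacon marker; "1.3" is a variant the attacker changed.
PACKETS = [
    (b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n", False),
    (b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n", False),
    (b"GET /news HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n", False),
    (b"GET /gate.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; evilbot/1.2)\r\n\r\n", True),
    (b"GET /gate.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; evilbot/1.3)\r\n\r\n", True),
]

# Cut-down Snort-style rules; only msg:, content: and sid: are interpreted here.
# The first is very specific (one marker string), the second very general.
RULES = [
    'alert tcp any any -> any 80 (msg:"evilbot 1.2 beacon"; content:"evilbot/1.2"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"legacy MSIE user-agent"; content:"MSIE 6.0"; sid:1000002;)',
]

RULE_RE = re.compile(r'msg:"(?P<msg>[^"]*)";\s*content:"(?P<content>[^"]*)";\s*sid:(?P<sid>\d+);')

def parse_rule(rule):
    """Extract the options this toy matcher understands from a rule line."""
    m = RULE_RE.search(rule)
    if m is None:
        raise ValueError("unsupported rule syntax: " + rule)
    return {"msg": m["msg"], "content": m["content"].encode(), "sid": int(m["sid"])}

def evaluate(rule, packets):
    """Score one rule: alerts on real threats (tp), alerts on benign traffic (fp),
    and threats that raised no alert (missed)."""
    r = parse_rule(rule)
    tp = fp = missed = 0
    for payload, is_threat in packets:
        alerted = r["content"] in payload
        if alerted and is_threat:
            tp += 1
        elif alerted:
            fp += 1
        elif is_threat:
            missed += 1
    return {"sid": r["sid"], "msg": r["msg"], "tp": tp, "fp": fp, "missed": missed}

if __name__ == "__main__":
    for rule in RULES:
        print(evaluate(rule, PACKETS))
```

The specific rule misses the changed variant, while the general rule catches both but also fires on every legacy browser, which is exactly the balance the text describes.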

Understanding the Protocols

The greatest problem with network forensics is that there are so many protocols to understand, and many of these were created as single pin-point solutions, without any real thought of how they would integrate into the Internet. But, it must be said, the reason the Internet has been so successful was this distributed approach to its development, where standards were quickly drafted as RFCs (Requests For Comments) and then adopted by industry. An Internet designed by a committee or a standards agency would never have happened, as there would be so many vested interests involved.

So to understand network protocols, I’ve created a lecture:

and have created a Web site in which you can analyse a whole range of network traces here.

Understanding More Advanced Traces

Often we not only have to understand the network trace, we also have to create signatures for the threats seen on the network. For this, I have created a presentation which outlines some key threats, such as password cracking, DoS attacks, system scanning, and so on:

and I’ve created a Web page in which you can analyse these traces here.

Understanding Snort

Finally, once we have the traces, and have analysed them for a signature for the threat, we can analyse them using Snort. For this we run Snort on the network traffic with some rules to see if we can detect the threat. This can be time consuming, so we can also analyse it off-line, with a captured trace:

and then I’ve set up a Web page where you can analyse Snort alerts with various example traces and rule files here, where the following is a demo:


Learning network forensics is all about learning everything that happens on the Internet … and as we move increasingly to the Cloud, it is one of the key skills for now, and for the future. Luckily I learnt all the protocols when I wrote my handbooks, poring over RFCs, but now, with Wireshark and Snort, you can use these tools to learn them. Please enjoy … it’s great fun to learn, and you’ll use your knowledge in so many ways.

Getting More Kids into Computing!

I’ve been working on a range of books with Bright Red Publishing on N5 books (which relate to the new syllabus within Scottish Schools), and just now I’m working on the new N5 Computing book. The syllabus looks to be a great improvement on the previous one, with over half of it on software development, and good coverage of things such as security and databases. It thus highlights a changing world, as we now move towards new subjects within computing.

So many job roles …

Over the past few years I’ve been presenting at events on how we need to get more kids into Computing. So why, in the UK, are we still funding so many university places in subjects in which there are few jobs? Shouldn’t we be funding more student places in Computing? Few subjects can offer the breadth of jobs that Computing can … from software development to network support, and from user interface design to computer security. In fact there are so many job titles that someone entering a computing programme can work in lots of interesting areas: networking, computer security, software development, media design, mobile devices, web development, and many others. Along with this, there are new areas such as Cloud Computing, Big Data and lots of developments around mobile devices. So a first-year student in a computing degree can often select from a wide range of subjects, and select the one that interests them most, and which, possibly, has the best career options for them.

It’s at the core of everything now …

The Internet is probably one of the greatest creations ever, and one which provides us with the core of the modern world. Without it, many industries such as banking, energy, education and so on could not exist in their current form. We can see from the increasing creation and consumption of digital information that there is an increasing reliance on the Internet, with over 12TB of tweets every day, and almost 90% of all the data produced in the Cloud has been produced in the last two years. Along with this we see over 2.5 Quintillion bytes of data being produced – that’s over 1 billion hard disks of data, every day. And the Internet is not just about computer data: we are moving toward digitizing a whole range of media, including voice, video and sensor data. Along with this, areas such as health and social care could be radically changed with digital methods, where patients could Skype with their GP rather than having to arrange appointments for a face-to-face meeting.

For example … computer security

A good example of the new industries that are being created within Computing, and of the rise in academic requirements, is computer security. Within it there’s a wide range of things to focus on, including network security, operating systems, people, encryption, identity, mobile devices, wireless, and so on. Also there are new applications for the Internet, and new threats occur every day, especially as we become more mobile and more reliant on the Cloud. Many application areas, including banking, shopping, government services, health care and so on, are all going on-line, increasing the threats we are all under, which thus requires a new range of professionals which ten years ago would not even have existed … computer security consultants.

Where are the employers …

Well they are everywhere … with large and small companies expanding, from key application sectors such as banking to core IT companies. From my side, I see an increasing demand for graduates in computing, with a wide range of companies looking for many graduates. Many years ago I would see graduates move away from Scotland, but now there are companies recruiting them on their home base, with companies such as Dell SecureWorks and Amazon recruiting students to work on Princes Street … how great is that? And there are great SMEs which are leading on an international basis, whether it is miiCard for identity provision or Rockstar leading the way in computer games; there has never been a better time to get into computing.

So … why don’t we fund more graduate places in computing, and fewer in areas which struggle to find enough jobs for their graduates?

Introducing Bob and Alice …

Over the past few years, Edinburgh Napier University has been engaging with local schools on creating interest in computing, both with IT4U, which brings schools into the university and provides them with a range of interesting workshops, and with the Cyber Christmas lecture. For these we have presented on a range of things, including computer security, showing kids some fun things in cracking codes and introducing Bob and Alice. Can you remember the time when you passed secret messages to your friends at school? Well the need for code cracking increases by the day, as we see new threats evolve … so the time is right to engage with these young minds, and get them interested in some of the new problems that the world faces. It is within areas such as computer security that we create the architectures of the future, ones in which physical buildings have been replaced with virtual ones.

So how can a 1.8 million billion billion billion billion billion billion years become a few minutes?


I always find it amusing when someone loses a laptop or a USB stick with some sensitive information, and they say “It’s okay, it was encrypted” … which, unfortunately, is far from the truth, as the encryption can be easily broken in most cases. But in a previous blog I outlined how it takes 1.8 million billion billion billion billion billion billion years to find a 256-bit encryption key. So how come we can still crack even strong encryption? Well it tends to be quite easy: if you can find out where the key is, you can normally open it up, as humans tend to use weak passwords to protect their keys. So if prompted to choose a password to protect your newly created key, which would you choose … “$p7GiLl1%69” or “password”? If the answer to this is “password”, then read on … If it isn’t, then you are super-human, and easily a match for any intruder.

You’ve got to store it somewhere …

Like it or not, you’ve got to store your encryption key somewhere, as you’ll need it to decrypt your encrypted content. If you lose your key, you’ll not be able to recover your encrypted data. This can become a particular problem when you encrypt your whole disk drive, as you’ll not even be able to start your computer. So how do you keep it secure? Well we could put it in a secret place, but an intruder could search for this. The method that is normally used is to protect it with a password. So here is the flaw: it takes 1.8 million billion billion billion billion billion billion years to find the encryption key, but it can take just a few minutes to find out someone’s password, as the passwords we use are normally memorable, and are thus found with a standard dictionary. So if an intruder pops off the key with its protection, they can then run it against a standard dictionary, and crack the key. So protecting keys with a simple password is a bit like having a high-quality security system, and leaving the key to it under the plant pot.

It’s on a certificate

The place to find encryption keys is normally the certificate store, and the important one to find is the digital certificate which contains the private key. Thus even if we use top quality encryption, the certificate itself can be cracked with a dictionary attack. In this video I show how we can break a certificate with a password:

If you want to try my certificate cracker, it is here:


and I’ve created an example of reading a digital certificate with a password:


where the first certificate has a password of apples and the second has battery. Both are easy to guess from a standard dictionary. With the advent of cloud-based systems, the concept of distributing the cracking over a range of processors becomes so much easier. So to crack an encryption key with purely brute force … almost impossible! … to determine it from a container which is protected by a password … simple … to determine one which is based on a passphrase … just as simple! I often do surveys of audiences at conferences, and you would be amazed how many people say they use the name of their pet, or their favourite football team, or the name of someone in their family, all of which are normally easy to guess.


Well we’ve just seen that it’s passwords that are the problem. Is your password secure from a dictionary attack? Well most people use a fairly simple password, so that they can remember it. So forget about the size of your keys and the methods used; it is likely that it is the certificate that causes the problems. In fact, it may be the Windows password that will compromise the whole system.

What takes 1.8 million billion billion billion billion billion billion years to find?


4-bit key

So what takes 1.8 million billion billion billion billion billion billion years, on average, to find, and is only 256 bits long? Well it is the time it would take you, or to be more precise, your high-powered computer, to find the key used in a 256-bit encryption process. This calculation assumes that you would be using one of the best computers around, able to process 1,000,000,000 keys per second, which is much faster than most normal desktop computers. The following table shows how long it would take for different key sizes:


So you can’t understand why it would take so long? Well the number of keys that we have relates to the number of bits that we have in the key. So a 4-bit key would have 8 different keys from 0000 to 1111. An 8-bit key has 256 keys, a 20-bit key has over 1 million keys, and so on. Mostly we start with something like a 56-bit key, which gives us:


different keys. So if we use a computer which checks 1 billion keys per second, the time to check one key will be 1 ns, so the time to find the key, on average, will be:

T = 72,057,594,037,927,936 * 1×10^-9 / 2

which is 36,028,797 seconds, or 600,479 minutes, or 10,007 hours, or 416 days, or 1.14 years. But why do we go from just over a year to billions of years? Well for every bit that we add, we double the key space. So 57 bits takes 2.28 years, 58 bits takes 4.56 years, and so on. Thus it doesn’t take too long to get to a point where it takes billions of years. So for 256 bits, we get:


different keys, so if you do the calculation you get:

1,835,871,531,540,400,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years

which is a LONG TIME!


For a completely random key, 256 bits is completely uncrackable with today’s or tomorrow’s computers. If we were to do it, we would need a quantum computer, which could parallelise the computation and perform it at the speed of light. But the thing we must ask is … are the keys actually random? If not, then it’s a whole different calculation.
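The key-space arithmetic above, generalised to any key length, as an added example (not the author’s code): it reproduces the 56-bit and 256-bit figures at the post’s rate of 1 billion keys per second, and contrasts them with the same key when it is only protected by a password drawn from a dictionary, which is the point of the earlier section on where keys are stored. The dictionary size and the slower guess rate for a password-protected container are assumptions.

```python
import math

GUESSES_PER_SECOND = 1_000_000_000      # the post's "1 billion keys per second"
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
# Assumptions for the password-protected case (not figures from the post):
DICTIONARY_SIZE = 1_000_000             # candidate passwords in a word list
CONTAINER_GUESSES_PER_SECOND = 10_000   # opening a protected container is slower than a raw key trial

def key_space(bits):
    """Number of distinct keys of the given length (doubles with every added bit)."""
    return 2 ** bits

def expected_seconds(candidates, rate=GUESSES_PER_SECOND):
    """Average search time: on average half of the candidates must be tried."""
    return candidates / 2 / rate

def expected_years(bits, rate=GUESSES_PER_SECOND):
    """Average time to find a random key of `bits` length, in years."""
    return expected_seconds(key_space(bits), rate) / SECONDS_PER_YEAR

def effective_bits(candidates):
    """Entropy of a secret chosen uniformly from `candidates` possibilities."""
    return math.log2(candidates)

def brute_force_table(bit_sizes, rate=GUESSES_PER_SECOND):
    """Map each key length to its average brute-force time in years."""
    return {bits: expected_years(bits, rate) for bits in bit_sizes}

if __name__ == "__main__":
    for bits, years in brute_force_table([8, 20, 56, 57, 58, 128, 256]).items():
        print(f"{bits:3d}-bit key: {float(key_space(bits)):.3g} keys -> about {years:.3g} years")
    # The same 256-bit key, locked by a dictionary password, has only the
    # password's entropy and falls in seconds to minutes, not billions of years.
    print(f"dictionary password: ~{effective_bits(DICTIONARY_SIZE):.1f} bits of entropy, "
          f"about {expected_seconds(DICTIONARY_SIZE, CONTAINER_GUESSES_PER_SECOND):.0f} s")
```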