Ride The Lightning

John and I do a lot of lecturing on IT security. Like harpies, we repeat over and over "as soon as someone is terminated, cut their access." Seems as though someone at Fannie Mae forgot to do just that.

Rajendrasinh Makwana was indicted on Tuesday in the U.S. District Court for Maryland. From early 2006 to October 24, 2008, Makwana was a contractor for Fannie Mae. According to the indictment, Makwana allegedly targeted Fannie Mae’s network after he was terminated. The goal was to “cause damage to Fannie Mae’s computer network by entering malicious code that was intended to execute on January 31, 2009.” Makwana worked at Fannie Mae’s data center in Urbana, MD as a Unix engineer as a contractor with a firm called OmniTech. He had root access to all Fannie Mae servers.

Apparently, his intention was to bring down all those servers, destroying or altering data. Fannie Mae was just plain lucky. A senior UNIX engineer stumbled on the malicious script and Fannie Mae security was able to put everything right. Had they not been so lucky, it is estimated that millions of dollars of damage would have been done and Fannie Mae would have been out of business for a week.

In this economy, where employees are being terminated by the thousands every day, it is more important than ever that employers make sure the employee's access is terminated promptly. It is hard to imagine a better cautionary tale than this one.

Further information may be found here.

Hat tip to Debbie Knapp.

E-mail: snelson@senseient.com       Phone: 703-359-0700

http://twitter.com/sharonnelsonesq

Ryan Frederick may well be guilty of the murder of a police officer during a marijuana raid on his home. But I was appalled to read that a video reenactment of the night of the murder, shown in court, was inaccurate. I include a snippet about the examination of one of the police officers from The Virginian-Pilot below:

"Defense attorney James Broccoletti questioned how police could have made a video without duplicating exactly how they knocked on Frederick's door the night of the raid.

Frederick claims self-defense. He says he never heard police banging at his door or shouting and that he fired thinking someone was breaking in.

"The most critical and important moment of that night was incorrect?" Broccoletti asked Roberts.

Prosecutors, though, objected, and the judge would not allow him to answer. Broccoletti tried again.

"The knock and announce by you, the method of the knock and announce by you, the sequence of the knock and announce by you, was not correct?" he asked of the video.

"No, it was not," Roberts answered."

Virginia judges have long hesitated to allow this sort of evidence to be shown to jurors who tend to treat videos as gospel - and this story sure demonstrates why. Absolutely appalling that an inaccurate reenactment was made and shown in such an important case.

E-mail: snelson@senseient.com       Phone: 703-359-0700

http://twitter.com/sharonnelsonesq

Regretfully, we are no longer in South Carolina. Our travels took us to Myrtle Beach and our beloved Charleston, where we heartily recommend Planters Inn as a charming, affordable, centrally-located hotel and its Peninsula Restaurant for a wonderful meal. They make a Southern Manhattan of which I became inordinately fond. Dismal that I no longer have good looking men in uniform serving me these wonderful libations on a nightly basis.

Should you get to Charleston and have a car, make sure you visit the magnificnent Magnolia Plantation, with splendid trails and gardens, a wonderful tram ride with very knowledgeable guides (if you're lucky, you'll see one of the dominant pond alligators like Bubba or Big Wally) and a splendid boat ride on the Ashley River. A young Orson Welles, using a cane as an affectation (at 19!), loved this place so much that he came two summers in a row.

We did encounter an alligator (7-1/2) feet long, sunning himself right beside the trail on the bank of a pond. The tram driver somehow managed to stop us such that the alligator was positioned with his snout aiming right at me by the OPEN tram. Though not normally the most agile of creatures, I was prepared to bound for the tram's roof if the alligator so much as twitched. Fortunately, he was beguiled by the sun and I emerged unscathed from my adventure.

Surely this post is connected to electronic evidence somehow. Ah yes, we went to South Carolina to speak at the state bar's annual conference. As always, we had a warm, wonderful. inquisitive audience, mostly comprised of solo/small firm lawyers. Roughly 40% of them had handled electronic evidence cases, but it was quite clear that many of them still felt uncomfortable in the EDD world.

There were lots of practice specific questions, especially with respect to family law. If you should practice in this area, do try to attend a CLE that specifically deals with "Electronic Evidence in Family Law" - the generic e-evidence CLEs tend not to do justice to the many elements of EDD that are specific to family law.

Still mourning the absence of a Southern Manhattan - I will have to console myself with having my obliging husband make me a "Mommy Martini" - we are still not sure whether that concoction is named in my honor or as a nod to the size of the drink. No matter, another trip to Charleston is sure to beckon. As it is nearing the end of the day, solace is almost at hand. Cheers.

E-mail: snelson@senseient.com       Phone: 703-359-0700

http://twitter.com/sharonnelsonesq

Kahn Consulting, in collaboration with ARMA and other organizations, has released a survey entitled GRC, E-discovery and RIM. One of the findings from the survey:

"Less than one quarter of organizations surveyed believe that their employees understand their [governance, risk management and compliance], [records and information management] and E-Discovery responsibilities and how to fulfill them. Only 9% of employees have a good understanding of how GRC impacts them; only 15% understand their Legal Hold and E-Discovery responsibilities; and only 21% understand how information should be retained and disposed of. Although 67% of those surveyed state that employee training is “critical to their success,” the low confidence in employee awareness indicates that most organizations have more GRC, RIM, and E-Discovery training to do."

The survey includes a number of findings, basically indicating how much work remains to be done to increase awareness of GRC (Governance, Risk Management, Compliance), EDD (Electronic Data Discovery) and RIM (Records and Information Management) issues. The stats are not surprising, but nice to have them, along with several nice graphs for those of us who think in terms of PowerPoint presentations.

E-mail: snelson@senseient.com     Phone: 703-359-0700

http://twitter.com/sharonnelsonesq

Back to the salt mines after a 10 day Panama Canal cruise. There was a norovirus outbreak aboard- happily, we stayed healthy. Though perhaps we wouldn't have left so much money in the ship's casino if we'd been quarantined in our stateroom!

Hat tip to Jason Shinn for letting me know that Michigan has adopted e-discovery rules, largely tracking the federal rules. The rules may be found at http://jshinn.files.wordpress.com/2009/01/mi-amended-rules-re-esi2.pdf

E-mail: snelson@senseient.com       Phone: 703-359-0700

http://twitter.com/sharonnelsonesq

Law enforcement in Massachusetts did some nifty work recently finding a girl who had allegedly been kidnapped by her grandmother. Electronic evidence can be found anywhere and these two colleagues put Google Street View to a new use. They obtained the girl's cell phone coordinates from the carrier and found that the phone was located near an intersection in Virginia.

Using Google Street View, they "looked" around the intersection and spotted a building that appeared to be a motel, which they confirmed on Google. Then they called in the Virginia State Police, who found both the girl and the grandmother in the motel.

Case closed. Nice work guys!

Hat tip to Dan Fuller.

E-mail: snelson@senseient.com       Phone: 703-359-0700

http://twitter.com/sharonnelsonesq

A new book will be released by CastleQuest on January 15th, entitled Defending Electronic Mail As Evidence: The Critical E-Discovery Questions. John and I had the opportunity to have lunch with author Jeffrey Ritter, who was kind enough to share parts of the book with us. There is a lot of valuable content here - this is a book you can pick up and use right away. Highly recommended.

You can receive a 15% discount by ordering the book at http://www.cqdiscovery.com/ProductDetails.asp?ProductCode=CQB%2D102

E-mail: snelson@senseient.com    Phone: 703-359-0700

http://twitter.com/sharonnelsonesq

Among the computer forensics crowd, or those who follow the field, the subject of MD5 collisions always brings folks to a fever pitch, with some insisting that these collisions are a real problem and others saying, basically, "pish posh."

John is pretty much in the "pish posh" camp, at least until there is a real world example of an MD5 collision that isn't artificially engineered.

One of our friends, an EDD consultant but not a computer forensics technologist, wrote us to alert us to a brouhaha on the litsupport listserv about whether these MD5 collisions are something to worry about in the real world.

So, here is John's two cents:

"Yes, I have been following the discussion on the litsupport list . . . it is entertaining to see the theoretical bantering! Granted there have been some thoughtful responses, but I think most folks are missing the practical point.

Nobody is disputing that the MD5 collission is possible or that SSL certificate validation can be compromised. These things were demonstrated and documented years ago. Here's the main question: Is it possible to have two different (and actually usable files) containing different contents with the same MD5 hash value? My response is that anything is possible given enough time and money. But is it probable? I say no. Even those that have demonstrated the "vulnerability" call it a proof of concept."

Might things evolve one day to the point where we have to take another look at this? Sure. But for now, consider that it is possible for you to buy lottery tickets in all the states that offer them (through your many minions of course) and to win every one of those lotteries in a single week. Possible yes. Probable? If I thought it were even remotely possible, I'd be marshaling my minions right now!

For the moment, John and I concur that MD5 collisions make for lively conversation, but you're not likely to see one in the wild anytime soon.

E-mail: snelson@senseient.com       Phone: 703-359-0700

http://twitter.com/sharonnelsonesq

I promise to leave this subject soon, but there was so much response to my last blog posting, it seems as though many people would like to get to know Twitter.

It is an excellent way to get EDD and computer forensics updates - just be careful who you follow. In the EDD arena, my top choices (other than http://twitter.com/sharonnelsonesq of course) are:

http://twitter.com/complexd (Rob Robinson from Orange Legal Technologies)

http://twitter.com/TomMighell (Tom Mighell from Fios)

http://twitter.com/commonscold  (Monica Bay from Law Technology News)

http://twitter.com/EDDUpdate (Multi-author EDD blog)

If you want to stay current on EDD, these are great resources. The water's fine, come on in!

E-mail: snelson@senseient.com    Phone:703-359-0700

http://twitter.com/sharonnelsonesq

And yes, it burned half a day. Poof. Hours had vanished. I feel as though I am standing on a magic carpet, willing it to fly.

I am following good pal Rob Robinson to this uncharted land. Watching Rob use Twitter was inspiring - like Rob, I hope to make a lot of computer forensics and electronic discovery information available to all - and, of course, to learn from others. This constitutes my 2009 GRAND EXPERIMENT. So . . . for those of you in Tweetland, I am at http://twitter.com/sharonnelsonesq

Follow the yellow brick road . . . though I'm keeping my ruby slippers close at hand.

E-mail: snelson@senseient.com   Phone: 703-359-0700

http://twitter.com/sharonnelsonesq