XScoreKey: Network Radar Deja Vu

(I posted this video earlier but never provided a link to it from the video blog)

One of Edward Snowden's leaks describes a system called XKeyScore (yes... I've transposed the name in the video). While the exact nature of the XKeyScore program is still a mystery, some of the slides published so far appear eerily similar to my Network Radar system from a decade earlier. This video tries to shine a light on what XKeyScore may be doing and why by comparing it to my earlier Network Radar system.

Data Fence: Packages for Useful Auditing and Live Analysis

When you install Data Fence, it is ready to analyze BSM audit files. But how do you configure your Mac to generate useful audit data? And how can you analyze live audit data? This video walks you through downloading and installing a couple of extra packages from one of Net Squared's web site.

Seriously, live analysis is so much more fun than analyzing a file.

Data Fence: Least Privilege, False Positives, and Resolution

Data Fence applies the "Principle of Least Privilege" to data. But the very nature of Least Privilege means that many systems will get some false positives until it learns (or is told) exactly what the programs on that particular system are that need to access a particular file.

This video discusses the problem and shows how a false positive can be resolved in about 10 seconds.

Data Fence: First Data Set

I re-architected parts of Data Fence to get it through the Apple Mac App Store approval process, so I need to "re-shoot" some video tutorials. Hopefully the current version of Data Fence sails through the approval process with no problems.

This is a "getting started" video for someone who has purchased Data Fence and wants to jump right it. The video show how to download and analyze a sample BSM audit trail file.

Windows 7 Audit Trails: Exfiltration of the Swift

An old (2010) video showing how Windows 7 audit data can be used to determine how sensitive documents were exfiltrated from a computer and by whom. In this case, the "fictional" Navy traitors John Walker and Jerry Whitworth conspire to steal the data.

Glowing Embers

Old 2012 video showing that it is not too difficult to build a simple cyber espionage system with many of the features attributed to the Flame system.

Bob Has an APT

This is an old (2011) video from the Snow Leopard days showing how Audit Explorer can use Apple's BSM audit data to detect and analyze the activity of malware installed by an Advanced Persistent Threat actor.

Data Fence vs. Espionage

This presentation shows how Data Fence can be useful for combatting cyber espionage. For this demonstration I wrote a small persistent malware system that steals email attachments. Data Fence flags the theft.

Data Fence: Audit Data vs. Last Access Time

This 9+ minute technical presentation discusses strange behaviors in programs, when these behaviors occur, and how these behaviors cause discrepancies between audit data, last access times for files, and a user's actual actions. These behaviors led to the "Two-Fence Strategy" I use when constructing fence rules for Data Fence.

Data Fence: Getting Started

Data Fence itself does not require any escalation of privileges (a big "no no" for apps in the Mac App Store). However you still need to configure your Mac's BSM audit system to collect useful data, and if you want to do live analysis, you need a little help via some launchd scripts. To do these things, Data Fence generates the files that you need to install via a Terminal window. This video shows this being done.

Using Data Fence to detect sniffers

While Data Fence was designed to detect suspicious access to regular files like Microsoft Word documents, it can also be used to detect access to directories and special files. In this video I show how Data Fence can watch programs opening the Berkeley Packet Filter devices, a common technique attackers will use to sniff packets on your network.

Data Fence, First Introduction

Here is a very quick introduction to the Data Fence concept. Data Fence is the latest tool I've been working on that processes Apple's BSM audit data. It is currently in testing and should be released soon.