I enjoyed reading your post, and I appreciate your comments on my post. Sometimes it’s easy to forget the tools I (we) use every day to protect information because we don’t trust broader access controls. I have been using tools like AxCrypt and VeraCrypt (previously TrueCrypt) for years to protect personal data, similar to Microsoft BitLocker. My company used full disk encryption for a while, which required you to enter a password before booting your laptop; the idea was that all data on the hard drive was encrypted, so if the laptop was lost or stolen someone could not pull the drive, connect it to another machine and start perusing data. I hated the laptop encryption; it was a good concept, but the software-based encryption slowed down the computer tremendously. Software-based full volume encryption on a laptop just crushed I/O performance, making it impractical.
I think you bring up an excellent point regarding things like public drives and even network shares or other network-based technologies where we assume our data is secure, confidential and guaranteed authentic, but in practice this is a bigger challenge than many realize. I work with organizations of varied sizes, from the Fortune Ten to SMB, and I have always been amazed by the power of the IT guy/gal and how the desire for simplicity often gives way to massive security issues. Group shares like HR, legal, etc. and user shares in departments that should be highly confidential, with root or administrative privileges removed, are so often fully accessible by IT administrative users. It’s understandable why, but no less concerning. The removal of root or administrative privileges greatly complicates tasks like backups and migrations, and these are tasks that IT organizations (the IT guys/gals) perform all the time and often lead to practices which create security holes.
Granular, user-controllable permissions orchestrated from an API and a move toward guaranteed authenticity became popular with content-addressable storage (CAS), and today the properties of CAS are part of object-based storage systems like Amazon (AWS) S3.
Let’s look at the following example:
The original file, iou.txt, says the following: “John Doe owes Jane Smith $1,000.00”
Below you can see I create a file (set-content) with the contents above, I output the contents of the file (get-content), I display the file attributes (get-itemproperty) and then I hash the file (get-filehash). The file hash is very important.
PS D:\Downloads\week3> Set-Content .\iou.txt 'John Doe owes Jane Smith $1,000.00'
PS D:\Downloads\week3> Get-Content .\iou.txt
John Doe owes Jane Smith $1,000.00
PS D:\Downloads\week3> Get-ItemProperty .\iou.txt | Format-List
Directory: D:\Downloads\week3
Name : iou.txt
Length : 36
CreationTime : 3/26/2017 5:55:46 PM
LastWriteTime : 3/26/2017 5:55:46 PM
LastAccessTime : 3/26/2017 5:55:46 PM
Mode : -a----
PS D:\Downloads\week3> Get-FileHash .\iou.txt -Algorithm MD5 | Format-List
Algorithm : MD5
Hash : 17F6B6FB31AAEB1F37864667D87E527B
Path : D:\Downloads\week3\iou.txt
Now let’s compromise the file. Let’s assume I am John Doe, the IT guy with global administrative privileges. Let’s also consider that most people don’t take a hash of their files when they save them to ensure authenticity.
Below I overwrite the contents of iou.txt (set-content) to state that Jane now owes John $100,000, a pretty significant change.
I display the contents of iou.txt (get-content) to validate that the modification was made. I then display the file attributes (get-itemproperty). Here you can see that the file size is the same and the only attribute that changes is the LastWriteTime. That is a significant attribute, but we will make sure we set it to match the value it had before we tampered with the contents of the file.
Next is the hash of the file contents (get-filehash), which shows a different hash. This is a hash of the file contents, but remember that most people don’t hash their files and store the hash to guarantee authenticity. The hash is a powerful tool in determining authenticity.
Next, I set the CreationTime, LastWriteTime and LastAccessTime to ensure they match the original file.
Listing the file attributes again, you can see that everything now matches the original file: same name, file size, timestamps, etc.
The only evidence we have that the file was changed is the differing hash.
PS D:\Downloads\week3> Set-Content .\iou.txt 'Jane Smith owes John Doe $100,000.'
PS D:\Downloads\week3> Get-Content .\iou.txt
Jane Smith owes John Doe $100,000.
PS D:\Downloads\week3> Get-ItemProperty .\iou.txt | Format-List
Directory: D:\Downloads\week3
Name : iou.txt
Length : 36
CreationTime : 3/26/2017 5:55:46 PM
LastWriteTime : 3/26/2017 6:08:28 PM
LastAccessTime : 3/26/2017 5:55:46 PM
Mode : -a----
PS D:\Downloads\week3> Get-FileHash .\iou.txt -Algorithm MD5 | Format-List
Algorithm : MD5
Hash : FB86680C6A90402598A2A1E4A27AA278
Path : D:\Downloads\week3\iou.txt
PS D:\Downloads\week3> $(Get-Item iou.txt).creationtime=$(Get-Date "3/26/2017 5:55:46 PM")
PS D:\Downloads\week3> $(Get-Item iou.txt).lastaccesstime=$(Get-Date "3/26/2017 5:55:46 PM")
PS D:\Downloads\week3> $(Get-Item iou.txt).lastwritetime=$(Get-Date "3/26/2017 5:55:46 PM")
PS D:\Downloads\week3> Get-Content .\iou.txt
Jane Smith owes John Doe $100,000.
PS D:\Downloads\week3> Get-ItemProperty .\iou.txt | Format-List
Directory: D:\Downloads\week3
Name : iou.txt
Length : 36
CreationTime : 3/26/2017 5:55:46 PM
LastWriteTime : 3/26/2017 5:55:46 PM
LastAccessTime : 3/26/2017 5:55:46 PM
Mode : -a----
PS D:\Downloads\week3> Get-FileHash .\iou.txt -Algorithm MD5 | Format-List
Algorithm : MD5
Hash : FB86680C6A90402598A2A1E4A27AA278
Path : D:\Downloads\week3\iou.txt
Note: All of the above examples and commands were executed on a Windows host using PowerShell.
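An added example (not part of the original post): one way to do what the post says most people skip, which is to record file hashes up front and check them later, so that a file whose contents changed while its size and timestamps still match is flagged. It uses SHA256, the Get-FileHash default, rather than MD5; the function names, the scratch directory and the manifest file name are assumptions made for the illustration.

```powershell
# Added example: baseline-and-verify for file integrity.
# New-HashBaseline / Test-HashBaseline are hypothetical helper names.
function New-HashBaseline {
    param([string]$Path, [string]$ManifestPath)
    # Record hash, size and last-write time for every file under $Path.
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Path         = $_.FullName
            Length       = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-HashBaseline {
    param([string]$ManifestPath)
    foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            [pscustomobject]@{ Path = $entry.Path; Status = 'Missing' }
            continue
        }
        $item = Get-Item -LiteralPath $entry.Path
        $hash = (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash
        # Metadata alone cannot prove integrity: it can be set back to any value.
        $metaSame = ($item.Length -eq [long]$entry.Length) -and
                    ($item.LastWriteTimeUtc.ToString('o') -eq $entry.LastWriteUtc)
        if ($hash -eq $entry.Sha256) {
            $status = 'OK'
        } elseif ($metaSame) {
            $status = 'ContentChanged-MetadataUnchanged'
        } else {
            $status = 'ContentChanged'
        }
        [pscustomobject]@{ Path = $entry.Path; Status = $status }
    }
}

# Constructed demo in a scratch directory, replaying the iou.txt steps above.
$dir      = Join-Path ([IO.Path]::GetTempPath()) 'hash-demo'
$manifest = Join-Path ([IO.Path]::GetTempPath()) 'hash-demo-manifest.csv'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'iou.txt'
Set-Content -LiteralPath $file -Value 'John Doe owes Jane Smith $1,000.00'
New-HashBaseline -Path $dir -ManifestPath $manifest
$stamp = (Get-Item -LiteralPath $file).LastWriteTimeUtc
Set-Content -LiteralPath $file -Value 'Jane Smith owes John Doe $100,000.'
(Get-Item -LiteralPath $file).LastWriteTimeUtc = $stamp
Test-HashBaseline -ManifestPath $manifest
```

The manifest only helps if it is kept somewhere the administrators of the share cannot write to; in the demo it sits in the temp directory purely for convenience.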
References:
Compliance: Governance, Authenticity and Availability. (n.d.). Retrieved March 26, 2017, from http://object-matrix.com/solutions/corporate/finance/compliance/
Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in computing (5th ed.). Upper Saddle River: Prentice Hall.
Edited on 03/22/2017 at 07:35:PM EDT