Should Forensic Tools Be Sold To Anyone?
When a software vendor creates a tool for forensic data-breach investigators, can it—should it?—take any steps to try and make sure that product is sold to legitimate investigators and not to cyberthieves? It's a tricky issue. Unlike limiting sales to government law enforcement, forensic investigators are not licensed and they can work for any retailer or consulting firm or security company. What type of test of legitimacy could possibly work?
This came to mind because of an interesting product rollout on Monday (May 21) by a vendor called Passware. Its launch involves a means of grabbing passwords from within any Excel spreadsheet or Word doc (or really anything from Microsoft's Office suite) by quickly locating encryption keys in memory.
"With the release of MS Office 2007, Microsoft changed its encryption algorithm to AES, which made instant calculation of an encryption key impossible," said the news release from Passware. "The latest version of Passware Kit Forensic includes live memory acquisition over FireWire and subsequent recovery of a file's encryption key—regardless of the password length and complexity. This method works if the target MS Word/Excel file was open on a seized computer at the time of its memory acquisition, or when the computer last went into 'sleep' mode."
It sounds like a fine product. But couldn't it just as easily be used against retailers as for them?
All it takes is one bad "investigator" to let the secret out. One cracker who gets his/her hands on this tool can figure out how it works. Then the technique can be used to, say, build malware that grabs spreadsheet passwords in-memory. (Passware is designed to do this with seized PCs, but a crook would likely take a different approach.) A legit competitor to Passware probably can't do this, because that would be intellectual property infringement. But cybercrooks have no such scruples.
Passware spokesperson Nataly Koukoushkina had a very reasonable—although a little unnerving—response to whether the company should at least try and make sure its customers are doing what they say they are doing. She used a retail analogy: "It's like selling someone a kitchen knife. They could use it for cooking or for killing someone." (In New Jersey, customers use it for both, but I digress.)
As a practical matter, there is no reasonable way to do this. Given the wide variety of competent types who legitimately employ forensic investigators, it would simply be far too easy for a thief to come up with convincing verification. And the time spent chasing it down would be wasted, especially given the fact that good cyberthieves can get what they need underground.
Still, it is frustrating. It just makes you want to go buy a knife, find a cyberthief and cook something for them.