Hackers want to sabotage law enforcement agencies
December 18, 2009
A few days ago, a pair of hackers released a new program they say completely undermines a suite of law enforcement forensics tools that Microsoft provides for free to hundreds of police officers, the FBI and Interpol.
Dubbed "Decaf", the hackers' software is an application that monitors Windows systems for the presence of COFEE, a bundle of about 153 point-and-click tools used by police and law enforcement agencies around the world to collect digital evidence at crime scenes.
When a USB stick containing COFEE is attached to a PC on which Decaf is running, Decaf automatically executes a series of countermeasures aimed at thwarting law enforcement's evidence collection.
"We want to promote a healthy and unrestricted free flow of Internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligence evidence gathering," one of the two hackers behind Decaf said in explaining the objective of the project.
In November, when COFEE leaked out on the Internet, Microsoft downplayed concerns the breach would allow hackers to create countermeasures. Microsoft representatives weren't immediately available for comment when called.
Decaf features a wide variety of user-driven countermeasures against COFEE. In addition to "nuking" temporary files within seconds of detecting files or processes associated with the investigative tool, Decaf can also clear all COFEE logs, disable USB drives and even contaminate or spoof a variety of MAC addresses on the same Windows computer.
Future versions of Decaf even promise to add features that allow users to remotely lock down protected systems, says the hacker, who has asked to remain anonymous.
The software giant has been handing out COFEE, which runs on its Windows operating system, to law enforcement officers since at least June or July of 2007.
COFEE, an acronym for Computer Online Forensic Evidence Extractor, packages forensics tools onto an easy-to-use USB stick that allows investigators to collect browsing history, temporary files and other sensitive and potentially incriminating data from most Windows-based PCs.
COFEE is freely distributed through Interpol, Microsoft has said.
Decaf began seeding on private BitTorrent trackers on Dec. 13 in the afternoon.
The release of the software follows a leak in November of COFEE. By the time Microsoft lawyers demanded the removal of COFEE from sites such as Cryptome, 'the rabbit was already out of the hat'.
As of today, COFEE still remains available on Wikileaks.
While the program's authors are making the Decaf executable available, they are not releasing the source code for fear that the signatures it uses to recognize COFEE will be reverse engineered. Withholding the source is only a speed bump: a Windows executable can still be disassembled, and since Decaf's detection depends on matching known COFEE file and process names, anyone who recovers those signatures, or simply renames the tools, can evade it.
The end user license agreement that accompanies the software states: "You will not disassemble, decompile or reverse engineer it, in whole or in part, except to the extent expressly permitted by law. You will not use DECAF for illegal purposes. You will comply with all export laws. DECAF is licensed, not sold."