Don Burlack – CISSP, CISM
TECHNOLOGY: OPPORTUNITIES FOR FRAUD & INVESTIGATION
ACFE - Nov 28, 2007
ABOUT ME
Previously:
• 30 years in info technology and telecom industries – 20 in info security
• Senior Systems Security Director at SaskTel
• Auxiliary Constable within RCMP Technological Crimes Section
Currently:
• Computer forensics course developer and instructor for Paraben Corp.
• Instruct CompTIA Security+ and EC-Council Certified Ethical Hacker
• Senior Security Specialist at SaskPower
• President of C.S.I. Services Inc.
• Related certifications: CISSP, CISM, CEH, CEI, CEECS, GSEC
WHAT WE'LL FOCUS ON TODAY
• Growth Of Consumer Technology
• The Dark Side's Perspective
• Current Technologies Of Interest To Criminals
• Investigative Considerations In Today's Technologies
GROWTH OF CONSUMER TECHNOLOGY
• Consumers are being flooded with new IT products and services
• Consumer products are making their way into corporate environments – like it or not
• In a recent survey of corporate users by Yankee Group Research Inc., 86% of the respondents said they had used at least one consumer technology in the workplace
• Most consumers do not understand the threats associated with the new technologies
THE DARK SIDE’S PERSPECTIVE
Business has never been better!
Ode To Tech Crime
“A computer lets you make more mistakes faster than
any invention in human history - with the possible
exceptions of handguns and tequila.”
- Unknown
CURRENT TECHNOLOGIES OF INTEREST TO CRIMINALS
1. Instant Messaging (IM) and Peer-to-Peer (P2P)
2. Web Mail
3. Portable Storage Devices
4. PDAs and Cell Phones
5. Privacy & Anonymity Solutions
6. Remote Access Solutions
7. Downloadable Widgets
8. Virtual Worlds
9. Search Engines
10. Wireless Networking
2007 CSI SURVEY
INSTANT MESSAGING (IM) AND PEER-TO-PEER (P2P) FILE-SHARING
INSTANT MESSAGING
• Users communicate in real-time through the use of chat rooms and instant messages
• Chat room – an application that enables a group of people to type in messages that are seen by everyone in the "room"
• Instant messages – a chat room restricted to two people
PEER-TO-PEER
• A method of file sharing and data exchange over a network
• Individual computers are linked via the Internet or a private network
• Users download files and exchange data directly from other users' computers, rather than from a central server
HOW INSTANT MESSAGING WORKS
P2P NETWORKS & CAPABILITIES
CONSUMER VOIP SERVICES
• Enable users to make voice calls via the Internet
• The majority of free VoIP services are P2P based
• Popular P2P VoIP services:
  • Skype
  • Yahoo! Messenger
  • Sipgate X-Lite
  • Google Talk
  • MSN Messenger
  • Babble.net
POPULAR IM CLIENTS/SERVICES
• MSN Chat
• ICQ
• IRC Messenger
• AIM (AOL IM)
• Cheeta Chat
• IRC Toons
• Maestro
• Yahoo! Chat
• Ychat
• Miranda
• Trillian
• mIRC
• PalmIRC
IM AND P2P PROLIFERATION
20% of people use IM at work, and of those 75% use it to send sensitive company info. – SC Magazine
P2P networks (often used to share music and other consumer-oriented content) have entered the enterprise in a similar way.
Source: Osterman Research Inc.
RISKS OF IM AND P2P
Introduce security and privacy challenges:
• IM and P2P users can send sensitive personal and company data across insecure networks (the Internet)
• Malware can enter a personal or corporate network through IM & P2P clients
• Vulnerabilities in client software present security risks to the systems and networks where it is installed
• Bots and botnets
ABOUT BOTS AND BOTNETS
• Bot – derived from the word RoBOT
  • A type of malware which allows an attacker to gain complete control over the affected computer
  • Computers infected with a 'bot' are referred to as 'zombies' or 'drones'
• Botnet – roBOT NETwork
  • Different bots connected together
  • Consists of a multitude of machines (hundreds, thousands, hundreds of thousands, millions)
New Botnets Utilizing Instant Messaging to Steal Personal Information from Online Shoppers and PayPal Customers
FOSTER CITY, CALIF – March 15, 2006 – Research experts at FaceTime Security Labs™ identified and reported a new threat today affecting instant messaging (IM) applications.
Researchers have uncovered two "botnet" networks that collectively represent up to 150,000 compromised computers, one of which is being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords. The operators could potentially launch these scans from any computer on the botnet to mask their actual location.
WORKINGS OF A BOTNET
[Diagram: workings of a botnet. Labelled elements: an attacker in Russia; John in Toronto downloads and executes "checkers.zip" from a freeware site and his machine is now infected with a BOT program; the bots look for the "Master", connect to it and await commands; the attacker sends commands to the bots; the BOT looks for other vulnerable machines and infects them.]
USES OF BOTNETS
• Distributed Denial-of-Service (DDoS) attacks
• Spamming
• Sniffing traffic (a bot can sniff traffic passing by a compromised machine)
• Keylogging
• Spreading new malware
• Mass identity theft (sending "phishing" emails)
• Manipulating online polls (casting votes from zombies)
• Google AdSense abuse (clicking on Google advertisements to earn money)
• Attacking IRC chat networks
AN EXAMPLE OF IM & P2P EXPLOITATION
DETECTING IM & P2P
• IM and P2P applications often try new sockets and protocol-tunneling techniques
  • Firewalls are generally unable to discern common evasion techniques
  • Need to inspect protocol flows to make sure that port 80 traffic is really HTTP (web) traffic
• Practical way to detect and prevent these techniques:
  • Deploy egress enforcement solutions using signature-based deep packet inspection
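To make the port-80 check above concrete, here is an added Python example (not part of the original deck) that applies the simplest form of such an inspection: it looks at the first bytes of a flow's payload and reports whether it is an HTTP request, an HTTP response, a TLS handshake, or something else riding on port 80. The sample payloads are constructed, and the method list is an assumption about what counts as "normal" HTTP; a production DPI engine matches far more signatures, but the principle is the same.

```python
"""Heuristic check: does a port-80 payload actually look like HTTP?"""
import re

# Request methods treated as "normal" HTTP for this check (assumption; RFC 7231
# methods plus PATCH from RFC 5789).
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}

# "METHOD SP request-target SP HTTP/1.x CRLF"
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) [^ \r\n]+ HTTP/1\.[01]\r\n")
# "HTTP/1.x SP 3-digit-status SP"
RESPONSE_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


def classify_port80_payload(data: bytes) -> str:
    """Return 'http-request', 'http-response', 'tls' or 'non-http' for the
    first bytes of a flow seen on TCP port 80."""
    m = REQUEST_LINE.match(data)
    if m and m.group(1).decode() in HTTP_METHODS:
        return "http-request"
    if RESPONSE_LINE.match(data):
        return "http-response"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "non-http"


# Constructed sample payloads (not captured from any real network).
SAMPLES = {
    "web": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "reply": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "ssh_on_80": b"SSH-2.0-OpenSSH_4.7\r\n",
    "binary": bytes([0x00, 0x13, 0x37, 0x42]) + b"\x01\x02custom-protocol",
}


def audit(samples):
    """Classify every sample; anything 'non-http' deserves a closer look."""
    return {name: classify_port80_payload(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:10s} -> {verdict}")
```

The check deliberately inspects only the start of the flow; a tunnel that wraps its traffic inside well-formed HTTP requests will pass it, which is why the slide calls for signature-based inspection rather than a header sniff alone.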
INVESTIGATIVE CONSIDERATIONS
• Conduct an IM and P2P security scan
  • Determine if and which IM and P2P apps exist on the network
  • Determine what is actually running on the network
• Check for existence of IM & P2P clients and running processes on workstation(s)
• Investigate network element logs for IM/P2P activity
• Check for existence of IM & P2P history/archive logs on the system
LOGGING & MESSAGE STORES
• Most IM clients have the ability to create and archive logs of chat/messaging sessions
• Messaging client software installs vary in terms of default configuration – some enable logging by default, others don't
• Most client software utilizes a non-proprietary log format and standard log file locations – AIM is NOT one of these
FINDING IM (CHAT) LOG STORES
Client                        Default Log Files Location
ICQ version 2003b             Program Files\ICQ\2003b
ICQ version 1999-2003a        Program Files\ICQ\2003a
Miranda                       Program Files\Miranda IM
MSN Messenger v6.1 & v6.2     My Documents\My Received Files
Trillian                      Program Files\Trillian\users
Yahoo Messenger               Program Files\Yahoo!\Messenger\Profiles
WEB MAIL
• Consumer e-mail services
  • Google
  • Microsoft
  • AOL
  • Yahoo
• Users don't realize how insecure their e-mail exchanges are
  • Messages are often transported over the Web in clear text
  • Messages are stored on the e-mail provider's server
  • Messages are stored on the ISP's server
• Many are careless in sending sensitive information
  • Social Insurance/Security numbers
  • Passwords
  • Credit card numbers
  • Confidential business data
• "Free" e-mail service users are low-hanging fruit for scammers
GONE PHISHING…
“UNIQUE” PHISHING REPORTS
Source: www.antiphishing.org
SETTING UP A PHISHING OPERATION
1. Mirror the entire website from the target URL
   Example: www.bankofcanada.com
2. Register a fake domain name which sounds like the target website
   Example: www.bnkofcanada.com
3. Host the mirrored website at the fake URL
4. Send phishing emails with links to the fake website to the victim(s)
5. Update the mirror of the target website to maintain the disguise
SURFER BEWARE!
INVESTIGATIVE CONSIDERATIONS
INVESTIGATIVE CONSIDERATIONS
Tricking the user by URL encoding
INVESTIGATIVE CONSIDERATIONS
Program Storage Specifics
Mailbox                  Index File (Index/Table of Contents)   Mail File
Outlook Express 4.x      *.idx                                  *.mbx
Eudora                   *.toc                                  *.mbx
Poco                     *.idx                                  *.mbx
Netscape 6.x             *.msf                                  *.
Netscape over 6.x        *.snm **                               *.
The Bat!                 *.tbi                                  *.tbb
The Bat over 1.42        *.tbx                                  *.dat
Agent                    *.idx                                  *.dat
Pegasus                  *.pmi                                  *.pmm
FoxMail                  *.ind **                               *.box
Outlook Exchange         Stored in main mail archive *.pst (usually encrypted)
Outlook version 5 & 6    Stored in main mail archive *.dbx
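The IM log-location table and the mail-store table both answer the same investigative question, "which client artefacts are present on this machine?", so here is one added Python example (not from the deck) that turns both tables into an offline triage pass over an evidence tree. It assumes the image is mounted (or copied) under a single root directory with its original directory names and case; the sample tree it builds is constructed for demonstration, and the mail patterns skip index files and the too-generic `*.dat`.

```python
"""Offline triage of an evidence tree for IM log directories and mail-store files."""
import fnmatch
import os
import tempfile

# Default IM log locations from the deck's table, relative to the drive root.
IM_LOG_DIRS = {
    "ICQ 2003b": r"Program Files\ICQ\2003b",
    "ICQ 1999-2003a": r"Program Files\ICQ\2003a",
    "Miranda": r"Program Files\Miranda IM",
    "MSN Messenger 6.1/6.2": r"My Documents\My Received Files",
    "Trillian": r"Program Files\Trillian\users",
    "Yahoo Messenger": r"Program Files\Yahoo!\Messenger\Profiles",
}

# Mail-file extensions from the deck's mail-client table (index files such as
# *.idx are skipped; *.dat is omitted as too generic to be a useful pattern).
MAIL_STORE_PATTERNS = {
    "*.mbx": "Outlook Express 4.x / Eudora / Poco mail file",
    "*.dbx": "Outlook Express 5 & 6 mail archive",
    "*.pst": "Outlook/Exchange mail archive (usually encrypted)",
    "*.tbb": "The Bat! mail file",
    "*.pmm": "Pegasus mail file",
    "*.box": "FoxMail mail file",
}


def find_im_log_dirs(root):
    """Return {client: default path} for the IM log directories present under root.
    Windows-style paths are split on backslash so the check also works on an
    image mounted under Linux (exact directory case is assumed)."""
    found = {}
    for client, subpath in IM_LOG_DIRS.items():
        if os.path.isdir(os.path.join(root, *subpath.split("\\"))):
            found[client] = subpath
    return found


def find_mail_stores(root):
    """Return a sorted list of (path relative to root, description) for mail stores."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for pattern, desc in MAIL_STORE_PATTERNS.items():
                if fnmatch.fnmatch(name.lower(), pattern):
                    hits.append((os.path.relpath(os.path.join(dirpath, name), root), desc))
    return sorted(hits)


def build_sample_tree(root):
    """Populate root with a constructed layout (not a real evidence image)."""
    for d in ("Program Files/Miranda IM", "Program Files/Trillian/users", "Docs/Mail"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f in ("Docs/Mail/Inbox.dbx", "Docs/Mail/archive.PST", "Docs/Mail/notes.txt"):
        open(os.path.join(root, f), "wb").close()


def demo():
    """Run both checks against the constructed tree; returns (im_dirs, mail_stores)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_im_log_dirs(tmp), find_mail_stores(tmp)


if __name__ == "__main__":
    im_dirs, mail = demo()
    print("IM log stores present:", sorted(im_dirs))
    for path, desc in mail:
        print(f"{path}: {desc}")
```

Point `find_im_log_dirs` and `find_mail_stores` at the mount point of a read-only image rather than a live system, so the walk itself does not alter access times on the evidence.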
PORTABLE STORAGE DEVICES
• Flash memory
  • Cards
    • SD
    • SDHC
    • CF
    • MMC
  • USB thumb drives
PORTABLE STORAGE DEVICES
• Hard drives
  • Standard
  • Micro
PORTABLE STORAGE DEVICES
• Physically small but large in capacity
  • USB thumb drives – up to 32 GB (64 GB on the way)
  • Flash memory cards – 8 GB (64 GB on the way)
  • Hard drives – 1 TB (standard), 4 GB (micro)
• Risks presented:
  • Theft of information
  • Introduction of malware
USB DRIVES POSE INSIDER THREAT
Robert Lemos, SecurityFocus 2006-06-25
Workers have become more wary of putting giveaway CDs in their company's computers, but USB flash drives are another story.
In a recent test of a credit union's network security, consultants working for East Syracuse, N.Y.-based security audit firm Secure Network Technologies scattered twenty USB flash drives around the financial group's building. Each memory fob held a program--disguised as an image file--that would collect passwords, user names and information about the user's system.
Fifteen of the USB drives were picked up by employees, and surprisingly, all fifteen drives were subsequently plugged into credit union computers.
The test confirmed that employees play a key role in a company's security and that many workers still do not understand the danger of USB drives, said Steve Stasiukonis, vice president and founder of Secure Network Technologies.
INVESTIGATIVE CONSIDERATIONS
• Check for existence of USB devices:
  • Windows registry: HKLM\System\CurrentControlSet\Enum\USBStor
  • Linux: lsusb
• Include removable/portable storage devices in seizure and evidence gathering
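Both sources named above yield text an investigator has to read by eye: USBStor subkey names on Windows and `lsusb` lines on Linux. The following added Python example (not from the deck) parses both into vendor/product records and filters out non-storage entries, so the output can be dropped straight into a report. The USBStor name layout `Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>` and the `lsusb` line layout are the documented formats; the key names and `lsusb` output here are constructed samples, and the root-hub filter is an assumption.

```python
"""Parse USB storage artefacts: Windows USBStor key names and Linux lsusb lines."""
import re

# HKLM\System\CurrentControlSet\Enum\USBStor subkeys are named
# Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>; each holds a child keyed by serial number.
USBSTOR_KEY = re.compile(
    r"^(?P<type>\w+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)

# lsusb prints "Bus 001 Device 004: ID 0781:5567 SanDisk Corp. Cruzer Blade"
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$"
)

ROOT_HUB_VID = "1d6b"  # Linux Foundation root hubs: assumed not of interest


def parse_usbstor_key(name):
    """Return a dict with type/vendor/product/rev, or None if the name does not fit."""
    m = USBSTOR_KEY.match(name)
    if not m:
        return None
    d = m.groupdict()
    # Windows replaces spaces with underscores in the key name.
    d["vendor"] = d["vendor"].replace("_", " ").strip()
    d["product"] = d["product"].replace("_", " ").strip()
    return d


def parse_lsusb(output):
    """Return one dict per parsable lsusb line."""
    devices = []
    for line in output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices.append(m.groupdict())
    return devices


# Constructed sample inputs (not from a real system).
SAMPLE_USBSTOR_KEYS = [
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00",
    "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP",
    "CdRom&Ven_Generic&Prod_DVD-ROM&Rev_1.0",
]
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0781:5567 SanDisk Corp. Cruzer Blade
Bus 002 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
"""


def removable_storage_report(usbstor_keys, lsusb_output):
    """Keep Windows 'Disk' entries and Linux devices other than root hubs."""
    win = [d for d in map(parse_usbstor_key, usbstor_keys) if d and d["type"].lower() == "disk"]
    lin = [d for d in parse_lsusb(lsusb_output) if d["vid"] != ROOT_HUB_VID]
    return {"windows_disks": win, "linux_devices": lin}


if __name__ == "__main__":
    report = removable_storage_report(SAMPLE_USBSTOR_KEYS, SAMPLE_LSUSB)
    for d in report["windows_disks"]:
        print(f"Windows: {d['vendor']} {d['product']} (rev {d['rev']})")
    for d in report["linux_devices"]:
        print(f"Linux:   {d['vid']}:{d['pid']} {d['desc']}")
```

On a live Windows host the key names would come from `winreg` or an exported `.reg` file; on a seized image they come from the SYSTEM hive, which is why the parser takes plain strings rather than touching the registry itself.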
PDAS AND SMART PHONES
• Multipurpose
  • Camera (still & streaming)
  • Calendaring
  • Email
  • Word processing
  • Sound recording
  • Multimedia (music, images, movies, etc.)
  • Phone service
  • Internet
  • Gaming
  • Wireless networking
  • Data storage
• Pros:
  • Small
  • Lightweight
  • Incredible info processing and storage capability
  • Widely used
• Cons:
  • Easily misplaced/lost
  • Targeted by the criminal element
  • Used as a tool by criminals (camera, wireless intrusion)
DIFFERING NEEDS AND INTERESTS…
Doctors: "I store some of my patient information (medications, treatments) in my PDA."
Network Administrators: "As the network administrator I like to store all of the IP addresses for the network in my PDA."
Truck Drivers: They consult e-mail and keep track of expenses, shipping records, maps and schedules.
Average John or Jane Doe: "I store all of my user names and passwords in my PDA so they are always with me."
Criminal: "I can easily get the info I need by grabbing these guys' handheld devices."
INVESTIGATIVE CONSIDERATIONS
• Sources of evidence
  • Provider/Carrier
    • IMSI, IMEI, duration, call data records
  • Phone or PDA
    • Phone calls, SMS, MMS, graphics, audio/video files, and more
  • SIM card
    • Phone numbers, text messages, more
• If a suspect computer has handheld synchronization software installed, then you need to ask "Where is the handheld?"
INVESTIGATIVE CONSIDERATIONS
• Follow strict handheld device seizure rules
  1. Maintain power on the device.
  2. Place the device in a protective case.
  3. Gather all accessories and cables.
PRIVACY AND ANONYMITY SOLUTIONS
• Anonymity is as important to a criminal as to anyone wishing to protect their privacy
• Proxy servers are a means of establishing/maintaining anonymity on a network
• Definition: Proxy – a network computer that can serve as an intermediary for connections with other computers
• Sample proxy-based web browsing tool:
  • Torpark browser – see www.torrify.com
• Sample anonymous surfing website:
  • www.proxify.com
MALICIOUS USE OF PROXIES
INVESTIGATIVE CONSIDERATIONS
• Check the system under investigation for existence of a proxy server (typically port 8080)
• Check logs on network elements (firewalls, routers, IDS) for suspect activity
• Check with the ISP to identify network traffic originating from or destined to a suspect proxy address
• Request co-operation of the anonymizer service provider
REMOTE ACCESS SOLUTIONS
• Products that enable users to access a home or office computer's services and files while they are away from home or office
  • PC Anywhere, Back Office, RealVNC, Access Remote PC, many others
• Several operate on the principle of protocol tunneling
• Pass through firewalls and other security controls based on "You cannot deny what you must allow"
REMOTE ACCESS SOLUTIONS
• HTTP tunneling is most common
  • Perform file transfers (ftp), interactive sessions (telnet), chat and other functions using port 80
• UDP tunneling
  • Tunnel UDP packets by disguising them as TCP
• ICMP tunneling
  • Tunnel TCP packets through ping packets
• Pro:
  • Convenience
• Cons:
  • Several circumvent network security controls
  • Unauthorized and undetected access to and from a computer/network
INVESTIGATIVE CONSIDERATIONS
• Check systems for existence of remote access client/server software
• Inspect startup and running processes on workstations and servers
• Perform "deep packet" inspection on the network (firewalls, IDS)
• Inspect log files (on workstations, servers, firewalls, routers, etc.) for remote access activity
• Check web logs for access to protocol tunneling service providers
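Of the three tunnel types listed, ICMP tunneling is the one a "deep packet" inspection rule can catch with very little state, because a stock ping carries a fixed, recognizable payload. The added Python example below (not from the deck) scores ICMP echo payloads: anything matching the Windows ping pattern or the Linux/BSD timestamp-plus-counting-bytes pattern is accepted, and everything else is flagged with a reason (oversized payload, high entropy, or simply non-standard). The payloads are constructed, and the 64-byte and 5.0-bits-per-byte thresholds are assumptions to tune against your own baseline.

```python
"""Flag ICMP echo payloads that do not look like a stock ping, as a first pass at
spotting ICMP tunnels."""
import math
from collections import Counter

# Default echo payload of the Windows ping utility (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data):
    """Bits per byte; random or compressed data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_unix_ping(payload):
    """Linux/BSD ping sends a timestamp (8 or 16 bytes) followed by the byte
    sequence 0x10, 0x11, 0x12 ... so the tail of a stock payload counts upward."""
    for ts_len in (8, 16):
        tail = payload[ts_len:]
        if 0 < len(tail) <= 0xF0 and tail == bytes(range(0x10, 0x10 + len(tail))):
            return True
    return False


def classify_icmp_payload(payload, max_entropy=5.0):
    """Return 'stock-ping', or 'suspicious: <reasons>' for anything else."""
    if payload == WINDOWS_PING_PAYLOAD or looks_like_unix_ping(payload):
        return "stock-ping"
    reasons = []
    if len(payload) > 64:  # threshold is an assumption
        reasons.append(f"large payload ({len(payload)} bytes)")
    entropy = shannon_entropy(payload)
    if entropy > max_entropy:
        reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
    if not reasons:
        reasons.append("non-standard pattern")
    return "suspicious: " + ", ".join(reasons)


# Constructed payloads (not captured traffic).
SAMPLES = {
    "linux_ping": bytes(8) + bytes(range(0x10, 0x40)),          # 8-byte timestamp + 48 pattern bytes
    "windows_ping": WINDOWS_PING_PAYLOAD,
    "bulk_tunnel": bytes((i * 131 + 17) % 256 for i in range(200)),  # 200 distinct bytes
    "text_tunnel": b"hello from the tunnel client",
}


def triage_icmp(samples):
    """Classify each sample payload."""
    return {name: classify_icmp_payload(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_icmp(SAMPLES).items():
        print(f"{name:13s} {verdict}")
```

In practice this runs over the ICMP payloads pulled from a capture, and a single flagged packet matters less than a sustained stream of them between the same two hosts, which is the pattern an interactive tunnel produces.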
DOWNLOADABLE WIDGETS
• Definition: WIDGET – any icon or graphical interface element that is manipulated by the computer or internet user to perform a desired function online or on their computer
• Not just a graphic… they contain executable code
• Sample widgets:
  • Stock tickers
  • Media player buttons
  • Web browser controls
  • Email function controls
  • Social-networking sites that enable information sharing
  • RSS feed icons
  • Interactive graphs, charts, and other statistical media
A WIDGETS DASHBOARD
DOWNLOADABLE WIDGETS
• Ethical intent: provide convenience to the user
• Unethical intent: perform criminal or malicious acts on behalf of the perpetrator
• Widgets of unknown source should not be trusted
• Links or code within the widget can direct a user to a malicious internet site or execute malicious code on the user's system
• Flawed code in widgets can be exploited by attackers
INVESTIGATIVE CONSIDERATIONS
• Inspect running processes on the system(s) in question (Task Manager)
• Check network connection status on the system(s) in question (netstat, Fport, etc.)
• Inspect log files (on workstations, servers, firewalls, routers, etc.) for suspect activity
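The netstat check here and the "proxy server, typically port 8080" check in the privacy section come down to reading the same listing. This added Python example (not from the deck) parses a saved Windows `netstat -ano` listing into records and pulls out two things an investigator wants first: listeners on proxy ports, and established connections to addresses outside the private ranges, each tied to its PID so the process can be looked up in Task Manager. The listing is constructed; port 8080 is the deck's number, while 3128 and 1080 are added here as an assumption.

```python
"""Triage a saved `netstat -ano` listing (Windows format) for proxy listeners and
outbound connections to non-private addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port 8080 is the one the deck names for proxies; 3128 and 1080 are an
# assumption (common HTTP-proxy and SOCKS defaults).
PROXY_PORTS = {8080, 3128, 1080}

# Only RFC 1918, loopback, link-local and unspecified ranges count as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


@dataclass
class Conn:
    proto: str
    local: str
    lport: Optional[int]
    remote: str
    rport: Optional[int]
    state: str
    pid: int


def _split_addr(text):
    """'192.168.1.23:49211' -> ('192.168.1.23', 49211); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_ano(text):
    """Parse `netstat -ano` rows; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if f[0] == "TCP" and len(f) == 5:
            proto, local, remote, state, pid = f
        elif f[0] == "UDP" and len(f) == 4:
            proto, local, remote, pid = f
            state = ""
        else:
            continue
        lh, lp = _split_addr(local)
        rh, rp = _split_addr(remote)
        conns.append(Conn(proto, lh, lp, rh, rp, state, int(pid)))
    return conns


def is_external(host):
    """True for a routable address outside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # '*', hostnames, or unparsable text
    return not any(ip in net for net in INTERNAL_NETS)


def triage_netstat(conns):
    return {
        "proxy_listeners": [c for c in conns if c.state == "LISTENING" and c.lport in PROXY_PORTS],
        "external_established": [c for c in conns if c.state == "ESTABLISHED" and is_external(c.remote)],
    }


# Constructed listing (203.0.113.0/24 is a documentation range, used as a stand-in
# for an arbitrary outside address).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.23:49211     203.0.113.5:443        ESTABLISHED     3120
  TCP    192.168.1.23:49212     192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    812
"""

if __name__ == "__main__":
    result = triage_netstat(parse_netstat_ano(SAMPLE_NETSTAT))
    for c in result["proxy_listeners"]:
        print(f"proxy port {c.lport} listening, PID {c.pid}")
    for c in result["external_established"]:
        print(f"PID {c.pid} connected to {c.remote}:{c.rport}")
```

A PID that both listens on 8080 and holds an outbound connection, as in the constructed sample, is the shape of an open proxy relaying traffic, and is the first process to pull from the process list and the firewall logs.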
VIRTUAL WORLDS
• Virtual communities consisting of social activities, financial transactions (Linden dollar), gaming, society, etc.
• The user is provided an avatar which interacts with other characters in the VW
• Being quickly populated by businesses
  • Clothing, automobile, real estate, entertainment, banking, etc.
SAMPLE VIRTUAL WORLDS
Active Worlds
Coke Studios
Cybertown
Disney's Toontown
Dreamville
Dubit
Habbo Hotel
The Manor
Mokitown
Moove
Muse
The Palace
Playdo
Second Life
The Sims Online
Sora City
There
TowerChat
Traveler
Virtual Ibiza
Virtual Magic Kingdom
Voodoo Chat
VPchat
VZones
whyrobbierocks
Whyville
Worlds.com
Yohoho! Puzzle Pirates
VIRTUAL WORLDS
• Risks and threats in VWs are beginning to parallel those in reality
  • Installation/spread of computer viruses, keyloggers and other malware
  • ID harvesting
  • Money laundering
  • Fraud
  • Theft
• Crime in VWs can impact reality
  • Currency in VWs is purchased with money in reality
  • Unregulated international currency exchange – transactions can be conducted worldwide without the oversight that typically accompanies international bank remittances
• Local, national and international laws addressing activity in VWs are non-existent or immature
INVESTIGATIVE CONSIDERATIONS
• Check for existence of VW client and/or server software
• Inspect web cache, history and favorites for VW-related activity
• Inspect network logs (firewalls, routers, IDS, etc.) for VW-related activity
• Check with the VW hosting service provider for activity logs
SEARCH ENGINES
• Powerful and fast
• It's all about what you're looking for
• Criminal needs include – but are not limited to:
  • Credit card numbers
  • Passwords
  • Bank account info
  • Driver's license numbers
  • Social insurance/security numbers
SEARCH ENGINES
• Well known search engines:
  • Google
  • Yahoo!
  • Ask
  • AOL
  • HotBot
  • AltaVista
  • Kartoo
• Check "Advanced Search" info for non-vanilla search techniques
POINT & CLICK GOOGLE HACKING
[Screenshot slides: Point & Click Google Hacking (cont'd)]
INVESTIGATIVE CONSIDERATIONS
SOURCES OF EVIDENCE
• Browser cache files
• Browser history log
• Cookies
• Firewall logs
• Page file
• Slack space
• Unallocated space
EVIDENCE DETAIL
• Search queries such as:
  • http://www.google.com/search?hl=en&lr=&ie=ISO-88591&safe=off&q=intitle%3A%22Index+of%22+%22.htpasswd%22+htpasswd.bak
  • http://www.google.com/search?ie=ISO-88591&q=inurl%3Ashopdbtest.asp&btnG=Suche&meta=
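Two of the deck's investigative points come down to decoding URLs: the "tricking the user by URL encoding" consideration in the phishing section, and the percent-encoded search queries recovered from browser history above. The added Python example below (not from the deck) uses only the standard library to report the host a browser would really connect to, note anything in the link that could mislead a reader, and pull the plain-text search terms out of a search-engine URL. The two search URLs are the ones on the slide, reassembled onto single lines; the phishing-style link is constructed and uses the reserved `.example` TLD.

```python
"""Decode URLs recovered from browser history: reveal the host a browser would use
and the search terms hidden inside a search-engine query string."""
from urllib.parse import parse_qs, unquote, urlsplit


def effective_host(url):
    """Return the host a browser would actually connect to, the percent-decoded
    URL, and notes on anything that could mislead a reader of the raw link."""
    parts = urlsplit(url)
    notes = []
    # Browsers treat text before '@' as userinfo, not as the host.
    if parts.username is not None:
        notes.append(f"userinfo '{parts.username}' precedes the real host")
    if "%" in url:
        notes.append("contains percent-encoded characters")
    return {"host": parts.hostname, "decoded": unquote(url), "notes": notes}


def search_terms(url):
    """Return the decoded 'q' parameter of a search URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("q")
    return values[0] if values else None


# The two search URLs from the slide, reassembled onto single lines.
HISTORY_URLS = [
    "http://www.google.com/search?hl=en&lr=&ie=ISO-88591&safe=off&q=intitle%3A%22Index+of%22+%22.htpasswd%22+htpasswd.bak",
    "http://www.google.com/search?ie=ISO-88591&q=inurl%3Ashopdbtest.asp&btnG=Suche&meta=",
]

# Constructed link (the .example TLD is reserved): a percent-encoded path and a
# look-alike name placed as userinfo in front of the real host.
PHISH_URL = "http://www.bankofcanada.example@www.bnkofcanada.example/%6c%6f%67%69%6e"


def report(urls):
    """Summarise each URL: real host, decoded form, notes, and any search terms."""
    out = []
    for url in urls:
        info = effective_host(url)
        info["search_terms"] = search_terms(url)
        out.append(info)
    return out


if __name__ == "__main__":
    for info in report(HISTORY_URLS + [PHISH_URL]):
        print(f"host={info['host']}")
        print(f"  decoded: {info['decoded']}")
        if info["search_terms"]:
            print(f"  search terms: {info['search_terms']}")
        for note in info["notes"]:
            print(f"  note: {note}")
```

`parse_qs` handles both `%XX` escapes and the `+`-for-space convention, so the recovered terms read exactly as the user typed them into the search box, which is what belongs in the evidence narrative.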
WIRELESS NETWORKING
• Pros:
  • Convenient
  • Mobility
  • Cheap to implement
  • Easy sharing
• Initial wireless standards did not adequately address security
• Mass and quick implementations have not included security considerations
• Just about any information technology device can be wireless... a criminal's dream come true.
WIRELESS DEVICES
Many opportunities for unauthorized access…
• Hard drives
• Print servers
• Headsets
• PDAs/Cellphones
• Computers
• Routers
• Bridges
• Switches
• Repeaters
• Cameras
WIRELESS TERMS
WARCHALKING
WARDRIVING MAP – EDMONTON, ALTA
INVESTIGATIVE CONSIDERATIONS
• Locate and identify wireless devices
  • May be concealed (ceilings, walls, drawers, etc.)
  • Trace electrical connections to the end point
    • Device may be battery powered (self-contained)
  • Field strength meter (triangulation)
  • Software-based solutions (NetStumbler, Kismet, etc.)
• Check log files associated with wireless devices
  • Most wireless devices are capable of generating and storing logs onboard
INVESTIGATIVE CONSIDERATIONS
• Check device configurations
  • MAC and IP addresses, SSID, etc.
  • Most devices have HTML-based configuration interfaces
  • Check for configuration details on the computer(s) used to configure the wireless device
• Check the registry and file system for indication/details of wireless devices and their use
• Others too numerous to mention
PREDICTIONS
• What isn't about to slow down:
  • Technology
  • Consumers' utilization of technology
  • Criminal use and exploitation of technology
• Investigators will continually need to increase their skills and knowledge in technological crime
• Law makers will eventually address most technology-based crime – enforcement is another matter
Regina Leader Post Nov 22, 2007
QUESTIONS?
END