Don Burlack – CISSP, CISM
TECHNOLOGY: OPPORTUNITIES FOR FRAUD & INVESTIGATION
ACFE - Nov 28, 2007

ABOUT ME
Previously:
• 30 years in info technology and telecom industries – 20 in info security
• Senior Systems Security Director at SaskTel
• Auxiliary Constable within RCMP Technological Crimes Section
Currently:
• Computer forensics course developer and instructor for Paraben Corp.
• Instruct CompTIA Security+ and EC-Council Certified Ethical Hacker
• Senior Security Specialist at SaskPower
• President of C.S.I. Services Inc.
• Related certifications: CISSP, CISM, CEH, CEI, CEECS, GSEC

WHAT WE'LL FOCUS ON TODAY
• Growth of consumer technology
• The dark side's perspective
• Current technologies of interest to criminals
• Investigative considerations in today's technologies

GROWTH OF CONSUMER TECHNOLOGY
• Consumers are being flooded with new IT products and services
• Consumer products are making their way into corporate environments – like it or not
• In a recent survey of corporate users by Yankee Group Research Inc., 86% of the respondents said they had used at least one consumer technology in the workplace
• Most consumers do not understand the threats associated with the new technologies

THE DARK SIDE'S PERSPECTIVE
Business has never been better!

Ode to Tech Crime
"A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila." - Unknown

CURRENT TECHNOLOGIES OF INTEREST TO CRIMINALS
1. Instant Messaging (IM) and Peer-to-Peer (P2P)
2. Web Mail
3. Portable Storage Devices
4. PDAs and Cell Phones
5. Privacy & Anonymity Solutions
6. Remote Access Solutions
7. Downloadable Widgets
8. Virtual Worlds
9. Search Engines
10. Wireless Networking

2007 CSI SURVEY

INSTANT MESSAGING (IM) AND PEER-TO-PEER (P2P) FILE-SHARING
Instant messaging
• Users communicate in real time through the use of chat rooms and instant messages
• Chat room – an application that enables a group of people to type in messages that are seen by everyone in the "room"
• Instant messages – a chat room restricted to two people
Peer-to-peer
• A method of file sharing and data exchange over a network
• Individual computers are linked via the Internet or a private network
• Users download files and exchange data directly from other users' computers, rather than from a central server

HOW INSTANT MESSAGING WORKS

P2P NETWORKS & CAPABILITIES

CONSUMER VOIP SERVICES
• Enable users to make voice calls via the Internet
• The majority of free VoIP services are P2P based
• Popular P2P VoIP services: Skype, Yahoo! Messenger, Sipgate, X-Lite, Google Talk, MSN Messenger, Babble.net

POPULAR IM CLIENTS/SERVICES
MSN Chat, ICQ, IRC, Messenger, AIM (AOL IM), Cheeta Chat, IRC Toons, Maestro, Yahoo! Chat, Ychat, Miranda, Trillian, mIRC, PalmIRC

IM AND P2P PROLIFERATION
• 20% of people use IM at work, and of those 75% use it to send sensitive company info. - SC Magazine
• P2P networks (often used to share music and other consumer-oriented content) have entered the enterprise in a similar way. Source: Osterman Research Inc.

RISKS OF IM AND P2P
IM and P2P introduce security and privacy challenges:
• IM and P2P users can send sensitive personal and company data across insecure networks (the Internet)
• Malware can enter a personal or corporate network through IM and P2P clients
• Vulnerabilities in client software present security risks to the systems and networks where it is installed
• Bots and botnets

ABOUT BOTS AND BOTNETS
• Bot – derived from the word roBOT: a type of malware which allows an attacker to gain complete control over the affected computer
• Computers infected with a bot are referred to as "zombies" or "drones"
• Botnet – roBOT NETwork: different bots connected together, consisting of a multitude of machines (hundreds, thousands, hundreds of thousands, millions)

New Botnets Utilizing Instant Messaging to Steal Personal Information from Online Shoppers and PayPal Customers
FOSTER CITY, CALIF - March 15, 2006 - Research experts at FaceTime Security Labs identified and reported a new threat today affecting instant messaging (IM) applications. Researchers have uncovered two "botnet" networks that collectively represent up to 150,000 compromised computers, one of which is being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords. The operators could potentially launch these scans from any computer on the botnet to mask their actual location.

WORKINGS OF A BOTNET
(diagram; steps as labelled)
• Attacker in Russia
• John in Toronto downloads and executes "checkers.zip" from a freeware site; his machine is now infected with a BOT program
• The bot now looks for the "master", connects to it and awaits commands
• The attacker sends commands to the bots
• The bot now looks for other vulnerable machines and infects them
USES OF BOTNETS
• Distributed Denial-of-Service (DDoS) attacks
• Spamming
• Sniffing traffic (a bot can sniff traffic passing by a compromised machine)
• Keylogging
• Spreading new malware
• Mass identity theft (sending "phishing" emails)
• Manipulating online polls (casting votes from zombies)
• Google AdSense abuse (clicking on Google advertisements to earn money)
• Attacking IRC chat networks

AN EXAMPLE OF IM & P2P EXPLOITATION

DETECTING IM & P2P
• IM and P2P applications often try new sockets and protocol-tunneling techniques; firewalls are generally unable to discern common evasion techniques
• Need to inspect protocol flows to make sure that port 80 traffic is really HTTP (web) traffic
• A practical way to detect and prevent these techniques: deploy egress enforcement solutions using signature-based deep packet inspection

INVESTIGATIVE CONSIDERATIONS
• Conduct an IM and P2P security scan: determine if and which IM and P2P apps exist on the network, and what is actually running on the network
• Check for the existence of IM & P2P clients and running processes on workstation(s)
• Investigate network element logs for IM/P2P activity
• Check for the existence of IM & P2P history/archive logs on the system

LOGGING & MESSAGE STORES
• Most IM clients have the ability to create and archive logs of chat/messaging sessions
• Messaging client software installs vary in terms of default configuration – some enable logging by default, others don't
• Most client software uses a non-proprietary log format and standard log file locations – AIM is NOT one of these

FINDING IM (CHAT) LOG STORES
Client                        Default log file location
ICQ version 2003b             Program Files\ICQ\2003b
ICQ version 1999-2003a        Program Files\ICQ\2003a
Miranda                       Program Files\Miranda IM
MSN Messenger v6.1 & v6.2     My Documents\My Received Files
Trillian                      Program Files\Trillian\users
Yahoo Messenger               Program Files\Yahoo!\Messenger\Profiles

WEB MAIL
Consumer e-mail services (Google, Microsoft, AOL, Yahoo)
• Users don't realize how insecure their e-mail exchanges are
• Messages are often transported over the Web in clear text
• Messages are stored on the e-mail provider's server
• Messages are stored on the ISP's server
• Many are careless in sending sensitive information: Social Insurance/Security numbers, passwords, credit card numbers, confidential business data
• "Free" e-mail service users are low-hanging fruit for scammers

GONE PHISHING…

"UNIQUE" PHISHING REPORTS
Source: www.antiphishing.org

SETTING UP A PHISHING OPERATION
1. Mirror the entire website from the target URL (example: www.bankofcanada.com)
2. Register a fake domain name which sounds like the target website (example: www.bnkofcanada.com)
3. Host the mirrored website on the fake domain
4. Send phishing emails with links to the fake website to the victim(s)
5. Update the mirror of the target website to maintain the disguise

SURFER BEWARE!
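The phishing setup described above turns on the victim not noticing that the link points at a sound-alike domain, and the same goal is reached with user-info and percent-encoding tricks in the authority part of the URL. The following is an added example, not code from the slides: a small Python triage routine that works out which host a browser will actually connect to and flags the common disguises. The trusted-domain list, the sample URLs and the "last two labels" notion of a registrable domain are assumptions for the demo (real tooling would use the public suffix list).

```python
"""Triage a suspect URL: find the host the browser really connects to and
flag the tricks used to disguise it. Added example; not part of the talk."""
import ipaddress
from urllib.parse import urlsplit, unquote

# Hypothetical list of domains the victim trusts (assumption for this example).
TRUSTED_DOMAINS = ["bankofcanada.com", "paypal.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike registrations such as bnkofcanada.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: real tooling uses the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str) -> dict:
    """Return the effective host, its registrable domain and a list of warning flags."""
    parts = urlsplit(url)
    # Decode the authority first: a %40 there is an '@' to the browser, and
    # everything before the '@' is user info, not the destination host.
    netloc = unquote(parts.netloc)
    userinfo, _, hostport = netloc.rpartition("@")
    host = hostport.split(":")[0]            # strip a port; IPv6 literals not handled
    flags = []
    if userinfo:
        flags.append("userinfo")             # "www.bankofcanada.com@..." trick
    if "%" in parts.netloc:
        flags.append("encoded_authority")    # disguise only visible after decoding
    raw_ip = False
    try:
        ipaddress.ip_address(host)
        raw_ip = True
        flags.append("raw_ip")               # no domain at all, just an address
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("idn")                  # punycode label: possible homograph
    domain = host if raw_ip else registrable_domain(host)
    if not raw_ip and domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(domain, trusted) <= 2:
                flags.append(f"lookalike:{trusted}")
    return {"host": host, "domain": domain, "flags": flags}


def triage(urls):
    """Analyze each URL; returns only those that raised at least one flag."""
    return [r for r in (analyze_url(u) for u in urls) if r["flags"]]


# Constructed sample links, as they might be pulled from phishing e-mails.
SAMPLE_LINKS = [
    "https://www.bankofcanada.com/",                         # genuine (per the slides' example)
    "http://www.bnkofcanada.com/login",                      # sound-alike registration
    "http://www.bankofcanada.com@203.0.113.7/login",         # user-info trick
    "http://www.bankofcanada.com%40203.0.113.7/login",       # same trick, percent-encoded
    "http://www.xn--80ak6aa92e.com/",                        # punycode label (constructed)
]

if __name__ == "__main__":
    for result in triage(SAMPLE_LINKS):
        print(result["host"], result["flags"])
```

Only the first sample comes back clean; the two user-info variants resolve to 203.0.113.7 regardless of what the victim reads before the '@'. Note that modern browsers drop or warn on user info in HTTP URLs, but the decoded-authority check is still the right first step when triaging a link found in mail or browser history.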
INVESTIGATIVE CONSIDERATIONS

INVESTIGATIVE CONSIDERATIONS
Tricking the user by URL encoding

INVESTIGATIVE CONSIDERATIONS
Program storage specifics
Program                  Index/table of contents        Mail file
Outlook Express 4.x      *.idx                          *.mbx
Eudora                   *.toc                          *.mbx
Poco                     *.idx                          *.mbx
Netscape 6.x             *.msf                          (no extension)
Netscape prior to 6.x    *.snm                          (no extension)
The Bat!                 *.tbi                          *.tbb
The Bat over 1.42        *.tbx                          *.dat
Agent                    *.idx                          *.dat
Pegasus                  *.pmi                          *.pmm
FoxMail                  *.ind                          *.box
Outlook / Exchange       stored in main mail archive    *.pst (usually encrypted)
Outlook Express 5 & 6    stored in main mail archive    *.dbx

PORTABLE STORAGE DEVICES
• Flash memory cards: SD, SDHC, CF, MMC
• USB thumb drives
• Hard drives: standard, micro

PORTABLE STORAGE DEVICES
Physically small but large in capacity:
• USB thumb drives – up to 32 GB (64 GB on the way)
• Flash memory cards – 8 GB (64 GB on the way)
• Hard drives – 1 TB (standard), 4 GB (micro)
Risks presented:
• Theft of information
• Introduction of malware

USB DRIVES POSE INSIDER THREAT
Robert Lemos, SecurityFocus 2006-06-25
Workers have become more wary of putting giveaway CDs in their company's computers, but USB flash drives are another story. In a recent test of a credit union's network security, consultants working for East Syracuse, N.Y.-based security audit firm Secure Network Technologies scattered twenty USB flash drives around the financial group's building. Each memory fob held a program--disguised as an image file--that would collect passwords, user names and information about the user's system. Fifteen of the USB drives were picked up by employees, and surprisingly, all fifteen drives were subsequently plugged into credit union computers.
The test confirmed that employees play a key role in a company's security and that many workers still do not understand the danger of USB drives, said Steve Stasiukonis, vice president and founder of Secure Network Technologies.

INVESTIGATIVE CONSIDERATIONS
Check for the existence of USB devices:
• Windows registry: HKLM\System\CurrentControlSet\Enum\USBStor
• Linux: lsusb
Include removable/portable storage devices in seizure and evidence gathering

PDAS AND SMART PHONES
Multipurpose: camera (still & streaming), calendaring, email, word processing, sound recording, multimedia (music, images, movies, etc.), phone service, Internet, gaming, wireless networking, data storage
Pros:
• Small
• Lightweight
• Incredible info processing and storage capability
• Widely used
Cons:
• Easily misplaced/lost
• Targeted by the criminal element
• Used as a tool by criminals (camera, wireless intrusion)

DIFFERING NEEDS AND INTERESTS…
Doctors: "I store some of my patient information (medications, treatments) in my PDA."
Network administrators: "As the network administrator I like to store all of the IP addresses for the network in my PDA."
Truck drivers: They consult e-mail and keep track of expenses, shipping records, maps and schedules.
Average John or Jane Doe: "I store all of my user names and passwords in my PDA so they are always with me."
Criminal: "I can easily get the info I need by grabbing these guys' handheld devices."

INVESTIGATIVE CONSIDERATIONS
Sources of evidence:
• Provider/carrier – IMSI, IMEI, duration, call data records
• Phone or PDA – phone calls, SMS, MMS, graphics, audio/video files, and more
• SIM card – phone numbers, text messages, more
If a suspect computer has handheld synchronization software installed, then you need to ask "Where is the handheld?"

INVESTIGATIVE CONSIDERATIONS
Follow strict handheld device seizure rules:
1. Maintain power on the device.
2. Place the device in a protective case.
3.
Gather all accessories and cables.

PRIVACY AND ANONYMITY SOLUTIONS
• Anonymity is as important to a criminal as to anyone wishing to protect their privacy
• Proxy servers are a means of establishing/maintaining anonymity on a network
• Definition: Proxy – a network computer that can serve as an intermediary for connections with other computers
• Sample proxy-based web browsing tool: Torpark Browser – see www.torrify.com
• Sample anonymous surfing website: www.proxify.com

MALICIOUS USE OF PROXIES

INVESTIGATIVE CONSIDERATIONS
• Check the system under investigation for the existence of a proxy server (typically port 8080)
• Check logs on network elements (firewalls, routers, IDS) for suspect activity
• Check with the ISP to identify network traffic originating from or destined to a suspect proxy address
• Request the co-operation of the anonymizer service provider

REMOTE ACCESS SOLUTIONS
• Products that enable users to access a home or office computer's services and files while they are away from home or office
• PC Anywhere, Back Orifice, RealVNC, Access Remote PC, many others
• Several operate on the principle of protocol tunneling
• Pass through firewalls and other security controls based on "You cannot deny what you must allow"

REMOTE ACCESS SOLUTIONS
• HTTP tunneling is most common: perform file transfers (ftp), interactive sessions (telnet), chat and other functions using port 80
• UDP tunneling: tunnel UDP packets by disguising them as TCP
• ICMP tunneling: tunnel TCP packets through ping packets
Pro:
• Convenience
Cons:
• Several circumvent network security controls
• Unauthorized and undetected access to and from a computer/network

INVESTIGATIVE CONSIDERATIONS
• Check systems for the existence of remote access client/server software
• Inspect startup and running processes on workstations and servers
• Perform "deep packet" inspection on the network (firewalls, IDS)
• Inspect log files (on workstations, servers, firewalls, routers, etc.) for remote access activity
• Check web logs for access to protocol tunneling service providers

DOWNLOADABLE WIDGETS
Definition: WIDGET – any icon or graphical interface element that is manipulated by the computer or Internet user to perform a desired function online or on their computer.
Not just a graphic… they contain executable code.
Sample widgets: stock tickers, media player buttons, web browser controls, email function controls, social-networking sites that enable information sharing, RSS feed icons, interactive graphs, charts, and other statistical media

A WIDGETS DASHBOARD

DOWNLOADABLE WIDGETS
• Ethical intent: to provide convenience to the user
• Unethical intent: to perform criminal or malicious acts on behalf of the perpetrator
• Widgets of unknown source should not be trusted
• Links or code within the widget can direct a user to a malicious Internet site or execute malicious code on the user's system
• Flawed code in widgets can be exploited by attackers

INVESTIGATIVE CONSIDERATIONS
• Inspect running processes on the system(s) in question (Task Manager)
• Check network connection status on the system(s) in question (netstat, Fport, etc.)
• Inspect log files (on workstations, servers, firewalls, routers, etc.) for suspect activity

VIRTUAL WORLDS
• Virtual communities consisting of social activities, financial transactions (Linden dollar), gaming, society, etc.
• The user is provided an avatar which interacts with other characters in the VW
• Being quickly populated by businesses: clothing, automobile, real estate, entertainment, banking, etc.

SAMPLE VIRTUAL WORLDS
Active Worlds, Coke Studios, Cybertown, Disney's Toontown, Dreamville, Dubit, Habbo Hotel, The Manor, Mokitown, Moove, Muse, The Palace, Playdo, Second Life, The Sims Online, Sora City, There, TowerChat, Traveler, Virtual Ibiza, Virtual Magic Kingdom, VoodooChat, VPchat, VZones, whyrobbierocks, Whyville, Worlds.com, Yohoho! Puzzle Pirates

VIRTUAL WORLDS
• Risks and threats in VWs are beginning to parallel those in reality
• Crime in VWs can impact reality
• Currency in VWs is purchased with money in reality: an unregulated international currency exchange
• Installation/spread of computer viruses, keyloggers and other malware
• ID harvesting
• Money laundering
• Fraud
• Theft
• Transactions can be conducted worldwide without the oversight that typically accompanies international bank remittances
• Local, national and international laws addressing activity in VWs are non-existent or immature

INVESTIGATIVE CONSIDERATIONS
• Check for the existence of VW client and/or server software
• Inspect web cache, history and favorites for VW-related activity
• Inspect network logs (firewalls, routers, IDS, etc.) for VW-related activity
• Check with the VW hosting service provider for activity logs

SEARCH ENGINES
• Powerful and fast
• It's all about what you're looking for
• Criminal needs include – but are not limited to: credit card numbers, passwords, bank account info, driver's license numbers, social insurance/security numbers

SEARCH ENGINES
Well known search engines: Google, Yahoo!,
Ask, AOL, HotBot, AltaVista, Kartoo
Check "Advanced Search" info for non-vanilla search techniques

POINT & CLICK GOOGLE HACKING
(screenshot slides, continued over several slides)

SOURCES OF EVIDENCE
• Browser cache files
• Browser history log
• Cookies
• Firewall logs
• Page file
• Slack space
• Unallocated space
EVIDENCE DETAIL
Search queries such as:
http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&safe=off&q=intitle%3A%22Index+of%22+%22.htpasswd%22+htpasswd.bak
http://www.google.com/search?ie=ISO-8859-1&q=inurl%3Ashopdbtest.asp&btnG=Suche&meta=

INVESTIGATIVE CONSIDERATIONS

WIRELESS NETWORKING
Pros:
• Convenient
• Mobility
• Cheap to implement
• Easy sharing
Cons:
• Initial wireless standards did not adequately address security
• Mass and quick implementations have not included security considerations
• Just about any information technology device can be wireless ... a criminal's dream come true.

WIRELESS DEVICES
Many opportunities for unauthorized access: hard drives, print servers, headsets, PDAs/cellphones, computers, routers, bridges, switches, repeaters, cameras

WIRELESS TERMS

WARCHALKING

WARDRIVING MAP – EDMONTON, ALTA

INVESTIGATIVE CONSIDERATIONS
Locate and identify wireless devices:
• May be concealed (ceilings, walls, drawers, etc.)
• Trace electrical connections to the end point; the device may be battery powered (self-contained)
• Field strength meter (triangulation)
• Software-based solutions (NetStumbler, Kismet, etc.)
Check log files associated with wireless devices:
• Most wireless devices are capable of generating and storing logs onboard

INVESTIGATIVE CONSIDERATIONS
• Check device configurations: MAC and IP addresses, SSID, etc. Most devices have HTML-based configuration interfaces
• Check for configuration details on the computer(s) used to configure the wireless device
• Check the registry and file system for indications/details of wireless devices and their use
• Others too numerous to mention

PREDICTIONS
What isn't about to slow down:
• Technology
• Consumers' utilization of technology
• Criminal use and exploitation of technology
• Investigators will continually need to increase their skills and knowledge in technological crime
• Law makers will eventually address most technology-based crime – enforcement is another matter

Regina Leader Post, Nov 22, 2007

QUESTIONS?

END
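The EVIDENCE DETAIL slide above shows what a "Google hacking" session leaves behind: search URLs in the browser history whose q parameter carries the operator-laden query. The following is an added example, not part of the talk, of pulling those queries back out of a history export and separating dork-style searches from ordinary ones. The history lines are constructed for the demo (the two Google URLs are the slide's own), and the engine-to-parameter table is an assumption to be checked against each engine.

```python
"""Recover search queries from browser-history URLs and flag search-operator
("dork") usage. Added example; not part of the talk."""
import re
from urllib.parse import urlsplit, parse_qs

# Which query-string parameter carries the search terms for each engine.
# Assumption for this example; verify against the engine's actual URLs.
QUERY_PARAMS = {"google": "q", "yahoo": "p", "bing": "q", "ask": "q", "altavista": "q"}

# Advanced-search operators that signal a targeted, non-vanilla search.
DORK_OPERATORS = re.compile(r"\b(all)?(intitle|inurl|intext|filetype|ext|site|cache|link):", re.I)


def search_engine(host: str):
    """Return the engine name if any label of the host names a known engine."""
    labels = host.lower().split(".")
    for name in QUERY_PARAMS:
        if name in labels:
            return name
    return None


def extract_queries(history_lines):
    """Parse each URL; keep those that are search-engine queries with non-empty terms."""
    found = []
    for line in history_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = urlsplit(line)
        engine = search_engine(parts.hostname or "")
        if engine is None:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        terms = params.get(QUERY_PARAMS[engine], [""])[0]   # parse_qs already decodes %xx and '+'
        if not terms:
            continue
        operators = sorted({m.group(0).lower() for m in DORK_OPERATORS.finditer(terms)})
        found.append({"engine": engine, "query": terms, "operators": operators, "url": line})
    return found


def dork_queries(history_lines):
    """Only the searches that used at least one advanced operator."""
    return [q for q in extract_queries(history_lines) if q["operators"]]


# Constructed sample of a history export, one URL per line. The first two
# Google URLs are the ones shown on the EVIDENCE DETAIL slide.
SAMPLE_HISTORY = """
# browser history export (constructed for this example)
http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&safe=off&q=intitle%3A%22Index+of%22+%22.htpasswd%22+htpasswd.bak
http://www.google.com/search?ie=ISO-8859-1&q=inurl%3Ashopdbtest.asp&btnG=Suche&meta=
http://search.yahoo.com/search?p=filetype%3Axls+%22credit+card%22&ei=UTF-8
http://www.google.com/search?q=weather+regina
http://www.example.com/index.html
""".splitlines()

if __name__ == "__main__":
    for q in dork_queries(SAMPLE_HISTORY):
        print(f"{q['engine']:8} {q['operators']}  {q['query']}")
```

The first slide URL decodes to the query intitle:"Index of" ".htpasswd" htpasswd.bak, i.e. a hunt for exposed Apache password files, which is exactly the kind of detail an investigator wants in the report rather than the raw percent-encoded URL. The same parsing applies to cache, cookie and page-file hits once the URL strings are carved out.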
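Two of the investigative points above come down to the same inspection: DETECTING IM & P2P says port 80 traffic must be checked to confirm it is really HTTP, and REMOTE ACCESS SOLUTIONS describes tunnels that hide sessions inside HTTP or inside ping packets. The following is an added example, not code from the talk, showing the kind of payload check a signature-based inspection engine performs on the first bytes of a port-80 flow and on ICMP echo payloads. The protocol signatures, the reference ping payloads and the entropy and size thresholds are assumptions for the demo; the sample packets are constructed.

```python
"""First-bytes protocol validation for port 80 and ICMP echo payloads.
Added example; not part of the talk."""
import math
import re
from collections import Counter

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")

# Signatures for protocols commonly pushed over port 80 to slip past a port-based firewall.
SIGNATURES = [
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("irc", lambda p: re.match(rb"^(NICK|USER|JOIN|PRIVMSG|PASS) ", p) is not None),
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", lambda p: len(p) > 5 and p[0] == 0x16 and p[1] == 0x03),  # TLS handshake record
]


def classify_port80(payload: bytes) -> str:
    """Name the protocol in the first client/server bytes of a port-80 flow."""
    if payload.startswith(b"CONNECT "):
        return "http-connect"      # syntactically HTTP, but it asks the server to open a raw tunnel
    if HTTP_REQUEST.match(payload) or HTTP_RESPONSE.match(payload):
        return "http"
    for name, matches in SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted tunnel data sits near the top of the scale."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Reference echo payloads (assumed defaults): Windows ping sends 32 bytes of
# "abcdefgh..."; Linux ping sends 56 bytes, an 8-byte timestamp then 0x10, 0x11, ...
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def linux_ping_pattern(payload: bytes) -> bool:
    body = payload[8:]
    return len(payload) == 56 and body == bytes(range(0x10, 0x10 + len(body)))


def icmp_echo_suspicious(payload: bytes) -> bool:
    """Flag echo payloads that look like carried data rather than a stock ping."""
    if payload == WINDOWS_PING or linux_ping_pattern(payload):
        return False
    return len(payload) > 64 or shannon_entropy(payload) > 4.0   # thresholds assumed for the demo


def inspect(packet: dict) -> str:
    """Verdict for one packet: {"proto": "tcp"|"icmp", "dport": int, "payload": bytes}."""
    proto, payload = packet["proto"], packet["payload"]
    if proto == "tcp" and packet.get("dport") == 80:
        kind = classify_port80(payload)
        return "ok" if kind == "http" else f"alert: port 80 carries {kind}"
    if proto == "icmp" and icmp_echo_suspicious(payload):
        return "alert: non-standard echo payload (possible ICMP tunnel)"
    return "ok"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"\x13BitTorrent protocol" + bytes(48)},
    {"proto": "tcp", "dport": 80, "payload": b"NICK zombie42\r\nUSER z 0 * :z\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"CONNECT mail.example:25 HTTP/1.1\r\n\r\n"},
    {"proto": "icmp", "payload": WINDOWS_PING},
    {"proto": "icmp", "payload": b"GET /c2 HTTP/1.1\r\n" + bytes(range(64))},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["proto"], pkt.get("dport", ""), inspect(pkt))
```

The check is deliberately about protocol conformance, not port numbers: the BitTorrent handshake, the IRC bot registration and the CONNECT request all arrive on port 80 and are all allowed by a port-based rule. Its limit is equally important for the remote-access case: a tunnel that wraps its data in well-formed POST requests passes the request-line test, so in practice this first-bytes check is paired with flow-level signals (request rate, sizes, destinations) rather than used alone.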