Fraud Committee Briefing for TFO Day 2

Techno Fraud, Cyber Crime and Phantom Phreaks

Introduction of Committee Members
• Ade Banjoko, Fraud Manager, Zain Nigeria, African Chair for GSMA Fraud
• Pamela Noriega, Revenue Assurance and Fraud Manager, Nuevatel Bolivia
• Md Faizur Rashid, Fraud Management, RA, Finance, Digi
• Awwad Badee, Revenue Assurance Supervisor, Wataniya
• Jan van der Steen, Manager, General Risk, Ernst and Young
• Garry Brown, Business Risk, Digicel Group
TFO Day 2: Network and Technical Frauds
• Day 2 focuses on Deterrence and Detection for the network and technical domains
  - how to stop/prevent fraud in these domains
  - how to find fraud and address it (prosecute, etc.)
• Probably the largest exposure of the telco
• Because of the nature of frauds (nested exploits, exploit chains), the network and technical domains are where many frauds originate in the form of exploits (fraudsters require access!)
• Can’t assure or investigate domains you don’t understand – but the body of knowledge is huge, so how to tackle it?
Housekeeping
• Had some e-mail problems, so some documents got to you late
• Thank you for returning our NDAs; those that haven’t, please submit them by the next meeting
• Thanks as well for your help with our press release as well as your pictures and bios – those who haven’t yet, please do so
• Will keep all panelists muted for recording – if you want to ask a question, the best way is to type in the “chat” box, and I will unmute you

Housekeeping (cont.)
• The purpose of the meeting is to ask and answer questions, so don’t feel like you’re interrupting
• I will be going over the slides fast; tell me if there’s an area where you want more elaboration
• The committee has to decide how to spend our time during meetings, whether we review material or have a conversation (preferably both!) – my role is simply to facilitate and update you on the details as they become available
• Copies of slides will be posted/e-mailed after the meeting
Large Positive Effect of Committee Feedback
• You should not underestimate how valuable your expert feedback is – it has definitely caused us to rethink and reconsider many aspects of the program
• Most crucial are Ade and Pamela’s points, that the program has to focus on Detection and Deterrence – finding fraud and preventing fraud
• Jan’s point about de-emphasizing fraudster profiling is well taken
  - it is important for occupational fraud, so we’ll address it quickly in Day 1 and some in Day 3, otherwise mostly in the context of cases
  - As it is we focus much more on situational profiling – how processes should run
  - That said, behavior patterns are crucially important
Large Positive Effect of Committee Feedback (cont.)
• In our initial conversations, Ade, Pamela (and some others) brought up issues with privacy and the use/sharing/abuse of customer data, and we are shifting more emphasis onto that (Day 2 Hacking, Day 3 CRM, Day 5 Coerced Accessory)
• At Ade’s suggestion, we’ve also added a significant section on M-Commerce, including coverage of illegal money laundering schemes that abuse such systems as M-Pesa and G-Cash (Day 5)
Large Positive Effect of Committee Feedback (cont.)
• The discussion we had on forensics and data analysis was also very useful
• Pamela is exactly right that forensics and identification of MVPs (Most Vulnerable Processes) need more emphasis, and we will talk about that in more detail in today’s briefing for Day 2, and for Day 5
• There is now also a forensic element to each of the Days
• But Jan’s point is also well taken, that our certification has to be of professional practices, rather than software instruction
• The training is going to focus on fundamental processes (much as we do for revenue assurance), though we will certainly talk about how fraud management systems add value to that process
• But in order to stay away from being vendor/software driven, and to maintain independence and integrity around this process, professional practices have to come first
Mutually Supportive Committee Process
• We are extremely happy with the role the committee is currently playing in helping guide us through this process
• It is clear that the program has gotten much stronger since this process began
• It is in our interests to make sure all of you get as much benefit from this process as possible
• Any ideas/requests you have for promoting your leadership in the committee, we will be eager to implement
Day 2 Key Concepts
• Large amount of ground to cover, huge amount of knowledge and material
• However, in many cases there already exist relatively well defined approaches, procedures and security standards
• Again, it is not the TFO’s job to know everything, but to understand the breadth of telco fraud and be able to ensure it is being addressed
• Domains and cross-domain vulnerabilities
• Most Vulnerable Processes (MVP)
• Hardening and Honeypots
DAY 2 schedule – Techno Fraud, Cyber Crime and Phantom Phreaks
(Slides = slide count; Minutes = time allotted; Cum. = running total)

Session                                             Slides  Minutes  Cum. min  Cum. hrs
d2p01 Network Domains - Introduction                    45       30        30      0.50
d2p02 Media, Delivery and Topology                     193       90       120      2.00
Coffee                                                           15       135      2.25
d2p03 Methods of Access and Attack                      20       15       150      2.50
d2p04 Hacking and Phreaking                             84       45       195      3.25
Lunch                                                            60       255      4.25
d2p05 BSS Domain (I/T, COBIT, Audit and Security)      134       60       315      5.25
d2p06 CORE                                              68       45       360      6.00
d2p07 CELL                                             148       45       405      6.75
Break                                                            15       420      7.00
d2p08 LAN                                              108       45       465      7.75
d2p09 WEB                                              113       45       510      8.50
d2p10 Honeypots and Hardening                           33       30       540      9.00
Total                                                           540                9.00
Introduction
• The network is the telco’s largest exposure
• The telco also has security responsibilities to Law Enforcement and National Security (users must be accountable rather than anonymous)
• Because customers have access, and there is a large volume of transactions, networks have to be managed/automated
• Importance of the Fraud Management Systems
• Five discrete network domains

Network Domains
• Core Network
• BSS Systems
• Cell Phones
• Internet Cloud
• LAN/WAN
Domain/Cross-Domain Hacking
• Examples of single domain hacks: tee-in, triggerfish, altering B-number routing table, website hacking, WEP hacking
• Domain specialists tend to have expertise in their area
• Unfortunately the majority of exploits/exploit chains involve more than one domain
• Systems are most vulnerable where domains intersect – junctions where expertise/jurisdiction is hazier, less well defined
• Examples: DDoS, hacking private lines, PBX hacking, Magicjack Bypass
But It’s Not the TFO’s Job to Know Everything
• As with RA, you don’t do everything, you make sure it’s done
• However, the TFO does need to understand Standards Checks across Network Domains for Compliance:
  - Normative Architecture and Operations
  - AAA – Authentication, Authorization, Accounting
  - MOA (Methods of Access)/POA (Points of Access) – the points most often used to compromise systems/bypass AAA
  - Exploit profiles
  - Domain standards/standards bodies
  - Controls, Institutional treatments, Investigative techniques
Hackers
• Unauthorized users: hackers, former employees, consultants
• Authorized users: employees, consultants, clients
• Forms of hacking:
  - The alteration or copying of system input.
  - The theft of processing capabilities due to unauthorized use.
  - The unauthorized duplication, deletion, modification, or installation of software.
  - The unauthorized duplication, deletion, or modification of data.
  - The theft or misuse of system output.
Common Hacks
• Former employees utilizing acquired usernames/passwords, logic bombs
• Current employees using/exceeding authorization to steal client or customer information
• Stealing data (credit card numbers, financial information)
• Installing/modifying software
• Using a high level of technical expertise to steal passwords, install software, delete data/software, or activate a virus rendering systems unusable for a period
• Theft of computer time, input fraud, output fraud
• More often than not, standards/organizations exist to protect against these – enabling insurance
A Network Perspective on Fraud
• A large number of Frauds are network related
  - Both directly, and within Nested Exploits
• While the variance of specific technologies is immense, the fraud vulnerabilities are quite narrow and consistent across the different network domains
• Objective: Identify the common, systematic approach that can be applied across domains
• Key: Media, topology, control protocol
Media
• Wired/Wireless
  - Most obvious/easiest method of ingress
• Nested relationships
  - LAN – Wireless, Wireline
  - CORE – Wireless, Wireline
  - WEB – Wireless, Wireline
  - CELL – Wireless, Wireline
  - BSS – Wireless, Wireline
• Transport media (Cabling): Copper, twisted pair, coax, fiber

Wireless (RF) Technologies
• GSM / 3G
• CDMA / WCDMA
• LMDS / MMDS
• Microwave
• WiFi
• WiMax
• Satellite
• Pager
• GPS Tracking

Media by Network Domain
• WEB – Fiber, Coax, GSM, CDMA, 3G, GPRS
• CORE – Fiber, Copper, Microwave, WiMAX
• LAN – Copper, WiFi
• BSS – Fiber, Copper, Coax, WiFi
• CELL – GSM, CDMA, GPRS, UMTS
Topology and Architecture
• Types of devices
  - It takes a large number of different types of devices and equipment to support a telecommunications network
  - The major categories of equipment include: Cabling, Transport devices, Switching devices, Specialty devices

Networking
• What are ports, how do they work, TCP/IP
• Proxy servers, what they are, how they work
• Firewalls, NAT (network address translation)
• Buffer overflows

Network Topology
• Basic units
  - Trunks – the cabling itself
  - Rings – organization of network elements to create a closed loop of network traffic
  - Spurs – a branch off of a ring that does not close the loop
• Circuit switch topology
  - Where are the major switches to be located?
  - How will they connect to other carrier networks?
• Transport topology
  - Where and how will rings be organized?
  - Design for volume of traffic and consolidation
• Access topology
  - How will customer end points be connected to the network?
Network Incursion
• Common Approaches to the Five Network Domains
• Methods of Access (MOA), Vulnerabilities
  - Physical Access (media penetration)
  - Bypass/Deception: Authentication, Authorization, Accounting
  - Manipulation: Reference Data (File/DB), Program Code, Control Protocol Misdirection

Methods of Incursion
• Accessory, Brute Force, Deception (Social Engineering)
• Physical Access – Standard Ingress (hi-jack, fool the system) and Forced Ingress (jack-in, tee-in/splice/firewall penetration)
• Authentication Override
• Authorization Override
• Accounting Override
• Reference Data Corruption
• Program Corruption
• Control Protocol Intercept/Bypass

Network Fraudsters
• Methods of Conversion (MOC)
  - Theft of Service: use a service without paying
  - Diversion of Service: use a service to do something other than what it was intended to do
  - Abuse of Service: use a service to do something it is not legal to do
  - Denial of Service: deprive others of a service they have a right to
• Network Fraudster Sequence
• Fraudster Logic – The Professional
• Fraudster Logic – The Tourist
Hacking and Phreaking
• Phreaking (phone hacking) is the process of identifying and exploiting vulnerabilities in the telecommunication network infrastructure in order to bypass billing AND tracing of activities, used by
  - Criminals
  - Terrorists
  - Tourists
• Phreaking rules, how to phreak, history/etymology of phreaking
• Computers, toll fraud, diverters, Boxes, ANAC numbers, iPhone hack, hacking Cell VMBs
• Surveillance software/hardware, keystroke grabbers etc.

Hacking and Phreaking (cont.)
• Hacking
  - White Hats and Black Hats, crackers, script kiddies
  - Patriot Hacking
  - GhostNet (network spying uncovered March 2009)
  - PC Cracking, Back Orifice, Netbus, Sub7
• Detecting Phreaks
  - Sophisticated line monitors to detect the “bypass” signal and other network diagnostics are the key
  - Funny looking CDRs
  - Gross Tally Counts that are off with no explanation
  - Variance in traffic levels versus revenue levels
  - Anomalies in patterns for particular switches or lines
• Hacker characteristics and communities
• Key methods of attack
(BSS) Business Support Systems
• Mainframes/“Big Iron”, environment of systems
  - Accounting systems
  - Customer management (CRM) systems
  - Product management systems
  - Vendor management systems
• Characteristics, Types of Systems, Appliances, Control Protocols, Vulnerabilities

BSS Systems Domains include:
• Billing systems
• All components of the Revenue Management Stream (see CORE)
• Accounting Systems (Day 3)
• CRM Systems (Day 3)
• Supply Chain (Day 3)
• Administrative and Regulatory (Day 5)
• MVP (Most Vulnerable Processes)
  - File and DB Storage
  - Any program or system that handles money
Why, and Who?
• Most vulnerable because of:
  - Breadth, depth and scope of systems
  - Size of systems
  - Number of people authorized to view information
  - Number of people authorized to work on systems
  - Number of people authorized to access and change information
  - Chaotic lack of structure and controls overall
  - Far worse in telcos than in most organizations
• BSS Fraudster Profiles
  - Programmers
  - Administrative/Clerical Staff
  - Accounting Personnel
  - Contractors
  - Executives

BSS Case Studies
• Why employees commit fraud
• The challenge of conversion
• Often the result of collusion or lax controls/compliance
• Examples:
  - The money machine
  - A Startup Booster
  - The case of the Holey Tapes
  - Premature Acquisition
  - Free Calls for Mom
  - I Buy, You Pay
• Case Discussion
Prevention
• Existing security standards
  - ISO-17799 – International Standards Organization
  - COBIT – Control Objectives for Information and Related Technologies
  - ITIL
  - ISF (Information Security Forum) – Standard of Good Practice (SOGP)
  - SANS

Hierarchy of issues
• Identification – Who are you?
• Authentication – Can you prove it?
• Authorization – What are you allowed to do?
• Auditing – What did you do?
• Integrity – Is it tamperproof?
• Privacy – Who can see it?
• Non-repudiation – Can I prove that you did what you said that you did?
(Slides dated 2/10/2010)

Things to Manage
• Identity Management
• Access Management
• Security over files / databases
• Security over programs
• New Development
• Change Management
• Incident Management
  - Capture, Disposition, Tracking
• Change Management

Ways to Manage
• Security Policy
• Physical Access Security
• Logical Access Security
• Incident Management Discipline
• Change Management Discipline

More Details On…
• Incident Management
• Controls and monitoring
• Change Management
• Cases
• Exercises
• SoGP (Standards of Good Practice)
• ISO
• CoBIT
(CORE) Wireline
• PSTN (Public Switched Telephone Network)
• The NOC
• Network Components
• Variations
  - Leased Line
  - Frame Relay
  - Interconnect
• Interconnect differences, architectural components, appliances, control protocol

Attacks/Vulnerabilities
• Most Frequent Attacks
  - Theft of Service
  - Denial of Service
  - Fraudulent Anonymity
  - Averse Accessory: Terrorism, Criminal Activity
• Most Vulnerable Points
  - Instream Abuse (Control Protocol)
  - Internal Reference Data
  - Customer End Device
  - Junctions/Gateways
  - Tee In / Signal Intercept

Major Attack Zones
• SS7
• Employee/Hacker Manipulation
• Physical Incursion
• Logical Incursion

Methods of Access
• Physical Forced Incursion
  - Tee-In
  - Junction Box (clip on)
  - Splice In
  - Gateway Hack
• Logical Incursion
  - Credential-ized (Illegally Acquired Real Credentials)
  - Hacked Credentials
  - AAA Bypass (Cracked Radius)
  - Firewall Bypass (Cracked Port)

Methods of Execution
• Modify Files/Databases
• Modify Transaction Streams
• Modify Transaction Data

Principal Conversions
• Free Service
• Theft for Use
• Theft for Cash-Out
• Anonymous Service
• Terrorism
• Mischief

Much More Detail On…
• Cases
• SS7 Vulnerabilities, Approaches and Security
• Physical Incursion
• Misc. Vulnerabilities
(CELL) Wireless
• Half the network is exactly like CORE – the rest is the radio side
• Wireless is:
  - Circuit based
  - Utilizes the same backbone, interconnect and routing technology as wireline
  - But with different security issues
• Architectural components: MSC, Transit switch/routing devices, Radio side (BTS/BSC)
• Control protocols
• Wireless switching
• POI/POV (points of ingress/vulnerability)
• Appliances: SMSC, MMSC, WAP Server, GPRS, Radius Server (see IP), IN

Domains Include
• “Old Technology” – AMPS
• “Current Technology”
  - GSM
  - CDMA
• “New Technology”
  - WiMax
  - 3G

Major Attack Zones (over OSS)
• Prepaid Systems
• Handsets and SIMs
• Business Model Complexities

Most Frequent Attacks
• Theft of Service
• Averse Accessory
• Criminal Anonymity
• Wireless “Cons”

Fraudster Profiles
1. Criminals / Terrorists
2. Customers – Opportunists
3. Employees
4. Hackers
5. Consultants
Collusion is Common

Special Cell Phone Vulnerability
• Cloning
  - GSM – SIM
  - CDMA
• Radio Intercept
• Baby Monitors
• Handset Hijackers
• WAP Gateway
• Handset Strippers
• Bluetooth, WiFi, IR

Service Profiles
• Prepaid
• SMS
• Content
• GPRS

More Detail On…
• Cases
• Wireless AAA
  - CDMA (Clones, CAVE, A-key, SSD, AC, VLR, MS)
  - GSM (Spoofing, false BTS, Identity Caching, bypass encryption, IMSI, PIN, PUK, HLR, VLR, AUC, multi-SIM)
• Detection
  - Customer complaints
  - CDRs without valid ESN
  - ESN with many IMSI
  - IMSI with many ESN
  - Multiple simultaneous calls on the same IMSI
• Account Alteration (Deterrence, Detection)
• Other Frauds
  - WAP, Text intercept, theft from handset, handset hijack
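The four record-level clone-detection checks listed under the CELL “Detection” bullets (CDRs without a valid ESN, one ESN seen with many IMSIs, one IMSI seen with many ESNs, and simultaneous calls on the same IMSI) as runnable checks over a constructed batch of CDRs. This is an added example, not material from the briefing or the RA Academy program; the pipe-delimited record layout, the “eight hex digits” ESN validity rule and the sample records are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample CDRs, pipe-delimited as imsi|esn|switch|start|end.
# The layout is an assumption for this example, not a real switch export format.
SAMPLE_CDRS = """\
310150123456789|A1B2C3D4|MSC1|2010-02-10T08:00:00|2010-02-10T08:05:00
310150123456789|A1B2C3D4|MSC1|2010-02-10T08:10:00|2010-02-10T08:12:00
310150123456789|FFEE0011|MSC2|2010-02-10T08:11:00|2010-02-10T08:20:00
310150999999999||MSC1|2010-02-10T09:00:00|2010-02-10T09:03:00
310150555555555|A1B2C3D4|MSC3|2010-02-10T09:30:00|2010-02-10T09:45:00
310150777777777|0000BEEF|MSC3|2010-02-10T10:00:00|2010-02-10T10:01:00
"""

# Assumed validity rule for this example: an ESN is eight upper-case hex digits.
ESN_RE = re.compile(r"^[0-9A-F]{8}$")

Cdr = NamedTuple("Cdr", [("imsi", str), ("esn", str), ("switch", str),
                         ("start", datetime), ("end", datetime)])


def parse_cdrs(text: str) -> List[Cdr]:
    """Turn the pipe-delimited lines into Cdr records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        imsi, esn, switch, start, end = line.split("|")
        records.append(Cdr(imsi, esn, switch,
                           datetime.fromisoformat(start),
                           datetime.fromisoformat(end)))
    return records


def cdrs_without_valid_esn(cdrs: List[Cdr]) -> List[Cdr]:
    """Records whose ESN is missing or malformed."""
    return [c for c in cdrs if not ESN_RE.match(c.esn)]


def esn_with_many_imsi(cdrs: List[Cdr], threshold: int = 2) -> Dict[str, Set[str]]:
    """ESNs seen with at least `threshold` distinct IMSIs (one handset, several identities)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for c in cdrs:
        if ESN_RE.match(c.esn):
            seen[c.esn].add(c.imsi)
    return {esn: imsis for esn, imsis in seen.items() if len(imsis) >= threshold}


def imsi_with_many_esn(cdrs: List[Cdr], threshold: int = 2) -> Dict[str, Set[str]]:
    """IMSIs seen on at least `threshold` distinct ESNs (one subscription, several handsets)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for c in cdrs:
        if ESN_RE.match(c.esn):
            seen[c.imsi].add(c.esn)
    return {imsi: esns for imsi, esns in seen.items() if len(esns) >= threshold}


def simultaneous_calls_same_imsi(cdrs: List[Cdr]) -> List[Tuple[str, datetime, datetime]]:
    """(imsi, start_a, start_b) for each pair of calls on one IMSI whose time windows overlap."""
    by_imsi: Dict[str, List[Cdr]] = defaultdict(list)
    for c in cdrs:
        by_imsi[c.imsi].append(c)
    hits = []
    for imsi, calls in by_imsi.items():
        calls.sort(key=lambda c: c.start)
        for i, a in enumerate(calls):
            for b in calls[i + 1:]:
                if b.start >= a.end:
                    break  # sorted by start, so no later call can overlap a
                hits.append((imsi, a.start, b.start))
    return hits


def run_checks(text: str = SAMPLE_CDRS) -> Dict[str, object]:
    """Run all four checks over one batch and return the hits keyed by check name."""
    cdrs = parse_cdrs(text)
    return {
        "no_valid_esn": cdrs_without_valid_esn(cdrs),
        "esn_many_imsi": esn_with_many_imsi(cdrs),
        "imsi_many_esn": imsi_with_many_esn(cdrs),
        "simultaneous": simultaneous_calls_same_imsi(cdrs),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

Each check is a candidate for a fraud management system rule; in practice the thresholds are tuned per network, and a hit on more than one check for the same IMSI is a much stronger clone indicator than any single one.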
LAN/WAN Topology
• Definitions, what are they, how do they work
• WLAN, stations, access points, Basic Service Set (BSS)
• Architecture: clients, servers, routers
• Control protocols
• POV/POI:
  - Wireless Access (with/without WEP)
  - Physical Port
  - Client Security
  - Server Security
  - Appliances/Applications

LAN Vulnerabilities
• Often no professional management of platforms or networks
• Connectivity via Internet and Wireless LANs
• Windows / Ethernet dynamic configuration (hook in anywhere)
• Major Attacks
  - Viruses, Worms, Trojans
  - Hacks

Most Frequent Attacks
• Malice – Denial of Service
• Privacy – Theft of Information
• Blackmail – Extortion
• BSS – Entry Point (bypass BSS security)
• Mini-BSS – Application Servers

Getting In
• Cracking WLAN (WEP Decrypt)
• Cracking WLAN/LAN – Router Firewall Crack
• Cracking PC at keyboard
• Cracking PC via Bluetooth
• Cracking Office Files
• Other issues:
  - P2P
  - Anti-virus
  - Windows hacks
  - Office, Browser hacks
(WEB) Internet Cloud
• IP applications:
  - Backbone (internal)
  - Transit (internal)
  - ISP (Internet Service Provider): DialUp, DSL, Cable
  - VOIP
  - Wireless (WAP/GPRS/MMS)
• Control Languages, Internet commands

Principal Components/Vulnerabilities
• Outside of cloud
  - Clients – PCs, Mainframes – Users of Services
• Access to cloud
  - Agent ISP (sells access to clients – connects to ISP)
  - Core ISP (true Internet Service Providers)
• Inner Cloud
  - Internet Network Nodes
• POI/POV:
  - Client Vulnerabilities
  - Network Vulnerabilities
  - Server Vulnerabilities

Appliances/Applications
• Firewalls
• Radius Servers (AAA devices)
• Gateways
• IMS (Integrated Multi-Media Service)
• UMTS (Universal Mobile Telecommunications Service)

Domains of Interest
• The Telco’s Own Systems represent exploit opportunities for fraudsters
  - Telco Own Websites
  - Telco Operations on Web (POS, Web Top Up)
  - Telco Own Internal Operational Systems
  - Telco Employee Functional Systems (Inventory Management, Salesman Tracking)
  - Telco Own Consumer Grade Attack on Employees
  - Attack on internal systems via Internet
  - Denial of Service Attack on Telco

Domains of Interest – 2
• Averse Accessory
  - Telco Liability for violation of systems that telcos provide to customers
  - Telco Liability when fraudsters use telco facilities
  - Denial of Service attack on customer

WEB Most Common Attack Points
• Internet Penetration Mechanisms
• Robots, Brute Force and other attacks
  - Zero Day
  - Web Site Drivers
  - VPN
  - SQL Injection Attacks
  - PHP File Include Attacks
  - XSS Attacks
  - Client Side Exploit Scheme
  - IM
  - Email Drivers
  - VOIP

Top Trends
• Client Side Applications Unpatched
  - Number one vulnerability
• Internet Facing Websites
  - 60% of Cases
  - Convert trusted site into averse accessory
  - 80% – XSS / SQL Injection

Robots and Brute Force Attacks/Vulnerabilities
• Bad Robots
  - Bot-trap – A Bad Web-Robot Blocker
• Website Vulnerabilities
  - Zero-day attacks
  - Web Applications
• Attacks
  - Phishing
  - Dump Hashes
  - Exfiltration
Major Approaches
• Defensive
  - Hardening
    - The expression used to describe the process of refining your servers and other equipment to help make them more hack-proof
    - Server hardening consists of creating a baseline for the security on the servers in your organization.
• Offensive
  - Traps, Honeypots and Diagnostics

Hardening perspectives:
• Servers
• OS
• OU
• SANS – Top Hardening Checklist
• Chuvakin’s Hardening
• Military perspective
• Honeypots
SANS – Top Hardening Checklist
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
Chuvakin’s Hardening

Component  Action
1          Minimize Installed Software
2          Patch the System
3          Secure Filesystem Permissions
4          Improve Login / User Security
5          Set Physical and Boot Security Controls
6          Secure Daemons via Network Access Controls
7          Increase Logging and Auditing
8          Use IDS (Intrusion Detection System) and Firewall
Alternative to “High Walls”
• Build “Low Walls” in a controlled environment
• Use the intrusion as a way to lure violators in and build a case for prosecution, or for a better understanding of vulnerability and capability
• “ShadowCrew” case – two years to build up evidence in order to STOP them.
• An immediate attack would result in retrenchment
• You don’t want to make the fraudster smarter with no consequence to them
What is a HoneyPot?
• False information servers that are strategically placed in a network, which are set up with false information disguised as files of an important nature.
• Configured in a way that is difficult, but not impossible, for an attacker to break into.
• This condition is made notable by exposing the servers deliberately and making them highly attractive for a hacker in search of a target.
• The final set-up stage of the server consists of loading it with monitoring and tracking tools whose purpose is to record and report every step and trace of activity left by a hacker, indicating those traces of activity in a detailed manner.

Purpose of a Honeypot?
1. To distract the attention of the attacker from the real network, in such a way that the main information resources are not compromised
2. To capture new viruses or worms for observation
3. To build attacker profiles in order to dissect and study their methods, in a way similar to the criminal profiles used by law enforcement agencies in order to identify a criminal’s modus operandi
4. To pinpoint emergent vulnerabilities and risks of different operating systems, environments and programs which are not thoroughly identified at the moment
More information: http://www.raacademy.org/Workshops/FraudOfficer/main/main.htm
Upcoming Events: http://www.ra-academy.org/upcomingevents.htm