USSS History
Investigations:
• Secret Service Division began on July 5, 1865 in Washington, D.C., to suppress counterfeit currency.
• In 1867 Secret Service responsibilities were broadened to include "detecting persons perpetrating frauds against the government." This appropriation resulted in investigations into the Ku Klux Klan, non-conforming distillers, smugglers, mail robbers and land frauds.
Protection:
• In 1901, Congress informally requested Secret Service Presidential protection following the assassination of President William McKinley.
• In 1902, the Secret Service assumed full-time responsibility for protection of the President. Two operatives were assigned full time to the White House Detail.
USSS History
• In 1984 Congress authorized the Secret Service to further investigate Financial Crime violations relating to:
  • Credit/Debit cards
  • Computer and Telecommunications Fraud
  • Fraudulent Identification documents
  • Bank Fraud (access device fraud, advance fee fraud, electronic funds transfers, and money laundering)
  • Financial Institution Fraud
• Core Treasury Violations still under USSS jurisdiction under Homeland Security:
  • Counterfeit checks
  • Treasury Checks
  • Counterfeit Bonds
  • Counterfeit Money
  • P Notes
  • OMC Notes
  • Off-set
USA PATRIOT Act
• On October 26, 2001, President Bush signed into law H.R. 3162, the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001.”
• In drafting this particular legislation, Congress recognized the Secret Service philosophy that our success resides in the ability to bring academia, law enforcement and private industry together to combat crime in the information age.
• As a result, the U.S. Secret Service was mandated by this Act to establish a nationwide network of Electronic Crimes Task Forces.
Electronic Crimes Special Agent Program - ECSAP
• Early 1990s saw the need for Computer Specialists
• Treasury Computer Forensics Training Program
  • ATF (now under DOJ)
  • ICE
  • IRS
  • USSS
Electronic Crimes Special Agent Program - ECSAP
• Training
  • A+ Certification
  • Six weeks at FLETC
  • Hard Drive geometry
  • Operating Systems
  • Forensic programs
  • Practical Exercises
  • Court Testimony
  • Exams
Electronic Crimes Special Agent Program - ECSAP
• Advanced Certifications
  • ACERT / Network+
  • CISSP
  • NASA
  • Ernst and Young “Hacking” School
  • EnCase
  • FTK Boot Camps
  • ILook – IRS
  • Yearly training conferences
Electronic Crimes Special Agent Program - ECSAP
• 200 Deployed to the Field
• All sworn personnel
• Forensic Computer Exams
• Assistance for State and Local Law Enforcement
• Train state and local agencies
• Expert Witness Testimony
• Search Warrant Assistance
Electronic Crimes Task Force
• The concept of the ECTF is unique in that it brings together not only federal, state, and local law enforcement, but also prosecutors, private industry, and academia.
• The common purpose is the prevention, detection, mitigation, and aggressive investigation of attacks.
• Currently over 20 Electronic Crimes Task Forces and Electronic Crimes Working Groups spanning the entire nation.
New England Electronic Crimes Task Force
• USSS (MA, NH, RI, VT, ME)
• ICE
• DOT
• IRS
• ATF
• DOD
• Local Departments: Norwood, Medford, Boston, Cambridge.
Special Programs
• CERT – Carnegie Mellon
• Best Practices Guide for Law Enforcement
• Critical Systems Protection Initiative
• National Center for Missing and Exploited Children
High Tech Crime Trends
• Credit Card Skimming/Parasitic Devices
• Phishing Scams
• Network Intrusion
• Identity Theft
Phishing
• A form of identity theft in which deception is used to trick a user into revealing confidential information with economic value
• Term “phishing” coined in 1996 by hackers stealing AOL accounts by scamming passwords
• Origin of the term phishing comes from the fact that cyber attackers are “fishing” for data, while the “ph” is derived from “Password Harvesting”
• Involves harvesting of personal and financial account information
Phishing
• Usually accomplished through a response to unsolicited e-mail
• Victim believes the e-mail is from his/her bank or other institution accessed online
• Criminals take over accounts, transfer funds, duplicate credit cards, assume identities of victims, open new accounts, etc.
“Phished” Information Includes:
• Name, address, phone numbers
• Social Security number
• Date of birth
• Mother’s maiden name
• Account number
• Bank name
• Bank login information
• Login password
• Card expiration date
• Card Verification Value (CVV)
What Happens to the Phished Information?
• Account takeovers
• Identity theft
• Money laundering (through wire transfers)
• Credit card/ATM fraud (using duplicated cards)
• Fictitious online auctions
• Credit card number harvesting/internet posting
Typical Bank Phishing Scheme
• Website is created and placed on the internet (2-8 days)
• E-mails are generated
• Data is collected (54 hours)
• Accounts are taken over
• Funds are electronically transferred
• Funds are cashed out via Western Union, E-Gold account, or ATM card
• Funds are then re-deposited into accounts in Eastern Europe
Current Phishing Statistics
• Fastest growing and largest fraud scheme in U.S. history
• 65% of all phishing attacks occur against financial institutions
• The average phishing website is active less than 3 days after the phishing e-mail is launched
• Current phishing success rate is 5%
• Phishers are adapting their techniques to defeat security
Carding Websites and Networks
• Former Soviet Union and Eastern European States produce and launch malicious software
• “Mal-ware” intrudes into private financial networks and government institutions
• “Mal-ware” then extracts personal data; carding websites and networks are used to traffic in the stolen information
Carding Portals
• Carding Portals are like online bazaars, some with several thousand registered users
• Administrators screen potential members
• Potential members must prove their worth before being allowed entry
• Most are based in Former Soviet Union or Eastern European States
Carding Portals
• Activity occurs in forums similar to bulletin boards or on Internet Relay Chat (IRC)
• Registered users may post announcements of goods or services
• Portals allow users to contact one another through the site
• Hierarchical organization structure similar to “Mafia” organizations
Evolution of Card Data Sold
• 1990s: Plain Cards (Card Number, Expiration Date, Cardholder Name and Address)
• Early 2000s: CVV Data also Present
• Roughly 2002 On: Full Track Data (“Dumps”)
• Roughly 2004 On: Full-info Cards
  • Response to Increased Anti-fraud Measures
  • Allow Online Enrolls
• 2005: Increased Traffic Referencing “Verified by Visa” and “MasterCard SecureCode” Cards
Network Intrusion Attack Techniques
Information Gathering Attacks:
• Snooping - Simple traffic monitoring can yield tremendous amounts of information if the traffic is not encrypted. Done by compromising a router or other key infrastructure device that traffic flows through.
• Man in the Middle - Attacker redirects traffic to equipment the attacker owns, intercepts each message, reads it, and retransmits the intercepted message to the intended recipient.
• Trojan - Programs that masquerade as a benign tool. When executed, capable of mimicking standard login prompts that fool the user into thinking they are logging into their real account. After the username and password are entered, the Trojan records the information.
Network Intrusion Attack Techniques
Denial of Service Attacks:
• A single host can be used to generate large quantities of traffic, causing a target, or the network to which it is connected, to become so flooded that the target host becomes incapable of responding to valid requests.
Spoofing Attacks:
• Faking an IP address can allow firewalls to be bypassed, causing the traffic to appear to have originated from a source authorized to pass through the firewall.
• A spoofed IP address can also allow an attacker to conceal their own IP address, making it more difficult to trace.
Threats Can Be From Internal Sources
• Internal: the most expensive attacks come from inside (up to 10x more costly)
Source: CSI / FBI Security Study 2003
Threats Also Come From External Sources
• External: 78% of attacks come from the Internet connection (up from 57% in 1999)
Source: CSI / FBI Security Study 2003
How to Report an Attack
• Initiate company’s incident response plan.
• Make appropriate contacts within the company (i.e. management, legal, public relations, IT, etc.).
• Contain the attack.
  a) secure the area using physical security.
  b) victim company may “backup” the system.
  c) collect and preserve electronic evidence (floppy disks, CDs, skimmers, caller ID boxes, network activity logs!).
• Report the attack to US Secret Service.
Network Incident Report
• Assistance that is being requested.
• Type of incident (denial of service, malicious code or virus, intrusion).
• Type of service, information, or project compromised.
• Damage done (system downtime, cost of incident, number of systems affected).
Details for Denial of Service
• Apparent source IP address.
• Primary systems involved (IP address, Operating Systems versions).
• Method of operation:
  a) tool used
  b) packet flood
  c) malicious packet
  d) ports attacked
• Remediation performed
  - application moved to another system.
  - memory or disk space increased.
Details for Malicious Code
• Apparent source (diskette, CD, email attachment, software download).
• Primary systems involved (IP address, Operating Systems versions).
• Type of malicious code (virus, Trojan horse, worm).
• Remediation performed
  - Anti-virus product obtained, updated, installed.
  - New policy instituted on attachments.
  - Firewalls, routers, or email servers updated to detect and scan attachments.
Details for Unauthorized Access
• Apparent source (IP address, host name).
• Primary systems involved (IP address, Operating Systems versions).
• Avenue of attack:
  a) cracked password
  b) trusted host access
  c) vulnerability exploited
  d) hacker tool used
  e) social engineering
• Remediation performed
  - Patches applied.
  - Operating System reloaded.
System Analysis
• Mirror image of system
• Compare with previous back-up if available
• wtmp files
• History logs
• Message logs
• syslog
• Firewall logs
• Router logs
• Proxy server logs
System Analysis
• Examine all files run with cron
  • cron is an automation tool for logging
• Review the /etc/passwd file for alterations
• Unauthorized services
  • Backdoor access through known versions of finger, rsh, rlogin, telnet, etc.
System Analysis
• Check for sniffer programs
• Check for trojan horses
• Search for setuid and setgid files
  • Allow hacker to obtain root
• Search for + entries on non-local host systems
  • These would indicate incoming connection from a trusted system
System Analysis
• Look for unusual or hidden files
• Review all the processes currently running on the system
• Verify the above information with the system administrator or against a previous back-up
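The checks on the System Analysis slides above (altered /etc/passwd entries, "+" trust entries, setuid/setgid files, hidden files), turned into small shell triage helpers. This is an added example, not USSS material; the passwd, rhosts and directory contents it inspects are constructed sample data written to a scratch directory, and the file and account names in that sample are assumptions.

```sh
#!/bin/sh
# Triage helpers for the "System Analysis" checklist. Each function prints its
# findings so a responder can record them in the incident report.

# /etc/passwd alterations: any account other than root with UID 0 is a
# backdoor candidate and should be explained by the system administrator.
find_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# "+" entries in /etc/hosts.equiv or ~/.rhosts let any host (or any user)
# log in over rsh/rlogin without a password; report file:line for each.
find_plus_trust_entries() {
  grep -nE '^[[:space:]]*\+' "$@" 2>/dev/null
}

# setuid/setgid files outside the known baseline can hand an intruder root.
# Compare this list against a clean back-up of the same system.
find_setuid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Hidden (dot-prefixed) files in directories where none are expected.
find_hidden_files() {
  find "$1" -name '.*' -type f 2>/dev/null | sort
}

# Constructed sample data (hypothetical accounts and paths) so the checks can
# be exercised offline against a scratch directory instead of a live system.
make_sample_tree() {
  d=$(mktemp -d)
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd"
  printf 'bob:x:1000:1000::/home/bob:/bin/sh\n' >> "$d/passwd"
  printf 'toor:x:0:0::/:/bin/sh\n' >> "$d/passwd"      # second UID 0 account
  printf '# trusted hosts\n+ +\nhost1 alice\n' > "$d/rhosts"
  mkdir -p "$d/bin" "$d/tmp"
  : > "$d/bin/legit"
  : > "$d/bin/shady"
  chmod 4755 "$d/bin/shady"                            # setuid bit set
  : > "$d/tmp/.hidden_tool"
  echo "$d"
}

# Stand-alone run: build the sample tree and report on it.
if [ "${RUN_TRIAGE_DEMO:-0}" = "1" ]; then
  D=$(make_sample_tree)
  echo "UID 0 accounts:";  find_uid0_accounts "$D/passwd"
  echo "+ trust entries:"; find_plus_trust_entries "$D/rhosts"
  echo "setuid/setgid:";   find_setuid_files "$D/bin"
  echo "hidden files:";    find_hidden_files "$D/tmp"
fi
```

Run with `RUN_TRIAGE_DEMO=1 sh triage.sh` for the demonstration; on a real system point the functions at `/etc/passwd`, `/etc/hosts.equiv`, users' `.rhosts` files and `/`.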
Useful Information
• Network topology
• Configure to prevent as many security holes as possible
• Observe and detect anomalous behavior
• Prevent the attacker from capitalizing on the attack
• Eliminate the attacker’s access to the system
• Recover the integrity of the network
• Follow-up with lessons learned
Operation Firewall
Case involving the illegal sale of financial account information, credit cards, passports, driver’s licenses, birth certificates, Social Security cards, insurance cards and diplomas using the internet.
• 33 Arrests (24 US, 9 overseas)
• 27 Search Warrants
• 11+ Plant seizures
• 100+ Individual Computers Seized
• Anticipated future arrests and search warrants both within the United States and overseas
Case Study 1: Wholesale Club Wireless Access Vulnerability
• Inventory Control system used wi-fi bar code readers
• System installed did not utilize built-in encryption or security features.
• Access to network was wide-open to any user in store parking lot with laptop computer and wi-fi access.
Case Study 1
• Access to inventory system allowed mainframe access.
• Exploit posted by criminal groups on forums
• Hundreds of thousands of credit cards and accounts stolen, and the information used for identity theft and counterfeit credit cards
Case Study 2: Law School
• Rogue employee (Office Manager) who was a prior felon and had access to sensitive data.
• Access to employee accounts and school credit cards
• Used information obtained to apply for more credit cards
• Employee ran a travel agency, used stolen funds to purchase airline tickets and cruises
• Was hired even though she had prior felony convictions
Case Study 3: Boston based Investment Firm
• Employee who was employed in the mailroom had access to customer account information from documents he observed
• Used information to transfer money out of customer accounts
• Had gambling addiction, used stolen funds to pay off debts
• Several thousand dollars of customer funds were stolen
Case Study 4: Boston based Real Estate Investment Firm
• Employee stole legitimate corporate checks from employer
• Checks were counterfeited using the bank account of the corporation
• Hundreds of thousands of dollars were taken over a period of time
• Money was used to purchase Mercedes vehicles and properties in New York and Massachusetts
Prevention
• The guiding principle of the Electronic Crime Task Force’s approach to both our protective and investigative missions is our “focus on prevention”.
• “Harden the target” through preparation, education, training and information sharing.
Prevention
• Proper development of business policies and procedures before the incident.
• Strong documentation and reporting practices starting at the beginning of the incident.
• Internal computer forensics and log analysis.
• Technical briefings for law enforcement during the entire course of the investigation.
• Victim loss documentation and assistance in trial preparation.
Security Suggestions
• Capture logs on another system
• Rename logs periodically
• Encrypt log files
• Analyze logs on a routine basis
• Use additional monitoring programs to corroborate log information