computer crime n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Computer Crime PowerPoint Presentation
Download Presentation
Computer Crime

Loading in 2 Seconds...

play fullscreen
1 / 77

Computer Crime - PowerPoint PPT Presentation


  • 145 Views
  • Uploaded on

Computer Crime. COEN 1. Classification. Computers as an instrument of crime Check forgery Child pornography e-auction fraud, identity theft Phishing most criminal activity Computers as a target of a crime Intrusion botnets for spamming Identity theft Alteration of websites.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

Computer Crime


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. Computer Crime COEN 1

    2. Classification • Computers as an instrument of crime • Check forgery • Child pornography • e-auction fraud, identity theft • Phishing • most criminal activity • Computers as a target of a crime • Intrusion • botnets for spamming • Identity theft • Alteration of websites

    3. Email Investigations: Overview • Email has become a primary means of communication. • Email can easily be forged. • Email can be abused • Spam • Aid in committing a crime … • Threatening email, …

    4. Email Investigations: Overview • Email evidence: • Is in the email itself • Header • Contents • In logs: • Left behind as the email travels from sender to recipient. • Law enforcement uses subpoenas to follow the trace. • System ads have some logs under their control. • Notice: All fakemailing that you will be learning can be easily traced.

    5. Email Fundamentals • Email travels from originating computer to the receiving computer through email servers. • All email servers add to the header. • Use important internet services to interpret and verify data in a header.

    6. Email Fundamentals • Typical path of an email message: Mail Server Client Mail Server Client Mail Server

    7. Email Protocols: • Email program such as outlook or groupwise are a client application. • Needs to interact with an email server: • Post Office Protocol (POP) • Internet Message Access Protocol (IMAP) • Microsoft’s Mail API (MAPI) • Web-based email uses a web-page as an interface with an email server.

    8. Email Protocols: • A mail server stores incoming mail and distributes it to the appropriate mail box. • Behavior afterwards depends on type of protocol. • Accordingly, investigation needs to be done at server or at the workstation.

    9. Email Protocols:

    10. Email Protocols: SMTP • Neither IMAP or POP are involved relaying messages between servers. • Simple Mail Transfer Protocol: SMTP • Easy. • Has several additions. • Can be spoofed: • By using an unsecured or undersecured email server. • By setting up your own smtp server.

    11. Email Protocols: SMTPHow to spoof email telnet endor.engr.scu.edu 25 220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 14:58:49 - 0800 helo 129.210.16.8 250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [129.210.19.198], please d to meet you mail from: jholliday@engr.scu.edu 250 2.1.0 jholliday@engr.scu.edu... Sender ok rcpt to: tschwarz@scu.edu 250 2.1.5 tschwarz@scu.edu... Recipient ok data 354 Enter mail, end with "." on a line by itself This is a spoofed message. . 250 2.0.0 jBSMwnTd023057 Message accepted for delivery quit 221 2.0.0 endor.engr.scu.edu closing connection

    12. Email Protocols: SMTP Return-path: <jholliday@engr.scu.edu> Received: from MGW2.scu.edu [129.210.251.18] by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800 Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066443608@MGW2.scu.edu> for <tjschwarz@scu.edu>; Wed, 28 Dec 2005 15:00:29 -0800 X-Modus-BlackList: 129.210.16.1=OK;jholliday@engr.scu.edu=OK X-Modus-Trusted: 129.210.16.1=NO Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34]) by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057 for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800 Date: Wed, 28 Dec 2005 14:58:49 -0800 From: JoAnne Holliday <jholliday@engr.scu.edu> Message-Id: <200512282300.jBSMwnTd023057@endor.engr.scu.edu> this is a spoofed message. This looks very convincing. Only hint: received line gives the name of my machine. If I were to use a machine without a fixed IP, then you can determine the DHCP address from the DHCP logs.

    13. Email Protocols: SMTPHow to spoof email • Endor will only relay messages from machines that have properly authenticated themselves within the last five minutes. • Subject lines etc. are part of the data segment. However, any misspelling will put them into the body of the message.

    14. Email Protocols: SMTPHow to spoof email telnet endor.engr.scu.edu 25 220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 - 0800 mail from: plocatelli@scu.edu 250 2.1.0 plocatelli@scu.edu... Sender ok rcpt to: tschwarz@scu.edu 250 2.1.5 tschwarz@scu.edu... Recipient ok data 354 Enter mail, end with "." on a line by itself Date: 23 Dec 05 11:22:33 From: plocatelli@scu.edu To: tschwarz@scu.edu Subject: Congrats You are hrby appointed the next president of Santa Clara University, effectively immediately. Best, Paul . 250 2.0.0 jBSNaDlu023813 Message accepted for delivery quit

    15. Email Protocols: SMTPHow to spoof email

    16. Email Protocols: SMTP • Things are even easier with Windows XP. • Turn on the SMTP service that each WinXP machine runs. • Create a file that follows the SMTP protocol. • Place the file in Inetpub/mailroot/Pickup

    17. Email Protocols: SMTP To: tschwarz@engr.scu.edu From: HolyFather@vatican.va This is a spoofed message. From HolyFather@vatican.va Tue Dec 23 17:25:50 2003 Return-Path: <HolyFather@vatican.va> Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226]) by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244 for <tschwarz@engr.scu.edu>; Tue, 23 Dec 2003 17:25:50 -0800 Received: from mail pickup service by Xavier with Microsoft SMTPSVC; Tue, 23 Dec 2003 17:25:33 -0800 To: tschwarz@engr.scu.edu From: HolyFather@vatican.va Message-ID: <XAVIERZRTHEQXHcJcKJ00000001@Xavier> X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9 BC] Date: 23 Dec 2003 17:25:33 -0800 X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu X-Spam-Level: X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3 This is a spoofed message.

    18. Email Protocols: SMTP • SMTP Headers: • Each mail-server adds to headers. • Additions are being made at the top of the list. • Therefore, read the header from the bottom. • To read headers, you usually have to enable them in your mail client.

    19. URL Obscuring • Internet based criminal activity that subverts web technology: • Phishing (fraud) • Traffic redirection • Hosting of illegal sites • Child pornography

    20. URL Obscuring • Internet based fraud is gaining quickly in importance. • Phishing: The practice of enticing victims with spoofed email to visit a fraudulent webpage. http://www.antiphishing.org/

    21. URL Obscuring • Technical Subterfuge: • Plants crimeware onto PCs. • Example: Vulnerable web browser executes remote script at a criminal website. • Just staying away from porn no longer protects you. • Payload: • Use Trojan keylogger spyware. • Search for financial data and send it to an untraceable email address

    22. URL Obscuring • Social Engineering: • Target receives e-mail pretending to be from an institution inviting to go to the institutions website. • Following the link leads to a spoofed website, which gathers data. • It is possible to establish a web-presence without any links: • Establish website with stolen / gift credit card. • Use email to send harvested information to an untraceable account, etc. • Connect through public networks.

    23. URL Obscuring: Phishing Example Visible Link: https://www.usa.visa.com/personal/secure_with_visa/index.html?t=h1_/index.html Actual Link: http://www.verified-web-us.com/Visa%20USA%20%20Personal%20%20Protect%20Your%20Card.htm Actual website IP: 209.35.123.41 Uses Java program to overwrite the visible address bar in the window:

    24. URL Obscuring:Phishing Example

    25. URL Obscuring • Phishs need to hide web-servers • URL Obscuring • Javascript or other active web-technology overwrites URL field • no longer possible in latest browsers • Other techniques to hide web-server address • Use hosts file • Hiding illegal web-server at legal site • Hijacking site to host pages.

    26. URL Basics • Phishs can use obscure features of URL. • URL consists of three parts: • Service • Address of server • Location of resource. http://www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html

    27. URL Basics • Scheme, colon double forward slash. • An optional user name and password. • The internet domain name • RCF1037 format • IP address as a set of four decimal digits. • Port number in decimal notation. (Optional) • Path + communication data. http://tschwarz:fiddlesticks@www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html http://www.google.com/search?hl=en&ie=UTF-8&q=phishing

    28. Obscuring URL Addresses • Embed URL in other documents • Use features in those documents to not show complete URL http://www.usfca.edu@www.cse.scu.edu/~tschwarz/coen252_03/index.html URL rules interpret this as a userid. Hide this portion of the URL.

    29. Obscuring URL Addresses • Use the password field. • www.scu.edu has IP address 129.210.2.1. • Some browsers accept the decimal value 129*256**3 + 210*256**2 + 2*256 + 1 = 2178023937 for the IP address. • http://www.usfca.edu@2178023937 • Works as a link. • Does not work directly in later versions of IE

    30. Obscuring URL Addresses • http://www.usfca.edu@129.210.2.1 works. • Hide the ASCI encoding of @: • http://www.usfca.edu%40129.210.2.1 • Or just break up the name: • http://www.usfca.edu%40%127%167w.scu.edu • Or use active page technologies (javascript, …) to create fake links.

    31. 'Enroll your card with Verified By Visa program' • 2004 Phish sends SPAM consisting of a single image:

    32. 'Enroll your card with Verified By Visa program' • The whole text is a single image, linked to the correct citi URL. • If the mouse hovers over the image, it displays the correct citi URL. • But surrounded by an HTML box that leads to the phishing website.

    33. 'Enroll your card with Verified By Visa program' • Target webpage has an address bar that is overwritten with a picture with a different URL. • Go to www.antiphishing.org .

    34. Phishing • Phishers now use bogus https techniques. • Exploiting browser flaws to display secure icon. • Hacking legitimate sites or frames from these sites directly. • Purchase and present certificates for sites that are named in resemblance of the target sites. • The SSL lock icon is no longer a guarantee for a legitimate site.

    35. Hiding Hosts • Name Look-Up: • OS checks HOST file first. • Can use HOST file to block out certain sites • adservers • Affects a single machine.

    36. Subverting IP Look-Up • In general, not used for phishing. • Economic Damage • Hillary for Senate campaign attack. • Hiding illegal websites. (Kiddie Porn) • DNS Server Sabotage • IP Forwarding

    37. Subverting IP Look-Up • Port Forwarding • URLs allow port numbers. • Legitimate business at default port number. • Illegitimate at an obscure port number. • Screen clicks • Embed small picture. • Single pixel. • Forward from picture to the illegitimate site. • Easily detected in HTML source code. • Password screens • Depending on access control, access to different sites.

    38. Phisher-Finder • Carefully investigate the message to find the URL. • Do not expect this to be successful unless the phisher is low-tech. • Capture network traffic with Ethereal to find the actual URL / IP address. • Use Sam Spade or similar tools to collect data about the IP address.

    39. Phisher-Finder • Capture network traffic with Ethereal when going to the site. • This could be dangerous. • Disable active webpages. • Do not use IE (too popular). • Look at the http messages actually transmitted. • Expect some cgi etc. script.

    40. Phisher-Finder • Investigation now needs to find the person that has access to the website. • This is were you can expect to loose the trace. • The data entered can be transmitted in various forms, such as anonymous email. • For example, they can be sent to a free email account. • IPS usually has the IP data of the computer from which the account was set up and from which the account was recently accessed. • Perpetrator can use publicly available computers and / or unencrypted wireless access points. • Investigator is usually left with vague geographical data.

    41. Email Investigation • Email investigations derive evidence from: • Internal data; • Headers. • Contents. • External data; • Server logs. • Sending machine itself • As we will see.

    42. Email Investigation • Header Analysis: • Most recent entries are on the top of the header. • Resolve all inconsistencies of information. • Resolve all IP addresses. • Create timeline. • Allow for clock drift between different sites. • Compare entries generated (allegedly) by known servers with previous ones.

    43. Email Investigation • Law Enforcement (LE) can use subpoenas for investigation of log files. • The same is true for private entities through the use of John Doe lawsuits.

    44. Phishing Investigation • Find the true URL to identify the server with which a potential victim interacts. • Difficult since phishers change sites frequently. • Using network tracer when accessing a website can speed things up. • Use subpoena process to obtain • log records of email • Contact infos for web-sites, redirection services, etc. • Try to obtain information amicably as often as possible. • Outside of US. • To guard volatile information

    45. Case Examples:1. A Kornblum, Microsoft • A. Kornblum: Searching for John Doe: Finding Spammers and Phishers • Used John Doe lawsuit to obtain sub-poenas for phisher that became active in September 2003.

    46. Case Examples:1. A Kornblum, Microsoft • Originating emails • Traced ultimately to ISP in India, from where not enough data could be obtained. • Traced websites: • At each round, a subpoena request would yield the IP address of a controlling website. • Hosting company in San Francisco. • Another hosting company in San Francisco. • Redirection Server in Austria. • Owner did not like spammers and handed out record voluntarily. • IP controlled by Quest. • 69 year old quest customer in Davenport, Iowa. • Who had grandson Jayson Harris living with him. • MS involved FBI who raided household and obtained three machines. • MS sued Jayson Harris and obtained a 3M$ default judgment against him. • Criminal charges are pending.

    47. Case Examples:2. Highschool Death Threads • Blog sites allow comments by anonymous friends. • Death threads were made on a high-school related blog anonymously. • XPD (name altered) was informed by principal.

    48. Case Examples:2. Highschool Death Threads • XPD contacted blog site, but owner/operator did not have valid contact data. • However, blog site operator gave out the IP address from which the comment originated. • XPD went to ISP to obtain the address of the computer to which the IP was assigned at the time of the thread. • XPD obtained a search warrant for the premises of the owner of the address. • The owner was a respectable, older community member. • XPD assumed that there was a grandson involved.