"International" Hacking: When the cooperation is the only cure.
Dario Forte, CFE, CISM Security Advisor
EECTF - European Electronic Crime Task Force

  • BACKGROUND: In August 2002, fourteen Italian hackers — almost all information security professionals — were arrested by the Italian Financial Police. They were charged with hacking the networks of NASA, the U.S. Army, the U.S. Navy and various universities around the world. This session will illustrate the general techniques used by contemporary attackers, with particular reference to the “insider threat.” In addition, the talk will demonstrate how international cooperation is fundamental in hacking investigations.
European Hacking Scenario
  • Classified by territory, the European hacking scenario is:
    • Eastern Europe: malicious mobile code (MMC), credit card fraud, cyber-extortion
    • Central/Northern Europe: defacements (script kiddies), Distributed Denial of Service (DDoS) and distributed information theft
    • Western Europe: crypto attacks
European Hacking Scenario (2)
  • Platforms used by the attackers
    • Linux
    • BSD
  • Most-targeted platforms
    • Windows
    • *Nix (xBSD, Sun Solaris, Linux)
September 2001/August 2002: Operation Rootkit
  • International hacking case
    • More than 1,000 compromised machines worldwide
    • 20% are military/government in the U.S.
    • 20% are military/government in Europe
    • Others are universities/companies worldwide
    • Operation details under a Non-Disclosure Agreement (NDA)
The New Malicious Hacker’s Frontier: Attacking Strategic Targets
  • International hacking case — main features
    • Most case histories have demonstrated that the “grey hat” phenomenon is growing
    • Grey hats use their own tools (they are not script kiddies)
    • They are inclined to acquire many critical/strategic files from government/military networks and from very important financial/enterprise networks
Contemporary Hacking Lifestyle
  • Distributed information gathering, using already compromised machines as stepping stones and/or:
    • Directly from the hackers’ own machines
    • Using “flat rate dial-up connections” owned by foreign ISPs with toll-free numbers
    • Using a flat-rate account, stolen from “normal” users via Trojan horses
    • Caller ID hidden
Mentors and Reservoir Dog’s “Features”
  • Preferred targets: mainly Linux/Irix machines
  • Break-in is done within 24 hours of a vulnerability discovery/disclosure
  • Once inside, they typically:
    • Steal files (mainly docs and source codes)
    • Use the computer as a stepping stone for further operations (more hacking and DoSNET construction)
    • Use the computer for IRC traffic
General Scenario: How Crackers Exchange Information
  • Reservoir Dog’s techniques are well established in the cracker scene
  • The “most trusted” members of the hacker group set up a VPN between their machines, or alternatively use:
    • Secure Shell (SSH)
    • Encrypted IRC
    • IPv6 tunnels
Malicious Hacker’s “Modus Operandi” (cont.)
  • All the workload (such as scanning, exploit finding and testing, and the attack itself) is shared among the group members
  • A “skilled” hacker makes only a few defacements
Typical Scenario: Hacking Tools Used
  • Information gathering: heavy use of
    • nmap (with extended expressions)
    • hping (for firewalled machines)
    • Passive fingerprinting
  • Attack phase
    • Publicly available exploits (possibly customized)
    • Self-made rootkits, both “cross” and locally compiled (depending on the target)
    • Heavy use of log wipers and obfuscators
Information Gathering (Typical Scenario)
[Diagram: a master (with an XML engine) controls agents; the link between master and agent is encrypted; the scanning activity (workload) is shared between the agents]
Operation Rootkit: the Backtracing
  • More than 300 GB of logs were examined for intrusion analysis purposes
  • Five police/government agencies involved
  • Dozens of forensic exams were conducted
  • So a “practitioner coordinator” was needed
Operation Rootkit: Results
  • A year-long investigation
  • 14 people charged (four minors)
  • More than 40 computers seized
  • Almost one TB of data seized
  • Thousands of various CD-ROMs/DVDs seized
  • Many credit card files recovered
The “Insider Threat”
  • A portion of the group were working as information security managers in big consulting firms/ISPs (even in the Italian branches of U.S. companies)
  • The remaining people were freelance security consultants
  • White hat by day, black hat by night (most of their customers’ machines were used as stepping stones)
Initial Attack Analysis
[Diagram: Hacked University, German Web Server, Hacked Army computer]
  • IDS logs revealed the hack originated from a German ISP’s web server.
  • Coordination began directly with German authorities.
  • IDS logs showed the transfer of a rootkit from a hacked University of Pennsylvania computer.
  • Coordination began directly with university officials.
Next Hop: Investigating University Computers
[Diagram: Additional compromised systems, University Computer, German Web Server, Compromised Army Computer, Italian ISP]
  • University officials provided system logs and an image of the compromised computer.
  • Matched the compromise of the US university to the compromised Army computer.
  • The computer was used as a “tool box”.
  • Identified numerous other compromised systems, including US government systems.
  • A physical-level search revealed a connection from a dial-up line.
  • HD analysis found the intruder’s rootkit.

The German Investigation
[Diagram: Additional compromised systems, Hacked University, German Web Server, Hacked US Army Computer, Italian ISP]
  • The German source computer belonged to a large corporation – it had also been hacked.
  • The German corporation identified the compromise of their server and hired a forensic firm in Germany to do the forensic analysis.
  • The forensic analysis matched the fingerprint found at Redstone Arsenal and the University of Pennsylvania. The source was in Italy. The hacker’s nick was Pentoz.
The Importance of International Cooperation
  • Thanks to the cooperation between GdF, NASA OIG, USSS Milan, Army CID and Navy NCIS, it was possible to conduct one of the largest backtracing operations in the world. EECTF started its activity in this period.
  • Without international cooperation, it wouldn’t have been possible to achieve a good “event correlation rate”
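The backtracing described in the previous slides (IDS logs at the Army site pointing at the German web server, the German forensic analysis pointing at the university and at Italy, the university logs revealing the dial-up connection) comes down to lining up logs held by different organisations, each in its own format and its own local time zone; that is what the “event correlation rate” depends on. The following Python script is an added example, not part of the presentation and not EECTF tooling: it normalises constructed log lines from three fictional sites to UTC, then walks inbound connections backwards from the victim to reconstruct the hop chain and to flag other traffic between the chain hosts (such as a rootkit fetched from a “tool box” machine). All site names, IP addresses (documentation ranges), log formats and timestamps are constructed, and the 30-minute correlation window is an arbitrary parameter.

```python
"""Cross-site log correlation for backtracing an intrusion hop chain.

Added example, not part of the presentation. Every site name, host
address and log line below is constructed for illustration; the log
formats are generic (an IDS alert line and an sshd "Accepted" line),
not those of any specific product.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    when: datetime  # normalised to UTC
    site: str       # which organisation's log the event came from
    kind: str
    src: str
    dst: str


# Constructed logs: site -> (UTC offset in hours, host the log speaks for, lines).
# Each site logs in local time, so the offsets matter for ordering the hops.
SITE_LOGS = {
    "army-ids": (-5, "198.51.100.15", [
        "2002-03-10 03:12:44 ALERT inbound-ssh-exploit src=203.0.113.40 dst=198.51.100.15",
        "2002-03-10 03:14:02 ALERT rootkit-transfer src=192.0.2.7 dst=198.51.100.15",
    ]),
    "de-corp-web": (1, "203.0.113.40", [
        "2002-03-10 09:03:17 sshd[412]: Accepted password for www from 192.0.2.7",
        "2002-03-10 09:40:05 sshd[415]: Accepted password for www from 198.51.100.99",
    ]),
    "us-univ": (-5, "192.0.2.7", [
        "2002-03-10 02:41:30 sshd[88]: Accepted password for guest from 203.0.113.200",
    ]),
}

IDS_RE = re.compile(r"^(\S+ \S+) ALERT (\S+) src=(\S+) dst=(\S+)$")
SSH_RE = re.compile(r"^(\S+ \S+) sshd\[\d+\]: Accepted \S+ for \S+ from (\S+)$")


def parse_site(site, offset_hours, own_host, lines):
    """Parse one site's lines into Events with UTC timestamps."""
    tz = timezone(timedelta(hours=offset_hours))
    events = []
    for line in lines:
        m = IDS_RE.match(line)
        if m:
            stamp, kind, src, dst = m.groups()
        else:
            m = SSH_RE.match(line)
            if not m:
                raise ValueError(f"{site}: unrecognised log line: {line!r}")
            stamp, src = m.groups()
            kind, dst = "ssh-login", own_host  # sshd logs the peer, not itself
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        events.append(Event(local.astimezone(timezone.utc), site, kind, src, dst))
    return events


def load_all(site_logs=SITE_LOGS):
    """Merge every site's events into one UTC-ordered timeline."""
    events = []
    for site, (offset, host, lines) in site_logs.items():
        events.extend(parse_site(site, offset, host, lines))
    return sorted(events, key=lambda e: e.when)


def first_alert(events, victim):
    """Earliest recorded inbound event at the victim: where the walk starts."""
    return min(e.when for e in events if e.dst == victim)


def backtrace(events, victim, start, window=timedelta(minutes=30)):
    """Walk inbound connections backwards from the victim.

    At each step pick the latest inbound event to the current host that
    occurred within `window` before the cursor; its source becomes the
    next hop upstream. Hosts already on the chain are skipped so a loop
    in the logs cannot make the walk run forever. Returns the hop events.
    """
    path, current, cursor, seen = [], victim, start, {victim}
    while True:
        candidates = [e for e in events
                      if e.dst == current and cursor - window <= e.when <= cursor
                      and e.src not in seen]
        if not candidates:
            return path
        hop = max(candidates, key=lambda e: e.when)
        path.append(hop)
        current, cursor = hop.src, hop.when
        seen.add(current)


def hop_chain(victim, path):
    """Hosts from the victim back to the furthest identified origin."""
    return [victim] + [e.src for e in path]


def side_channels(events, path, chain):
    """Traffic between chain hosts that is not itself a hop, e.g. tooling
    fetched from a 'tool box' machine on the way in."""
    hops, hosts = set(path), set(chain)
    return [e for e in events if e.src in hosts and e.dst in hosts and e not in hops]


if __name__ == "__main__":
    evs = load_all()
    victim = "198.51.100.15"
    path = backtrace(evs, victim, first_alert(evs, victim))
    for hop in path:
        print(f"{hop.when:%H:%M:%S}Z {hop.site:12} {hop.src} -> {hop.dst} ({hop.kind})")
    print("chain:", " <- ".join(hop_chain(victim, path)))
    for e in side_channels(evs, path, hop_chain(victim, path)):
        print("related:", e.kind, e.src, "->", e.dst, "seen by", e.site)
```

Each hop in the reconstructed chain is evidenced by a different organisation’s log, which is the practical meaning of the slide’s point: without the German and university logs the walk stops at the first hop. In a real case the window has to be chosen against the clock skew between sites, so recording each log source’s time zone and NTP status at collection time is part of the evidence, not an afterthought.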

Electronic Crime Task Force
  • Who are we? Very simple: free flow of investigation-related information between members, without the usual bureaucratic entanglements
  • Build up the organization to 100 members
  • Develop training and certification specific to the task force
  • Expand the free flow of information to reach not just Europe but Asia as well
  • What do we use? Cybercop: secure & encrypted communication
Our members
  • EECTF is not affiliated with EU government initiatives
  • It is a technical/incident response group
  • Our members are from law enforcement, military, academia, financial and trusted private sector
Some case studies
  • Reservoir Dogs case
  • Cyprus credit card case
  • Cyberfraud case involving Europe and the US
  • Most of them are still under NDA
The Cyprus case
  • Through our network of contacts, EECTF was advised that the leader of a worldwide credit card trafficking ring had been arrested in Cyprus.
  • We were able to arrange the travel of both the evidence and the police officers involved in the case to our forensic lab in Italy.
  • In Italy we were able to quickly conduct an initial forensic exam which recovered enough evidence to keep the defendants in jail until such time as the complete forensic exam could be completed in the U.S.
Lessons Learned
  • Operation Rootkit:
    • Companies should increase control over their IT security personnel
    • Customers should “think twice” before leaving their IT systems in the hands of potentially untrustworthy consultants
  • All operations: International cooperation is essential in cybercrime enforcement
Know Your Enemy
  • Share information with your peers
  • Test your knowledge and skill
  • Avoid bureaucracy whenever you can, but respect and interact with the law