"International" Hacking: When the cooperation is the only cure.
Dario Forte, CFE, CISM
Security Advisor, EECTF - European Electronic Crime Task Force
Abstract
BACKGROUND: In August 2002, fourteen Italian hackers, almost all of them information security professionals, were arrested by the Italian Financial Police. They were charged with hacking the networks of NASA, the U.S. Army, the U.S. Navy and various universities around the world. This session will illustrate the general techniques used by contemporary attackers, with particular reference to the "insider threat." In addition, the talk will demonstrate how international cooperation is fundamental in hacking investigations.
European Hacking Scenario
Classified by territory, the European hacking scenario is:
East Europe: malicious mobile code (MMC), credit card frauds, cyber extortions
Center/North Europe: defacements (script kiddies), Distributed Denial of Service (DDoS) and distributed information theft
Western Europe: crypto attacks
European Hacking Scenario (2)
Platforms used by the attackers: Linux, BSD
Most targeted platforms: Windows, *Nix (xBSD, Sun Solaris, Linux)
September 2001/August 2002: Operation Rootkit
International hacking case
More than 1,000 compromised machines worldwide
20% are military/government in the U.S.
20% are military/government in Europe
Others are universities/companies worldwide
Operation details under a Non-Disclosure Agreement (NDA)
The New Malicious Hacker's Frontier: Attacking Strategic Targets
International hacking case, main features
Most case histories have demonstrated that the "grey hat" phenomenon is growing
Grey hats use their own tools (they are not script kiddies)
They are inclined to acquire many critical/strategic files from government/military networks and from very important financial/enterprise networks
Contemporary Hacking Lifestyle
Distributed information gathering, using already compromised machines as stepping stones and/or:
Directly from the hacker's machines
Using "flat-rate dial-up connections" owned by foreign ISPs with toll-free numbers
Using a flat-rate account stolen from "normal" users via Trojan horses
Caller ID hidden
Mentors and Reservoir Dogs' "Features"
Preferred targets: mainly Linux/Irix machines
Break-in is done within 24 hours of a vulnerability discovery/disclosure
Once inside, they typically:
Steal files (mainly documents and source code)
Use the computer as a stepping stone for further operations (more hacking and DoSNET construction)
Use the computer for IRC traffic
General Scenario: How Crackers Exchange Information
Reservoir Dogs' techniques are well established in the cracker arena
The "most trusted" members of the hacker group used to set up a VPN between their machines, or alternatively Secure Shell (SSH), encrypted IRC, or IPv6 tunnels
All the workload (such as scanning, exploit finding and testing, and the attack itself) is shared among the members
A "skilled" hacker makes only a few defacements
Malicious Hacker’s “Modus Operandi” (cont.)
Typical Scenario: Hacking Tools Used
Information gathering: large use of nmap (with extended expressions), hping (for firewalled machines), passive fingerprinting
Attack phase:
Publicly available exploits (possibly customized)
Self-made rootkits, both cross-compiled and locally compiled (depending on the target)
Large use of log wipers and obfuscators
Information Gathering (Typical Scenario)
Master (with an XML engine)
Agents
Target
The link between master and agents is encrypted
The scanning activity (workload) is shared among the agents
Operation Rootkit: the Backtracing
More than 300 GB of logs were examined for intrusion analysis purposes
Five police/government agencies involved
Dozens of forensic exams were conducted
So a "practitioner coordinator" was needed
Operation Rootkit: Results
A year-long investigation
14 people charged (four minors)
More than 40 computers seized
Almost one TB of data seized
Thousands of various CD-ROMs/DVDs seized
Many credit card files recovered
The “Insider Threat”
A portion of the group was working as information security managers in big consulting firms/ISPs (even in the Italian branches of U.S. companies)
The remaining people were freelance security consultants
White hat by day, black hat by night (most customers' machines were used as stepping stones)
Initial Attack Analysis
• IDS logs revealed the hack originated from a German ISP's web server.
• Began coordination directly with German authorities.
• IDS logs showed transfer of the rootkit from a hacked University of Pennsylvania computer.
• Began coordination directly with university officials.
German Web Server
Hacked Army computer
Hacked University
Next Hop: Investigating University Computers
University officials provided system logs and an image of the compromised computer.
Matched the compromise of the US university computer to the compromised Army computer.
The computer was used as a "tool box"
Identified numerous other compromised systems, including US Government systems
Search at the physical level revealed a connection from a dial-up line
HD analysis found the intruder's rootkit.
German Web Server
Compromised Army Computer
Additional Compromised systems
Italian ISP
University Computer
The German Investigation
The German source computer belonged to a large corporation; it had also been hacked.
The German corporation identified the compromise of their server and hired a forensic firm in Germany to do the forensic analysis.
The forensic analysis matched the fingerprint found at Redstone Arsenal and the University of Pennsylvania. The source was in Italy. The hacker's nick was Pentoz.
German Web Server
Hacked US Army Computer
Hacked University
Additional Compromised systems
Italian ISP
Thanks to the cooperation between GdF, NASA OIG, USSS Milan, Army CID and Navy NCIS, it was possible to conduct one of the largest backtracing operations in the world. It was in this period that EECTF started its activity.
Without international cooperation, it wouldn't have been possible to achieve a good "event correlation rate"
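The backtrace described in the preceding slides is, in engineering terms, event correlation across logs that no single organisation holds: the Army IDS recorded the rootkit arriving from the university host, the university's logs and disk image recorded the same rootkit arriving from the German server, and the German forensic report tied that server to the Italian dial-up. The Python script below is an added example, not from the original presentation or from EECTF, that performs this hop-by-hop correlation over constructed alert records. The log line format, the organisation labels (army, univ, de-corp), the RFC 5737 documentation addresses and the rootkit fingerprint string are all invented for the example; a time-ordering check keeps a later re-infection of the same host from being mistaken for the hop that explains the downstream compromise.

```python
"""Backtrace a stepping-stone chain by correlating alert records from several
organisations' logs.  Added example with constructed data: the log format,
organisation labels, addresses (RFC 5737 ranges) and the rootkit fingerprint
are all invented for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed alert lines, one sensor record per line, from three organisations.
# "artifact" is the fingerprint (e.g. a hash) of the rootkit that was uploaded;
# the same fingerprint appearing in different logs is what lets hops be matched.
SAMPLE_LOG = """
2001-09-14T02:10:00 de-corp ROOTKIT_UPLOAD src=203.0.113.7 dst=198.51.100.20 artifact=rk-fp:CONSTRUCTED01
2001-09-16T23:40:00 univ ROOTKIT_UPLOAD src=198.51.100.20 dst=192.0.2.44 artifact=rk-fp:CONSTRUCTED01
2001-09-17T01:05:00 army PORTSCAN src=198.51.100.99 dst=192.0.2.10
2001-09-17T01:12:00 army ROOTKIT_UPLOAD src=192.0.2.44 dst=192.0.2.10 artifact=rk-fp:CONSTRUCTED01
2001-09-20T10:00:00 univ ROOTKIT_UPLOAD src=203.0.113.50 dst=192.0.2.44 artifact=rk-fp:CONSTRUCTED01
this line is malformed and must be skipped
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<org>\S+) (?P<event>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: artifact=(?P<artifact>\S+))?$"
)


@dataclass
class Alert:
    ts: datetime
    org: str                 # organisation whose sensor produced the record
    event: str
    src: str
    dst: str
    artifact: Optional[str]  # None for records that carry no fingerprint


def parse_log(lines: List[str]) -> List[Alert]:
    """Parse alert lines; malformed lines are dropped rather than guessed at."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(datetime.fromisoformat(m["ts"]), m["org"], m["event"],
                            m["src"], m["dst"], m["artifact"]))
    return alerts


def backtrace(alerts: List[Alert], victim: str, artifact: str,
              max_gap: timedelta = timedelta(days=30)) -> List[Tuple[str, Optional[str]]]:
    """Walk upstream from `victim`, one hop at a time.

    Each hop is the latest upload of `artifact` into the current host that
    happened before the current host was used for the next hop downstream;
    an upload that occurred after the downstream compromise cannot explain it
    and is ignored, as is anything older than `max_gap`.  Returns a list of
    (host, organisation whose log proved the hop into that host), victim first.
    """
    chain: List[Tuple[str, Optional[str]]] = [(victim, None)]
    seen = {victim}                  # guard against loops between hosts
    current, deadline = victim, None
    while True:
        cands = [a for a in alerts
                 if a.dst == current and a.artifact == artifact and a.src not in seen
                 and (deadline is None or timedelta(0) <= deadline - a.ts <= max_gap)]
        if not cands:
            return chain
        hop = max(cands, key=lambda a: a.ts)
        chain.append((hop.src, hop.org))
        seen.add(hop.src)
        current, deadline = hop.src, hop.ts


def contributing_orgs(chain: List[Tuple[str, Optional[str]]]) -> set:
    """Organisations whose logs were needed to establish the chain."""
    return {org for _, org in chain if org is not None}


if __name__ == "__main__":
    chain = backtrace(parse_log(SAMPLE_LOG), "192.0.2.10", "rk-fp:CONSTRUCTED01")
    for host, org in chain:
        print(f"{host:16} proved by: {org or '(victim, starting point)'}")
    print("logs needed from:", sorted(contributing_orgs(chain)))
```

Running it yields a four-host chain (victim, university host, German server, Italian dial-up address) and shows that three different organisations' logs were required to establish it; remove any one organisation's lines from SAMPLE_LOG and the chain stops at that hop, which is the point the slide makes about correlation depending on cooperation.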
The Importance of International Cooperation
Very simple …
Free flow of investigation-related information without the usual bureaucratic entanglements
• Build up the organization to 100 members
• Develop training and certification specific to the task force
• Expand the free flow of information to reach not just Europe but Asia as well
Our members
EECTF is not affiliated with EU government initiatives
It is a technical/incident response group
Our members are from law enforcement, the military, academia, the financial sector and the trusted private sector
Some case studies
Reservoir Dogs case
Cyprus credit card case
Cyberfraud case involving Europe and the US
Most of them are still under NDA
The Cyprus case
Through our network of contacts, EECTF was advised that the leader of a worldwide credit card trafficking ring had been arrested in Cyprus.
We were able to arrange the travel of both the evidence and the police officers involved in the case to our forensic lab in Italy.
In Italy we were able to quickly conduct an initial forensic exam which recovered enough evidence to keep the defendants in jail until such time as the complete forensic exam could be completed in the U.S.
Lessons Learned
Operation Rootkit:
Companies should increase control over their IT security personnel
Customers should "think twice" before leaving their IT systems in the hands of potentially untrustworthy consultants
All operations:
International cooperation is essential in cybercrime enforcement
Know your enemy
Share information with your peers
Test your knowledge and skills
Avoid bureaucracy whenever you can, but respect and interact with the laws.