Random Topics in Infosec and Forensics
Cooley Law School, 1/2/2020
Mark Lachniet, mark.lachniet@cdw.com (847-968-0155)
About The Speaker
• Several terms on the board of the Michigan chapter of the High Technology Crime Investigation Association (MIHTCIA)
• Member of the Michigan Council of Private Investigators (MCPI)
• Licensed Private Investigator in the State of Michigan #3701-205679
• Currently: Information Security Solutions Manager at CDW
• Previous jobs:
  • Holt Public Schools (IT Director)
  • Sequoia / Analysts Intl. (Consultant)
  • Walsh College (instructor)
  • CDW (Security engineer that did actual work)
• 15+ years in security consulting
• Many tech certifications – CISA, CISSP, blah blah blah
| Security solutions
About The Speaker
• M.S.U. English Major™
Information Security – We Are At War
• “War is the continuation of politics by other means.” –Carl von Clausewitz, Prussian general and military theorist
• Hacking is modern warfare, as well as modern crime
• “Following the teachings of Sun Tzu, all warfare is asymmetric because one exploits an enemy’s strengths while attacking his weaknesses” –David L. Buffaloe, Association of the United States Army
• Hacking favors the agile and creative (but budget is good too)
• “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means — diplomatic, informational, military, and economic” –International Strategy for Cyberspace, The White House, 2011
• The US Military recognizes this and retains the right to respond with bombs
It’s not a matter of if but of when
• “Companies have done a lot of things right, but it is not a matter of if but when they will come under attack. Attacks are becoming larger and more scalable, and because of the success of ransomware attacks that trend is likely to continue” –Alliance Manchester Business School
• We are all at risk, and the risk will be with us forever
• “It is the doctrine of war not to assume the enemy will not come, but rather to rely on one’s readiness to meet him; not to presume that he will not attack, but rather to make one’s self invincible” –Sun Tzu, The Art of War
• All organizations have something that attackers want!
  • Personal information – to steal your money or to blackmail you (see: OPM breach)
  • Company information – to take your research and techniques and defeat you in the marketplace
  • Political information – to embarrass you or for political advocacy
  • Resources – to assist in attacking other targets, to create digital currency, digital contraband
THIS ISN’T OUR BIGGEST EXTERNAL THREAT…
OR THIS…
IT’S THIS! “Hackers are breaking the systems for profit. Before, it was about intellectual curiosity and pursuit of knowledge and thrill, and now hacking is big business.” –Kevin Mitnick
AND THIS!
THE PROBLEM IS ALSO OURSELVES – OUR EDUCATIONAL SYSTEM
• “Educators are ‘failing computer science students by deprioritizing cybersecurity training’ and ‘are inadvertently contributing to the lack of cybersecurity readiness in the U.S.’” –CloudPassage, National Cybersecurity Institute
• “Teaching cybersecurity is difficult in and of itself. The technology, threats, and attack methods rapidly shift. It seems every eight to twelve months, the industry swings to an entirely new focus. A fellow security professional stated ‘if they are learning from a book, it is already outdated’.” –McAfee
AND OUR COMPLEXITY
• “When [the enemy] prepares everywhere he will be weak everywhere” –Sun Tzu, The Art of War
(slide graphic; surviving label: Artificial Intelligence)
AND OUR ASSUMPTIONS
• “The force which confronts the enemy is the normal; that which goes to the flanks is extraordinary. No commander of an army can wrest the advantage from the enemy without extraordinary focus” –Sun Tzu, The Art of War
Hackers, Phones and Social Engineering
• “Hackers” have always been interested in ways to manipulate people and systems in order to achieve their ends
• This has historically included telephones, harkening back to the “phone phreaking” days of free long distance phone calls, conference bridges and phone system hacking
• A few interesting examples:
  • War Dialing – repeated phone calls with a computer and a modem to find other modems, fax machines and valid calling card codes
  • Blue Boxing / Red Boxing – playing specific tones down the line: a blue box imitated the in-band signalling tones that let you drive a phone switch like an operator, a red box imitated the coin-drop tones so a pay phone believed you had paid for a long distance call
Hackers, Phones and Social Engineering
• A diverse kind of online culture
• Black Hats, Grey Hats, White Hats, Toques
• There are special events at infosec conferences like DefCon (https://www.defcon.org/) and Black Hat (https://www.blackhat.com/)
• Includes social engineering competitions (being given a target such as a specific company and having to extract sensitive information over the phone – pretexting)
• Another popular conference feature is the “lockpick village” where you can practice your lock picking skills with increasingly difficult locks
• I went to a lockpick village this year…
Lock Picking Diagrams…
• From: http://www.blackscoutsurvival.com/p/lockpicking-101.html
• The long and short of it – keep a small but constant pressure on the tension wrench to rotate the cylinder, so that when a pin sets at the shear line it stays there, and poke at the pins with the picks to get them into place. Jiggle occasionally.
• I have brought a lock and picks for you to play with when you get bored of my presentation
Locks I picked when I got home…
• So it turns out that many locks are easy to pick (if I can do it… anyone can)
• This is what I was able to pick with 2 minutes of training and a cumulative hour or so of dinking around:
  • The fire “safe” I keep my important documents in
  • The “Master” lock I previously used to lock my Pelican case for transporting forensic equipment & firearms
Telephone Social Engineering scams
• Some are fairly obvious…
• <heavy accent> “Hello, I am calling from Microsoft Tech Support, we have detected a virus and need you to run some cleaner software for us”. I have personally gotten about 5 of these calls, and know many people that have also gotten them
• Then there is the old set-up: a fake “you have malware” web page with the Symantec logo on it and a number to call, where the caller is bamboozled into thinking they have malware and should buy Symantec software (to be provided by this company at a significant markup) to take care of it. See: http://news.softpedia.com/news/symantec-disavows-business-partner-caught-running-a-tech-support-scam-499310.shtml
• I got a call from a family friend that had this happen at the exact time I was writing this presentation!
• Let me tell you about my son’s new hobby…
My own experience
• First indication of something odd was that for about the span of a day our telephones didn’t work
• After they started working again we got some kind of automated AT&T message; didn’t think much of it
• A few days later, I was asked by my wife “did you just transfer all the money out of our savings account?”
• Contacted the credit union to inquire and was asked by a young clerk if I hadn’t recently authorized it, to which I said no, and was put on hold; the clerk came back saying they would look into it
• Obtained a copy of the wire transfer; it is for an amount just below the account balance, wiring the money to what looks like a construction company in Illinois
• The wire transfer had a copy of my signature from some source, but it was an old signature that I no longer use, at least 10 years old
My own experience
• It turns out that the scammers had gotten AT&T to disconnect my phone line and connect it to them somehow
• They then used a fax machine on my stolen “home phone” line to fax in the wire transfer (this number is what showed up on the fax machine’s caller ID)
• The CU, as per procedure, called to verify the large amount
• Unfortunately they verified it with the criminal that answered on my behalf on my phone number
• Entered my info at http://www.ic3.gov/default.aspx (it didn’t help me but maybe it will help make a case some day)
• My losses were too small for federal investigators, the MSP refused to take a report, so I ended up working with my township (a nice guy but very pessimistic about even getting results from telcos, and too late by that point)
My own experience
• Put extra security and passwords on CU systems
• Changed all my important passwords
• Ended up being reimbursed through the CU’s insurance, but did not vigorously pursue law enforcement help due to the trail going cold and no firepower
• Consider the amount of funding, planning and research that had to go into that attack, not to mention the amount of employee time
• The attack wouldn’t have been possible without telephone tomfoolery!
• Quite likely the scammers were from another country entirely and just using the Chicago company as a shell
• All made possible with the Power Of Telco!
The Internet of Things Fail
• So how about we connect everything in our lives to the Internet, like refrigerators, ovens, thermostats, door locks, pet doors and surveillance cameras?
• What could go wrong? HUMANS!
• Enter the search engine Shodan.io!
• http://search.slashdot.org/story/16/01/24/0256224/iot-security-is-so-bad-theres-a-search-engine-for-sleeping-kids
• My Shodan Search: port:554 has_screenshot:true country:"US" org:"Comcast Cable"
• i.e. show me every host with a service on port 554 (RTSP, the streaming protocol most IP cameras speak) for which Shodan captured a screenshot, located in the US on Comcast Cable address space
• The following data was pulled from a fresh search 1/26/16
The Internet of Fail
• So how about we connect everything in our lives to the Internet, like this office in Tracy, California, and not require a password?
The Internet of Fail
• The screen capture has a caption of CDC and we can see (if you reverse the image in a mirror) the word dentistry in the window
• A little searching in Yelp finds us a convenient match when we search for dentists in Tracy, CA: California Dental Care (CDC)
• Is this a HIPAA compliance issue? It may depend on the resolution of the camera! In this case it seems to suck, but very high resolution ones CAN read documents from a distance, and certainly see faces
• http://www.yelp.com/biz/california-dental-care-tracy
The Internet of Fail
• Yelp gives some nice pictures of the inside… sure looks like the same desk! Note the Dell monitor and paper thingy
The Internet of Fail
• Pull up the web site and get location information including “Next to Mi Pueblo Market”
• It’s Google Street View time… put in the address, find the market, find the dentist office
• If this was a pen-test we’d have an engineer go goof under the camera and take a screen cap. Nice and Stalky!
The Internet of Fail
• Or how about all of the open VNC screens at MSU?
Government Issues – Fear and Loathing
• We are all being tracked… TRUE! But it is as much the marketers as the government.
• Even if you use the Ghostery plugin to stop advertising scripts, you are probably uniquely identifiable by just what your browser presents to web servers
• Test how unique you are using https://panopticlick.eff.org/
• My work laptop blocked advertising trackers, but my “browser fingerprint appears to be unique among the 6,392,013 tested so far.”
• Even if you use a VPN and other services, your computer is still uniquely identifiable
• This has implications for law enforcement – this could be used to identify bad actors through proper technical techniques
• Path of least resistance for would-be big brothers? Buy marketing services?
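How a site like Panopticlick turns "unique among 6,392,013 tested" into a number is easy to show in code. The following is an added example, not code from the presentation or from the EFF: it hashes the attributes a browser volunteers into a fingerprint and expresses rarity as bits of identifying information, log2(population / matching browsers). The browser records are constructed (a small office fleet), not real telemetry, and the HARDENED record stands in for a machine whose tracker blocking merely changes its plugin list, which is itself a distinguishing attribute.

```python
"""Browser fingerprint uniqueness, worked through on constructed data.

A fingerprinting site hashes the attributes a browser volunteers (user agent,
screen, time zone, plugins, fonts...) and reports how rare that hash is in the
population it has seen. Rarity in bits = log2(population / matches)."""
import hashlib
import math
from collections import Counter


def fingerprint(attrs: dict) -> str:
    """Hash a browser's volunteered attributes into a stable fingerprint."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def identifying_bits(population: list, target: dict) -> float:
    """Bits of identifying information `target` carries within `population`."""
    counts = Counter(fingerprint(b) for b in population)
    return math.log2(len(population) / counts[fingerprint(target)])


def bits_for_unique(population_size: int) -> float:
    """Bits implied by 'unique among N tested' (all attributes combined)."""
    return math.log2(population_size)


def attribute_entropy(population: list, key: str) -> float:
    """Shannon entropy of one attribute: how much it alone separates browsers."""
    counts = Counter(b.get(key, "") for b in population)
    n = len(population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed sample population (not real telemetry): a small office fleet.
CORPORATE = {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/43.0",
             "screen": "1920x1080x24", "timezone": "-300",
             "plugins": "Adobe Acrobat;Java Deployment Toolkit;Shockwave Flash",
             "fonts": "Arial,Calibri,Segoe UI,Times New Roman"}
MAC = {"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.3.9",
       "screen": "2560x1600x24", "timezone": "-300",
       "plugins": "QuickTime Plug-in", "fonts": "Helvetica,Menlo,Monaco,Times"}
LINUX = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/43.0",
         "screen": "1366x768x24", "timezone": "-300",
         "plugins": "", "fonts": "DejaVu Sans,Liberation Mono"}
# Same hardware and OS as CORPORATE, but the user disabled a plugin to block
# trackers: the blocking itself becomes the attribute that singles them out.
HARDENED = dict(CORPORATE, plugins="Adobe Acrobat;Shockwave Flash")

POPULATION = [CORPORATE] * 4 + [MAC] * 2 + [LINUX, HARDENED]

if __name__ == "__main__":
    for name, browser in (("corporate", CORPORATE), ("mac", MAC), ("hardened", HARDENED)):
        print(f"{name:10s} {identifying_bits(POPULATION, browser):.2f} bits")
    for key in ("timezone", "screen", "plugins"):
        print(f"entropy of {key}: {attribute_entropy(POPULATION, key):.2f} bits")
    print(f"'unique among 6,392,013' = {bits_for_unique(6_392_013):.1f} bits")
```

Against eight browsers the blended-in corporate build carries 1 bit and the "hardened" one 3 bits (fully unique in that population); the 6,392,013 figure from the slide works out to about 22.6 bits, which is why blocking advertising scripts does nothing for the fingerprint problem.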
Government Issues – OPM
• The Office of Personnel Management – the federal agency whose systems hold the data on citizens that have government clearances
• Survey: How many people have gotten the OPM oops letter?
• Facts:
  • Contains an estimated 21.5M records, 5.6M fingerprints
  • Contains detailed background checks covering criminal history and drug use
  • Contains practically all information about a person’s education, work, places of residence, as well as SSN, Driver’s License Numbers, etc.
  • Includes similar information for spouses
• The Electronic Frontier Foundation (EFF) had previously sued them for poor data security and over-collection of data but lost
• https://www.eff.org/deeplinks/2015/07/we-told-you-so-opm-data-breach-reveals-not-only-lame-data-security-weak-legal
Government Issues – OPM
• FCW.com (“The Business of Federal Government”) has some interesting information at https://fcw.com/articles/2015/08/21/opm-breach-timeline.aspx
• I am summarizing their article to create a timeline:
  • May 7, 2014 – attackers get malware into the OPM LAN
  • July 3, 2014 – attackers begin data exfiltration
  • October, 2014 – attackers pivot into the Interior Department data center where OPM records were stored
  • Dec. 15, 2014 – attackers exfiltrate OPM records
  • April 15, 2015 – OPM officials notice a problem with anomalous SSL traffic and call for help
  • April 17, 2015 – CERT team implements new controls
  • April 24, 2015 – malware believed to be eliminated
• Almost 1 year between initial incident and presumed remediation
Government Issues – OPM
• Vendors are blamed…
• The Chinese are blamed…
• Security in government is simply bad, with a few exceptions
  • The “guvment work” attitude
  • Minimal funding and leadership support
  • Many large applications are developed using contract programmers rather than internal staff, often foreigners
  • Security is rarely a functional requirement, and when it is a requirement it is not properly tested and retested
• My opinion: we have hundreds more important applications that are also insecure that nobody has gotten around to hacking, and the government needs a lot of help with application security. But what do I know…
Government Issues – OPM
• “What you saw at OPM, you’re going to see a whole lot more of” –National Security Agency Director Adm. Mike Rogers, 1/21/16
Government Issues – OPM
• Thanks Obama
• Chinese Apathy, Obfuscation and Incompetence!!
Results from a CDW Password Study
• Dave Reflexia from CDW’s Security Assessment Team (the hackers) has been compiling a list of passwords from both our customer engagements and from data dumps from hacks
• He has performed analysis on this to identify the characteristics of passwords “in the wild”
• Contains 933,979,289 password records
• This is very helpful for efficiently cracking passwords using tools such as oclHashcat
• https://blog.cdw.com/security/password-security-report
• Here are some interesting findings from the top 100 most common passwords:
Results from a CDW Password Study
• Passwords based on the season are popular:
  • Given any especially large user population, it is very likely to find someone who takes this approach
  • This often allows us to get in over the Internet if we can find enough valid usernames through search tools
  • Among the most popular are those formatted with the season, capitalized, followed by the full year, such as Summer2014 (3,930 occurrences)
  • Also popular was the same with a two-digit year, such as Summer14 (6,126 occurrences)
  • You will note that only one of these variations, fall15, is short of the default Windows minimum password length of seven characters
Results from a CDW Password Study
• Also popular are variations on the word password:
  • 21,328 instances of the password “password”
  • Also popular was a capitalized version with a one- to three-digit number at the end, such as Password123 (19,472 instances)
  • We see the perpetual trick of “leet speak” vowel substitution, which hasn’t been a fresh idea for at least fifteen years (12,134)
• Rounding out the top 100 were initial user passwords and help desk passwords: 34,147 passwords containing a variation on the word welcome, with Welcome1 topping the list at 22,538 instances
• 4,105 passwords based on the word helpdesk, with good old “helpdesk” pulling in 1,629 occurrences
Results from a CDW Password Study
• Some results on password size:
  • Having an 8-character password is not surprising, as it is the recommended default by Microsoft
  • If you know what your opponent’s minimum password size and complexity is, you can greatly decrease the amount of time it will take to crack it
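The analysis behind the numbers above, and what a tester does with it, can be reproduced in a few dozen lines. This is an added example in Python, not the CDW team's tooling: it classifies a password list into the weak-pattern families the study reports (season + year, leet/numbered variants of "password", welcome and helpdesk defaults), tabulates lengths, derives hashcat masks from the observed shapes, and generates the season/year candidate list you would spray against a large user population. The SAMPLE list is constructed for the demonstration and is not drawn from the CDW corpus.

```python
"""Weak-pattern analysis of a password list, and the candidate lists it yields."""
import re
from collections import Counter

SEASONS = ("spring", "summer", "fall", "autumn", "winter")

# Order matters: the first pattern that matches wins.
PATTERNS = [
    ("season+year", re.compile(r"^(spring|summer|fall|autumn|winter)\d{2}(\d{2})?[!.]?$", re.I)),
    # p/P, a or leet 4/@, two of s/5/$, w, o or 0, rd, then up to three digits or !
    ("password-variant", re.compile(r"^p[a4@][s5$]{2}w[o0]rd[\d!]{0,3}$", re.I)),
    ("welcome-variant", re.compile(r"^welcome\d{0,3}!?$", re.I)),
    ("helpdesk-variant", re.compile(r"^helpdesk\d{0,3}!?$", re.I)),
]


def classify(password: str) -> str:
    for label, pattern in PATTERNS:
        if pattern.match(password):
            return label
    return "other"


def pattern_report(passwords) -> Counter:
    """How many passwords fall into each weak-pattern family."""
    return Counter(classify(p) for p in passwords)


def length_report(passwords) -> Counter:
    return Counter(len(p) for p in passwords)


def below_minimum(passwords, minimum: int = 7) -> list:
    """Passwords a default Windows policy (7 characters) would have refused."""
    return [p for p in passwords if len(p) < minimum]


def hashcat_mask(password: str) -> str:
    """hashcat mask (?u upper, ?l lower, ?d digit, ?s symbol) describing one
    password's shape, e.g. Summer2014 -> ?u?l?l?l?l?l?d?d?d?d."""
    out = []
    for ch in password:
        if ch.isupper():
            out.append("?u")
        elif ch.islower():
            out.append("?l")
        elif ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def mask_report(passwords) -> Counter:
    """Most common masks: run these as a mask attack before any brute force."""
    return Counter(hashcat_mask(p) for p in passwords)


def season_candidates(years) -> list:
    """Every season/year combination in the two popular shapes (Summer2014,
    Summer14), capitalized and lowercase: the spray list for a large
    user population. Try one candidate per lockout window per account."""
    out = []
    for year in years:
        for suffix in (str(year), str(year)[-2:]):
            for season in SEASONS:
                out.append(season.capitalize() + suffix)
                out.append(season + suffix)
    return out


# Constructed sample, not from the CDW corpus.
SAMPLE = [
    "Summer2014", "summer14", "Fall15", "Spring2016!",
    "P@ssw0rd", "Password123", "password",
    "Welcome1", "welcome", "helpdesk", "Helpdesk1",
    "Tr0ub4dor&3", "correcthorsebatterystaple",
]

if __name__ == "__main__":
    print(pattern_report(SAMPLE))
    print(length_report(SAMPLE).most_common(3))
    print(mask_report(SAMPLE).most_common(3))
    print(below_minimum(SAMPLE))
    print(len(season_candidates(range(2014, 2017))), "season candidates")
```

Over the sample, 11 of 13 passwords land in one of the four weak families, length 8 dominates, and the three-year season list is only 60 candidates: small enough to spray without tripping a typical lockout threshold, which is the point the slide is making about large user populations.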
Financial Fraud
• One case I’ve worked on deals with a fairly large financial fraud at a Michigan-based company
• One of their computer workstations had been hacked, and the user of that workstation used it to log into a web banking system to process their regular payroll
• The user was somehow directed away from the official banking web site to a phishing web site
• The web site looked “different” to the user so they contacted the web banking company’s technical support. Their tech support was unable to determine the problem (which in this case was the wrong URL) and told them “it must be an I.T. problem on your end”
• The user then entered their user ID, password, and code from a two-factor authentication token into the site and did payroll
• The next day they were contacted regarding what appeared to be fraud – their payroll (approximately $700,000) had been hijacked
Financial Fraud
• This is especially troubling given the fact that two-factor authentication was used – these tokens display a code that changes every 30 to 60 seconds, giving a very small window of opportunity to exploit
• This implies to me that the criminals either had some very sophisticated software that could “automagically” log into the web banking system, or they had a fully staffed 24/7 NOC with people waiting for events
• The criminals then changed the account numbers that the payroll was going to, and routed sums of approximately $9,000 to a number of different bank accounts ($10,000 is the cash-transaction threshold at which a bank must file a Currency Transaction Report under the Bank Secrecy Act; keeping each amount below it is classic structuring)
• This also implies that the criminals were very well versed in the banking system, because they were smart enough to change all of the ACH numbers very quickly
Financial Fraud
• According to at least one report, individuals who were looking for a job online were offered jobs as “ACH processors” by some shady Internet company
• Their job was to open a bank account, wait for money to be deposited, and then withdraw the money as cash
• They would then use a wire transfer service such as Western Union to wire $4,000 each to a couple of different people or accounts overseas, and keep $1,000 for their trouble
• Thus, the people who were doing the conversion of virtual to physical cash and were assisting in the crime were most likely unknowing dupes (money mules)
• They themselves might find the info they provided to their “employer” (SSN, bank number) sold at a later date
Financial Fraud
• I was then called in to help with incident response
• We began by taking a forensic image of the user’s workstation using a FireWire “write blocker” to preserve the integrity of the data
• While that was happening, we worked on analyzing available log sources (there weren’t any, so we had to configure firewall logging)
• We put a stop to all non-essential Internet access while we were investigating
• We also began installing WebRoot Anti-Spyware software on a number of workstations – this turned up more infected machines
• Using a firewall log analysis tool known as Sawmill, we were able to find other network activity that seemed suspicious (traffic to eastern Europe and Asia) and analyze those workstations for additional malware
• The FBI later came in and took an image of the workstation as well
Financial Fraud
• We started drafting a list of recommendations to help them improve their overall security posture, and presented them to senior management, including:
  • Install Anti-Virus everywhere
  • Purchase an intrusion prevention module for the firewall
  • Implement Websense Internet content filtering
  • Etc.
• Around this time I began performing a forensic investigation of the image copy of the computer workstation I had taken
• These investigations can be very time consuming, even if all the time is not billable, due to the amount of time required to do keyword searches, etc. This one took weeks.
• Knowing the approximate date that machine was last “known good” (e.g. was last rebuilt) I was able to start looking at the computer workstation’s filesystem history
Financial Fraud
• On the workstation I found six different pieces of malware that WebRoot had identified and removed
• These were put into a quarantine directory, and then “wrapped” with some header information about the identification WebRoot had made
• Aside from these pieces of malware, I manually found another 6 or so pieces of malicious software that their anti-virus or anti-spyware program was unable to find
• I submitted these samples to an online service known as virustotal.com, which ran them through about 30 different AV programs
• While only a portion of the AV programs identified each piece, it helped me identify what they were, and possibly what they did
Financial Fraud
• I was able to see at least one source of infection – there was a malicious Adobe Acrobat PDF file
• This file exploited the PDF reader program and executed JavaScript to download a number of different pieces of malware from a server in Russia (you could see the files being created in rapid succession)
• One of those appeared to be a keylogger, as I found a number of data files that looked like partially encrypted keylog entries
• The PDF file may have come in through e-mail, as there was a remnant of an Outlook Express file at that time, or may have come through browsing
• Unfortunately, by the time I was making real progress with the case, the client wanted to control costs and asked me to stop investigating
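A malicious PDF that runs JavaScript on open is the kind of file a first-pass triage can flag before anyone opens it in a reader. The block below is an added example, not the presenter's tooling: it counts the PDF name objects that weaponised documents depend on (in the manner of Didier Stevens' pdfid), resolves the #xx name escapes attackers use to hide /JavaScript, and inflates Flate-compressed streams so that indicators tucked into an object stream are counted too. The sample PDFs are constructed inline, are structurally minimal and are not meant to render; the Acrobat JavaScript call inside one of them is illustrative only.

```python
"""Static triage of a PDF for exploit-document indicators: JavaScript, actions
that run on open, launch actions, embedded files, and the compressed streams
that hide them. Keyword counting only; this does not parse the object graph."""
import re
import zlib

# /JS and /JavaScript carry the script, /OpenAction and /AA make it run without
# a click, /Launch runs a program, /EmbeddedFile carries a dropped payload,
# /ObjStm and /RichMedia are where indicators get hidden.
SUSPICIOUS_NAMES = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
                    b"/EmbeddedFile", b"/RichMedia", b"/ObjStm")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript counts as /JavaScript. Applied to
    the whole buffer (a # inside a string is rewritten too); fine for counting."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> dict:
    text = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at a delimiter: /JS must not match /JSX, /AA must not match /AAA.
        hits = len(re.findall(re.escape(name) + rb"(?![0-9A-Za-z_])", text))
        if hits:
            counts[name.decode()] = hits
    return counts


def inflate_streams(data: bytes) -> list:
    """Decompress every stream that is Flate-encoded; anything else is skipped."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\nendstream", data, re.DOTALL):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return out


def triage_pdf(data: bytes) -> dict:
    report = {"raw": count_names(data), "in_streams": {}}
    for blob in inflate_streams(data):
        for name, n in count_names(blob).items():
            report["in_streams"][name] = report["in_streams"].get(name, 0) + n
    total = dict(report["raw"])
    for name, n in report["in_streams"].items():
        total[name] = total.get(name, 0) + n
    report["total"] = total
    has_js = "/JS" in total or "/JavaScript" in total
    auto_run = "/OpenAction" in total or "/AA" in total
    report["suspicious"] = (has_js and auto_run) or "/Launch" in total
    return report


def build_sample_pdf(hide_in_stream: bool = True) -> bytes:
    """Constructed, minimal, non-rendering PDF: the catalog's /OpenAction points
    at a JavaScript action with a hex-escaped name, optionally stored inside a
    Flate-compressed object stream. The JS call is illustrative only."""
    action = (b"4 0 << /Type /Action /S /J#61vaScript "
              b"/JS (this.exportDataObject({cName: 'payload.exe', nLaunch: 2})) >>")
    if hide_in_stream:
        packed = zlib.compress(action)
        obj = (b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
               + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n")
    else:
        obj = b"4 0 obj\n" + action[4:] + b"\nendobj\n"
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            + obj + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


# Constructed benign document with no actions or scripts.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
    print(triage_pdf(BENIGN_PDF))
```

A grep for "/JavaScript" on the raw file finds nothing in the hidden variant; only after inflating the stream and resolving the #61 escape do the /JS and /JavaScript hits appear alongside the /OpenAction in the catalog, which is the combination that should send the file to a sandbox rather than a reader.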
Casino Security
• I received a report that a casino surveillance department was accused of accessing files that they were not supposed to have access to
• In casinos, there is a strong separation of duty between surveillance and the rest of the company
  • No fraternizing
  • Separate building entrance
  • Supposed to eat lunch separately
  • Etc., etc. to minimize the risk of collusion
• In this case it was reported someone had “heard” that confidential HR files were unprotected, and had done some poking around in the HR files without approval
Casino Security
• What had happened was that the organization had experienced a failure of the system that hosts their user and group file shares, and they were forced to rebuild the shares
• After they restored the files, they then went about setting the access permissions on the files so that they should be appropriate
• However, they forgot about one system – the Google Cache appliance – which had an AD login and was configured to index their file shares to facilitate searching
• Normally the access rights for the cache were configured in accordance with the file shares, but as these were broken the appliance indexed all of the shares and provided access to the information
Casino Security
• In this configuration, a user could search for a phrase like “contract” and find an excerpt from an employee contract, and then either click on the “cached” link or directly access the file
• I imaged the computer using a write blocker, and started looking around on the computer, with a mandate of analyzing any office documents or scanned documents (images/PDF) that might be on the computer and appear to be inappropriate
• The computer contained many casino incident reports, and I thought this would be a very interesting job – SURELY there was all kinds of exciting information in all those incident reports, right? Surely there were people being naughty, with pictures!
• Alas, it turns out that the incident reports which I had to read were uniformly boring and mainly had to do with down-on-their-luck people trying to bilk the casino or its customers
Casino Security
• Performed an analysis of the computer using the “Net Analysis” browser history software (commercial) and RegRipper
• Both tools turned up several UNC references to documents on the HR file share, and there was a copy of an employee contract sitting in the Temporary Internet Files folder
• Lessons learned:
  • Some of the jobs that you would think are incredibly interesting are in fact really boring if you have to do them day after day
  • Beware caching appliances! They often cache things you wish they didn’t
  • Caching appliances often have credentials configured into them, often a domain ID for Active Directory or whatever is being used, and they need to be hardened
The Naughty Fireman
• Was brought in to work on a civil action by a law firm representing a county government
• The county’s fire department had an incident where a night-shift fire fighter was suspected of viewing pornography
• This was complicated by the fact that the pornography was gay, and was discovered by a very religious supervisor
• Wanted to fire the employee, but needed a solid case against him in case of a grievance process
• I was provided with three computer workstations that were from the firehouse, and asked to analyze them
• Imaged using a write blocker, and used Net Analysis HSTEXT to low-level scan the hard drive for Internet history
The Naughty Fireman
• Discovered a lot of recreational browsing, starting with normal types of browsing about 3-6 months prior, and ending with very extensive use of gay.com
• Could see browsing of gay.com singles ads, followed by URLs that indicated account creation and setting up of a profile
• Profile was cached on the local workstation, including a profile picture of the firefighter that appeared to show the fire house in the background (a recognizable poster)
• Scanned the hard drive for naughty pictures like the one the supervisor thought he saw
• The workstation had some personal pictures, but no pornography on it. However, the user directory seemed a little bit TOO clean, as if it was sanitized before being handed over
The Naughty Fireman
• Decided to grab all the thumbs.db files on the system that were bigger than the default size and analyze them
• Sure enough, thumbs.db had created thumbnails for about 15-20 pornographic pictures that were previously in the user’s document directory but had since been deleted and wiped (defragged?)
• Was able to document these thumbnails for the lawyers, who presumably had a solid case to work with
• Lessons learned:
  • It’s really funny when your job includes getting paid to talk to expensive lawyers who repeatedly ask you if you found “a cock shot”
  • Thumbs.db doesn’t delete its old thumbnails, but hardly any non-technical people know this – great way to bust people
  • Sometimes our job involves hanging people out to dry that you actually have some sympathy for – for example in this case I discovered through workstation analysis that the guy had just come out of the closet, was getting divorced from his wife, was in the process of filing for bankruptcy and was getting fired from his job, all in about one month