"International" Hacking: When the cooperation is the only cure. Dario Forte, CFE, CISM Security Advisor EECTF

"International" Hacking: When the cooperation is the only cure. Dario Forte, CFE, CISM Security Advisor EECTF - European Electronic Crime Task Force. Abstract.

shae
Download Presentation

"International" Hacking: When the cooperation is the only cure. Dario Forte, CFE, CISM Security Advisor EECTF

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. "International" Hacking: When the cooperation is the only cure.Dario Forte, CFE, CISM Security AdvisorEECTF - European Electronic Crime Task Force

  2. Abstract
     • BACKGROUND: In August 2002, fourteen Italian hackers — almost all information security professionals — were arrested by the Italian Financial Police. They were charged with hacking the networks of NASA, the U.S. Army, the U.S. Navy and various universities around the world. This session will illustrate the general techniques used by contemporary attackers, with particular reference to the “insider threat.” In addition, the speech itself will demonstrate how international cooperation is fundamental in hacking investigations.

  3. European Hacking Scenario
     • Classified by territory, the European hacking scenario is:
       • Eastern Europe: malicious mobile code (MMC), credit card fraud, cyber-extortion
       • Central/Northern Europe: defacements (script kiddies), Distributed Denial of Service (DDoS) and distributed information theft
       • Western Europe: crypto attacks

  4. European Hacking Scenario (2)
     • Platforms used by the attackers
       • Linux
       • BSD
     • Most targeted platforms
       • Windows
       • *nix (xBSD, Sun Solaris, Linux)

  5. September 2001/August 2002: Operation Rootkit
     • International hacking case
     • More than 1,000 compromised machines worldwide
     • 20% are military/government in the U.S.
     • 20% are military/government in Europe
     • Others are universities/companies worldwide
     • Operation details under a Non-Disclosure Agreement (NDA)

  6. The New Malicious Hacker’s Frontier: Attacking Strategic Targets
     • International hacking case — main features
     • Most case histories have demonstrated that the “grey hat” phenomenon is growing
     • Grey hats use their own tools (they are not script kiddies)
     • They are inclined to acquire many critical/strategic files from government/military and very important financial/enterprise networks

  7. Contemporary Hacking Lifestyle
     • Distributed information gathering, using already compromised machines as stepping stones and/or:
       • Directly from the hackers’ own machines
       • Using “flat rate dial-up connections” owned by foreign ISPs with toll-free numbers
       • Using a flat-rate account stolen from “normal” users via Trojan horses
       • Caller ID hidden

  8. Mentors and Reservoir Dog’s “Features”
     • Preferred targets: mainly Linux/IRIX machines
     • Break-in is done within 24 hours of a vulnerability discovery/disclosure
     • Once inside, they typically:
       • Steal files (mainly documents and source code)
       • Use the computer as a stepping stone for further operations (more hacking and DoSNET construction)
       • Use the computer for IRC traffic

  9. General Scenario: How Crackers Exchange Information
     • Reservoir Dog’s techniques are well established in the cracker arena
     • The “most trusted” members of the hacker group used to set up a VPN between their machines, or alternatively:
       • Secure Shell (SSH)
       • Encrypted IRC
       • IPv6 tunnels

  10. Malicious Hacker’s “Modus Operandi” (cont.)
     • All the workload (such as scanning, exploit finding and testing, and attack) is shared among the group’s members
     • A “skilled” hacker makes only a few defacements

  11. Typical Scenario: Hacking Tools Used
     • Information gathering: heavy use of
       • nmap (with extended expressions)
       • hping (for firewalled machines)
       • Passive fingerprinting
     • Attack phase
       • Publicly available exploits (possibly customized)
       • Self-made rootkits, both “cross” and locally compiled (depending on the target)
       • Heavy use of log wipers and obfuscators

  12. Information Gathering (Typical Scenario)
     [Diagram: Master (with an XML engine) → Agents → Target. The link between master and agents is encrypted; the scanning workload is shared among the agents.]
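The master/agent model on this slide splits one scan across several agents, so a per-source threshold on the target’s firewall sees only a handful of probes from each address. The following Python is an added example, not part of the presentation: it aggregates denied connections by target instead of by source and flags a target that receives probes on many distinct ports from several distinct sources within a short window. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example.

```python
"""Added example: detecting a distributed (master/agent) port scan from
firewall logs by aggregating per target rather than per source.
Log lines, addresses and thresholds are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny lines: six agents each probe two ports of the same
# target within a few seconds; one unrelated host retries SSH on another target.
SAMPLE_LOG = """\
2002-08-01T10:00:01 DROP src=198.51.100.10 dst=192.0.2.5 dport=21
2002-08-01T10:00:02 DROP src=198.51.100.10 dst=192.0.2.5 dport=22
2002-08-01T10:00:02 DROP src=198.51.100.11 dst=192.0.2.5 dport=23
2002-08-01T10:00:03 DROP src=198.51.100.11 dst=192.0.2.5 dport=25
2002-08-01T10:00:03 DROP src=198.51.100.12 dst=192.0.2.5 dport=80
2002-08-01T10:00:04 DROP src=198.51.100.12 dst=192.0.2.5 dport=110
2002-08-01T10:00:04 DROP src=198.51.100.13 dst=192.0.2.5 dport=111
2002-08-01T10:00:05 DROP src=198.51.100.13 dst=192.0.2.5 dport=143
2002-08-01T10:00:05 DROP src=198.51.100.14 dst=192.0.2.5 dport=443
2002-08-01T10:00:06 DROP src=198.51.100.14 dst=192.0.2.5 dport=513
2002-08-01T10:00:06 DROP src=198.51.100.15 dst=192.0.2.5 dport=514
2002-08-01T10:00:07 DROP src=198.51.100.15 dst=192.0.2.5 dport=515
2002-08-01T10:05:00 DROP src=203.0.113.9 dst=192.0.2.7 dport=22
2002-08-01T10:05:30 DROP src=203.0.113.9 dst=192.0.2.7 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$"
)


def parse(log_text):
    """Yield (timestamp, src, dst, port) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])


def max_ports_per_source(log_text):
    """Largest number of distinct ports probed by any single source: this is
    all a naive per-source scan detector gets to see."""
    ports_by_src = defaultdict(set)
    for _, src, _, port in parse(log_text):
        ports_by_src[src].add(port)
    return max((len(p) for p in ports_by_src.values()), default=0)


def find_distributed_scans(log_text, window=timedelta(minutes=1),
                           min_ports=10, min_sources=3):
    """Return {target: (distinct_ports, distinct_sources)} for every target that,
    within some sliding window of length `window`, was probed on at least
    `min_ports` distinct ports by at least `min_sources` distinct sources."""
    by_target = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        by_target[dst].append((ts, src, port))
    hits = {}
    for dst, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            ports = {p for _, _, p in win}
            srcs = {s for _, s, _ in win}
            if len(ports) >= min_ports and len(srcs) >= min_sources:
                prev = hits.get(dst, (0, 0))
                hits[dst] = (max(prev[0], len(ports)), max(prev[1], len(srcs)))
    return hits


if __name__ == "__main__":
    print("per-source view, max distinct ports:", max_ports_per_source(SAMPLE_LOG))
    print("per-target view:", find_distributed_scans(SAMPLE_LOG))
```

On the constructed log, no single agent touches more than two ports, so a per-source rule tuned to catch a classic sweep stays silent, while the per-target view reports twelve ports from six sources against 192.0.2.5 inside one window. The thresholds are deliberately parameters: on a busy service the port and source counts that separate a coordinated scan from ordinary noise have to be tuned against local traffic.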

  13. Operation Rootkit: the Backtracing
     • More than 300 GB of logs were examined for intrusion analysis purposes
     • Five police/government agencies involved
     • Dozens of forensic exams were conducted
     • So a “practitioner coordinator” was needed

  14. Operation Rootkit: Results
     • A year-long investigation
     • 14 people charged (four minors)
     • More than 40 computers seized
     • Almost one TB of data seized
     • Thousands of CD-ROMs/DVDs seized
     • Many credit card files recovered

  15. The “Insider Threat”
     • A portion of the group was working as information security managers in big consulting firms/ISPs (even in the Italian branches of U.S. companies)
     • The remaining people were freelance security consultants
     • White hat @ day, then black hat @ night (most customers’ machines were used as stepping stones)

  16. Initial Attack Analysis
     [Diagram: German Web Server → Hacked University → Hacked Army computer]
     • IDS logs revealed the hack originated from a German ISP’s web server.
     • Began coordination directly with German authorities.
     • IDS logs showed transfer of a rootkit from a hacked University of Pennsylvania computer.
     • Began coordination directly with university officials.

  17. Next Hop: Investigating University Computers
     [Diagram: Italian ISP → German Web Server → University Computer → Compromised Army Computer → Additional compromised systems]
     • University officials gave system logs and an image of the compromised computer.
     • Matched the compromise of the US university to the compromised Army computer.
     • Computer was used as a “tool box”
     • Identified numerous other compromised systems, including US Government systems
     • Search at the physical level revealed a connection from dial-up
     • HD analysis found the intruder’s rootkit.

  18. The German Investigation
     [Diagram: Italian ISP → German Web Server → Hacked University → Hacked US Army Computer → Additional compromised systems]
     • German source computer belonged to a large corporation; it had also been hacked.
     • The German corporation identified the compromise of their server and hired a forensic firm in Germany to do the forensic analysis.
     • The forensic analysis matched the fingerprint found at Redstone Arsenal and the University of Pennsylvania. Source was in Italy. Hacker’s nick was Pentoz.

  19. The Importance of International Cooperation
     • Thanks to the cooperation between GdF, NASA OIG, USSS Milan, Army CID and Navy NCIS, it was possible to conduct one of the largest backtracing operations in the world. In this period EECTF started its activity.
     • Without international cooperation, it wouldn’t have been possible to achieve a good “event correlation rate”
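Slides 16 to 19 describe the backtrace as a walk from the Army host to the university host to the German web server, confirmed at each hop by a matching rootkit fingerprint and by the order in which the compromises happened. The following Python is an added example, not the investigators’ tooling: given per-host findings (the inbound address that preceded the compromise, when the intruder was first seen and the hashes of recovered artifacts), it walks the chain upstream until it reaches an address for which no host image exists, checks that the timeline is consistent along the chain, and computes the artifact hashes common to every hop. Host names, addresses, timestamps and hashes are constructed placeholders (the hashes are SHA-256 of labels, not real indicators).

```python
"""Added example: reconstructing a stepping-stone chain from per-host findings.
Host names, addresses, timestamps and artifact hashes are constructed
placeholders; none of them are real indicators."""
import hashlib
from datetime import datetime


def label_hash(label):
    """Placeholder artifact hash: SHA-256 of a label, standing in for the
    hash of a file recovered from a host's disk."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed findings, one entry per imaged host: its own address, the address
# of the inbound session that preceded the compromise, when the intruder was
# first seen there, and the hashes of artifacts recovered from its disk.
HOST_FINDINGS = {
    "army-host.example": {
        "ip": "192.0.2.10", "inbound_from": "203.0.113.20",
        "first_seen": "2002-03-01T02:10:00",
        "artifacts": {label_hash("rootkit-a"), label_hash("logwiper")},
    },
    "university-host.example": {
        "ip": "203.0.113.20", "inbound_from": "198.51.100.30",
        "first_seen": "2002-02-25T23:40:00",
        "artifacts": {label_hash("rootkit-a"), label_hash("irc-bot")},
    },
    "german-web.example": {
        "ip": "198.51.100.30", "inbound_from": "192.0.2.200",
        "first_seen": "2002-02-20T01:05:00",
        "artifacts": {label_hash("rootkit-a"), label_hash("logwiper")},
    },
}
# 192.0.2.200 stands for the dial-up address at the end of the trail: no host
# image exists for it, so the walk stops there and the ISP is the next contact.


def backtrace(start_host, findings):
    """Follow `inbound_from` from host to host. Returns the ordered hop list,
    downstream first, ending with the first address that has no host entry."""
    by_ip = {v["ip"]: name for name, v in findings.items()}
    chain, seen, current = [start_host], {start_host}, start_host
    while True:
        src = findings[current]["inbound_from"]
        upstream = by_ip.get(src)
        if upstream is None:           # trail leaves the set of imaged hosts
            chain.append(src)
            return chain
        if upstream in seen:           # guard against a looped stepping stone
            return chain
        chain.append(upstream)
        seen.add(upstream)
        current = upstream


def timeline_consistent(chain, findings):
    """Each hop must have been compromised no later than the hop downstream
    of it; an inversion means the supposed source was not yet under the
    intruder's control and that link needs re-examination."""
    hosts = [h for h in chain if h in findings]
    times = [datetime.fromisoformat(findings[h]["first_seen"]) for h in hosts]
    return all(later >= earlier for later, earlier in zip(times, times[1:]))


def common_artifacts(chain, findings):
    """Artifact hashes present on every imaged hop: the shared fingerprint
    that ties the compromises to one intruder."""
    sets = [findings[h]["artifacts"] for h in chain if h in findings]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    hops = backtrace("army-host.example", HOST_FINDINGS)
    print(" <- ".join(hops))
    print("timeline consistent:", timeline_consistent(hops, HOST_FINDINGS))
    print("shared artifacts:", len(common_artifacts(hops, HOST_FINDINGS)))
```

The walk stops at the dial-up address because there is no image to examine behind it; at that point the only way forward is the contact with the ISP that owns the address, which is the cooperation step the slides describe. The timeline check is the cheap sanity test that each claimed link is actually possible, and the artifact intersection is what the slides call the matching fingerprint.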

  20. European Electronic Crime Task Force Who are we?

  21. EECTF Mission

  22. Very simple … Free flow of investigative related information without the usual bureaucratic entanglements

  23. Goals for this year

  24. Build up the organization to 100 members
      • Develop training and certification specific to the task force
      • Expand the free flow of information to reach not just Europe but Asia as well

  25. Communication between members

  26. What do we use? Cybercop: secure and encrypted communication

  27. NON-DISCLOSURE AGREEMENT

  28. Our members
     • EECTF is not affiliated with EU government initiatives
     • It is a technical/incident response group
     • Our members are from law enforcement, military, academia, finance and the trusted private sector

  29. Some case studies
     • Reservoir Dogs Case
     • Cyprus Credit Card Case
     • Cyberfraud case involving Europe and the US
     • Most of them are still under NDA

  30. The Cyprus case
     • Through our network of contacts, EECTF was advised that the leader of a worldwide credit card trafficking ring had been arrested in Cyprus.
     • We were able to arrange the travel of both the evidence and the police officers involved in the case to our forensic lab in Italy.
     • In Italy we were able to quickly conduct an initial forensic exam, which recovered enough evidence to keep the defendants in jail until the complete forensic exam could be completed in the U.S.

  31. Lessons Learned
     • Operation Rootkit:
       • Companies should increase control over their IT security personnel
       • Customers should “think twice” before leaving their IT systems in the hands of potentially untrustworthy consultants
     • All operations: international cooperation is essential in cybercrime enforcement

  32. Know your enemy
     • Share information with your peers
     • Test your knowledge and skills
     • Avoid bureaucracy whenever you can, but respect and interact with the laws.

  33. Thanks
