Credit Card Compromise Case Scenario by John Mallery
Scenario • Client calls and says they have an issue • They have been notified by the USSS that they have had credit cards compromised through a “common point of purchase” investigation • They provide you with a hard drive only • They want to identify if a “hack” has taken place • What do you do?
Process • Initial Issues and Questions • How do you know whether you have the correct drive? • What about date and time stamps? Are they valid? • Why or why not?
Process • Where do you begin? • Forensically image drive • Develop an approach • What do you look for?
Investigation • Forensically copy drive • Run Searches on the following: • Credit card numbers – identify if they are in plain text • IP addresses of System • Logs • Software installed • Internet History
Investigation • Online storage sites • Removable drives • Test SAM database for missing passwords
Credit Card Numbers • Grep Expression • Identifies possible credit card numbers • How can they be validated? • Which one is a valid credit card number? • 4012 8888 8888 1881 • 5432 1234 5411 1111 • 5454 5454 5454 5454
Credit Card Numbers • Adhere to a strict format
Luhn Algorithm (Mod10) • Starting with the rightmost digit (which is the check digit) and moving left, double the value of every second digit. • If a product results in two digits, subtract 9 • Add all numbers together. • The result should be divisible by 10
An example: 4012 8888 8888 1881
Digits:                          4  0  1  2   8  8   8  8   8  8   8  8  1  8   8  1
Multiply every second digit by 2: 8  0  2  2  16  8  16  8  16  8  16  8  2  8  16  1
Double digits (subtract nine):   8  0  2  2   7  8   7  8   7  8   7  8  2  8   7  1
Sum equals 90 • Valid number • Who is the issuer?
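The grep-and-validate step from the Credit Card Numbers and Luhn slides, as an added Python example (not part of the original presentation): it scans constructed sample text standing in for grep output over an image, keeps 16-digit candidates, computes the Luhn sum exactly as tabulated above, and names the issuer from a simplified leading-digit table. The sample lines, the function names `find_card_numbers`, `luhn_sum` and `issuer`, and the reduced prefix table are assumptions of this example; the three numbers are the ones listed on the slide plus one non-card numeric string.

```python
import re

# Constructed sample text, standing in for the output of a grep pass over a
# forensic image: the three numbers from the slide (two are public test card
# numbers) plus a 16-digit order id that is not a card number at all.
SAMPLE_TEXT = """\
TXN 2008-03-04 card=4012 8888 8888 1881 amt=41.20
TXN 2008-03-04 card=5432-1234-5411-1111 amt=12.00
TXN 2008-03-05 card=5454545454545454 amt=99.99
ORDER 1234567890123456 shipped
"""

# Candidate pattern: four groups of four digits, optionally separated by a
# space or hyphen. Word boundaries stop matches inside longer digit runs.
# It deliberately over-matches; the Luhn check filters the rest.
CANDIDATE_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

def luhn_sum(number: str) -> int:
    """Luhn (mod 10) sum as on the slide: starting at the rightmost digit (the
    check digit) and moving left, double every second digit, subtract 9 from
    any two-digit product, then add everything together."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total

def luhn_valid(number: str) -> bool:
    """A number passes when its Luhn sum is divisible by 10."""
    return luhn_sum(number) % 10 == 0

def issuer(number: str) -> str:
    """Simplified issuer lookup from the leading digits (assumed, reduced table:
    only the best-known prefixes are listed; anything else is 'unknown')."""
    n = re.sub(r"\D", "", number)
    if n.startswith("4"):
        return "Visa"
    if n[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if n.startswith("6011"):
        return "Discover"
    return "unknown"

def find_card_numbers(text: str) -> list:
    """Return every 16-digit candidate in text with its Luhn result and issuer,
    so the examiner can separate probable card numbers from random digits."""
    results = []
    for match in CANDIDATE_RE.finditer(text):
        number = re.sub(r"\D", "", match.group(0))
        results.append({
            "number": number,
            "luhn_sum": luhn_sum(number),
            "luhn_valid": luhn_valid(number),
            "issuer": issuer(number) if luhn_valid(number) else "n/a",
        })
    return results

if __name__ == "__main__":
    for r in find_card_numbers(SAMPLE_TEXT):
        flag = "VALID" if r["luhn_valid"] else "fails Luhn"
        print(f'{r["number"]}  sum={r["luhn_sum"]:3d}  {flag:10s}  {r["issuer"]}')
```

Over a real image the same pattern would be fed to grep (or run over the output of strings), and only the candidates that pass Luhn need the follow-up work of confirming they are cardholder data.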
Credit Card Validator • Credit Card Verifier Software • Test and verify its functionality before using on suspect credit card numbers. • Disconnect from Internet • Start Process Monitor: ..\..\CCN\ProcessMonitor\Procmon.exe • Test on dummy CCN’s
Initial Results • Found numerous numeric strings in plain text that appeared to be credit card numbers • Publicly routable IP Address • Nothing of relevance in logs • No functioning antivirus applications • PCAnywhere
Initial Results • Internet History – lots of visits to non-business sites – YouTube, MySpace, eBay and personal surfing. • Removable drives had been used. • Administrator account with no password.
Answer Found? • Have we identified whether the system had been hacked? • What is the next step?
Boot the Image • Boot the image • How? • LiveView - http://liveview.sourceforge.net/
LiveView Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.
LiveView What Do I Need To Run Live View? • VMware Server Full Install (Free Download) or VMware Workstation 5.5 (30 Day Trial) • Java Runtime Environment (http://www.java.com/getjava/) • VMware Disk Mount Utility (http://www.vmware.com/download/eula/diskmount_ws_v55.html) • A Microsoft Windows Machine (XP, 2000, or 2003) • Some Bit-for-Bit Disk Images
LiveView • Demo (Maybe)
SIFT Workstation • SANS Investigative Forensic Toolkit • https://forensics.sans.org/community/downloads/index.php • Need SANS portal account for downloads • Large file (1.35 GB)
VFC – Virtual Forensic Computing • Commercial Product • VFC • Mount Image Pro • http://www.mountimage.com/ • VMWare Player, Workstation or Server • Demo
Benefits of Booting Image • Identify open ports: netstat and fport • Identify running processes: Pslist • Identify services: Psservice • Programs scheduled to run at startup: Autoruns and msconfig
Additional Results • Port 80 open • Additional ports open – remote control programs • Opened PC Anywhere – identified configuration settings and cracked password; no security mechanisms implemented • In addition – no firewall on system or on network • Router – default username and password.
End Result • 18,880 credit card numbers compromised • POS application known to have stored CCN’s in plain text. Patch existed, vendor never applied patch. • Costs – fines, investigation, legal fees • Client hopes to recover costs from vendor’s insurance company.
Toys • WFA • UserAssist: • The data about frequently used programs is kept in the registry under this key: • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist • This program decrypts and displays the data found in the registry under the UserAssist key • http://blog.didierstevens.com/programs/userassist/
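What the UserAssist tool does under the hood, as an added Python example (not part of the original presentation and not Didier Stevens' code): value names under the UserAssist Count subkeys are ROT13-obfuscated, and on Windows XP each value's 16 bytes of data hold a session id, a run counter and a last-run FILETIME. The XP data layout (little-endian u32 session, u32 count starting at 5, u64 FILETIME), the constructed registry values and the function names are assumptions of this example; `rot13` and `filetime_to_datetime` are the two decoding steps a reviewer would want to reproduce by hand.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def rot13(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; ROT13 is its own inverse."""
    return codecs.encode(name, "rot_13")

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_userassist_xp(values) -> list:
    """Decode (encoded_name, raw_data) pairs from a UserAssist Count subkey.
    Assumed XP layout of the 16-byte data: <session:u32><count:u32><FILETIME:u64>,
    little-endian, with the stored count starting at 5 (runs = count - 5).
    Values of any other size are kept as raw hex for manual review."""
    decoded = []
    for enc_name, data in values:
        entry = {"name": rot13(enc_name), "session": None, "runs": None, "last_run": None}
        if len(data) == 16:
            session, count, ft = struct.unpack("<IIQ", data)
            entry["session"] = session
            entry["runs"] = max(count - 5, 0)
            entry["last_run"] = filetime_to_datetime(ft) if ft else None
        else:
            entry["raw_hex"] = data.hex()
        decoded.append(entry)
    return decoded

def _constructed_entry(plain_name, session, count, last_run):
    """Build one sample registry value the way XP would store it (test data only)."""
    packed = struct.pack("<IIQ", session, count, datetime_to_filetime(last_run))
    return (rot13(plain_name), packed)

# Constructed sample values, as if read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.
# Paths and times are invented; UEME_RUNPATH / UEME_CTLSESSION are the XP prefixes.
SAMPLE_VALUES = [
    _constructed_entry("UEME_RUNPATH:C:\\Program Files\\Example\\remote.exe", 2, 12,
                       datetime(2008, 3, 4, 15, 30, 0, tzinfo=timezone.utc)),
    _constructed_entry("UEME_RUNPATH:notepad.exe", 2, 5,
                       datetime(2008, 3, 1, 9, 0, 0, tzinfo=timezone.utc)),
    ("HRZR_PGYFRFFVBA", b"\x00\x00\x00\x00"),   # odd-sized value, kept raw
]

if __name__ == "__main__":
    for e in parse_userassist_xp(SAMPLE_VALUES):
        when = e["last_run"].isoformat() if e["last_run"] else "-"
        print(f'{e["name"]:55s} runs={e["runs"]}  last={when}')
```

The run counter and last-run time are what make this key useful in the scenario above: they show which programs a user actually launched (a remote-control client, for instance) and when, independent of file system timestamps whose validity the Process slide asks you to question.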