Unit VI Case Study
Headnote
In addition to knowing how to follow the bits of evidence, forensic detectives must know how to work with law enforcement.
IN SPRING OF 2003, several credit card associations and major credit card issuers began to notice increasing instances of fraud over a three- or four-month stretch. By looking at the patterns and types of fraud and tying that information back to common points of purchase, they believed they had identified one company (we’ll call them Company A) as the source of the fraud. While the patterns of evidence pointed to Company A, the evidence was still too circumstantial to call in law enforcement. Hard evidence was needed. So the associations and credit card issuers joined forces and contacted Ubizen (the author’s company), which conducts cybercrime investigations. They also contacted Company A and asked it to cooperate with forensic examiners from Ubizen, who would be sent to its site to investigate the possibility that a security breach had occurred within its production network environment. Company A officials said that they were not aware of any security breach, but they agreed to work with the investigators.
Company A is a software company that provides electronic payment software to numerous retail outlets, including restaurants, retail stores, and Internet companies. Company A’s core business is its payment gateway service that processes credit card and check transactions. While the majority of Company A’s transactions come from the Internet, wireless transactions are also common. The two different types of transactions are routed through two separate payment gateways, and together they often account for more than 200,000 electronic payment transactions daily.
The primary objective of the forensic investigation was to determine the source and full extent of the breach. If sufficient evidence was found to prove that a crime had been committed, a second objective would be to assist law enforcement in gathering additional evidence for prosecution.
Discovery. Before arriving at the company’s site, the forensic team conducted an exhaustive discovery process. This advance work would enable the team to hit the ground running once it arrived on site.
Stolen data. The team conducted an in-depth analysis of the fraud patterns and found that the fraud resulted from duplicated credit cards used in “card-present transactions.” These are scenarios in which legitimate account numbers are fraudulently reproduced on unauthorized duplicate cards and used by criminals to purchase goods or services in person, often with matching falsified identification.
For a criminal to duplicate a credit card with account information that will pass muster, he or she must have obtained the data encoded in the magnetic stripe on the back of a card. A credit card magnetic stripe contains two separate tracks of information. Track 1 contains data that is also printed on the card, such as the cardholder’s name; the name is not a component of the transaction authorization and merely verifies that the name on the card has not been altered. Track 2 contains the data the authorization actually depends on: the account number, the expiration date, the service code, and discretionary data that includes a card verification value (CVV1, or CVC1 on MasterCard) computed by the issuer and encoded only in the stripe. (The three-digit code printed, not embossed, on the card is the separate CVV2, used for card-not-present transactions.) Because the stripe verification value appears nowhere on the face of the card, a counterfeit card that passes authorization is evidence that the attacker obtained raw track data rather than just a card number.
Sophisticated fraud could be perpetrated by skimming this information from individual cards. But the fraud pattern in this case made it likely that theft of data in large batches had occurred. In fact, the investigation revealed that full mag-stripe information had been taken from Company A’s network.
Because mag-stripe information allows criminals to duplicate a credit card, the payment card industry stipulates that full track data must not be stored after a transaction has been authorized. The finding of theft at Company A therefore raised questions about whether mag-stripe information was being handled according to the industry’s commonly accepted security standards. The fact that mag-stripe information was involved in this breach meant that the information had very likely been stored despite the standard against doing so.
Investigators needed to locate where on the customer’s network this type of information resided. They could then identify the most likely avenues of intrusion through the network.
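Locating stored track data is a search problem the article does not detail. The Python scanner below is an added example, not Ubizen’s tooling or anything from the original case, showing what such a search looks for: the Track 1 and Track 2 field layouts (start sentinel, account number, field separators, expiration date, end sentinel), with a Luhn check to discard digit runs that merely resemble account numbers. The log lines are constructed for the example and use the standard Visa and MasterCard test account numbers, not real accounts.

```python
import re

# Constructed sample of what a misconfigured payment gateway might leave in a
# transaction log: masked PANs (acceptable) next to raw swipe data (never acceptable).
SAMPLE_LOG = """\
2003-05-14 02:11:07 auth ok merchant=1187 pan=411111******1111 amt=42.10
2003-05-14 02:11:09 raw swipe=;4111111111111111=0512101123456789?
2003-05-14 02:11:12 raw swipe=%B5555555555554444^DOE/JOHN^0612101000000000?
2003-05-14 02:11:15 auth ok merchant=1187 pan=555555******4444 amt=17.99
2003-05-14 02:11:20 debug value=;1234567890123456=0512101?
"""

# Track 2: ';' start sentinel, 13-19 digit PAN, '=' separator, YYMM expiry,
# service code plus discretionary data (all digits), '?' end sentinel.
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<disc>\d*)\?")
# Track 1 (format B): '%B', PAN, '^', cardholder name, '^', YYMM expiry,
# service code plus discretionary data, '?' end sentinel.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<disc>[^?]*)\?"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one finding per Luhn-valid track record found in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for track, rx in ((2, TRACK2_RE), (1, TRACK1_RE)):
            for m in rx.finditer(line):
                pan = m.group("pan")
                if not luhn_valid(pan):
                    continue    # looks like a track record but is not a card number
                hits.append({
                    "line": lineno,
                    "track": track,
                    "pan": mask(pan),
                    "exp": m.group("exp"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print(f"line {hit['line']}: track {hit['track']} data for {hit['pan']} exp {hit['exp']}")
```

Run against the sample, the scanner flags lines 2 and 3 and ignores the masked PANs on lines 1 and 4 and the Luhn-invalid decoy on line 5. In practice the same patterns would be run over database dumps, swap files, and application logs on every host that handles authorizations, since a single stored copy is enough for the kind of batch theft described above.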
Lay of the land. To accomplish this, the forensic experts studied diagrams to learn the layout of Company A’s computer network, determine whether it was vulnerable, and identify which parts of the network were most likely to be exposed if a hacker had been able to penetrate the system. Frequently, the most likely targets are Internet-visible systems, such as Web servers and FTP servers, or weakly configured wireless network access points. The team found that, indeed, Company A’s network was not sufficiently hardened against attack, making it likely that hackers could have penetrated the system and stolen the account information.
FBI assistance. Given these findings, the forensic team recognized that it was time for law enforcement to be brought into the process. This is a point sometimes overlooked by private firms: it is vital that the appropriate government agents be on the scene to help assemble evidence that could lead to the capture and eventual prosecution of the attacker. In this case, because of the nature of the crime and the magnitude of the fraud, FBI agents were contacted.
In early June, FBI agents from the Atlanta field office were the first to visit the site, although they were soon replaced by agents from the Chicago field office, who had much more extensive experience investigating cybercrimes. These agents had in fact worked with Ubizen investigators on previous investigations. Ubizen’s forensic experts also visited the FBI field office to discuss the specifics of the investigation, such as which forensic tools would be used to ensure the integrity of any data taken and how chain of custody would be maintained.
At the scene with the FBI agents, Ubizen’s investigators began data collection; they first made forensic images of Company A’s payment gateway systems, which they shared with the FBI investigators. Together the two teams then interviewed Company A’s staff for additional information on how the breach could have occurred, determining, for example, who in the organization had access to particular servers. Because Track 2 information had been compromised, it was important to understand where in the network such data sat; that would indicate which systems the attacker must have touched. This information could also help answer other questions, such as whether it could have been an inside job or whether the Internet was the avenue of attack.
After interviewing the staff and examining the organization’s network diagram, the team identified several systems that seemed likely avenues of attack based on their proximity to the Internet and their lack of suitable security controls. The team investigated several servers it suspected of being significant points of exposure and found on one of them a number of files that had not been installed by Company A’s administrators. These files included keystroke loggers and a common backdoor program called HackerDefender. This made it clear that the system had indeed been compromised from outside, leading the team to discount an inside job.
Footprints. FBI agents and the Ubizen team looked at files and audit logs to find the hacker’s footprint and attack signature, that is, how the hacker broke in and what the hacker did once he or she had access. Without more in-depth analysis it would be impossible to determine how the intruder had first gained access to the systems.
However, based on the immediately visible footprint left behind by the intruder, it became clear that the server had become the staging point through which the intruder could continually gain access into other components of Company A’s production network environment. Once the intruder had gained a foothold into the environment from the outside, he or she placed hacking tools and utilities within the systems, effectively exploiting the breach.
Live prey. When tracing the hacker’s steps, the investigators looked closely at dates and time stamps to determine when the hacker last penetrated the company’s network. They found files created by the hacker the day before the investigation began, proving that there was an ongoing breach, an important development since it could help the investigators to catch the attacker in the act.
Sewing up the breaches. The team first needed to repair the breach. Since the incidents of fraud associated with Company A were rapidly escalating, to as many as hundreds per day, it was imperative to immediately lock out the hacker’s access to private information.
The team began by purging from the organization’s systems sensitive cardholder data that, under industry standards, should never have been stored on the systems. With that data removed, the exposure created by any future unauthorized access would be much less severe.
The team also took several of Company A’s servers offline, replacing many of the compromised systems. They then enabled and configured logging and auditing functions to ensure that if unauthorized access were attempted again, the organization would be able to detect and respond to the unwanted activity.
All of the information collected on site was preserved, including hard drives from the compromised systems and logs from the intrusion detection system, the firewall, and the routers. The information was shipped back to Ubizen’s labs for in-depth analysis and preservation for evidentiary purposes.
A number of different tools were used to identify and salvage any other traces left behind by the intruder that might shed more light on the timeline of the attack or on other systems that might be involved. These included both Ubizen-proprietary utilities and commercial forensic tools such as EnCase. Because EnCase and similar tools have repeatedly been accepted in court, the FBI team could be confident that evidence provided by Ubizen (such as copies of drives) would be admissible.
Setting the trap. With the loss of data stanched, investigators were ready to catch the hacker in the act. To accomplish this, the Ubizen team and the FBI set a trap with three components.
The first part was a packet sniffer, a laptop with a software program called EtherPeek that would watch traffic in and out of the affected servers. It allowed investigators to monitor any data the hacker was sending, such as individual keystrokes, the machines the intruder was attempting to access, and how he or she was attempting to do so. Also, the sniffer would capture firsthand evidence of files removed from the network that would, under normal circumstances, contain sensitive information or data that could be used for fraud.
Next, the files on those servers were loaded with dummy credit-card information, both to prevent additional fraud from occurring and to keep the hacker unaware that he or she had been noticed. The third part of the trap was Tripwire, a program that monitors the integrity of files, configured to set off an alarm the moment the contents, permissions, or time stamps of the files under observation changed. That would tell the investigators exactly when the attacker hit so that they could catch the intruder in the act.
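Tripwire-style integrity monitoring works by recording a baseline of each file’s hash and metadata and alarming on any deviation from it. As an added example (not the article’s or Tripwire’s own code), the script below implements that baseline-and-compare cycle in Python and runs it against a constructed directory in which a simulated intruder drops a tool, replaces a binary, and deletes a log. The replacement binary is written with the same length and its modification time is put back afterwards, which shows why the hash, not the time stamp alone, is what catches the change.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record hash, size, mode, mtime and ctime for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, etc.
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": st.st_mode,
                "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns,  # cannot be reset with utime()
            }
    return baseline


def compare(baseline: dict, current: dict):
    """Return (added, removed, modified); modified maps path -> changed attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a gateway directory, then simulate an intruder."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "logs"))
        gateway = os.path.join(root, "bin", "gateway")
        with open(gateway, "wb") as f:
            f.write(b"legit binary")
        with open(os.path.join(root, "logs", "access.log"), "w") as f:
            f.write("2003-06-02 auth ok\n")
        baseline = snapshot(root)
        before = os.stat(gateway)

        # Simulated intruder activity (constructed for the example):
        # 1. drop a hacking tool on the server
        with open(os.path.join(root, "bin", "nc.exe"), "wb") as f:
            f.write(b"dropped tool")
        # 2. trojan the binary with same-length content and put the mtime back
        with open(gateway, "wb") as f:
            f.write(b"trojaned bin")
        os.utime(gateway, ns=(before.st_atime_ns, before.st_mtime_ns))
        # 3. delete a log to cover tracks
        os.remove(os.path.join(root, "logs", "access.log"))

        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

The trojaned binary shows up with its size and mtime unchanged and only the hash (and, on Linux, the ctime the attacker cannot control) flagged, which is the case a time-stamp-only check would miss. A real deployment stores the baseline off the monitored host, since an intruder with administrative access can otherwise simply re-baseline after making changes.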
Underlying the trap was the fact that the investigators had determined precisely how the hacker would attack. The investigation had shown the particular backdoor the attacker was using and what port would be used in the compromise. But with a huge amount of traffic flowing back and forth across the network (this company also conducts e-commerce business), waiting for a Tripwire alarm alone would not necessarily allow the investigators to see the compromise as it happened. So a Ubizen technician worked with the FBI’s Quantico-based Data Analysis Team to create a signature for the backdoor’s traffic that they could watch for on the sniffer, so they could see exactly when and where the hacker was attacking.
Hooked. The trap worked perfectly. When the hacker snuck in to begin copying what looked like credit-card information that Company A had backed up, he fell right into the ambush and was caught red-handed. From this point, FBI agents took the evidence collected by the Ubizen and FBI teams and began the hunt for the suspect.
They contacted a law enforcement computer-crime liaison group in the Eastern European country where the hacker was determined to be located. Ultimately, the hacker, a college-age male, was arrested and extradited, and the evidence gathered against him will be used when the case comes to trial.
Aftermath. While Company A breathed a sigh of relief when the hacker was caught, the work of the Ubizen investigative team wasn’t over yet. Their mission was not only to help identify the hacker but also to determine the full extent of the breach and figure out precisely how many credit cards had been compromised, and when.
Targets. The complete analysis showed that there were in fact several intruders who took advantage of the backdoor the original hacker had left, and they seemed to be unaware of each other’s presence. Altogether these attackers maintained some level of access into Company A for more than six months, two months longer than the previously recognized fraud dates. The team was also able to identify other machines on the network that had been compromised. These included the organization’s two database servers, the mail server, two file and print servers, and each of the Internet-visible systems.
Recommendations. The final step was to provide recommendations to Company A on how to bolster its security against future attacks. These included the obvious suggestion of adopting industry best practices.
MasterCard and Visa have led the industry in establishing guidelines to secure customer credit card data. MasterCard’s Site Data Protection (SDP) program and Visa’s Cardholder Information Security Program (CISP) are industry mandates with serious financial penalties for noncompliance (the two were later consolidated into the PCI Data Security Standard). These programs define a standard of due care for security compliance programs, ensuring that online merchants and payment service providers are adequately protected against hacker intrusions and account data compromises. The investigative team determined that Company A was far from fulfilling these requirements and outlined exactly what measures the company needed to take to be fully compliant.
A key suggestion was for Company A to conduct regular vulnerability scanning internally or to outsource the scans to an expert. This inexpensive automated process proactively identifies vulnerabilities to find out if and where a computer system can be exploited or is vulnerable.
Finally, the team provided a set of recommendations above and beyond the established credit card industry standards. The team advised Company A to either add an internal IT team dedicated solely to security or to consider outsourcing key elements of its security program to a managed security services provider. The amount of data generated by security devices is overwhelming, and it can only be properly monitored by a dedicated team whose sole function is to oversee the network data.
Since the attackers had access to stored credit card data, the team also urged Company A not to retain credit card data longer than needed, and never to retain full track data at all once a transaction has been authorized. As this case made clear, storing this type of sensitive information creates a high risk of exposure.
This case illustrates how private cybercrime investigators and law enforcement can collaborate to both protect the bottom line and stem crime. That’s good news for long-beleaguered online businesses, and bad news for online fraudsters.
Sidebar
Forensic detectives can often quickly identify the most likely targets of a hacker attack on a given network.
Sidebar
Two Teams are Better Than One
Cybercrime investigations are often initiated by the victimized company not through a call to the police, but through a call to a private firm that specializes in computer forensics examinations. These private-sector teams then call law enforcement into the process as soon as they confirm that illegal activity is occurring.
Cooperation between law enforcement and private-sector investigators is still a fairly new idea, however. Several years ago, when the author’s company first started conducting forensics investigations, it was often met with distrust by both its private-sector clients, who feared bad publicity or losing control of company data, and law enforcement agents, who were reluctant to share information with third-party vendors. This reluctance is diminishing as law enforcement becomes more accustomed to working with third-party cyberforensics experts and as clients see that the process can work. Companies like Ubizen work under strict conditions and with detailed nondisclosure agreements, which protect clients and help allay fears.
Although they need to work together, it is important to understand that ultimately the two groups of investigators have different goals. The private-sector team’s ultimate goal is to understand the full extent of the compromise and help the client find and close the vulnerability that led to the breach; in other words, to protect the client’s reputation and profits. Law enforcement is focused on the illegal activity and on collecting any evidence that will lead to the attacker and help in a prosecution.
The two groups also work differently due to the nature of their responsibilities. A private forensic firm is doing paid work for a client and will devote a team to getting the work done in a short time frame. For example, this case took Ubizen two days on site and another two weeks to complete the analysis and write a report. By contrast, law enforcement agents typically are juggling multiple cases or responsibilities and may take longer to complete an investigation or may have difficulty devoting sufficient resources to a specific case.
While the goals are different, the groundwork serves both objectives. For that reason, the analysis completed by the private-sector team is often useful to law enforcement, saving time and giving agents a head start in understanding all the technical details of an investigation so that they can make a case for prosecution.
AuthorAffiliation
Bryan Sartin is director of technology for Ubizen, where he is responsible for all customer-facing issues regarding the technology of its managed security solution offerings.
Unit VI Case Study
What problem was identified? What steps were taken to solve the problem?
Various stages of the investigation were focused on different goals. Briefly list and describe what these were as the investigation progressed and what strategies were employed.
Identifying and catching the criminal was not the only purpose for this investigation—what else needed to be done, and how was it to be accomplished?
What type(s) of cybercrime was/were involved in this article? Does the identified offender fit the characteristics for this type of cybercrime?