Credit Card Compromise Case Scenario by John Mallery
Scenario
- Client calls and says they have an issue
- They have been notified by the USSS that they have had credit cards compromised through a common point of purchase investigation
- They provide you with a hard drive only
- They want to identify if a hack has taken place
- What do you do?
Process: Initial Issues and Questions
- How do you know whether you have the correct drive?
- What about date and time stamps? Are they valid? Why or why not?
Process: Where do you begin?
- Forensically image the drive
- Develop an approach
- What do you look for?
Investigation
- Forensically copy the drive
- Run searches on the following:
  - Credit card numbers: identify if they are in plain text
  - IP addresses of the system
  - Logs
  - Software installed
  - Internet history
Investigation (continued)
- Online storage sites
- Removable drives
- Test the SAM database for missing passwords
Credit Card Numbers
- A grep expression identifies possible credit card numbers
- How can they be validated?
- Which one is a valid credit card number?
  4012 8888 8888 1881
  5432 1234 5411 1111
  5454 5454 5454 5454
Credit Card Numbers: Adhere to a strict format
Card Type         | Prefix   | Length
Visa              | 4        | 16
MasterCard        | 51, 55   | 16
American Express  | 35, 37   | 15
Discover          | 6011, 65 | 16
Luhn Algorithm (Mod 10)
1. Starting with the rightmost digit (which is the check digit) and moving left, double the value of every second digit.
2. If a product results in two digits, subtract 9.
3. Add all the numbers together.
4. The result should be divisible by 10.
An example: 4012 8888 8888 1881
Digits:                         4 0 1 2 8 8 8 8 8 8 8 8 1 8 8 1
Multiply every second digit by 2: 8 0 2 2 16 8 16 8 16 8 16 8 2 8 16 1
Double digits (subtract nine):  8 0 2 2 7 8 7 8 7 8 7 8 2 8 7 1
Sum equals 90: valid number. Who is the issuer?
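The grep-then-validate step from the slides above, written out as an added example (not code from the presentation): a candidate pattern for 13 to 16 digit strings, the Luhn sum exactly as worked for 4012 8888 8888 1881, and an issuer lookup from the slide's Visa, MasterCard and Discover rows. Reading the MasterCard entry as the prefix range 51 through 55 is an assumption, and the sample export text is constructed, not case data.

```python
import re

# Issuer prefixes and lengths from the slide's table (Visa, MasterCard, Discover;
# reading the MasterCard entry as the range 51 through 55 is an assumption here).
ISSUERS = [
    ("Visa", ("4",), 16),
    ("MasterCard", tuple(str(p) for p in range(51, 56)), 16),
    ("Discover", ("6011", "65"), 16),
]
# Grep-style candidate pattern: 13 to 16 digits, optionally split by spaces or dashes.
CCN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def only_digits(s: str) -> str:
    return "".join(c for c in s if c.isdigit())

def luhn_sum(number: str) -> int:
    """Luhn (Mod 10) sum as worked on the slide: from the check digit moving left,
    double every second digit, subtract 9 from any two-digit product, add up."""
    total = 0
    for i, ch in enumerate(reversed(only_digits(number))):
        d = int(ch)
        if i % 2 == 1:      # every second digit, counting from the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total

def luhn_valid(number: str) -> bool:
    digits = only_digits(number)
    return len(digits) >= 13 and luhn_sum(digits) % 10 == 0

def issuer(number: str) -> str:
    digits = only_digits(number)
    for name, prefixes, length in ISSUERS:
        if len(digits) == length and digits.startswith(prefixes):
            return name
    return "unknown"

def find_ccns(text: str) -> list:
    """Every candidate in text that passes the Luhn check, with its issuer."""
    return [(only_digits(m.group()), issuer(m.group()))
            for m in CCN_PATTERN.finditer(text) if luhn_valid(m.group())]

# Constructed sample of a plain-text POS export (not data from the case).
SAMPLE = """cust=1 pan=4012 8888 8888 1881 exp=0210
cust=2 pan=5432-1234-5411-1111 exp=1109
cust=3 pan=5454545454545454 exp=0311
ref=1234567890123 batch=0042
"""
```

Calling find_ccns(SAMPLE) keeps only the Luhn-valid candidates with their issuers, and luhn_sum("4012 8888 8888 1881") reproduces the slide's total of 90.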
Online Credit Card Validator – would you use it?
Credit Card Validator
- Credit Card Verifier software
- Test and verify its functionality before using it on suspect credit card numbers:
  - Disconnect from the Internet
  - Start Process Monitor (..\..\CCN\ProcessMonitor\Procmon.exe)
  - Test on dummy CCNs
Initial Results
- Found numerous numeric strings in plain text that appeared to be credit card numbers
- Publicly routable IP address
- Nothing of relevance in logs
- No functioning antivirus applications
- PCAnywhere
Initial Results (continued)
- Internet history: lots of visits to non-business sites (YouTube, MySpace, eBay) and personal surfing
- Removable drives had been used
- Administrator account with no password
Answer Found?
- Have we identified whether the system had been hacked?
- What is the next step?
Boot the Image
- Boot the image. How?
- LiveView: http://liveview.sourceforge.net/
LiveView
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.
LiveView: What Do I Need To Run Live View?
- VMware Server full install (free download) or VMware Workstation 5.5 (30-day trial)
- Java Runtime Environment (http://www.java.com/getjava/)
- VMware Disk Mount Utility (http://www.vmware.com/download/eula/diskmount_ws_v55.html)
- A Microsoft Windows machine (XP, 2000, or 2003)
- Some bit-for-bit disk images
SIFT Workstation
- SANS Investigative Forensic Toolkit
- https://forensics.sans.org/community/downloads/index.php
- Need a SANS portal account for downloads
- Large file (1.35 GB)
VFC – Virtual Forensic Computing
- Commercial product
- VFC
- Mount Image Pro: http://www.mountimage.com/
- VMware Player, Workstation or Server
- Demo
Benefits of Booting the Image
- Identify open ports: netstat and fport
- Identify running processes: pslist
- Identify services: psservice
- Programs scheduled to run at startup: Autoruns and msconfig
Additional Results
- Port 80 open
- Additional ports open: remote control programs
- Opened PCAnywhere: identified configuration settings and cracked password; no security mechanisms implemented
- In addition, no firewall on the system or on the network
- Router with default username and password
End Result
- 18,880 credit card numbers compromised
- POS application known to have stored CCNs in plain text; a patch existed, but the vendor never applied it
- Costs: fines, investigation, legal fees
- Client hopes to recover costs from the vendor's insurance company
Toys: WFA UserAssist
- The data about frequently used programs is kept in the registry under this key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
- This program decrypts and displays the data found in the registry under the UserAssist key: http://blog.didierstevens.com/programs/userassist/