Presentation on theme: ""International" Hacking: When the cooperation is the only cure. Dario Forte, CFE, CISM Security Advisor EECTF - European Electronic Crime Task Force."— Presentation transcript:
"International" Hacking: When the cooperation is the only cure. Dario Forte, CFE, CISM Security Advisor EECTF - European Electronic Crime Task Force
Abstract n BACKGROUND: In August 2002, fourteen Italian hackers — almost all information security professionals — were arrested by the Italian Financial Police. They were charged with hacking the networks of NASA, U.S. Army, U.S. Navy and various universities around the world. This session will illustrate the generality of techniques used by the contemporary attackers with a particular reference to the “insider’s threat.” In addition, the speech itself will demonstrate how international cooperation is fundamental in hacking investigations.
European Hacking Scenario n Classified by territory, the European hacking scenario is u Est Europe: malicious mobile code (MMC), CreditCard Frauds, CyberExtorsions u Center/North Europe: defacements (script kiddies), Distributed Denial of Service (DDoS) and distributed information theft u Western Europe: crypto attacks
European Hacking Scenario (2) n Platforms used by the attackers u Linux u BSD n Best target’s platforms u Windows u *Nix (xBSD, Sun Solaris, Linux)
September 2001/August 2002: Operation Rootkit n International hacking case u More than 1,000 compromised machines worldwide u 20% are military/goverment in the U.S. u 20% are military/goverment in Europe u Others are universities/companies worldwide u Operation details under a Non- Disclosure Agreement (NDA)
The New Malicious Hacker’s Frontier: Attacking Strategic Target n International hacking case — main features u Most case histories have demonstrated that the “grey hat” phenomenon is growing u Grey hat use their own tools (no script kiddies) u They are inclined to acquire many critical/strategic files from goverment/military and very important financial/enterprise networks
Contemporary Hacking Lifestyle n Distributed information gathering, using already compromised machines as stepping stones and/or: u Directly from the hacker machines u Using “flat rate dial-up connections” owned by foreign ISPs with toll-free numbers u Using a flat-rate account, stolen from “normal” users via Trojan horses u Caller ID hidden
Mentors and Reservoir Dog’s “Features” n Preferred targets: mainly Linux/Irix machines Break-in is done within 24 hours from a vulnerability discovery/disclosure n Once inside, they use to u Steal files (mainly docs and source codes) u Use the computer as a stepping stone for further operations (more hacking and DoSNET construction) u Use the computer for IRC traffic
General Scenario: How Crackers Exchange Information n Reservoir Dog’s techniques are consolidated in the cracker arena n The “most trusted” components of the hacker’s group used to set up a VPN between their machines — in alternative u Secure Shell (SSH) u Encrypted Irc u IpV6 Tunnels
n All the workload (such as scanning, exploit finding and testing, and attack) is shared by the components n A “skilled” hacker makes only a few defacements Malicious Hacker’s “Modus Operandi” (cont.)
Typical Scenario: Hacking Tools Used n Information gathering: large use of u nmap (with extended expressions) u hping (for firewalled machines) u Passive Fingerprinting n Attack phase u Public available exploits (eventually customized) u Self-made rootkit, both “cross” and locally compiled (depending on the target) u Large use of log wipers and obfuscators
Master (with an XML engine) Agents Target The link between master and agent is encrypted The scanning activity is shared between the agent (workload) Information Gathering (Typical Scenario)
n More than 300 GB of log were examined for intrusion analysis purposes n Five police/government agencies involved n Dozens of forensics exams were conducted n So a “practictioner coordinator was needed” Operation Rootkit: the Backtracing
n A year-long investigation n 14 people charged (four minors) n More than 40 computers seized n Almost one TB data seized n Thousands of various CD- ROMs/DVDs seized n Many credit card files recovered Operation Rootkit: Results
The “Insider Threat” n A portion of the group was working as infosecurity managers in big consulting firms/ISPs (even in the Italian branches of U.S. companies) n The remaining people were freelance security consultants n White day then black night (most customer’s machines used as stepping stones)
Initial Attack Analysis IDS Logs revealed hack originated from a German ISP’s Web Server. Began Coordination directly with German Authorities. IDS logs showed transfer of Root Kit from a Hacked University of Pennsylvania Computer. Began Coordination directly with University Officials German Web Server Hacked Army computer Hacked University
Next Hop: Investigating University Computers n University officials gave system logs and image of the compromised computer. n Matched the compromise of the US University to the Compromised Army Computer. n Computer was used as “tool box” n Identified numerous other compromised systems including US Government Systems n Search of physical level revealed connection from Dial-up n HD Analysis found intruder’s rootkit. German Web Server Compromised Army Computer Additional Compromised systems Italian ISP University Computer
The German Investigation n German source computer belonged to a large corporation – it had also been hacked. n The German corporation identified the compromise of their server. Hired an forensic firm in Germany to do forensic analysis. n The forensic analysis matched the fingerprint of the Redstone Arsenal and University of Pennsylvania. Source was in Italy. Hacker’s nick was Pentoz. German Web Server Hacked US Army Computer Hacked University Additional Compromised systems Italian ISP
n Thanks to the cooperation between Gdf, Nasa OIG, Usss Milan, Army Cid and Navy Nccis, it was possible to conduct one of the largest backtracing operations in the world. In this period EECTF has started his activity n Without international cooperation, it wouldn’t have been possible to achieve a good “event correlation rate” The Importance of International Cooperation
European Electronic Crime Task Force Who are we?
Very simple … Free flow of investigative related information without the usual bureaucratic entanglements
Goals for this year
Build up the organization to 100 members Develop training and certification specific to the task force Expand the free flow of information to reach not just Europe but Asia as well
Communication between members
What do we use? - Cybercop Secure & encrypted communication
Our members n EECTF is not affiliated with EU govt. Initiatives n is a technical/incident response group n our members are from law enforcement, military, accademia, financial and trusted private sector
Some case study n Reservoir Dogs Case n Cyprus Credit Card Case n Cyberfraud case involving Europe and US n Most of them are still under NdA
The cyprus case n Through our network of contacts EECTF Was advised that leader of a worldwide credit card trafficking ring had been arrested in Cyprus. n We were able to arrange the travel of both the evidence and the police officers involved in the case to our forensic lab in Italy. n In Italy we were able to quickly conduct an initial forensic exam which recovered enough evidence to keep the defendants in jail until such time as the complete forensic exam could be completed in the U.S.
Lessons Learned n Operation Rootkit: u Companies should increase control on the IT security personnel u Customers should “think twice” before leaving their IT systems in the hands of potentially untrustworthy consultants n All operations: n All operations: International cooperation is essential in cybercrime enforcement
Know your enemy n Share information with your peers n test your knowledge and skill n avoid Burocracy whenever you can, but respect and interact with the laws.