
Fighting Cyber Crime in a Post-9-11 World: Yesterday, Today and Tomorrow

Fighting Cyber Crime in a Post-9-11 World: Yesterday, Today and Tomorrow. A Review of the latest laws that allow for investigation of cyber-criminals, a demonstration of how law enforcement gathers evidence from a hack, and a briefing on current trends in cybercrime . Joel Schwarz


Presentation Transcript


  1. Fighting Cyber Crime in a Post-9-11 World: Yesterday, Today and Tomorrow A Review of the latest laws that allow for investigation of cyber-criminals, a demonstration of how law enforcement gathers evidence from a hack, and a briefing on current trends in cybercrime Joel Schwarz Computer Crime and Intellectual Property Section, U.S. Department of Justice (202) 353-4253; Joel.Schwarz@usdoj.gov

  2. Overview Investigative Legal Tools Pre and Post 9-11 (PATRIOT and Homeland Security Acts) Hackers Exposed: A demonstration of how law enforcement learns about a hacker and gathers evidence State of the Hack: Emerging Trends (public briefing)

  3. The Electronic Investigative Tools Used by Law Enforcement (and how they have changed post 9-11): • Real-time Interception of Content • Real-time Interception of Header/Traffic Information • Accessing of Stored Electronic Communications (text, voice, etc.) • Changes to our cybercrime laws post 9-11: • Attacks on systems used for national defense, national security or the administration of justice • Expanding criminal jurisdiction to explicitly include computers located outside the United States (in certain instances) • Increased penalties for causing injury or death through viruses, worms, etc.

  4. Real Time Monitoring of Content (a/k/a a Wiretap) • Involves reading the content of communications in real-time • Phone– install a device to listen in on the line • Ex. listen in on a phone conversation planning a bank job • Computer– install a sniffer • Ex. read E-mail and IM of a kidnapper to learn where he is at the moment and what his plans are • If law enforcement wishes to do this • Must secure a court order – this is a choice of last resort • high burden of proof

  5. Real Time Monitoring; Generally • Without a court order - cannot intercept contents unless an exception applies; it’s a wiretap. • Three key exceptions (no reasonable expectation of privacy): • Provider Exception, 18 U.S.C. § 2511(2)(a)(i) • To protect the rights and property of the system under attack • Consent, 18 U.S.C. § 2511(2)(c) • Consent from one of the parties to the communication • Computer Trespasser Exception, 18 U.S.C. § 2511(2)(i) -- Trespasser – accesses computer w/o authorization • Can intercept information “transmitted to, through or from the protected computer”

  6. Real Time Monitoring During an Incident; Trespasser Exception • Allows law enforcement to intercept communications to or from “computer trespassers,” 18 U.S.C. § 2510(21) • Pre-PATRIOT Act • system owners could monitor systems to “protect property” • it was unclear whether they could use/disclose that information to LE • this would be as counterintuitive as requiring a warrant to assist a burglary victim

  7. PATRIOT Act Change • PATRIOT Act created the “trespasser” exception: • Even if trespasser is using system as a pass-through to other down-stream victims • A “computer trespasser” Is a person who accesses network “without authorization” and “thus has no reasonable expectation of privacy…” • Excludes a person known by the provider to have an existing contractual relationship with the provider for use of the system (even if contract is to access a different part of the system) • Trespasser Exception is due to sunset on December 31, 2005

  8. Tracing Traffic Data During an Incident • Real-time tracing of traffic data (e.g. most e-mail header information, source and destination IP address and port) • Ex. A hacker hacking into a U.S. military base. We read the Internet routing information to trace the path back, through 3 systems, to a hacker in Germany • Especially important when cybercafes are used • If LE wishes to get a court order, the burden of proof is lower than for reading content

  9. Tracing Traffic Data During an Incident; Generally • Akin to the Wiretap Act, Pen/Trap also grants provider and consent exceptions to the general restrictions on intercepting header info. • There is no Trespasser Exception • Exceptions: • Provider exception is broad: can intercept if “relating to the “operation, maintenance, and testing,” of the service, or to protect the rights or property of the provider, or to protect users of that service from abuse of service or unlawful use of service • Consent of user • to record the fact that a wire or electronic communication was initiated or completed

  10. Securing the Order: Pre-PATRIOT Act • Had to go to the court located in the district where the company you are ordering to do the interception is located • Had to explicitly name the company in the Order • Problems: • With the split up of Baby Bells, a single communication can involve 2, 3 or more companies --- each located in a different district • Since you may not know which company will carry the communication until it is active, it was very difficult to name all the companies in the chain • Result: Very difficult to trace a communication in real-time from beginning to end

  11. Post-PATRIOT Act • Now - - - any district court or court of appeals “having jurisdiction over the offense being investigated” can issue an order • If party is not named in the original order – it is still required for that party to facilitate the execution of the order and the tracing of the communication • - upon request of the party, the government can provide a written certification that the order applies to that entity • No further invasion of privacy – merely restores playing field from before Baby Bells split up • Will not sunset

  12. Homeland Security Act Changes -Tracing Traffic Data • In emergency situations, law enforcement may intercept header information without a court order (emergency authorization lasts 48 hours - after which order is needed) • Pre-Homeland Security Act emergencies under this provision included: • an immediate danger of death or serious bodily injury; • conspiratorial acts of organized crime; • Post-Homeland Security Act the following were added: • an immediate threat to a national security interest; • an ongoing attack on a “protected computer” that constitutes a crime punishable by a term of imprisonment of more than a year

  13. Disclosing Stored Communications and Documents • ECPA (18 U.S.C. §§ 2701-11) governs access to and disclosure of stored files. • Provider/Customer/Government roles • Cannot necessarily share stored files with others, including government • Three main categories are covered • Communications/content (e.g., e-mail, voicemail, other files) • Transactional Data (e.g., logs reflecting with whom users communicated) • Subscriber/Session Information

  14. Voluntary Disclosure of Stored Communications and Documents • When providing E-mail services, or other stored communication services (such as letting a student store files, web pages, etc.) what records can network operators voluntarily disclose? • If you are a private provider (i.e. non-public) may voluntarily disclose all without violating ECPA (ECPA doesn’t apply) • Content (e.g., the stored e-mail or voice mail) • Transactional data • User information • Private providers may voluntarily disclose to government and non government alike

  15. Pre-PATRIOT Act – Voluntarily Disclosing Stored Communications and Documents • A public provider must look to statutory exceptions before disclosing a user’s content or non-content to government • Public provider may voluntarily disclose the content of communications when: • Consent to do so exists (e.g., via banner or TOS) • Necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service • Contents inadvertently obtained & pertain to commission of a crime (to law enforcement)

  16. Pre-PATRIOT Act Problem • In cases involving immediate threat of serious harm or death, there was no mechanism for public providers to disclose information content or traffic information to LE • ECPA barred voluntary disclosure, and thus, LE had to go to court and secure appropriate process • In cases of kidnap victims, victims abducted by a rapist, terrorism, etc., hours and minutes can potentially mean the difference between life and death • No matter how quickly one acts, it takes time to draft papers, file, secure judicial review, etc. • Was sometimes done, but at risk of civil liability to provider

  17. Post-PATRIOT and Homeland Security Act • Change under PATRIOT Act: • If a provider “reasonably” believes that an emergency involving immediate danger of death or serious physical injury . . . requires disclosure of the information without delay • Change under Homeland Security Act: • Provider has “good faith” belief that an emergency involving immediate danger of death or serious physical injury requires disclosure (may disclose to a governmental entity) • the “reasonably” standard potentially allowed courts to second guess an ISP’s/provider’s reasonableness • previously an ISP could only disclose to law enforcement agencies; now they can disclose to any government entity • This provision sunsets on December 31, 2005

  18. Compelling Production of Unretrieved Contents - Pre-PATRIOT Act • If unretrieved content of E-mail (or voice mail) has been stored for less than 180 days (i.e. it’s fresh), LE needs a search warrant to secure the data • Pre-PATRIOT Act, LE had to secure the warrant in the district where the E-mail resided: • - e.g. for AOL E-mail, had to go to the applicable District court in Virginia • - e.g. for Yahoo, had to go to the applicable District court in California

  19. Compelling Production of Unretrieved Contents - Pre-PATRIOT Problem • Approximately 80%+ of the world’s E-mail traffic flows through the United States • A large portion of that traffic is probably attributable to a few of the major U.S. providers • such as AOL, Earthlink, MSN, Hotmail, Yahoo!, etc. • The District Courts in those few districts were being inundated with search warrant requests from all over the country • since the warrant had to come from the district where the information sat • regardless of where the investigation took place

  20. Compelling Production of Unretrieved Contents - Post-PATRIOT Act • If unretrieved content of E-mail (or voice mail) has been stored for less than 180 days (i.e. it’s fresh), LE needs a search warrant to secure the data • Can secure the warrant from any “court with jurisdiction over the offense being investigated” • thereby allowing courts in the district where the investigation is occurring to issue the warrant • has split the load amongst a larger number of courts • Increases privacy by encouraging review and familiarity with the case • Will sunset December 31, 2005

  21. Attacks on Natl. Security Systems, etc. - Pre-PATRIOT Act • Prior to the PATRIOT Act, there was no special provision enhancing punishment for hackers who damage computers used for “administration of justice, national defense, or national security” • If an attack caused less than $5,000 in provable loss, it could potentially only be prosecuted as a misdemeanor • Yet those systems serve critical functions and merit strong penalties, even where damage is slight, because the threat to life and limb can be severe • e.g. an attack on a computer used for national defense that occurs during active military engagement • it could disrupt war-fighting capabilities, which require precision • even without significant damage or disruption of capabilities, an attack diverts time and attention away from the military’s proper objective

  22. Attacks: post-PATRIOT Act • Under the PATRIOT Act, a new section was added to the Computer Fraud and Abuse Act to make it clear that a hacker who damages a computer: • “ used by or for a government entity in furtherance of the administration of justice, national defense, or national security” • is deemed to violate federal law, even if the damage does not result in provable loss over $5,000

  23. Computers in Foreign Countries – Pre-PATRIOT Act • Before the PATRIOT Act, the definition used for computers generally covered under the Computer Fraud and Abuse Act did not explicitly include computers outside the U.S. • Why would we care to include computers outside the U.S.? • increasingly, hackers from within the U.S. are targeting systems entirely outside the country • individuals in foreign countries often route their communications through multiple computers, in multiple countries, in an attempt to mask their trail (or to make it harder to prosecute them) • often their hope is that the lack of a U.S. victim would either discourage or prevent U.S. LE from assisting in foreign prosecutions

  24. Computers in Foreign Countries – Post-PATRIOT Act • The PATRIOT Act amended this definition to make it clear that the term includes computers outside of the United States, so long as they “affect interstate or foreign commerce or communication of the United States” • By clarifying that a domestic offense still exists, the U.S. can now use speedier domestic procedures to join in international hacker investigations • As these crimes often involve investigators and victims in more than one country, fostering international LE cooperation is essential. • especially as violent criminals, organized crime and terrorists begin to move to online activities, which often span national borders • U.S. has been urging other countries to ensure they can vindicate the interests of U.S. computer crime victims when attacks originate in their nations • this provision allows the U.S. to provide reciprocal coverage

  25. Cybercrime – Punishment: Pre-Homeland Security Act • Problem: Computers control our critical infrastructures, such as water, electric, transportation, serve our medical profession, etc. • Lives can be placed at risk, or taken, using computers as a weapon • e.g. Australia – toxic sewage dumped into the water supply • e.g. NYC hospitals during 9-11 attacks • Maximum penalty for cyber-criminal act was 10 years (20 for recidivist) -- failed to account for potential of injury/death

  26. Cybercrime – Punishment: Pre-Homeland Security Act • Interesting Stat: Within 15 minutes after the Slammer Worm was introduced to the Internet: • 27 million people in S. Korea lost cell and Internet access • 300,000 cables in Portugal went dark • Level 3 (a major global telecom provider) was shut off • Continental Airlines had to cancel flights (b/c it lost Internet access) • 911 in Seattle had to go to paper • What was the risk to life if 911 did not operate? How many hospitals, traffic control systems, transportation sectors, or critical infrastructure sectors might’ve been affected?

  27. Cybercrime – Punishment: Post-Homeland Security Act • Congress increased punishment for certain cybercrime acts that lead to serious injury or death: • causing or attempting to cause serious bodily injury by the transmission of a “program, information, code, or command” raises the potential penalty up to 20 years • causing or attempting to cause death by the transmission of a “program, information, code, or command” raises the potential penalty up to life in prison

  28. Overview Investigative Legal Tools Pre and Post 9-11 (PATRIOT and Homeland Security Acts) Hackers Exposed: A demonstration of how law enforcement learns about a hacker and gathers evidence State of the Hack: Emerging Trends (public briefing)

  29. Let’s Hack One for the Gipper . . .

## logging gipper on local university at 06.12-05:29:25## using ttyp0 from green.dgf.edu.fr port 100306##
--last login: Wed May 11 20:12:17 from green.dgf.edu.fr
> w
 5:29am  up 2 days, 23:28,  7 users,  load average: 2.24, 2.08, 2.01
User      tty    login@   idle   JCPU   PCPU  what
gipper    ttyp0  5:29am              1      1  w
mandiak   ttyp1  12:14pm  17:08     20     19  pine
dykstra   ttyp4  Wed 9am  13:21  11:05     16  vi forDoug
rusty     ttyp6  Mon 9am  3days      4      3  -tcsh
shoemake  ttyp7  Mon 8am  3days     14     13  pine
ohea      ttyp8  Tue 6pm      5     45     16  elm
baldwin   ttyq5  Mon11am   4:37   2:41     54  pine

Pine and Elm = E-mail programs
• First action – see who is logged into the system – he doesn’t want to be in there if the SysAd (or possibly someone else with root) is logged in

  30. If you’d like to make a call . . .

> cd z
> telnet
telnet> 111.222.111.23
Trying 111.222.111.23 ...
Connected to 111.222.111.23.
Escape character is '^]'.

• Once in the system, the hacker connects to another computer using “telnet”
• Note: He first types “telnet” to get a telnet prompt, and only then types the address at the prompt. This way, if a sys ad logs in and looks at the gipper account, all the sys ad will see in the process list is that he’s running telnet, not where he’s telnetting to.
• Where is he connecting? . . . . .

  31. UNIX(r) System V Release 4.0 (Fort Knox)

login: guest
Password:
Last login: Wed May 11 15:31:11 from EUR

W A R N I N G
You have reached a Federal Government computer. It is a violation of federal statutes to access or use federal computer resources without specific authorization. All actions on this system are subject to auditing, and intruders are subject to prosecution. Do not discuss or transmit classified information on nonsecure telecommunications. DoD telecommunications are provided for the transmission of official U.S. Government information and are subject to communications security monitoring at all times. Use of official DoD telecommunications constitutes consent to communications security monitoring IAW DoDD 4640.6.

Solaris Release 2.4 (): Thu Oct 12 16:00:00 MST 1995
Fort Knox.ARMY.MIL 111.222.111.23

• Note the “login” of “guest” – failure to lock out default accounts?
• Note the banner gives “consent” for monitoring
• “Last login ... from EUR” – is this a European? Check the host entry table and the “lastlog” file to find out more

  32. At least they’ll give you the time of day . . .

ARMY:/export02/home/guest> date
Thu May 12 05:27:35 MST 1997

Question: The first thing he does is check the date. Why?
• Possibility 1: He doesn’t know where Fort Knox, or the server, is located
• Possibility 2: If he’s logging in from Europe, he wants to get his bearings on local time and time zone
• Possibility 3: A good hacker will want to cover his tracks by finding every file he has touched and whose date/time stamps he has changed. By noting the local date and time when he logs in, he can later find everything modified from that point on

  33. ARMY:/export02/home/guest> cd /var/mail • ARMY:/var/mail> ls -l • total 792 • drwxrwxr-x 2 root mail 512 Mar 13 08:29 :saved • -rw-rw---- 1 agatling mail 697 Dec 17 09:35 agatling • -rw-rw---- 1 bsimon mail 604 Jan 27 06:56 bsimon • -rw-rw---- 1 dmadmin mail 155710 May 14 13:06 dmadmin • -rw-rw---- 1 eng01 mail 1021 Apr 2 15:18 eng01 • -rw-rw---- 1 johnsonp mail 2227 Mar 7 12:22 johnsonp • -rw-rw---- 1 lp mail 4498 Feb 16 03:15 lp • -rw-rw---- 1 mjurik mail 23798 Feb 11 07:40 mjurik • -rw-rw---- 1 root mail 15910 May 8 08:00 root • -rw-rw---- 1 mail 109095 May 12 00:01 • -rw-rw---- 1 sklaboug mail 38714 May 9 21:16 sklaboug • -rw-rw---- 1 smldba mail 17620 Mar 28 07:14 smldba • Very suspicious a mail file without a name and without an owner account assigned – yet the account has a lot of data in it. What is it? Who knows? We know he must’ve had root access to configure this • NOTE: It would’ve stood out less if he gave it a name, rather than to leave it as a blank

  34. My buffer runneth over . . .

ARMY:/var/mail> pwd
/var/mail

• Print the working directory he’s in – switching around directories can become confusing
• Having verified that he’s in “/var/mail,” the hacker goes right to his file – he has obviously been in the system before

ARMY:/var/mail> .t
À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À¦À- ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0ïð0

• Execute a file – the single-letter, hidden file “.t” (it appears to be a buffer overflow program; the long runs of repeated bytes are what you’d expect from the padding such an exploit writes)
• How could we verify that it was a buffer overflow?
• Interesting – to execute a file in the current directory you usually preface it with “./” – but he didn’t here. Thus, he must have altered the PATH for the guest account in the profile settings.

  35. “Houston, we have root”

# w
 5:28am  1 user,  load average: 3.02, 3.02, 3.02
User     tty    login@  idle  JCPU  PCPU  what
guest    pts/3  5:27am                    w

• Notice the pound sign – while you can have a “#” prompt without root, it usually indicates root. Whatever program the hacker ran appears to have given him root access to the system
• Ever cautious, the hacker wants to make sure that no one else is on the system, especially not a sys ad who would wonder why he has root
• Interestingly, the hacker now has root but is still listed as using the guest account. “w” reads the utmp login records; a program that hands out a root shell without going through login leaves the original “guest” entry in place, so a sys ad who logs in doesn’t become suspicious that someone else has root

  36. Ch…Ch…Ch…Changes …

# chmod 777 /tmp/1.z

• Change the permissions on a file called “1.z” in the “/tmp” directory to mode 777 – read, write and execute for owner, group and everyone else
• Question: If this is his file, why not just create it with these permissions?
• Possible answer: Anyone with access to the box can look in “/tmp,” regardless of privileges. A file left there with full read, write and execute permissions for the whole world is unusual and might call attention to itself (e.g. if a sys ad came across it). So perhaps he didn’t want to leave it set up that way between visits
• But what’s in the file? We don’t know now – but we can speculate that it was a file to catch sniffer information, such as passwords.

  37. Verifying the change

# cd /tmp
# ls -l 1*
-rwxrwxrwx   1 root     sys        89707 May 12 05:29 1.Z

• Now that he has changed the permissions on the file “1.z,” the hacker goes to the “/tmp” directory and verifies that the file permissions have been changed on the “1.Z” file (note all the “rwx” on the file)
• Keep this file in mind – he’ll come back to it

  38. Cleanliness is Next to G-dliness • # cd /var/adm • Now that he’s finished in here, the final step is to cover his tracks • So he heads to the “/var/adm” directory, where all of the log files are stored, to clean all evidence of his activities

  39.  # ls -l • total 134 • drwxrwxr-x 5 adm adm 512 Oct 12 1995 acct • -rw------- 1 uucp bin 0 Dec 21 1994 aculog • -r--r--r-- 1 root root 16828 May 12 05:27 lastlog • drwxrwxr-x 2 adm adm 512 Dec 21 1994 log • -rw-r--r-- 1 root other 76 May 9 15:53 messages • -rw-r--r-- 1 root other 347 May 6 13:45 messages.0 • -rw-r--r-- 1 root other 0 Apr 30 19:24 messages.1 • -rw-r--r-- 1 root other 0 Apr 17 04:05 messages.2 • -rw-r--r-- 1 root other 23336 Apr 16 11:10 messages.3 • drwxrwxr-x 2 adm adm 512 Dec 21 1994 passwd • drwxrwxr-x 2 adm sys 512 May 7 02:37 sa • -rw-rw-rw- 1 bin bin 11 Apr 24 1996 spellhist • -rw------- 1 root root 165 May 12 02:49 sulog • -rw-r--r-- 1 root bin 180 May 12 05:27 utmp • -rw-r--r-- 1 root bin 1860 May 12 05:27 utmpx • -rw-rw-rw- 1 root root 15619 Apr 29 07:55 vold.log • First he lists all the files in the directory • note the log files, and the times, dates and file sizes

  40. A quick log file refresher . . .
• aculog – logs use of the dial-out (UUCP/cu) facilities of the system
• sulog – logs “su” (switch user) attempts, i.e. people who have taken on someone else’s identity on the system
• utmp – records each successful login for as long as that person is still logged in (this is what “w” and “who” read)
• utmpx – an extended version of the utmp log

  41. Wiping the logs

# cp aculog sulog      (copy aculog over sulog)
# cp sulog utmp        (then copy sulog over utmp)
# cp utmp utmpx        (then copy utmp over utmpx)

• He first copies the aculog over the sulog. Recall the aculog looked like this:
  -rw-------   1 uucp     bin            0 Dec 21  1994 aculog
• At 0 bytes, the aculog is empty. So by copying it over the sulog, he copies an empty file and wipes out the sulog (setting it to 0 bytes); the same empty file is then propagated to utmp and utmpx
• Question: This indicates he’s not a pro at this – why?
• Answer: Because by setting the logs to zero, ALL data is wiped out, not just the entries about his activities. Logs that should never be empty now are, and all three carry the same modification time. This raises suspicion far more quickly and is a definite indicator of something amiss.

  42. Checking his work

# ls -l | grep 12
total 126
drwxrwxr-x   5 adm      adm          512 Oct 12  1995 acct
-r--r--r--   1 root     root       16828 May 12 05:27 lastlog
drwxrwxr-x   2 adm      adm          512 Dec 21  1994 log
drwxrwxr-x   2 adm      adm          512 Dec 21  1994 passwd
drwxrwxr-x   2 adm      sys          512 May  7 02:37 sa
-rw-------   1 root     root           0 May 12 05:30 sulog
-rw-r--r--   1 root     bin            0 May 12 05:30 utmp
-rw-r--r--   1 root     bin            0 May 12 05:30 utmpx

• All the logs he copied over have now been zeroed out
• Recall that he first checked the date of the system and found it was May 12th.
• Now he greps for “12” to see every file dated the 12th – i.e. everything he has touched and altered today – so he can make sure all evidence is covered up. (The grep also matches the “512” directory sizes and “Oct 12,” which is why acct, log, passwd and sa show up.)
• Question: He missed something – what was it?

  43. Ya missed One!!

• lastlog – which records the last time each user logged on – is still dated May 12 05:27 in the listing above, and he never cleared it
• The next time the legitimate “guest” user logs on, he’ll see that the account was last used on May 12th by someone other than himself. This could raise alarms
• However, if that person doesn’t pay attention to the information, it will be overwritten by his own log-in (since the file only keeps the most recent log-in per user)

  44. It’s Been Fun . . .

# w
 5:30am  0 users,  load average: 3.02, 3.02, 3.02
User     tty    login@  idle  JCPU  PCPU  what
# exit

• He again checks who’s on the system, using the “w” command
• Since he zeroed the “utmp” log, which is what “w” reads to show who is on the system, it now shows no one – not even his own session
• Question: This too shows he’s somewhat of a novice at this – why?
• Answer: Because wiping utmp to hide your session is something you usually do when you first take control of the system, so no one sees you there, not when you’re done

  45. A Few Minutes Later . . .

. . . the hacker FTP’s back into the Fort Knox box and does the following:

ftp> cd /tmp
250 CWD command successful.
ftp> asc
200 Type set to A.
ftp> get 1.Z

• Now the hacker downloads the “1.Z” file whose permissions he previously changed
• Question: Why couldn’t he just download it during the telnet session?
• Answer: Because a telnet session gives you a terminal, not a file transfer channel – you cannot download files via a telnet session
• Note: Another indication that he’s not sophisticated – he would’ve been better off cutting and pasting the contents of the file directly from the telnet session. By downloading it over FTP, he created another log record (the FTP server’s).

  46. Get, while the getting’s good . . .

ftp> get 1.Z
150 ASCII data connection for 1.Z (171.65.22.2,3257) (89707 bytes).
226 ASCII Transfer complete.
local: 1.Z remote: 1.Z
90265 bytes received in 1.5 seconds (61 Kbytes/s)

• By downloading the file in ASCII mode he gave us a clue that it wasn’t a compressed file (as the “.Z” extension, used by the Unix compress program, would suggest) – a binary file would be corrupted if not transferred in binary mode, so he knew it was text. The growth from 89707 to 90265 bytes (558 bytes) is consistent with ASCII mode’s LF-to-CRLF conversion on a 558-line text file
• Again, a mistake
• The sys ad who sees this will know it’s not a compressed file and will also know he doesn’t create one-letter file names. So he can now go to a backup and look for this file – knowing it’s suspicious.

  47. We outta here . . .

ftp> del 1.Z
250 DELE command successful.
ftp> by
221 Goodbye.

• Now we also see why he changed the permissions on the file. Perhaps he wouldn’t have been able to delete it over FTP if the permissions had been more restrictive. So, instead of changing only the permission he needed, he just changed them all to 777.
• Question: So what was in the “1.Z” file?
• We’ll only know by looking at an old copy of the file (e.g. on a backup), or, if we had a sniffer monitoring the traffic, we would’ve seen the text of the file as it passed over the connection.

  48. Top 10 Lessons Learned
1. Emergency Response Plans
   a. Should be in place prior to an incident
   b. Should include procedures for responding to an intruder in the system – these hackers move too quickly to start planning when it happens
2. Backups
   a. Unless you can identify when and how the hacker got into the system, assume backups are also contaminated with the backdoor he used
3. Password files
   a. Unless you can identify exactly what the hacker did in the system, assume that he might’ve had access to all passwords used on the system (via a sniffer) and act accordingly
4. Guest/default accounts
   a. Lock them out – they are easy prey

  49. Top 10 Lessons Learned (cont.)
5. Patches
   a. In a 2004 study, exploit code was developed and published an average of 5.8 days after the announcement of a vulnerability
   b. Q: Would this compromise have been successful without the buffer overflow? Q: Could this have been patched?
6. Log files
   a. Save to more than one location
   b. The hacker deleted from the /var/adm directory (where you’d expect to find them) – if a second copy had been kept elsewhere (e.g. on a separate log host), his cleansing would’ve been futile
7. Consider routinely searching for suspicious files and directories
   a. e.g. mail spool files without names or associated user accounts
   b. e.g. single-letter file names, or hidden files
   c. this hacker had been here before and left these files on the system

  50. Top 10 Lessons Learned (cont.)
8. Never assume that just because there are no entries in the aculog or ftp log the hacker didn’t exfiltrate any information
   a. He could’ve wiped the logs
   b. He could’ve used the cut-and-paste method
9. Trespasser exception
   a. While a sys ad could probably have monitored the hacker under the provider exception (system owner protecting his property), that exception would not permit a LE officer to assist
   b. But, assuming the hacker met the definition of a “computer trespasser,” the trespasser exception is the provision under which LE could assist and further its investigation
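The log-wiping slides (41-43) and lessons 6 and 7 describe checks a sys ad can script rather than eyeball. The following is an added example, not code from Joel Schwarz’s presentation or from any DOJ tool: a POSIX shell audit that reports zero-byte logs, logs sharing a modification time with a reference file (the three 05:30 timestamps), mail spool files with no matching passwd account, and one-letter, hidden or world-writable files in a temp directory. Function names are my own. It assumes find(1) with -perm -002 and touch -t, and builds a constructed fixture mirroring the slides’ listings (a file named with a single space stands in for the nameless spool, since a truly empty file name is impossible; lastlog is a text stand-in for the real binary file).

```shell
#!/bin/sh
# log_audit.sh -- added example, not code from the presentation. Scripts the checks a
# sysadmin would run after the Fort Knox walkthrough. Assumptions: POSIX sh, find(1)
# with -perm -002, touch -t (fixture only). Every path is passed in; nothing here
# reads the real /var.

# Zero-byte log files. sulog, utmp, utmpx and lastlog are never legitimately empty on a
# running system; "cp aculog sulog" with an empty aculog leaves exactly this.
zeroed_logs() {                        # $1 = log directory
    for f in "$1"/*; do
        if [ -f "$f" ] && [ ! -s "$f" ]; then
            printf '%s\n' "${f##*/}"
        fi
    done
    return 0
}

# Files whose mtime equals that of a reference file (second resolution). Several logs all
# "modified" in the same second is the signature of copying one over the next.
same_mtime_as() {                      # $1 = reference file, $2 = directory
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$1" ] && continue
        if [ ! "$f" -nt "$1" ] && [ ! "$1" -nt "$f" ]; then
            printf '%s\n' "${f##*/}"
        fi
    done
    return 0
}

# Mail spool files with no matching login in the passwd file (the nameless, ownerless
# spool the intruder kept in /var/mail). Dot files are included in the scan.
orphan_spools() {                      # $1 = spool directory, $2 = passwd file
    for f in "$1"/* "$1"/.*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if ! cut -d: -f1 "$2" | grep -qxF -- "$name"; then
            printf "'%s'\n" "$name"    # quoted so a blank or whitespace name stays visible
        fi
    done
    return 0
}

# Temp-directory hygiene: one-letter names (1.Z, .t), dot files, world-writable files (777).
suspicious_tmp() {                     # $1 = temp directory
    for f in "$1"/* "$1"/.*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        reasons=
        case $name in .*) reasons="$reasons hidden" ;; esac
        case ${name#.} in ?|?.*) reasons="$reasons one-letter-name" ;; esac
        if [ -n "$(find "$f" -prune -perm -002)" ]; then
            reasons="$reasons world-writable"
        fi
        if [ -n "$reasons" ]; then printf '%s:%s\n' "$name" "$reasons"; fi
    done
    return 0
}

# Constructed fixture mirroring the slides' listings (sample data, not a real host).
build_fixture() {                      # $1 = empty scratch directory
    root=$1
    mkdir -p "$root/var/adm" "$root/var/mail" "$root/tmp" "$root/etc"
    printf '%s\n' 'root:x:0:0::/:/bin/sh' 'guest:x:100:1::/export02/home/guest:/bin/sh' \
        'agatling:x:101:1::/home/agatling:/bin/sh' > "$root/etc/passwd"
    # aculog was legitimately empty (dial-out never used); the intruder copied it over
    # sulog, utmp and utmpx at 05:30 and left lastlog (05:27, non-empty) alone
    for log in aculog sulog utmp utmpx; do : > "$root/var/adm/$log"; done
    printf 'guest pts/3 Thu May 12 05:27 1997\n' > "$root/var/adm/lastlog"  # text stand-in
    touch -t 199412210000 "$root/var/adm/aculog"
    touch -t 199705120530 "$root/var/adm/sulog" "$root/var/adm/utmp" "$root/var/adm/utmpx"
    touch -t 199705120527 "$root/var/adm/lastlog"
    # two legitimate spools plus one named with a single space, standing in for the nameless file
    printf 'From root\n' > "$root/var/mail/root"
    printf 'From agatling\n' > "$root/var/mail/agatling"
    printf 'captured traffic (constructed)\n' > "$root/var/mail/ "
    # the 777 file, the hidden one-letter exploit, and an ordinary file
    printf 'constructed 1.Z\n' > "$root/tmp/1.Z";          chmod 777 "$root/tmp/1.Z"
    printf 'constructed .t\n' > "$root/tmp/.t";            chmod 700 "$root/tmp/.t"
    printf 'constructed notes\n' > "$root/tmp/notes.txt";  chmod 644 "$root/tmp/notes.txt"
}

# Stand-alone run (sh log_audit.sh --demo): build the fixture, report, clean up.
demo() {
    scratch=$(mktemp -d)
    build_fixture "$scratch"
    echo '== zero-byte logs in var/adm';        zeroed_logs "$scratch/var/adm"
    echo "== logs sharing sulog's mtime";       same_mtime_as "$scratch/var/adm/sulog" "$scratch/var/adm"
    echo '== spools with no matching account'; orphan_spools "$scratch/var/mail" "$scratch/etc/passwd"
    echo '== suspicious files in tmp';          suspicious_tmp "$scratch/tmp"
    rm -rf "$scratch"
}
if [ "${1-}" = "--demo" ]; then demo; fi
```

Against the fixture, the zero-byte check names aculog, sulog, utmp and utmpx; the mtime check, seeded with sulog, returns utmp and utmpx and nothing else; the spool check returns the space-named file; and the tmp check flags 1.Z (one-letter name, world-writable) and .t (hidden, one-letter name) but not notes.txt. Pointing the same functions at a real /var/adm, /var/mail and /tmp is the routine search lesson 7 asks for; the mtime check is the one that would have caught this intruder even if he had remembered lastlog.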
