ACFE Presentation November 4th, 2009 By: Mark Lachniet, CDW Security Engineer
About Me Mark Lachniet, Security Engineer at CDW Current secretary of the Michigan HTCIA Licensed Private Investigator in the State of Michigan Numerous security and technology certifications: Certified Information Systems Security Professional (CISSP) Certified Information Systems Auditor (CISA) GIAC Certified Forensic Analysts Gold (GCFA) Microsoft MCSE, Novell MCNE, Linux LPIC, CheckPoint, etc. Previously worked at Analysts International as a Solutions Architect, as an instructor at Walsh College’s MSIA program and as a technician and technology director at Holt Public Schools
Agenda Discuss a few cases I have seen in the last few months Discuss current threat landscape Discuss compensating controls to emerging threats Discuss a few forensic best practices in fraud examinations Leave time for Q&A
Recent Case – Financial Fraud One recent case I’ve worked on deals with a fairly large financial fraud at a Michigan-based company One of their computer workstations had been hacked, and the user of that workstation used it to log into a web banking system to process their regular payroll The user was somehow directed away from the official banking web site to a phishing web site The web site looked “different” to the user so they contacted the web banking company’s technical support. Their tech support was unable to determine the problem (which in this case was the wrong URL) and told them “it must be an I.T. problem on your end” The user then entered their user ID, password, and code from a two-factor authentication token into the site and did payroll The next day they were contacted regarding what appeared to be fraud – their payroll (approximately $700,000) had been hijacked
Recent Case – Financial Fraud This is especially troubling given the fact that two-factor authentication was used – these devices use a code that changes every few minutes, giving a very small window of opportunity to exploit This implies to me that the criminals either had some very sophisticated software that could “automagically” log into the web banking system, or they had a fully staffed 24/7 NOC with people waiting for events The criminals then changed the account numbers that the payroll was going to, and routed sums of approximately $9,000 to a number of different bank accounts ($10,000 is the cut off for OFAC reporting) This also implies that the criminals were very well versed in the banking system, because they were smart enough to change all of the ACH numbers very quickly
Recent Case – Financial Fraud According to at least one report, individuals who were looking for a job online were offered jobs as “ACH processors” by some shady Internet company Their job was to open a bank account, wait for money to be deposited, and then withdraw the money as cash They would then use a wire transfer service such as Western Union to wire transfer $4,000 each to a couple different people or accounts overseas, and keep $1,000 for their trouble. Thus, the people who were doing the conversion of virtual to physical cash and were assisting in the crime were most likely unknowing dupes They, themselves might find their info (SSN, bank number) sold at a later date
Recent Case – Financial Fraud I was then called in to help with incident response We began by taking a forensic image of the user’s workstation using a firewire “write blocker” to preserve the integrity of the data While that was happening, we worked on analyzing available log sources (there weren’t any, so we had to configure firewall logging) We put a stop to all non-essential Internet access while we were investigating We also began installing WebRoot Anti-Spyware software on a number of workstations – this turned up more infected machines Using a firewall log analysis tool known as Sawmill, we were able to find other network activity that seemed suspicious (traffic to eastern Europe and Asia) and analyze those workstations for additional malware FBI later came in and took an image of the workstation as well
Recent Case – Financial Fraud We started drafting a list of recommendations to help them improve their overall security posture, and presented them to senior management, including: Install WebRoot everywhere Purchase an intrusion prevention module for the firewall Implement Websense Internet content filtering Etc. Around this time I began performing a forensic investigation of the image copy of the computer workstation I had taken These investigations can be very time consuming, even if all the time is not billable due to the amount of time required to do keyword searches, etc. This one took weeks. Knowing the approximate date that machine was last “known good” (e.g. was last rebuilt) I was able to start looking at the computer workstation’s filesystem history
Recent Case – Financial Fraud On the workstation I found six different pieces of malware that WebRoot had identified and removed These were put into a quarantine directory, and then “wrapped” with some header information about the identification WebRoot had made Aside from these pieces of malware, I manually found another 6 or so pieces of malicious software that their anti-virus or anti-spyware program was unable to find I submitted these samples to an online service known as virustotal.com, which ran them through about 30 different AV programs While only a portion of the AV programs identified each piece, it helped me identify what they were, and possibly what they did
Recent Case – Financial Fraud At that time, I stopped doing analysis (well, sorta) and documented what I had found Wish I could have analyzed the malware to see what it did….. Presented the document to the customer, and suggested that we give it to law enforcement (in this case the out of state FBI who were handling the case) This project had some interesting “lessons learned”: Two-factor authentication not as secure as we thought Criminals are extremely organized and motivated Organizations not keen on sharing info for fear that it would become a public record and make them look bad Organizations only invest in security when they are “burned” Organizations not really interested in paying to figure out what happened Antivirus / Anti-Malware / Anti-Spyware can NOT keep up with threats!
Small Targets – The New Trend? About a month after this event we started hearing about this happening on a massive scale from the FBI and other sources: http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html?wprss=securityfix Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week. According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams.
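The pattern in the case above and in the FBI description (a payroll batch rerouted to unfamiliar accounts in amounts just under $10,000) can be checked for before a batch is released. The following is an added example, not part of the original presentation; the field names, the "within 20% of the threshold" band, the hit count and all sample data are assumptions constructed for illustration.

```python
from decimal import Decimal

REPORTING_THRESHOLD = Decimal("10000")  # figure cited in the slides
NEAR_FRACTION = Decimal("0.80")         # assumption: "just under" = top 20% below threshold
MIN_SUSPICIOUS = 3                      # assumption: hits needed before the batch is held


def review_batch(batch, known_payees):
    """Flag entries that go to never-before-paid accounts in just-under-threshold amounts."""
    floor = REPORTING_THRESHOLD * NEAR_FRACTION
    new_payee = [e for e in batch
                 if (e["routing"], e["account"]) not in known_payees]
    structured = [e for e in new_payee
                  if floor <= Decimal(e["amount"]) < REPORTING_THRESHOLD]
    total = sum((Decimal(e["amount"]) for e in structured), Decimal("0"))
    return {
        "new_payee_count": len(new_payee),
        "structured": structured,
        "structured_total": total,
        # A single new hire is normal; several new accounts all receiving
        # near-threshold sums in one batch is what the slides describe.
        "hold": len(structured) >= MIN_SUSPICIOUS,
    }


# Constructed baseline: (routing, account) pairs paid in earlier payroll runs.
KNOWN_PAYEES = {
    ("000000001", "1001"),
    ("000000001", "1002"),
    ("000000002", "2001"),
}

# Constructed batch: ordinary payroll plus one legitimate new hire.
NORMAL_BATCH = [
    {"routing": "000000001", "account": "1001", "amount": "1850.00"},
    {"routing": "000000001", "account": "1002", "amount": "2210.40"},
    {"routing": "000000002", "account": "2001", "amount": "1975.10"},
    {"routing": "000000003", "account": "3001", "amount": "2100.00"},
]

# Constructed batch: destinations replaced, amounts clustered below the threshold.
HIJACKED_BATCH = [
    {"routing": "000000001", "account": "1001", "amount": "1850.00"},
    {"routing": "000000003", "account": "3001", "amount": "2100.00"},
    {"routing": "000000009", "account": "9001", "amount": "8950.00"},
    {"routing": "000000009", "account": "9002", "amount": "9100.00"},
    {"routing": "000000008", "account": "8001", "amount": "8875.00"},
    {"routing": "000000008", "account": "8002", "amount": "9020.00"},
]

if __name__ == "__main__":
    for name, batch in (("normal", NORMAL_BATCH), ("hijacked", HIJACKED_BATCH)):
        result = review_batch(batch, KNOWN_PAYEES)
        print(name, "hold" if result["hold"] else "release",
              result["new_payee_count"], "new payees,",
              len(result["structured"]), "near-threshold,",
              result["structured_total"])
```

A held batch would go to an out-of-band confirmation with the account holder before release; the thresholds need tuning against real payroll history.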
Recent Case – Computer Theft In another case that I recently worked on, a local company that deals with medical insurance was broken into, and 8 laptops were stolen The customer had camera footage of the criminal – they had exploited a slowly-closing handicap perimeter door to enter the building in the 30 minutes AFTER the end of the business day but BEFORE the security system was enabled They then went to an open office area and carried the laptops out These laptops contained sensitive regulated data (financial and medical, potentially regulated by GLBA, HIPAA and PCI) and were unencrypted Due to this, it might be necessary for them to give notification to their customers or regulators that the data was potentially stolen The I.T. manager was immediately fired (as a scapegoat?), presumably for not having had encryption on every machine in the place
Recent Case – Computer Theft Customer initiated a project to encrypt ALL workstations with Whole Disk Encryption (which gives you a “safe harbor” type exception so you usually don’t have to report if encrypted machines are stolen) I was brought in to help look at their security and workstation practices Created a scaled-back assessment survey that focused specifically on workstations, and the practices, procedures and physical security surrounding them Did this survey and a physical walkthrough of the organization and began documenting recommendations with a “cost” and “gain” metric
Recent Case – Computer Theft Physical Security: Slow-closing front doors Employees not locking offices and workgroup areas Badge system didn’t require PIN number entry on exterior Weak physical key management (e.g. master keys) Power cut-offs could be engaged by anyone Exterior lights not on 24/7 No motion sensors or window break sensors in building Hinges on the outside of the door could be broken off to gain entry
Recent Case – Computer Theft Practices and Procedures: Users still saving sensitive data to local workstations, even though told not to No data classification and handling system (e.g. to categorize data and detail how each category is created, handled and destroyed for both physical and electronic media) No formal system of assigning access rights with badge system and keys (thus no easy way to audit) Weak acceptable use policy detailing user responsibilities, practices and requirements
Recent Case – Computer Theft Technical: Inadequate patching for non-Microsoft apps such as Acrobat, Flash, Quicktime, WinZip, etc. making it easy for malware to be introduced Shared local admin password on all workstations – if you steal one, you can crack the local admin PW with a rainbow table attack No encryption or restriction of media and I/O ports No regular vulnerability assessments of internal hosts and web applications Weak passwords – no complexity required And many many more….
Recent Case – Computer Theft Customer response: Encrypt ALL hard drives Hire consultants to do an analysis of their new workstation image (verify that encryption works, they are not easily “hackable”, verify build procedures, etc.) Consider a fuller analysis of other security controls, possibly a “security needs” analysis Lessons learned: People get fired! Often for bad reasons Security is only a priority when people get burned Lack of planning (e.g. data classification and handling) and lack of training are a huge problem
Recent Case – Insecure Web App Web applications are another major vector of attack for criminals See my previous technical session on web app security for the ACFE for technical details Web applications are tasty targets because: Developers tend to be woefully uneducated about security Development projects are usually under massive time constraints Requirements definition rarely includes “real” security controls Quality assurance processes usually do not test security Many of the most common security tools (Intrusion Prevention Systems, firewalls, anti-virus, etc.) do not protect against web application attacks such as SQL injection Bad web applications are relatively easy to exploit Successful exploitation leads to full access of all database contents and possibly even the hosting servers
Recent Case – Insecure Web App As part of a recent external assessment, I came across some vulnerabilities in a web application The application was used to host web-based training content The application was written by a vendor, and purchased by the customer The application ran on Windows, and used a back-end SQL database for storage of data (including SSN#’s which were presumably tracked so users could get CPE credits) During the assessment, the scanning tool noted that a number of cookies were being set, one of which was something like “IS_Admin=0” The tool found no other vulnerabilities on that host Based on this crumb of information, I started looking at the app
Recent Case – Insecure Web App Immediately noticed that encryption (HTTPS) was not used I started by setting up a security proxy server called Paros, so that I could see what all of the browser requests and responses were I then created an account using the self-registration feature, and logged into the application When I logged in, I noticed a couple of cookies being set that looked interesting:
    Set-Cookie: SystemRights=STUDENT_ID=mlachniet; path=/
    Set-Cookie: STUDENT_ID=mlachniet; path=/
This is an example of using client-side variables (e.g. cookie values) in an application, and is not necessarily dangerous For example, CNN.COM does something similar to determine which version of CNN to show you (US or International)
Recent Case – Insecure Web App Using client-side scripting such as this has a valid role in web applications – for example validating input before it is submitted to enhance the end user experience In a well-secured application, however, all security features will be validated on the server side as well as the client side For an experiment, I decided to use my Paros proxy to intercept and change these cookies to the username ‘admin’
    Set-Cookie: SystemRights=STUDENT_ID=admin; path=/
    Set-Cookie: STUDENT_ID=admin; path=/
The server did not complain about this at all (or even notice) I then went into the “my account” area of the web site, and could see that indeed I was now logged in as the user admin
Recent Case – Insecure Web App At this point I was logged into the user side of the application as ‘admin’ but I did not have access to the administrative side I then noticed on the “my account” page that there was a place to set a new password without knowing the old password This was especially convenient because I had no idea what the old password was So, I changed the password to something I knew, and then tried to log into the administrative side of the application Sure enough it worked, and I had administrator access to the application (which wasn’t particularly interesting anyway) The next step was to try to leverage this administrator access to compromise the back-end SQL database and if possible the server running it
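The two server-side checks that were missing in the steps above (identity taken from an unauthenticated cookie, and a password change that never asks for the current password) are sketched below. This is an added example, not the vendor's code or part of the original presentation; the SESSION cookie name, the in-memory user store and all function names are assumptions, and an HMAC-signed cookie is only one option (a random server-side session identifier is another).

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the browser
USERS = {}                            # constructed in-memory store: id -> (salt, hash)


def vulnerable_current_user(cookies):
    """The behaviour described on the slides: believe the STUDENT_ID cookie."""
    return cookies.get("STUDENT_ID")


def sign(student_id):
    return hmac.new(SERVER_KEY, student_id.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(student_id):
    """Issued only after a successful login: the id plus an HMAC-SHA256 tag over it."""
    return f"{student_id}.{sign(student_id)}"


def hardened_current_user(cookies):
    """Return the user id only if the tag proves the server issued this value."""
    student_id, sep, tag = cookies.get("SESSION", "").rpartition(".")
    if not sep or not student_id:
        return None
    if hmac.compare_digest(tag.encode(), sign(student_id).encode()):
        return student_id
    return None


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(student_id, password):
    salt = secrets.token_bytes(16)
    USERS[student_id] = (salt, hash_password(password, salt))


def check_password(student_id, password):
    salt, stored = USERS[student_id]
    return hmac.compare_digest(stored, hash_password(password, salt))


def change_password(cookies, current_password, new_password):
    """Requires a server-verified session AND proof of the current password."""
    user = hardened_current_user(cookies)
    if user is None or user not in USERS:
        return False
    if not check_password(user, current_password):
        return False
    add_user(user, new_password)
    return True


if __name__ == "__main__":
    add_user("mlachniet", "orig-pass")  # constructed accounts
    add_user("admin", "admin-pass")
    good = issue_session_cookie("mlachniet")
    edited = "admin." + good.rpartition(".")[2]  # id changed in transit, tag unchanged
    print("trusting cookie :", vulnerable_current_user({"STUDENT_ID": "admin"}))
    print("verified cookie :", hardened_current_user({"SESSION": good}))
    print("edited cookie   :", hardened_current_user({"SESSION": edited}))
    print("pw change, edited cookie:", change_password({"SESSION": edited}, "", "x"))
```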
Recent Case – Insecure Web App Upon browsing through the options I had as administrator, I found a few interesting pages – one was user information, and the other was system reporting I tried to pull up user pages to see if it would reveal the users’ passwords (it didn’t, it masked them) but it did show me their SSN. Looking at the reporting page, I found that it was possible to create custom queries of the database – for example to see all of the users from a specific area code, or that had completed a certain training module Using the Paros proxy, I was able to see that the HTML interface was in fact generating SQL query language requests to the back-end database
Recent Case – Insecure Web App For example, a query of first name and last name in the HTML interface created a web request of:
    GET http://target/Reporting/ReportGenerator/run_report.aspx?SQL=SELECT+STUDENT_LNAME,STUDENT_FNAME+FROM+tblxxx_xxx''&Title=cdwtest HTTP/1.1
Being that this was apparently raw SQL, I decided to try to bypass the HTML interface entirely and submit hand-crafted SQL queries:
    GET http://target/Reporting/ReportGenerator/run_report.aspx?SQL=SELECT+STUDENT_LNAME,STUDENT_FNAME,EMPLOYEE_ID+FROM+tblxxx_xxx+WHERE+EMPLOYEE_ID+<>+''&Title=cdwtest HTTP/1.1
This then gave me a report of all users in the system with first name, last name and employee ID (which was in this case SSN!)
Recent Case – Insecure Web App Hence with no prior knowledge of the system and a little bit of security logic, I was able to harvest over 1,500 users’ demographic information including name, address, phone number, SSN, etc. in a couple hours - likely enough to steal their identity At this point I could get any data out of the database that I wanted (including data in other tables not related to this app) The next step was to try to compromise the host operating system using a SQL stored procedure called xp_cmdshell xp_cmdshell allows you to run operating system commands as the user account that SQL is logged in as (some kind of admin) In this case, the access rights in the database blocked this attack, and I did not take over the SQL server directly Given more time and tools to analyze each piece of code, it seems likely that more vulnerabilities would be found
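A reporting endpoint can offer the same custom queries without ever accepting SQL text from the browser: the client sends field names and filter values, the server maps names through an allow-list and binds values as parameters. The following is an added example, not the vendor's code or part of the original presentation; it uses SQLite in place of the application's database, and the table name `students`, the AREA_CODE column, the public field names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Public field name -> real column. EMPLOYEE_ID (the SSN in this case) is
# deliberately absent, so no request can select it through this endpoint.
REPORT_COLUMNS = {
    "last_name": "STUDENT_LNAME",
    "first_name": "STUDENT_FNAME",
    "area_code": "AREA_CODE",
}
FILTERABLE = {"area_code"}


def build_report_query(fields, filters):
    """Turn requested field names into SQL; filter values travel as bound parameters."""
    if not fields:
        raise ValueError("at least one report field is required")
    unknown = [f for f in fields if f not in REPORT_COLUMNS]
    if unknown:
        raise ValueError(f"unknown report field(s): {unknown}")
    bad = [k for k in filters if k not in FILTERABLE]
    if bad:
        raise ValueError(f"field(s) not filterable: {bad}")
    sql = "SELECT " + ", ".join(REPORT_COLUMNS[f] for f in fields) + " FROM students"
    params = []
    if filters:
        sql += " WHERE " + " AND ".join(f"{REPORT_COLUMNS[k]} = ?" for k in filters)
        params = list(filters.values())
    return sql, params


def run_report(conn, fields, filters=None):
    sql, params = build_report_query(fields, filters or {})
    return conn.execute(sql, params).fetchall()


def vulnerable_run_report(conn, sql_param):
    """The pattern seen in the proxy: execute whatever arrives in the SQL= parameter."""
    return conn.execute(sql_param).fetchall()


def make_sample_db():
    """Constructed data standing in for the training application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (STUDENT_LNAME TEXT, STUDENT_FNAME TEXT, "
        "AREA_CODE TEXT, EMPLOYEE_ID TEXT)"
    )
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?, ?)",
        [
            ("Example", "Alice", "517", "000-00-0001"),
            ("Sample", "Bob", "616", "000-00-0002"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(run_report(db, ["last_name", "first_name"], {"area_code": "517"}))
    try:
        run_report(db, ["last_name", "EMPLOYEE_ID"])
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list complements, and does not replace, the restricted database account that stopped xp_cmdshell in this case.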
Recent Case – Insecure Web App I informed the customer about what I had found and wrote up a brief report for their technical and compliance people The next step will be to inform the vendor Lessons Learned: Regular vulnerability assessments are essential to long-term security Just because a piece of software is a commercial product does not mean that it is secure! Strong technical app development and DBA functions are critical – in this case the restricted database configuration stopped me from completely compromising the system Requiring vendors to prove that they’ve done a third-party audit of their software is a must Scanning tools don’t know everything! The host came back as clean from Nessus and might have been totally missed
Michigan Data Breach Notification Law The New Michigan Data Breach Notification Law Friday, May 11, 2007 ANN ARBOR - The burgeoning laws in Michigan that focus on the protection of consumer data takes another step forward this summer. Effective July 2, a security breach of a database or data that includes personal information, such as the last name linked to a Driver license, social security number, or credit card number, may require the person or agency that owns or licenses that data, to provide a notice of the security breach to each individual whose information was accessed or acquired. (445.72a). A violation of the Act is punishable by a fine of $250 for each failure to provide notice, and the aggregate liability for multiple violations that arise from the same security breach shall not exceed $750,000. The new law stems from an amendment to the current Identity Theft Protection Act that was signed into law by Gov. Granholm on Jan. 3. http://www.butzel.com/pdf/070511artTECH.pdf
The Pain of a Breach So far we have three examples – an online economic fraud, a real-life theft fraud (with possible information leak), and a potential information leak An information leak has the potential to be just as bad, possibly worse than the other two in terms of overall impact on an organization because: May require the organization to send out “oops letters” to thousands of individuals, possibly offer free credit monitoring services May greatly reduce stakeholder confidence in the organization (from media coverage, etc.) May require significant investment in new technologies and staff to run them as a response to the incident Could even bring about greater oversight (and cost) from a regulating agency
The Pain of a Breach – Examples 8 August 2002 Microsoft and FTC Reach Passport Privacy and Security Settlement: A Federal Trade Commission (FTC) investigation found that Microsoft misrepresented both the level of security provided and amount of data collected by its Passport services. As part of a settlement with the government, Microsoft will refrain from making false claims about the information it collects and will submit to an independent audit of its security program every two years. Microsoft could face fines of $11,000 a day if it fails to comply with the agreement. ChoicePoint: In January 2006, consumer data provider ChoicePoint Inc. agreed to pay $15 million to settle FTC charges that its security and record-handling procedures violated consumers' privacy rights when thieves breached its database.
The Pain of a Breach – Examples “T.J. Maxx Parent Company Data Theft Is The Worst Ever” The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customers record mark, something that only CardSystems had been able to achieve. TJX later settled Visa's charges against it for $41 million in November 2007, and paid an undisclosed amount to settle a group of lawsuits brought against it by Massachusetts-based banks in December 2007. The FTC ordered TJX to designate an individual responsible for information security, identify risks to personal data, deploy safeguards to mitigate that risk, work out agreements with service providers that handle customer data, and evaluate and adjust its security program to meet operation changes. In addition, TJX must submit to a third-party audit of its security program every two years for the next two decades.
Other Penalties for Breaches In addition, there may be other types of damages for failure to maintain good security and/or alert victims By law: In the State of New York, you can be fined $10 per instance of failed notification not to exceed $150,000 Many other states have similar fines on the books, and more and more states are passing breach notification laws. See http://www.csoonline.com/article/221322 for an interactive map At a federal level, the FTC or SEC may step in By civil suit: ChoicePoint: $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges Disciplinary action: Lose job or vacation time An Ohio Department of Administrative Services employee lost a week of vacation as a disciplinary action
States with Breach Laws From: http://www.csoonline.com/article/221322 38 States have them as of February 12, 2008 • Interesting note: In many cases, if the lost data was in an encrypted format, you may not have to make a disclosure due to “safe harbor”
What Happens to that Lost Data??? A lot of times, nothing – the tape or laptop was lost or stolen, and never heard of again. No direct impact was known (but they still had to report it) In some cases, it may be used for identity theft, which is a real problem, but in many cases, it is sold on the black market Computer crime is now within the domain of organized crime such as the “Russian Business Network” There is an entire community and hierarchy of traffickers
The Lucrative World of Malware and “Bot Herding” People are making money! Millions of dollars! There are entire economies based on computer crime: Hackers: Produce new exploits in common software and sell the “0 day” exploits to Bot Herders Bot Herders: Use the new exploits to distribute malware to end users. These are used for Denial of Service extortion, spamming, stealing network or PII information, click advertisement abuse, etc. They sell their harvested information to criminals. Criminals: Use their obtained credit card and bank account information to perpetuate financial crimes and pay for further development
Symantec Threat Report 2009 Symantec publishes a yearly report that is well worth reading: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf See also Cisco’s Security report: http://cisco.com/en/US/prod/vpndevc/annual_security_report.html Especially note the Symantec executive summary for trends: “There are a number of trends noted in previous volumes of the Symantec Internet Security Threat Report that continued in 2008: malicious activity has increasingly become Web-based; attackers are targeting end users instead of computers; the online underground economy has consolidated and matured; and attackers are able to rapidly adapt their attack activities”
Symantec Threat Report 2009 How users are being compromised: “Web-based attacks are now the primary vector for malicious activity over the Internet. The continued growth of the Internet and the number of people increasingly using it for an extensive array of activities presents attackers with a growing range of targets as well as various means to launch malicious activity. Within this activity, Symantec has noted that most Web-based attacks are launched against users who visit legitimate websites that have been compromised by attackers in order to serve malicious content” Note a couple things here – it is end users that are the greatest risk, and attacks can even come from legitimate web sites! (usually through banner ads)
Symantec Threat Report 2009 One very real problem is that there is a proliferation of malware, and Anti-Virus simply cannot keep up with all the new versions
The List Not to Be On – dbloss.org Attrition.org used to maintain a list of “hacked” organizations, but they were unable to keep up, changed the name and switched to tracking breaches instead They are now focusing on data breaches – see: http://datalossdb.org/
Mitigating End User Infections As we have seen both from recent cases and from the experts, the greatest emergent threat is (and has been) our users In the old days, we were worried about people “hacking into” our networks. This is still a problem, but this is also a lot of work for the criminals It is much easier to get the malware directly on the computers of users, preferably users who conduct financial transactions Malware is often targeted very specifically – for example a specific bank name, or banks in a specific country Many workstations are infected with malware that never really activates or fulfills its purpose, especially if the user doesn’t use any financial systems So what are users doing, and what are a few ways to mitigate this specific threat?
Mitigating End User Infections From a Cisco Webinar: Q: Which of the following have you done in the past? Taken from Cisco Data Leakage Study – September 30, 2008
Mitigating End User Infections Most important of all – END USER TRAINING: Be aware of what are (relatively) “safe” sites to visit Be trained to identify strange happenings (hard drive “thrashing” too much, mouse moving on its own, programs opening by themselves, etc.) Be aware of the risks of social networking sites such as Facebook (especially if you run any of those hokey applications on there) Know how to respond to software alerts (e.g. Anti-Virus) and operating system prompts such as User Access Control (UAC) Be aware of the risks of remote computing (home systems, coffee shop wireless, kiosks in stadiums, etc.) Be aware of internal I.T. security support resources and escalation procedures, and use them when something looks odd
Mitigating End User Infections Have an information classification and handling system: Identify what you have, and exactly how it must be handled (with an emphasis on encryption and destruction) Avoid administrative privileges: Do not let users have administrative access to systems unless it is absolutely necessary! Simply being logged in as a non-admin user can stop the majority of attacks from succeeding Use secure passwords: As obvious as it sounds, having good passwords is important. Use a password safe program with encryption rather than a word or excel file (which can be trivially broken)
Mitigating End User Infections Use workstation security software Conventional “signature based” antivirus is now largely useless, and many months behind the curve Need to use behavioral-based anti-x software that looks at what software does not what it looks like Enforce mandatory encryption of hard drives and removable media such as flash drives Avoid chains of trust that can be exploited:
Investigate Windows 7 Windows 7 (workstation) and Server 2008 have some good security features to look into including: Better (i.e. less annoying) User Access Control prompts (the pop-ups asking permission to do stuff) The ability to do more work as a non-administrative user Group policy ability to block write access to removable media that is not encrypted Disable NTLM authentication on the network except over IPSEC connections (will limit some network credential attacks) Enforce application white-listing (instead of blocking suspected-bad programs, only allow known-good applications) Other stuff…. Talk to a Microsoft tech
Mitigating End User Infections Use network controls Content filtering such as Cisco’s Ironport S series or WebSense Mandatory encryption of network communications (e.g. in e-mail) Intrusion prevention systems on networks and hosts Egress filters to limit what internal networks can talk to on the Internet and other networks Segregation of networks (e.g. VLANs) with access control Robust logging and log analysis tools (at a minimum, HTML reports, better yet a SIM product like Cisco’s MARS or Arcsight) Secure remote access and wireless Two factor authentication And many more….
Mitigating End User Infections Have strong I.T. procedural controls Executive support exists for I.T. staff There is a formal I.T. risk management workgroup that conducts ongoing assessments, tracks findings and remediation, and interfaces with other departments Adequate budget for services, capital outlay, FTEs I.T. staff is well trained and competent in I.T. security Clear and detailed policies and procedures are in place Incident response procedures are documented and understood by the individuals who must use them Manage the risk of vendors, visitors and third-party network connections Monitor end user activity Good software patching systems – especially for third party applications such as Adobe Acrobat, Flash, Quicktime, Google Taskbar, etc.
Encourage Maturity In Operations In general, the more organized you are, the better your security will be, the less likely you are to suffer a breach, and the less expensive I.T. will be to the organization! Consider adopting the ITIL standards in areas such as documentation, change control, etc. Also formally define your security policies, expectations, procedures (e.g. server hardening, application development, database security, remote access, etc.) Consider the Capability Maturity Model – where are you on security?