Unit VI Case Study

Headnote

In addition to knowing how to follow the bits of evidence, forensic detectives must know how to work with law enforcement.
IN SPRING OF 2003, several credit card associations and major credit card issuers began to notice increasing instances of fraud over a three- or four-month stretch. By looking at the patterns and types of fraud and tying that information back to common points, they believed they had identified one company (we'll call them Company A) as the source of the fraud. While the patterns of evidence pointed to Company A, it was still too circumstantial to call in law enforcement. Hard evidence was needed. So the associations and credit card issuers joined forces and contacted Ubizen (the author's company), which conducts cybercrime investigations. They also contacted Company A and asked them to cooperate with forensic examiners from Ubizen who would be sent to their site to investigate the possibility that a security breach had occurred within their production network environment. Company A officials said that they were not aware of any security breach, but they agreed to work with the investigators.

Company A is a software company that provides electronic payment software to numerous retail outlets, including restaurants, retail stores, and Internet companies. Company A's core business is its payment gateway service that processes credit card and check transactions. While the majority of Company A's transactions come from the Internet, wireless transactions are also common. The two different types of transactions are routed through two separate payment gateways, and together they often account for more than 200,000 electronic payment transactions daily.

The primary objective of the forensic investigation was to determine the source and full extent of the breach. If sufficient evidence was found to prove that a crime had been committed, another objective would be to assist law enforcement in gathering additional evidence for prosecution.
Discovery. Before arriving at the company's site, the forensic team conducted an exhaustive discovery process. This advance work would enable the forensic team to hit the ground running when they went on to the company site.

Stolen data. The team conducted an in-depth analysis of the fraud patterns and found that the fraud resulted from duplicated credit cards used in "card-present transactions." These are scenarios where legitimate account numbers are fraudulently reproduced on unauthorized duplicate cards and used by criminals to purchase goods or services in person, often using matching falsified information.
For a criminal to duplicate a credit card with account information that will pass muster, he or she must have gotten access to the data contained in the magnetic stripe on the back of a card. A credit card magnetic stripe contains two separate tracks of information. Track 1 data contains information printed on the card, such as the cardholder's name, but this data is not a component of the transaction authorization; it merely verifies that the name on the card has not been changed. Track 2 contains more sensitive information, including the CVV code (the card verification value, a number string that is printed, not embossed, on a card), which helps verify that a transaction is authorized.

Sophisticated fraud could be perpetrated by skimming this information from individual cards. But the fraud pattern in this case made it likely that theft of data in large batches had occurred. In fact, the investigation revealed that full mag-stripe information had been taken from Company A's network. Because mag-stripe information allows criminals to duplicate a credit card, the payment service industry stipulates that this type of information not be stored subsequent to authorization.
The finding of theft at Company A raised questions about whether the mag-stripe information was being handled properly, according to the payment service industry's commonly accepted security standards. The fact that mag-stripe information was involved in this breach meant that the information was likely stored despite the standard against doing so.

Investigators needed to locate where on the customer's network this type of information resided. They could then identify the most likely avenues of intrusion through the network.
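Locating stored magnetic-stripe data on a network starts with scanning files for the Track 2 layout. The following Python scanner is an added example, not Ubizen's tooling; it assumes the standard ISO/IEC 7813 Track 2 layout, applies a Luhn check to cut false positives, and masks every PAN it reports so the findings file itself holds no cardholder data. The sample log is constructed from industry test card numbers.

```python
import re

# Assumed Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of 13-19
# digits, '=' separator, YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel. The LRC that follows '?' is not matched.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True when the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Return one masked finding per Luhn-valid Track 2 record found in text."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue  # random digit runs rarely pass Luhn; this cuts false positives
        findings.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group("exp"),
            "service_code": m.group("svc"),
        })
    return findings


def scan_file(path: str) -> list:
    """Scan a file as latin-1 text so arbitrary bytes never raise a decode error."""
    with open(path, "rb") as fh:
        return find_track2(fh.read().decode("latin-1"))


# Constructed sample log: two industry test PANs (Luhn-valid) and one
# corrupted record whose PAN fails Luhn and therefore must not be reported.
SAMPLE_LOG = (
    "2003-05-12 auth ok ;4111111111111111=05121011234567890?\n"
    "2003-05-12 auth ok ;5500000000000004=04061019876543210?\n"
    "2003-05-13 corrupt ;4111111111111112=05121010000000000?\n"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_LOG):
        print(hit)
```

Run scan_file over gateway logs, database exports and backups to find where authorization data is being retained after the fact.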
Lay of the land. To accomplish this, the forensic experts studied diagrams to learn the layout of Company A's computer network and determine whether it was vulnerable and which parts of the network were most likely to be exposed if a hacker had been able to penetrate the system. Frequently, the most likely targets are Internet-visible systems, such as Web servers and FTP servers, or weakly configured wireless network access points. The team found that, indeed, Company A's network was not sufficiently hardened against an attack, making it likely that hackers could have penetrated the system and stolen the account information.

FBI assistance. Given these findings, the forensic team recognized that it was time for law enforcement to be brought into the process. This was a point sometimes overlooked by private firms: It was vital that the appropriate government agents be on the scene to help in the assembling of evidence that could lead to the capture and eventual prosecution of the attacker. In this case, because of the nature of the crime and the magnitude of the fraud, FBI agents were contacted.

In early June, FBI agents from the Atlanta field office were the first to visit the site, although they were soon replaced by agents from the Chicago field office, who had much more extensive experience investigating cybercrimes. These agents had in fact worked with Ubizen investigators on previous investigations. Ubizen's forensic experts also visited the FBI field office to hold discussions over the specifics of the investigation, such as what forensic tools would be used to ensure the integrity of any data taken and how chain of custody would be maintained.
At the scene with the FBI agents, Ubizen's investigators began data collection; they first collected mirror images of Company A's payment gateway, which they shared with the FBI investigators. Together the two teams then interviewed Company A's staff for additional information on how the breach could have occurred, determining, for example, who in the organization had access to particular servers. Track 2 information had been compromised, so it was important to understand where in the network such data sat, which would indicate to the team what systems must have been touched by the attacker. This information could also help answer other questions, such as whether it could have been an inside job or whether the Internet was the avenue of attack.

After interviewing the staff and examining the organization's network diagram, several systems were identified that seemed likely avenues of attack based on their proximity to the Internet and lack of suitable security controls. The team investigated several servers where they suspected a significant point of exposure and found on one of the systems a number of files that had not been installed by Company A's administrators. These files included keystroke loggers and a common backdoor program called HackerDefender. This made it clear that the system had indeed been compromised, leading the team to rule out an inside job.
Footprints. FBI agents and the Ubizen team looked at files and audit logs to find the hacker's footprint and attack signature, that is, how the hacker broke in and what the hacker did once he or she had access. Without more in-depth analysis it would be impossible to determine how the intruder was first able to gain access to the systems.

However, based on the immediately visible footprint left behind by the intruder, it became clear that the server had become the staging point through which the intruder could continually gain access into other components of Company A's production network environment. Once the intruder had gained a foothold into the environment from the outside, he or she placed hacking tools and utilities within the systems, effectively exploiting the breach.

Live prey. When tracing the hacker's steps, the investigators looked closely at dates and time stamps to determine when the hacker last penetrated the company's network. They found files created by the hacker the day before the investigation began, proving that there was an ongoing breach, an important development since it could help the investigators to catch the attacker in the act.
Sewing up the breaches. The team first needed to repair the breach. Since the incidents of fraud associated with Company A were rapidly escalating (as many as hundreds per day), it was imperative to immediately lock out the hacker's access to private information.

The team began by purging from the organization's systems sensitive cardholder data that, under industry standards, should never have been stored on the systems. With that data removed, the exposure created by any future unauthorized access would be much less severe.

The team also took several of Company A's servers offline, replacing many of the compromised systems. They then enabled and configured logging and auditing functions to ensure that if unauthorized access were attempted again, the organization would be able to detect and respond to the unwanted activity.

All of the information collected on site was preserved, including hard drives from the compromised systems and logs from the intrusion detection system, the firewall, and the routers. The information was shipped back to Ubizen's labs for in-depth analysis and preservation for evidentiary purposes.

A number of different open-source tools were used to identify and salvage any other traces left behind by the intruder that might shed more light on the timeline of the attack or other systems that might be involved. The tools used included both Ubizen-proprietary and over-the-counter forensic tools such as EnCase. Because these tools had been tested extensively in court, the FBI team could be sure that any evidence (such as copies of drives) provided by Ubizen would be admissible.
Setting the trap. With the loss of data stanched, investigators were ready to catch the hacker in the act. To accomplish this, the Ubizen team and the FBI set a trap with three components.

The first part was a packet sniffer, a laptop with a software program called EtherPeek that would watch traffic in and out of the affected servers. It allowed investigators to monitor any data the hacker was sending, such as individual keystrokes, the machines the intruder was attempting to access, and how he or she was attempting to do so. Also, the sniffer would capture firsthand evidence of files removed from the network that would, under normal circumstances, contain sensitive information or data that could be used for fraud.

Next, the files on those servers were loaded with dummy credit-card information to prevent additional fraud from occurring and to keep the hacker unaware that he or she had been noticed. The third part of the trap was the use of Tripwire, a program that monitors the integrity of files, which was configured to set off an alarm the moment any of the date and time-stamps of the files under observation were changed. That would allow the investigators to know exactly when the attacker hit so that they could catch the intruder in the act.
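The file-integrity component of the trap can be illustrated with a small baseline-and-compare monitor. This Python script is an added example, not Tripwire or Ubizen code; it fingerprints a directory (size, mtime, SHA-256), then reports files added, removed, rewritten, or merely re-timestamped, and its demo() runs a constructed scenario in a temporary directory.

```python
import hashlib
import json
import os
import tempfile

def fingerprint(path: str) -> dict:
    """Size, modification time and SHA-256 of one regular file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": h.hexdigest()}

def build_baseline(root: str) -> dict:
    """Walk root and fingerprint every file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way an integrity monitor raises alarms on them."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, touched = [], []  # touched: timestamp changed, content identical
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        if before["sha256"] != after["sha256"]:
            modified.append(rel)
        elif before["mtime"] != after["mtime"]:
            touched.append(rel)  # on a decoy server even this deserves an alert
    return {"added": added, "removed": removed, "modified": modified, "touched": touched}

def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline as JSON; keep it off the monitored host so it cannot be rewritten."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)

def demo() -> dict:
    """Constructed scenario: baseline a decoy directory, then simulate an intruder's changes."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "cards.dat"), "w") as fh:
        fh.write("dummy card records\n")
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("port=8080\n")
    base = build_baseline(root)
    save_baseline(base, os.path.join(tempfile.mkdtemp(), "baseline.json"))
    # Simulated intruder: appends to the decoy file, drops an unknown binary,
    # and resets the timestamp of a file whose content stays the same.
    with open(os.path.join(root, "cards.dat"), "a") as fh:
        fh.write("copied out\n")
    with open(os.path.join(root, "unknown.bin"), "wb") as fh:
        fh.write(b"\x00\x01")
    os.utime(os.path.join(root, "config.ini"), (0, 0))
    return compare(base, build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```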
Underlying the trap was the fact that the investigators had determined precisely how the hacker would attack. The investigation had shown the particular backdoor the attacker was using and what port would be used in the compromise. But with a huge amount of traffic flowing back and forth across the network (this company also conducts e-commerce business), waiting for a Tripwire alarm was not necessarily going to allow the investigators to see the compromise as it happened. So, a Ubizen technician worked with the FBI's Quantico-based Data Analysis Team to create a signature that they could look for on the sniffer to see exactly when and where the hacker was attacking.

Hooked. The trap worked perfectly. When the hacker snuck in to begin copying what looked like credit-card information that Company A had backed up, he fell right into the ambush and was caught red-handed. From this point, FBI agents took the evidence collected by the Ubizen and FBI teams and began the hunt for the suspect.

They contacted a law enforcement computer-crime liaison group in the Eastern European country where it was determined that the hacker was located. Ultimately, the hacker, a college-age male, was arrested and extradited, and the evidence gathered against him will be used when the case comes to trial.
Aftermath. While Company A breathed a sigh of relief when the hacker was caught, the work of the Ubizen investigative team wasn't over yet. Their mission was not only to help identify the hacker but also to determine the full extent of the breach and figure out precisely how many credit cards had been compromised, and when.

Targets. The complete analysis showed that there were in fact several intruders who took advantage of the backdoor the original hacker left, and they seemed to be unaware of each other's presence. Altogether these attackers maintained some level of access into Company A for more than six months, two months longer than the previously recognized fraud dates. The team was also able to identify other machines on the network that had been compromised. These included the organization's two database servers, the mail server, two file and print servers, and each of the Internet-visible systems.

Recommendations. The final step was to provide recommendations to Company A on how to bolster its security against future attacks. These included the obvious suggestion of adapting to industry best practices.
MasterCard and VISA have led the industry in establishing guidelines to secure customer credit card data. MasterCard's Site Data Protection Service (SDP) and Visa's Cardholder Information Security Program (CISP) are industry mandates with serious financial penalties for noncompliance. These programs define a standard of due care for deploying security compliance programs, ensuring that online merchants and payment service providers are adequately protected against hacker intrusions and account data compromises. The investigative team determined that Company A was far from fulfilling these requirements and outlined exactly what measures the company needed to take to be fully compliant.

A key suggestion was for Company A to conduct regular vulnerability scanning internally or to outsource the scans to an expert. This inexpensive automated process proactively identifies vulnerabilities to find out if and where a computer system can be exploited or is vulnerable.

Finally, the team provided a set of recommendations above and beyond the established credit card industry standards. The team advised Company A to either add an internal IT team dedicated solely to security or to consider outsourcing key elements of its security program to a managed security services provider. The amount of data generated by security devices is overwhelming, and it can only be properly monitored by a dedicated team whose sole function is to oversee the network data.

Since the attackers had access to stored credit card data, the team also urged Company A not to retain credit card data longer than needed. As this case made clear, storing this type of sensitive information opens up a high risk of exposure.

This case illustrates how private cybercrime investigators and law enforcement can collaborate to both protect the bottom line and stem crime. That's good news for long-beleaguered online businesses, and bad news for online fraudsters.
Sidebar

Forensic detectives can often quickly identify the most likely targets of a hacker attack on a given network.

Sidebar

Two Teams Are Better Than One

Cybercrime investigations are often initiated by the victimized company not through a call to the police, but through a call to a private firm that specializes in computer forensics examinations. These private-sector teams will then call law enforcement into the process as soon as they confirm that illegal activity is occurring.
Cooperation between law enforcement and private-sector investigators is still a fairly new idea, however. Several years ago, when the author's company first started conducting forensics investigations, it was often met with distrust by both their private sector clients, who feared bad publicity or losing control of company data, and law enforcement agents, who were reluctant to share information with third-party vendors.

However, this reluctance is diminishing as law enforcement becomes more accustomed to working with third-party cyberforensics experts and as clients see that the process can work. Companies like Ubizen work under strict conditions and with detailed nondisclosure agreements, which protects clients and helps allay fears.

Although they need to work together, it is important to understand that ultimately the two groups of investigators have different goals. The private-sector team has the ultimate goal of understanding the full extent of the compromise and helping the client find and close the vulnerability that led to the breach, in other words, to protect its reputation and profits. Law enforcement is focused on the illegal activity and in collecting any evidence that will lead to the attacker and help in a prosecution.

The two groups also work differently due to the nature of their responsibilities. A private forensic firm is doing paid work for a client and will devote a team to getting the work done in a short time frame. For example, this case took Ubizen two days on site and another two weeks to complete the analysis and write a report. By contrast, law enforcement agents typically are juggling multiple cases or responsibilities and may take longer to complete an investigation or may have difficulty devoting sufficient resources to a specific case.

While the goals are different, the groundwork serves both objectives. For that reason, the analysis completed by the private-sector team is often useful to law enforcement, saving them time and giving them a head start in understanding all the technical details of an investigation so that they can make a case for protection.
Author Affiliation

Bryan Sartin is director of technology for Ubizen, where he is responsible for all customer-facing issues regarding the technology of its managed security solution offerings.
Unit VI Case Study

What problem was identified? What steps were taken to solve the problem?

d on different goals. Briefly list and describe what these were as the investigation progressed and what strategies were employed.

purpose for this investigation—what else needed to be done, and how was it to be accomplished?

Does the identified offender fit the characteristics for this type of cybercrime?