Transcript United States Secret Service

USSS History
Investigations:
• Secret Service Division began on July 5, 1865 in Washington,
D.C., to suppress counterfeit currency.
• In 1867 Secret Service responsibilities were broadened to
include "detecting persons perpetrating frauds against the
government." This appropriation resulted in investigations into
the Ku Klux Klan, non-conforming distillers, smugglers, mail
robbers and land frauds.
Protection:
• In 1901, Congress informally requested
Secret Service Presidential protection following the
assassination of President William McKinley.
• In 1902, The Secret Service assumed full-time
responsibility for protection of the President.
Two operatives were assigned full time to the
White House Detail.
USSS History
• In 1984 Congress authorized the Secret Service to further
investigate Financial Crime violations relating to:
–
–
–
–
Credit/Debit cards
Computer and Telecommunications Fraud
Fraudulent Identification documents
Bank Fraud (access device fraud, advance fee fraud, electronic
funds transfers, and money laundering)
– Financial Institution Fraud
• Core Treasury Violations still under USSS jurisdiction under
Homeland Security:
– Counterfeit checks
– Treasury Checks
– Counterfeit Bonds
– Counterfeit Money
• P Notes
• OMC Notes
• Off-set
• On October 26, 2001, President Bush signed into law
H.R. 3162, the “Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism (PATRIOT) Act of 2001.”
• In drafting this particular legislation, Congress,
recognized the Secret Service philosophy that our
success resides in the ability to bring academia, law
enforcement and private industry together to combat
crime in the information age.
• As a result, the U.S. Secret Service was mandated by
this Act to establish a nationwide network of Electronic
Crimes Task Forces.
Electronic Crimes
Special Agent Program - ECSAP
• Early 1990’s saw the
need for Computer
Specialists
• Treasury Computer
Forensics Training
Program
– ATF (Now under
DOJ)
– ICE
– IRS
– USSS
Electronic Crimes
Special Agent Program - ECSAP
• Training
– A+ Certification
– Six weeks at FLETC
– Hard Drive geometry
– Operating Systems
– Forensic programs
– Practical Exercises
– Court Testimony
– Exams
Electronic Crimes
Special Agent Program - ECSAP
• Advanced Certifications
– ACERT/ Network +
– CISSP
– NASA
– Ernst and Young “Hacking” School
– EnCase
– FTK Boot Camps
– ILook – IRS
– Yearly training conferences
Electronic Crimes
Special Agent Program - ECSAP
•
•
•
•
200 Deployed to the Field
All sworn personnel
Forensic Computer Exams
Assistance for State and Local Law
Enforcement
• Train state and local agencies
• Expert Witness Testimony
• Search Warrant Assistance
Electronic Crimes
Task Force
• The concept of the ECTF is unique
in that it brings together not only
federal, state, and local law enforcement,
but also prosecutors, private industry,
and academia.
• The common purpose is the prevention, detection,
mitigation, and aggressive investigation of attacks
• Currently over 20 Electronic Crimes Task Forces and
Electronic Crimes Working Groups spanning the entire
nation.
New England
Electronic Crimes Task Force
•
•
•
•
•
•
•
USSS (MA, NH, RI, VT, ME)
ICE
DOT
IRS
ATF
DOD
Local Departments:
Norwood, Medford, Boston, Cambridge.
Special Programs
• CERT – Carnegie Mellon
• Best Practices Guide for
Law Enforcement
• Critical Systems
Protection Initiative
• National Center for Missing
and Exploited Children
High Tech Crime Trends
•
•
•
•
Credit Card Skimming/Parasitic Devices
Phishing Scams
Network Intrusion
Identity Theft
Threat
Affected Users
Damage Potential
Adware/ Consumers using Complete disruption of online experience possible;
personal data & account numbers could be stolen
Spyware the internet
$
Phishing Consumers using Individual consumers harmed, accounts compromised.
$
the internet
Spam
$
Everyone using
email
Carrying costs for
ISPs
Mostly frustration and carrying cost. Focus on spam
shielding, however 70 – 80percent of spam generation
comes from infected computers.
Targeted
Hacking
Enterprises,
Governments
Valuable targets exist but targeted hacking would not
bring down e-commerce.
Virus/
Malware
Everyone not up-todate with patches &
AV
Pandemic worms can cause disruption; vicious
malware could cause destruction.
BotNets
Everyone using the
internet
All of the above.
DDoS could cause large-scale, long term disruption; Spam
causes frustration; Spyware steals account numbers; used as
a distribution mechanism it may aid quick virus spread.
Phishing
• A form of identity theft in which deception is used
to trick a user into revealing confidential
information with economic value
• Term “phishing” coined in 1996 by hackers
stealing AOL accounts by scamming passwords
• Origin of the term phishing comes from the fact
that cyber attackers are “fishing” for data, while
the “ph” is derived from “Password Harvesting”
• Involves harvesting of personal and financial
account information
Phishing
• Usually accomplished through a response
to un-solicited e-mail
• Victim believes the e-mail is from his/her
bank or other institution accessed online
• Criminals take over accounts, transfer
funds, duplicate credit cards, assume
identities of victims, open new accounts,
etc…..
“Phishing”
“Phished” Information Includes:
•
•
•
•
•
•
•
•
•
•
Name, address, phone numbers
Social Security number
Date of birth
Mother’s maiden name
Account number
Bank name
Bank login information
Login password
Card expiration date
Card Verification Value (CVV)
What Happens to The Phished
Information?
•
•
•
•
Account takeovers
Identity theft
Money laundering (through wire transfers)
Credit card/ATM fraud (using duplicated
cards)
• Fictitious online auctions
• Credit card number harvesting/internet
posting
Typical Bank Phishing Scheme
• Website is created and placed on the internet (28 days)
• E-mails are generated
• Data is collected (54 hours)
• Accounts are taken over
• Funds are electronically transferred
• Funds are cashed out via Western Union, EGold account, or ATM card
• Funds are then re-deposited into accounts in
Eastern Europe
Current Phishing Statistics
• Fastest growing and largest fraud scheme in
U.S. history
• 65% of all phishing attacks occur against
financial institutions
• The average phishing website is active less than
3 days after phisher e-mail launched
• Current phishing success rate is 5%
• Phishers adapting techniques to defeat security
Carding Websites and Networks
• Former Soviet Union and Eastern
European States produce and launch
malicious software
• “Mal-ware” intrudes into private financial
networks and government institutions
• “Mal-ware” then extracts personal data
and carding websites and networks used
to traffic in stolen information
Carding Portals
• Carding Portals are like on-line bazaars
some with several thousand registered
users
• Administrators screen potential members
• Potential members must prove worth
before allowed entry
• Most based in Former Soviet Union or
Eastern European States
Carding Portals
• Activity occurs in forums similar to bulletin
boards or on Internet Relay Chat (IRC)
• Registered users may post
announcements of goods or services
• Portals allow users to contact one another
through the site
• Hierarchical organization structure similar
to “Mafia” organizations
Evolution of Card Data Sold
• 1990s: Plain Cards (Card Number, Expiration
Date, Cardholder Name and Address)
• Early 2000s: CVV Data also Present
• Roughly 2002 On: Full Track Data (“Dumps”)
• Roughly 2004 On: Full-info Cards
– Response to Increased Anti-fraud Measures
– Allow Online Enrolls
• 2005: Increased Traffic Referencing “Verified by
Visa” and “MasterCard SecureCode” Cards
Network Intrusion Attack Techniques
Information Gathering Attacks:
1. Snooping - Simple traffic monitoring can yield
tremendous amounts of information if the traffic is not
encrypted. Done by compromising a router or other
key infrastructure device that traffic flows through.
2. Man in the Middle - Attacker redirects traffic to
equipment the attacker owns, intercepts each
message, reads such, and retransmits intercepted
message to the intended recipient.
3. Trojan - Programs that masquerade as a benign tool.
When executed, capable of mimicking standard login
prompts that fool the user into thinking they are logging
into their real account. After the username and
password are entered, the Trojan records the
information.
Network Intrusion Attack Techniques
Denial of Service Attacks:
A single host can be used to generate large quantities
of traffic, causing a target, or the network to which it is
connected, to become so flooded that the target host
becomes incapable of responding to valid requests.
Spoofing Attacks:
Faking an IP address can allow firewalls to be
bypassed, causing the traffic to appear to have
originated from a source authorized to pass through
the firewall.
Spoofed IP address can allow an attacker to conceal
their own IP address, making it more difficult to trace.
Threats Can be From Internal
Sources
Internal
Most expensive attacks come
from inside (Up to 10x more costly)
Source: CSI / FBI Security Study 2003
Threats Also Come from
External Sources
External
78% of Attacks Come from
Internet Connection
(up from 57% in 1999)
Source: CSI / FBI Security Study 2003
How to Report an Attack
1.
2.
3.
4.
Initiate company’s incident response plan.
Make appropriate contacts within the company (i.e.
management, legal, public relations, IT, etc.).
Contain the attack.
a) secure the area using physical security.
b) victim company may “backup” the system.
c) collect and preserve electronic evidence (floppy
disks, CDs, skimmers, caller ID boxes, network
activity logs!).
Report the attack to US Secret Service.
Network Incident Report
1.
2.
3.
4.
Assistance that is being requested.
Type of incident (denial of service, malicious code or
virus, intrusion).
Type of service, information, or project compromised.
Damage done (system downtime, cost of incident,
number of systems affected).
Details for Denial of Service
1.
2.
3.
3.
Apparent source IP address.
Primary systems involved (IP address, Operating
Systems versions).
Method of operation:
a) tool used
b) packet flood
c) malicious packet
d) ports attacked
Remediation performed
- application moved to another system.
- memory or disk space increased.
Details for Malicious Code
1.
2.
3.
4.
Apparent source (diskette, CD, email attachment,
software download).
Primary systems involved (IP address, Operating
Systems versions).
Type of malicious code (virus, Trojan horse, worm).
Remediation performed
- Anti-virus product obtained, updated, installed.
- New policy instituted on attachments.
- Firewalls, routers, or email servers updated to detect
and scan attachments.
Details for Unauthorized Access
1.
2.
3.
4.
Apparent source (IP address, host name).
Primary systems involved (IP address, Operating
Systems versions).
Avenue of attack:
a) cracked password
b) trusted host access
c) vulnerability exploited
d) hacker tool used
e) social engineering
Remediation performed
- Patches applied.
- Operating System reloaded.
System Analysis
• Mirror image of system
• Compare with previous back-up if available
–
–
–
–
–
–
–
wtmp files
History logs
Message logs
syslog
Firewall logs
Router logs
Proxy server logs
System Analysis
• Examine all files run with cron
– cron is an automation tool for logging
• Review the /etc/passwd file for alterations
• Unauthorized services
– Backdoor access through known versions of
finger, rsh, rlogin, telnet, etc.
System Analysis
• Check for sniffer programs
• Check for trojan horses
• Search for setuid and setgid files
– Allow hacker to obtain root
• Search for + entries on non-local host
systems
– These would indicate incoming connection
from a trusted system
System Analysis
• Look for unusual or hidden files
• Review all the processes currently running
on system
• Verify the above information with the
system administrator of previous back-up
Useful Information
• Network topology
• Configure to prevent as many security holes as
possible
• Observe and detect anomalous behavior
• Prevent the attacker from capitalizing on the
attack
• Eliminate the attacker’s access to the system
• Recover the integrity of the network
• Follow-up with lessons learned
Operation Firewall
Case involving the illegal sale of financial account
information, credit cards, passports, driver’s licenses,
birth certificates, Social Security cards, insurance cards
and diplomas using the internet.
•
•
•
•
•
33 Arrests (24 US, 9 overseas)
27 Search Warrants
11+ Plant seizures
100+ Individual Computers Seized
Anticipated future arrests and search warrants both
within the United States and overseas
Case Study 1: Wholesale Club
Wireless Access Vulnerability
• Inventory Control system used wi-fi bar code
readers
• System installed did not utilize built-in encryption
or security features.
• Access to network was wide-open to any user in
store parking lot with laptop computer and wi-fi
access.
Case Study 1
• Access to inventory system allowed
mainframe access.
• Exploit posted by criminal groups on
forums
• Hundreds of thousands credit cards and
accounts stolen and information used for
identity theft and counterfeit CC’s
Case Study 2: Law School
• Rogue employee (Office Manager) who was a
prior felon and had access sensitive data.
• Access to employee accounts and school credit
cards
• Used information obtained to apply for more
credit cards
• Employee ran travel agency, used stolen funds
to purchase airlines tickets and cruises
• Was hired even though she had prior felony
convictions
Case Study 3: Boston based
Investment Firm
• Employee who was employed in the mailroom
had access to customer account information
from documents he observed
• Used information to transfer money out of
customer accounts
• Had gambling addiction, used stolen funds to
pay off debts
• Several thousand dollars of customer funds
were stolen
Case Study 4: Boston based Real
Estate Investment Firm
• Employee stole legitimate corporate
checks from employer
• Checks were counterfeited using the bank
account of the corporation
• Hundreds of thousands of dollars was
taken over a period of time
• Money was used to purchase Mercedes
vehicles and properties in New York and
Massachusetts
Prevention
• The guiding principle of the Electronic
Crime Task Force’s approach to both
our protective and investigative
missions is our “focus on prevention”.
• “Harden the target” through
preparation, education, training and
information sharing.
Prevention
• Proper development of business policies and
procedures before the incident.
• Strong documentation and reporting
practices starting at the beginning of the
incident.
• Internal computer forensics and log analysis.
• Technical briefings for law enforcement
during the entire course of the investigation.
• Victim loss documentation and assistance in
trial preparation.
Security Suggestions
•
•
•
•
•
Capture logs on another system
Rename logs periodically
Encrypt log files
Analyze logs on routing basis
Use additional monitoring programs to
collaborate log information