Federal Bureau of Investigation - InterSec by wuyunyi

Federal Bureau of Investigation: Cyber Crime

• 56 field offices
• 400 satellite offices
• 45 legat offices
• 12,000 Special Agents
• 16,000 specialized support
• Investigate over 300 Federal

FBI Priorities
(1) Protect the U.S. from terrorist
(2) Protect the U.S. against foreign intelligence operations and
(3) Protect the U.S. against cyber-based attacks and high-technology crimes
Milwaukee Cyber Crime Task
Milwaukee Cyber Crime Participants:
  • Waukesha Sheriff Office
  • Waukesha Police Department
  • Milwaukee Sheriff Office
  • Milwaukee Police Department
  • Hartland Police Department
  • Kenosha Police Department
Wausau Cyber Crime Unit:
  • Wood County Sheriff Office
  • Fond du Lac Police Department
Others (Working Groups):
  • Bureau of Immigration and Customs Enforcement (ICE)
  • Wisconsin Department of Criminal Investigations (DCI)
  • Internal Revenue Service
  • Brookfield Police Department
  • Franklin Police Department
  • Glendale Police Department
  • Walworth County Sheriff Office
  • Greenfield Police Department
  • West Allis Police Department
  • Green Bay Police Department
  • New Berlin Police Department
  • Madison Police Department
  • Wauwatosa Police Department
  • Sheboygan Police Department
  • Jefferson Police Department
  • Port Washington Police Department
  • Menomonee Falls Police Department
What uses are there for the
• Communicate with others electronically (e-mail)
• Search for information
• Entertainment
• Make new friends (Personal ads, chat rooms)
• Engage in illegal activity

• Theft of wallet or purse
• “Dumpster Diving”
• Inside sources
• Mail theft
• Submitting change of address forms
• Finding personal information while inside your home
• Shoulder surfing or eavesdropping
• Online data

• Open credit card accounts (43%)
• Start up phone and/or utility service (21%)
• Bank fraud (14%)
• Employment (illegal aliens) (8%)
• Purchase vehicle with fictitious loan
• Evade citation, arrest, criminal record
• Illegal entry into U.S.
• Sky is the limit! Limited only to the imagination & greed of the thief
Cyber Base Attacks
It is difficult to steal substantial sums of money without the use and support of computers.
For instance:
• In 2000, the Fedwire funds transfer system processed more than 108 million internet fund transfers worth a combined value of $379.7
• During the first quarter of 2005, the Fedwire funds transfer system processed more than 124 million internet transactions worth nearly 500 trillion dollars
Cyber Crime Overview
• What is Cyber-Crime?
• Definitions/Related terms
• Case Study

Cyber-Crime is the use of information processing systems, sophisticated telecommunications systems, or both, as the principal facilitating mechanism for the commission of either a Criminal Act or a Criminal Enterprise.

Common Internet Crime
• Computer Intrusions
• Identity Theft
• Credit/Debit Card Fraud
• Phishing
• Mortgage Fraud
• Investment Fraud
• Online Auction Fraud
• Non-Delivery (Merchandise & Payment)
• Business/Employment Schemes
• Freight Forwarding/Reshipping
• Fake Escrow Services
• Ponzi & Pyramid Schemes
Unauthorized Intrusions
• Hack: Attempted access to a computer or network through an operating system or application vulnerability.
  • In the mass media, the term refers to someone who illegally breaks into a computer and network system
  • Used by those in computing fields to refer to a person who is a computer enthusiast.
• Crack: Unauthorized access to a computer or network via a successful solution
  • Access via weak logins/passwords or software limitations/glitches
Malicious Code
• Virus: A self-propagating segment of malicious code which is resident on a storage media, and propagates on and from that media to other media.
• Worm: A self-propagating segment of malicious code which is often resident as an attached document, and is interpreted by an interpreting application.
• Trojan: A non-propagating segment of malicious code which is resident on a workstation for the purpose of compromising that
• Trojan horses can masquerade as harmless software upgrades, programs, help files, screen savers, pornography, web pages, etc.
• Analysis of the Trojans is essential!
Denial of Service Attacks
• Denial of Service: An attack from a single source computer with the intent of disabling the access and/or processing ability of the targeted computer.
• Distributed Denial of Service: A coordinated attack from multiple computers with the intent of overwhelming, by sheer volume of transmitted data, the access and/or processing ability of the targeted computer.
Telecommunications Fraud
• Sniffers: A program that displays the contents of all packets passing through a particular network
  • Used to gain passwords and account names
• Phreaking: Fraudulently obtaining Packet Switch Telephone Network (PSTN) telephone services by compromising a telephone switch or central office.
• Spoofing: Fraudulently representing yourself as someone else or fraudulently representing a business
  • Spoofed Email – Fraudulent indicator of where the email originated
    • Due to the ability to manipulate computer data, there is no guarantee that the “sender” shown in your inbox is actually the person who sent the email.
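The spoofed-e-mail point above is that the From: line is typed by the sender and proves nothing. What a mail gateway or an analyst can check instead is the trail the message left on the way in. The following is an added example, not code from the slides or the FBI: it compares the From: domain with the envelope sender (Return-Path) and with the earliest Received: header, which the receiving server wrote itself and which records the HELO name the peer claimed next to the reverse DNS and IP it actually connected from. All addresses, hosts and IPs are constructed placeholders.

```python
"""Header checks for a spoofed sender (added example; not from the FBI slides)."""
import email
import re
from email.utils import parseaddr

# Constructed: From: claims a bank, but the bounce address and the relay that injected the
# message belong to a bulk-mail host, and the HELO name does not match that host's reverse DNS.
SPOOFED_MESSAGE = (
    "Return-Path: <bounce-9981@bulk-relay.example>\n"
    "Received: from first-bank.example (bulk-host42.bulk-relay.example [198.51.100.42])\n"
    "\tby mx.victim.example with ESMTP id 7f3a1; Mon, 14 May 2007 09:12:03 -0500\n"
    'From: "First Bank Security" <alerts@first-bank.example>\n'
    "To: customer@victim.example\n"
    "Subject: Please confirm your account details\n"
    "\n"
    "Your account has been suspended. Confirm your details to restore access.\n"
)

# Constructed: the same bank sending through its own relay; every trail element agrees.
LEGITIMATE_MESSAGE = (
    "Return-Path: <bounces@first-bank.example>\n"
    "Received: from mail.first-bank.example (mail.first-bank.example [192.0.2.10])\n"
    "\tby mx.victim.example with ESMTP id 7f3a2; Mon, 14 May 2007 09:40:11 -0500\n"
    'From: "First Bank" <alerts@first-bank.example>\n'
    "To: customer@victim.example\n"
    "Subject: Your May statement is ready\n"
    "\n"
    "Your statement is available in online banking.\n"
)

# "from <HELO name> (<reverse DNS> [<IP>])" as written by common MTAs
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a name beneath it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_findings(raw: str) -> list:
    """Return the reasons the visible sender should not be trusted (empty list if none)."""
    msg = email.message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    rp_dom = _domain(rp_addr)
    if from_dom and rp_dom and not _under(rp_dom, from_dom):
        findings.append(f"envelope sender {rp_addr} is not in the From: domain {from_dom}")
    # The last Received: header is the oldest hop: the server that accepted the message
    # from the outside world, so its fields are the ones an outsider could not forge.
    received = msg.get_all("Received") or []
    if received:
        m = RECEIVED_RE.search(received[-1])
        if m:
            helo, rdns, ip = m.groups()
            if not (_under(rdns, helo) or _under(helo, rdns)):
                findings.append(f"HELO name {helo} does not match reverse DNS {rdns} ({ip})")
            if from_dom and not _under(rdns, from_dom):
                findings.append(f"injected by {rdns} ({ip}), outside the From: domain {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, sender_findings(raw) or "no findings")
```

Only the outermost Received: line is trustworthy, because everything further in was written by the sender's side and can be forged as freely as the From: line; that is why the check reads `received[-1]` rather than the first one.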
• Spam: Unwanted and un-requested Email
  • Spam marketing is often used to assist
    • “Phishing” schemes and marketing-type financial frauds
    • Viruses and Trojans
  • Criminal spam legislation focuses on fraud/deception in sending email
• Identity Theft: Fraudulently obtaining names, user IDs, social security numbers, credit card numbers, bank account information, etc. in order to defraud.
• Phishing: Pretending to be from a legitimate retailer, bank, or government agency, whereupon the sender asks the victim to “confirm” personal information for some made-up reason.
  • Phishing can be in the form of Email, Web pages, Phone calls, etc.
  • Associated with Social Engineering
Signs of an Inexperienced
• Deletes or corrupts data
• Downs the machine
• Shares details of the attack with others
• Fails to clean logs
• Uses well known, automated tools that leave numerous log entries behind

Signs of an Experienced
• Alters logs rather than deletes them
• Alters all relevant logs
• Uses new techniques or gains entry through unpublished vulnerabilities
• Installs trojanized code to avoid detection (altering commands such as: dir, whois, and netstat)
• On and off quickly
• No bragging or sharing accounts
Gathering of Evidence
• Live Analysis vs. Dead Analysis
• Log Analysis
• Other Sources of

What is a Live Analysis?
A live analysis is an exam of a running computer system; more information may be lost by shutting the computer(s) down.

Why can’t it be turned off?
• Server connecting the company to the internet
• Active network connections with legitimate customers
• Off-site storage/servers
• Running processes which cannot be halted
• Encryption program running

When is a Live Analysis Used?
When we need to gather information that may be lost by shutting the computer(s) down, due to:
• Data that was displayed on the screen (take photos)
• Active network connections (netstat)
• Open ports on the system
• Currently running processes (anything out of the norm)

How a Live Analysis is done
Whenever you run a command on a live system, use “known good” code:
• Have known good code on a clean CD or USB Drive
• Redirect output from commands to removable media for preservation of data
• Analyze results on another system to minimize interaction with the evidentiary computer (memory dumps, trojans opening up ports, etc.)
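The three rules above (known-good tools, output to removable media, analysis elsewhere) can be turned into a small collection script. The following is an added example, not a tool from the slides or the FBI: the hashes of every tool are recorded once on the clean system that builds the toolkit, each tool is re-hashed immediately before it runs and refused if it differs (the slides' point about trojanized dir, whois and netstat), output goes straight to whatever directory the removable media is mounted at, and every output file is hashed into a custody record so it can be examined on another machine and later shown to be unchanged. The toolkit layout, the use of the Python interpreter as a stand-in tool for the self-test, and the record format are assumptions made for this example.

```python
"""Volatile-data collection with known-good tools (added example; not from the FBI slides)."""
import hashlib
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Stands in for a trusted binary in the self-test below; a real toolkit would carry its own
# statically linked copies of netstat, ps, lsof and similar tools on read-only media.
PYTHON = sys.executable


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tool_paths) -> dict:
    """Run once, on the clean system that builds the toolkit: absolute tool path -> SHA-256."""
    return {str(Path(p).resolve()): sha256_file(p) for p in tool_paths}


def collect_volatile(commands, manifest, out_dir=None) -> dict:
    """Run each (name, argv) pair with a verified tool and capture its output.

    argv[0] must be an absolute path into the toolkit. A tool that is missing from the
    manifest, or whose hash no longer matches, is refused rather than run: on a compromised
    host the obvious commands may already be trojanized, and the evidence is only as good as
    the code that produced it. out_dir is the mounted removable media; a temporary directory
    is used only when none is given (self-test)."""
    out = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="live-"))
    out.mkdir(parents=True, exist_ok=True)
    results = {}
    custody = []  # one line per artefact for the chain-of-custody record
    for name, argv in commands:
        tool = str(Path(argv[0]).resolve())
        expected = manifest.get(tool)
        actual = sha256_file(tool) if expected and Path(tool).is_file() else None
        if expected is None or actual != expected:
            results[name] = {"status": "refused: tool not in manifest or hash mismatch",
                             "path": None, "sha256": None}
            custody.append(f"{name}\tREFUSED\t{tool}")
            continue
        target = out / f"{name}.txt"
        started = datetime.now(timezone.utc).isoformat()
        with open(target, "wb") as fh:  # stdout and stderr go to the media, never to the host disk
            proc = subprocess.run(argv, stdout=fh, stderr=subprocess.STDOUT, timeout=120)
        digest = sha256_file(target)
        results[name] = {"status": f"exit {proc.returncode}", "path": str(target),
                         "sha256": digest, "started": started}
        custody.append(f"{name}\t{started}\t{' '.join(argv)}\tsha256={digest}")
    record = out / "CUSTODY.txt"
    record.write_text("\n".join(custody) + "\n")
    results["_custody"] = {"path": str(record), "sha256": sha256_file(record)}
    return results


if __name__ == "__main__":
    # Self-test with the interpreter as the "tool"; a real run would pass the toolkit's
    # netstat/ps/lsof paths and the mount point of the removable media as out_dir.
    manifest = build_manifest([PYTHON])
    run = collect_volatile([("hello", [PYTHON, "-c", "print('hi')"])], manifest)
    for name, info in run.items():
        print(name, info)
```

Note the custody record's own hash is returned as well; write that value down by hand (or photograph it, as the slides suggest for screen contents) before the media leaves the room, since a hash stored only on the media it protects proves nothing.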
Dead Analysis: Bit for Bit Level
Tools: EnCase, FTK, Logicube, Hard Copy
• Problems:
  • Massive storage
  • Multiple servers
  • Multiple locations for storage

Log Analysis
Reviewing logs from:
• Proxy servers
• Intrusion Detection Systems (IDS)
• Domain controllers or NIS servers (Network Information System)
• RADIUS or RAS servers (Remote Authentication Dial In User Service, Remote Access Service)
Cyber Base Attacks
Who to attack?
Corporate Systems:
  1. Always on the internet (Static IP)
  2. Expected user names (Social Engineering)
  3. Expected default passwords (on routers and switches)

Connectivity vs. Security
(diagram) A spectrum from Total Connectivity to No Connectivity, with the stops: E-mail filter or proprietary service; Router with Packet; True Firewall; Total Security

Points of Attack – Weak Link
Most Company/Corporate computer systems are secure
End-users (Home System)
• Less likely to update systems
• No IDS (Intrusion Detection System) monitoring
• Authorized users of company/corporate systems from home/portable systems
Network Overview
(diagram labels) Communication Channel; Assume Safe; Assume Safe; Third Party Authorized User
New point of attack – Home User
Vulnerabilities? - Nodes
Point of attack: Targeted Authorized User
• Attempt to obtain username and
• Most security software not verifying MAC address or IP address to allow for remote log-in

Robust tools
• New trojans for harvesting data
• Many are modified for specialized applications which change signature
• New signature, no AV flags
Infection – Internet Attacks

Internet Attacks
Internet attacks can happen in a variety of ways
• Mainly through Trojans
• How do they get in?
Internet attacks can happen in a variety of ways: Web Based
• Phishing Scheme
• Hostile Webpage
Internet attacks can happen in a variety of ways: Infection E-Mail
• E-mail with payload
Internet attacks can happen in a variety of ways: Internet Attack
• Web based attack (Port 80)

Trojan: Analysis of the Trojans is essential
• Some Trojans go “in between” Internet Explorer and the socket used to send the data
• This allows the trojan to bypass and intercept the data BEFORE it gets
Trojan: Example
Analysis of the Gozi Trojan showed that when a form submission was POSTed to the legitimate server, another web POST was made to the Malware’s home server.

Gozi Trojan (screenshot): clear text

Gozi Trojan (screenshot): login appears to be authorized user
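Two things in the Gozi slides are actionable for a defender: the stolen form data left the victim's machine as a second POST immediately after the real one, and the bank's own logs showed nothing unusual because the login came from the authorized user. The one place the duplicate is visible is the outbound proxy log, which the Log Analysis slide lists as a source. The following is an added example, not analysis from the slides or the FBI: it groups POSTs per client and flags a POST to a monitored login host that is followed within a few seconds by a POST to an unrelated host, then groups the findings by receiving host so a single collector serving many clients stands out. The log format, the monitored hosts and every address are constructed.

```python
"""Proxy-log correlation for a Gozi-style second POST (added example; not from the FBI slides)."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, client, method, host, path, status, request-body bytes.
# 10.0.0.5 and 10.0.0.9 show the double-POST pattern; 10.0.0.8 posts to two sites 45 minutes
# apart, which the time window must not flag.
SAMPLE_LOG = """\
2007-05-14T09:11:40 10.0.0.5 GET www.first-bank.example /login 200 0
2007-05-14T09:12:03 10.0.0.5 POST www.first-bank.example /login 302 1432
2007-05-14T09:12:04 10.0.0.5 POST 198.51.100.77 /cgi-bin/forms.cgi 200 1511
2007-05-14T09:12:09 10.0.0.5 GET www.first-bank.example /account 200 0
2007-05-14T09:30:12 10.0.0.8 POST www.first-bank.example /login 302 1398
2007-05-14T09:30:15 10.0.0.8 GET www.first-bank.example /account 200 0
2007-05-14T10:02:51 10.0.0.9 POST www.webmail.example /auth 302 900
2007-05-14T10:02:52 10.0.0.9 POST 198.51.100.77 /cgi-bin/forms.cgi 200 1022
2007-05-14T10:15:00 10.0.0.8 POST www.news.example /comment 200 640
"""

# Hosts whose login forms we care about (assumed list for the example).
LOGIN_HOSTS = {"www.first-bank.example", "www.webmail.example"}


def parse_line(line: str) -> dict:
    ts, client, method, host, path, status, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "status": int(status), "bytes": int(size)}


def shadow_posts(lines, login_hosts=LOGIN_HOSTS, window_seconds=10) -> list:
    """Return one finding per (login POST, follow-up POST to another host) pair."""
    posts_by_client = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_line(line)
        if entry["method"] == "POST":
            posts_by_client[entry["client"]].append(entry)
    findings = []
    for client, posts in posts_by_client.items():
        posts.sort(key=lambda e: e["ts"])
        for i, login in enumerate(posts):
            if login["host"] not in login_hosts:
                continue
            for later in posts[i + 1:]:
                delta = (later["ts"] - login["ts"]).total_seconds()
                if delta > window_seconds:
                    break  # posts are sorted, so nothing later can be inside the window
                if later["host"] not in login_hosts:
                    findings.append({"client": client, "login_host": login["host"],
                                     "shadow_host": later["host"], "shadow_path": later["path"],
                                     "seconds_after": delta,
                                     "login_bytes": login["bytes"], "shadow_bytes": later["bytes"]})
    return findings


def suspect_hosts(findings) -> dict:
    """Group findings by receiving host: one host collecting from many clients is the one to chase."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["shadow_host"]].add(f["client"])
    return dict(hosts)


if __name__ == "__main__":
    found = shadow_posts(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['client']}: POST to {f['login_host']} then {f['shadow_host']}{f['shadow_path']} "
              f"{f['seconds_after']:.0f}s later ({f['login_bytes']} vs {f['shadow_bytes']} bytes)")
    print(suspect_hosts(found))
```

The request-body sizes are carried along because a shadow POST that is roughly the size of the login form is a stronger signal than one that is not; in a real proxy log the size field may be the response size instead, so check the log format before relying on it.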


Case Studies
• Chenequa Identity Theft
• Synertrade Counterfeit Goods
• Brookfield Hackers
• Wausau Wireless
• Beaver Dam Child Porn Ring

Cyber Crimes Squad
(414) 276-4684
Wausau, Eau Claire, Green Bay