

[infowar.de] Cyberforensics is booming



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

... not only at the FBI, but above all among private providers.

http://www.cnn.com/2002/TECH/internet/01/16/cyber.sleuthing.idg/index.html

Firms increasingly call on cyberforensics teams

By Deborah Radcliff

(IDG) -- Businesses with intellectual property and online customers to protect are increasingly calling on cyberforensics investigators to get to the bottom of cases of employee wrongdoing and electronic crimes. "People are calling us when they find malicious software installed on their servers, when they're leaking sensitive information, when they suspect employee harassment -- even in cybersquatting cases," says Ed Skoudis, vice president of ethical hacking at Predictive Systems Inc., a technology services firm in New York.

Forensic techniques vary depending on the type of investigation. For example, some investigative firms, like Brandon Internet Services, simply track and trace over the Internet and sort through other publicly available electronic records. Large businesses use cyberinvestigators to set up alarms and traps to watch and catch intruders and criminals within their networks.

To show a cross-section of different types of cyberinvestigations and the tools used to conduct them, Computerworld profiles three ways that organizations have dealt with crime -- and sometimes criminals -- in their midst.

The Case of the Freaky Accounts

How techniques of Internet and database investigations thwarted two prolific Russian "carders" (credit card thieves):

There were too many Hudsens and Stivensons opening accounts with PayPal Inc., an online payment processing company in Palo Alto, California. John Kothanek, PayPal's lead fraud investigator (and a former military intelligence officer), discovered 10 names opening batches of 40 or more accounts that were being used to buy high-value computer goods in auctions on eBay.com. So PayPal froze the funds used to pay for the eBay goods (all to be shipped to an address in Russia) and started an investigation.

Then, one of PayPal's merchants reported that it had been redirected to a mock site called PayPaI. Kothanek's team set up sniffer software, which catches packet traffic, at the mock site. The software showed that operators of the mock site were using it to capture PayPal user log-ins and passwords. Investigators also used the sniffer to log the perpetrators' own IP address, which they then used to search against PayPal's database. It turned out that all of the accounts under scrutiny were opened by the same IP address.

Using two freeware network-discovery tools, TraceRoute and Sam Spade, PayPal found a connection between the fake PayPal server address and the shipping address in Russia to which the accounts were trying to send goods. Meanwhile, calls were pouring in from credit card companies disputing the charges made from the suspect PayPal accounts. The perpetrators had racked up more than $100,000 in fraudulent charges using stolen credit cards -- and PayPal was fully liable to repay them.

"Carders typically buy high-value goods like computers and jewelry so they can resell them," says Ken Miller, PayPal's fraud control director.

PayPal froze the funds in those accounts and began to receive e-mail and phone calls from the perpetrators, who demanded that the funds be released.

"They were blatant," says Kothanek. "They thought we couldn't touch them because they were in Russia."

Then PayPal got a call from the FBI. The FBI had lured the suspects into custody by pretending to be a technology company offering them security jobs.

Using a forensics tool kit called EnCase, Kothanek's team helped the FBI tie its case to PayPal's by using keyword and pattern searches familiar to the PayPal investigators to analyze the slack and ambient space -- where deleted files remain until overwritten -- on a mirror-image backup of the suspects' hard drives.

"We were able to establish a link between their machine's IP address, the credit cards they were using in our system and the Perl scripts they were using to open accounts on our system," Kothanek says.

The alleged perpetrators, Alexey Ivanov and Vassili Gorchkov, were charged with multiple counts of wire fraud in May. Gorchkov was convicted in September on 20 counts of wire fraud and is awaiting sentencing. Ivanov is still awaiting trial.

The Case of Mastering the Zombies

How a systems and network examination helped the University of Washington kick a cracker out of 30 of its systems:

The calls started on July 1. Frantic administrators were asking why subnets and IP addresses from Dave Dittrich's 50,000-node network were scanning and flooding them with denial-of-service (DOS) packets. "We were shutting affected machines off as we found them, but at one point, we had over 30 of our systems scanning and sending DOS attacks to over 9,000 targets," says Dittrich, senior security engineer at the University of Washington in Seattle.

Using Irvine, California-based Foundstone Inc.'s Fport scanner (www.foundstone.com/rdlabs/tools.php?category=Intrusion+Detection), Dittrich's team located directory and file names uncommon to the Windows operating systems he ran on the network. The program also showed that all of the unusual directories and files were running communications through the same active, high-numbered port, which was also uncommon to standard configurations.

"That tipped me off that I should be listening to network traffic to and from that port, so I set up sniffers on those ports," Dittrich says.

Dittrich used a freeware sniffer called tcpdump (www.tcpdump.org), which captured the unusual traffic going to and from Internet Relay Chat redirectors commanding his machines to send the scans and DOS attacks. Dittrich unplugged the compromised machines from their wall jacks and, with a team of 40 people, spent two weeks contacting 9,106 downstream targets, reformatting the hard drives on compromised machines, and patching the Unicode vulnerability the attacker used to get in.
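The triage Dittrich describes, spotting services that run from odd locations and all share one high-numbered port and then pointing a sniffer at that port, as an added example that is not from the article or from Foundstone. It parses a constructed Fport-style listing; the sample rows and the list of trusted directory prefixes are assumptions, not data from the incident.

```python
import re
from collections import defaultdict

# Constructed Fport-style listing for illustration; not output from the UW incident.
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1044  inetinfo       ->  80    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
1312  winlog         ->  6667  TCP   C:\\WINNT\\Temp\\.bot\\winlog.exe
1320  hide           ->  6667  TCP   C:\\Inetpub\\scripts\\.tmp\\hide.exe
1344  svchost        ->  6667  TCP   C:\\Inetpub\\scripts\\.tmp\\svchost.exe
"""

# Assumed baseline: directories a stock Windows NT/2000 server runs services from.
TRUSTED_PREFIXES = ("c:\\winnt\\system32\\", "c:\\program files\\")

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(listing):
    """Turn Fport-style rows into dicts; the header and blank lines are skipped."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "process": proc, "port": int(port),
                         "proto": proto, "path": path.strip()})
    return rows


def is_unusual_path(path):
    """An empty path (the kernel 'System' entry) is normal; anything else must
    live under a trusted directory to be considered ordinary."""
    if not path:
        return False
    return not path.lower().startswith(TRUSTED_PREFIXES)


def suspicious_ports(rows):
    """Ports >= 1024 bound by processes running from unusual paths, grouped by
    port so that one port shared by several odd binaries stands out."""
    by_port = defaultdict(list)
    for r in rows:
        if r["port"] >= 1024 and is_unusual_path(r["path"]):
            by_port[r["port"]].append((r["pid"], r["process"], r["path"]))
    return dict(by_port)


def bpf_filter(ports):
    """tcpdump capture filter for the flagged ports, e.g. 'tcp port 6667'."""
    return " or ".join(f"tcp port {p}" for p in sorted(ports))
```

On the sample, the three binaries outside the trusted directories all sit on port 6667, and the resulting filter is what you would hand to tcpdump to watch that port.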

"It takes detailed network and host forensics to determine what type of malware is installed on the system and how it functions," he says. "That's why I post my findings to the general public: to help improve the training in forensics."

The Case of the Sneaky Engineer

How forensics examinations of many machines helped one company retrieve its intellectual property and stop the bad guy from using it again:

An engineer left a West Coast manufacturing company, which we'll call Company A due to pending litigation. When that same engineer turned up at Company B, a competitor, in September earning $10,000 more than market rate, Company A's executives worried that some of their intellectual property had been transferred to the competitor. Company A's executives filed a court motion for discovery, and then called New Technologies Inc. (NTI), a computer forensics support and training firm in Gresham, Ore.

In cases like this one, forensics rules must be strictly followed or evidence won't be accepted in court. The first rule is to not tamper with evidence, so NTI's team made a mirror image of Company A's engineering servers and the perpetrator's old computer. To do that, they used a tool called SafeBack, which captures and time-stamps the perpetrator's hard drive contents without altering the original, says Paul French, lab manager at NTI.

While NTI investigators found signs of file copying to removable media in the engineer's computer at Company A, French's team couldn't find empirical evidence of wrongdoing there. So under a court order for discovery, the NTI team then searched the suspect's home computer.

Using another NTI file search utility called FileListPro, the NTI team found that several product engineering drawings had been copied onto the home computer after the engineer had left the company. (FileListPro tells when a file has been created, accessed and modified.)

The engineer claimed that the clock on his computer had malfunctioned and that the drawings were copied while he was employed at Company A. But simple deduction told a different story. The date on a letter written in the same time period corresponded with the machine's time stamp on that letter.

This was enough evidence to prompt an investigation of the engineer's machine at his new employer. The team found drawings that were similar to those from Company A, but with some differences. But through searches using keywords like diagrams and the name of Company A, French says his team found an e-mail trail on the engineer's new desktop that "cinched it." The e-mails, which passed between the engineer and his girlfriend, detailed their mutual possession of the diagrams in question. One written by the engineer said that the investigators wouldn't be able to tie anything back to them. And another, written by the girlfriend, asked the engineer what he wanted her to do with the drawings he'd sent her.

The result: "a court injunction against this engineer and his company developing products based off our client's intellectual property," French says. "If they do come out with a widget too similar in design, they'll slap them with criminal charges."

---------------------------------------------------------------
Leave the list: mail to infowar - de-request -! - infopeace - de with "unsubscribe" in the body.