USSS History - PowerPoint PPT Presentation

Provided by: USSS

Transcript and Presenter's Notes

1
USSS History
  • Investigations
  • Secret Service Division began on July 5, 1865 in
    Washington, D.C., to suppress counterfeit
    currency.
  • In 1867 Secret Service responsibilities were
    broadened to include "detecting persons
    perpetrating frauds against the government." This
    appropriation resulted in investigations into the
    Ku Klux Klan, non-conforming distillers,
    smugglers, mail robbers and land frauds.
  • Protection
  • In 1901, Congress informally requested Secret
    Service Presidential protection following the
    assassination of President William McKinley.
  • In 1902, the Secret Service assumed full-time
    responsibility for protection of the President.
  • Two operatives were assigned full time to the
    White House Detail.

2
USSS History
  • In 1984 Congress authorized the Secret Service to
    further investigate Financial Crime violations
    relating to:
    • Credit/Debit cards
    • Computer and Telecommunications Fraud
    • Fraudulent Identification documents
    • Bank Fraud (access device fraud, advance fee
      fraud, electronic funds transfers, and money
      laundering)
    • Financial Institution Fraud
  • Core Treasury Violations still under USSS
    jurisdiction under Homeland Security:
    • Counterfeit checks
    • Treasury Checks
    • Counterfeit Bonds
    • Counterfeit Money
    • P Notes
    • OMC Notes
    • Offset

3
  • On October 26, 2001, President Bush signed into
    law H.R. 3162, the Uniting and Strengthening
    America by Providing Appropriate Tools Required
    to Intercept and Obstruct Terrorism (PATRIOT) Act
    of 2001.
  • In drafting this particular legislation, Congress
    recognized the Secret Service philosophy that our
    success resides in the ability to bring academia,
    law enforcement and private industry together to
    combat crime in the information age.
  • As a result, the U.S. Secret Service was mandated
    by this Act to establish a nationwide network of
    Electronic Crimes Task Forces.

4
Electronic Crimes Special Agent Program - ECSAP
  • Early 1990s saw the need for Computer
    Specialists
  • Treasury Computer Forensics Training Program
  • ATF (Now under DOJ)
  • ICE
  • IRS
  • USSS

5
Electronic Crimes Special Agent Program - ECSAP
  • Training
  • A Certification
  • Six weeks at FLETC
  • Hard Drive geometry
  • Operating Systems
  • Forensic programs
  • Practical Exercises
  • Court Testimony
  • Exams

6
Electronic Crimes Special Agent Program - ECSAP
  • Advanced Certifications
  • ACERT/ Network
  • CISSP
  • NASA
  • Ernst and Young Hacking School
  • EnCase
  • FTK Boot Camps
  • ILook IRS
  • Yearly training conferences

7
Electronic Crimes Special Agent Program - ECSAP
  • 200 Deployed to the Field
  • All sworn personnel
  • Forensic Computer Exams
  • Assistance for State and Local Law Enforcement
  • Train state and local agencies
  • Expert Witness Testimony
  • Search Warrant Assistance

8
Electronic Crimes Task Force
  • The concept of the ECTF is unique in that it
    brings together not only federal, state, and
    local law enforcement, but also prosecutors,
    private industry, and academia.
  • The common purpose is the prevention, detection,
    mitigation, and aggressive investigation of
    attacks
  • Currently over 20 Electronic Crimes Task Forces
    and Electronic Crimes Working Groups spanning the
    entire nation.

9
New England Electronic Crimes Task Force
  • USSS (MA, NH, RI, VT, ME)
  • ICE
  • DOT
  • IRS
  • ATF
  • DOD
  • Local Departments
  • Norwood, Medford, Boston, Cambridge.

10
Special Programs
  • CERT Carnegie Mellon
  • Best Practices Guide for Law Enforcement
  • Critical Systems Protection Initiative
  • National Center for Missing and Exploited
    Children

11
High Tech Crime Trends
  • Credit Card Skimming/Parasitic Devices
  • Phishing Scams
  • Network Intrusion
  • Identity Theft

12
Phishing
13
Phishing
  • A form of identity theft in which deception is
    used to trick a user into revealing confidential
    information with economic value
  • Term phishing coined in 1996 by hackers
    stealing AOL accounts by scamming passwords
  • Origin of the term phishing comes from the fact
    that cyber attackers are "fishing" for data; the
    "ph" spelling follows the older hacker "phreaking"
    convention, and "Password Harvesting" is a
    backronym sometimes offered for it
  • Involves harvesting of personal and financial
    account information

14
Phishing
  • Usually accomplished through a response to
    un-solicited e-mail
  • Victim believes the e-mail is from his/her bank
    or other institution accessed online
  • Criminals take over accounts, transfer funds,
    duplicate credit cards, assume identities of
    victims, open new accounts, etc.

15
Phishing
16
Phished Information Includes
  • Name, address, phone numbers
  • Social Security number
  • Date of birth
  • Mothers maiden name
  • Account number
  • Bank name
  • Bank login information
  • Login password
  • Card expiration date
  • Card Verification Value (CVV)

17
What Happens to The Phished Information?
  • Account takeovers
  • Identity theft
  • Money laundering (through wire transfers)
  • Credit card/ATM fraud (using duplicated cards)
  • Fictitious online auctions
  • Credit card number harvesting/internet posting

18
Typical Bank Phishing Scheme
  • Website is created and placed on the internet
    (2-8 days)
  • E-mails are generated
  • Data is collected (54 hours)
  • Accounts are taken over
  • Funds are electronically transferred
  • Funds are cashed out via Western Union, E-Gold
    account, or ATM card
  • Funds are then re-deposited into accounts in
    Eastern Europe

19
Current Phishing Statistics
  • Fastest growing and largest fraud scheme in U.S.
    history
  • 65% of all phishing attacks occur against
    financial institutions
  • The average phishing website is active less than
    3 days after the phisher's e-mail is launched
  • Current phishing success rate is 5%
  • Phishers are adapting techniques to defeat security

20
Carding Websites and Networks
  • Former Soviet Union and Eastern European States
    produce and launch malicious software
  • Mal-ware intrudes into private financial
    networks and government institutions
  • Mal-ware then extracts personal data and
    carding websites and networks used to traffic in
    stolen information

21
Carding Portals
  • Carding Portals are like on-line bazaars some
    with several thousand registered users
  • Administrators screen potential members
  • Potential members must prove worth before allowed
    entry
  • Most based in Former Soviet Union or Eastern
    European States

22
Carding Portals
  • Activity occurs in forums similar to bulletin
    boards or on Internet Relay Chat (IRC)
  • Registered users may post announcements of goods
    or services
  • Portals allow users to contact one another
    through the site
  • Hierarchical organization structure similar to
    Mafia organizations

23
Evolution of Card Data Sold
  • 1990s Plain Cards (Card Number, Expiration Date,
    Cardholder Name and Address)
  • Early 2000s CVV Data also Present
  • Roughly 2002 On Full Track Data (Dumps)
  • Roughly 2004 On Full-info Cards
  • Response to Increased Anti-fraud Measures
  • Allow Online Enrolls
  • 2005 Increased Traffic Referencing Verified by
    Visa and MasterCard SecureCode Cards

24
Network Intrusion Attack Techniques
  • Information Gathering Attacks
    1. Snooping - Simple traffic monitoring can yield
       tremendous amounts of information if the
       traffic is not encrypted. Done by compromising
       a router or other key infrastructure device
       that traffic flows through.
    2. Man in the Middle - Attacker redirects traffic
       to equipment the attacker owns, intercepts each
       message, reads it, and retransmits the
       intercepted message to the intended recipient.
    3. Trojan - Programs that masquerade as a benign
       tool. When executed, capable of mimicking
       standard login prompts that fool the user into
       thinking they are logging into their real
       account. After the username and password are
       entered, the Trojan records the information.

25
Network Intrusion Attack Techniques
  • Denial of Service Attacks
  • A single host can be used to generate large
    quantities of traffic, causing a target, or the
    network to which it is connected, to become so
    flooded that the target host becomes incapable of
    responding to valid requests.
  • Spoofing Attacks
  • Faking a source IP address can allow firewalls to
    be bypassed, causing the traffic to appear to
    have originated from a source authorized to pass
    through the firewall.
  • A spoofed IP address can also allow an attacker
    to conceal their own IP address, making the
    attack more difficult to trace.
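The standard counter to both uses of spoofing described above is source-address validation at the firewall or border router: a packet arriving on the outside interface with a source address from the protected network is spoofed and is dropped, and a packet leaving an inside segment with a source that does not belong to that segment is dropped before it can be used to attack someone else. The following added example (not code from the presentation) applies that rule to a constructed interface table and packet list; the prefixes and addresses are assumptions.

```python
import ipaddress

# Constructed interface table (assumption): prefixes allowed as SOURCE on each
# inside-facing interface. The outside interface has no entry on purpose.
INTERFACE_PREFIXES = {
    "inside": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
}
OUR_SPACE = [net for nets in INTERFACE_PREFIXES.values() for net in nets]
# Addresses that are never a valid source on any interface.
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4")]


def classify(iface, src):
    """Return 'ok' or the reason a packet arriving on iface with source src is dropped."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "bogon-source"
    if iface in INTERFACE_PREFIXES:
        # Inside-facing interface: the source must belong to that segment
        # (stops inside hosts from spoofing outbound traffic).
        if any(addr in net for net in INTERFACE_PREFIXES[iface]):
            return "ok"
        return "source-not-from-interface"
    # Outside interface: a source claiming one of our own addresses cannot
    # legitimately arrive here, so it is spoofed.
    if any(addr in net for net in OUR_SPACE):
        return "spoofed-internal-source"
    return "ok"


def filter_packets(packets):
    """Annotate (iface, src, dst) records with the ingress decision."""
    return [(iface, src, classify(iface, src)) for iface, src, _dst in packets]


# Constructed packet records: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("outside", "10.0.0.5", "10.0.1.20"),
    ("outside", "203.0.113.9", "192.0.2.10"),
    ("inside", "198.51.100.4", "203.0.113.1"),
    ("inside", "10.3.4.5", "203.0.113.1"),
    ("dmz", "127.0.0.1", "10.0.0.1"),
]

if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:8} {src:15} {verdict}")
```

On real equipment this is an interface ACL or reverse-path check rather than Python, but the decision table is the same; the point for the incident reporter is that a firewall log showing an "internal" source on the outside interface is itself evidence of spoofing.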

26
Threats Can be From Internal Sources
  • Internal: the most expensive attacks come from
    inside (up to 10x more costly)
  • Source: CSI/FBI Security Study 2003
27
Threats Also Come from External Sources
  • External: 78% of attacks come from the Internet
    connection (up from 57% in 1999)
  • Source: CSI/FBI Security Study 2003
28
How to Report an Attack
  • Initiate the company's incident response plan.
  • Make appropriate contacts within the company
    (i.e. management, legal, public relations, IT,
    etc.).
  • Contain the attack.
  • a) secure the area using physical security.
  • b) victim company may backup the system.
  • c) collect and preserve electronic evidence
    (floppy disks, CDs, skimmers, caller ID boxes,
    network activity logs!).
  • Report the attack to US Secret Service.

29
Network Incident Report
  • Assistance that is being requested.
  • Type of incident (denial of service, malicious
    code or virus, intrusion).
  • Type of service, information, or project
    compromised.
  • Damage done (system downtime, cost of incident,
    number of systems affected).

30
Details for Denial of Service
  • Apparent source IP address.
  • Primary systems involved (IP address, Operating
    Systems versions).
  • Method of operation
  • a) tool used
  • b) packet flood
  • c) malicious packet
  • d) ports attacked
  • Remediation performed
  • - application moved to another system.
  • - memory or disk space increased.

31
Details for Malicious Code
  • Apparent source (diskette, CD, email attachment,
    software download).
  • Primary systems involved (IP address, Operating
    Systems versions).
  • Type of malicious code (virus, Trojan horse,
    worm).
  • Remediation performed
  • - Anti-virus product obtained, updated,
    installed.
  • - New policy instituted on attachments.
  • - Firewalls, routers, or email servers updated
    to detect and scan attachments.

32
Details for Unauthorized Access
  • Apparent source (IP address, host name).
  • Primary systems involved (IP address, Operating
    Systems versions).
  • Avenue of attack
  • a) cracked password
  • b) trusted host access
  • c) vulnerability exploited
  • d) hacker tool used
  • e) social engineering
  • Remediation performed
  • - Patches applied.
  • - Operating System reloaded.

33
System Analysis
  • Mirror image of system
  • Compare with previous back-up if available
  • wtmp files
  • History logs
  • Message logs
  • syslog
  • Firewall logs
  • Router logs
  • Proxy server logs

34
System Analysis
  • Examine all files run with cron
  • cron is the job scheduler that runs commands at
    set times, so an entry added by an intruder
    re-runs his code unattended
  • Review the /etc/passwd file for alterations
  • Unauthorized services
  • Backdoor access through known versions of finger,
    rsh, rlogin, telnet, etc.

35
System Analysis
  • Check for sniffer programs
  • Check for trojan horses
  • Search for setuid and setgid files
    • These allow a hacker to obtain root
  • Search for entries from non-local host systems
    • These would indicate an incoming connection
      from a trusted system

36
System Analysis
  • Look for unusual or hidden files
  • Review all the processes currently running on
    system
  • Verify the above information with the system
    administrator and against the previous back-up

37
Useful Information
  • Network topology
  • Configure to prevent as many security holes as
    possible
  • Observe and detect anomalous behavior
  • Prevent the attacker from capitalizing on the
    attack
  • Eliminate the attacker's access to the system
  • Recover the integrity of the network
  • Follow up with lessons learned

38
Operation Firewall
  • Case involving the illegal sale of financial
    account information, credit cards, passports,
    drivers licenses, birth certificates, Social
    Security cards, insurance cards and diplomas
    using the internet.
  • 33 Arrests (24 US, 9 overseas)
  • 27 Search Warrants
  • 11 Plant seizures
  • 100 Individual Computers Seized
  • Anticipated future arrests and search warrants
    both within the United States and overseas

39
Case Study 1: Wholesale Club Wireless Access
Vulnerability
  • Inventory Control system used wi-fi bar code
    readers
  • System installed did not utilize built-in
    encryption or security features.
  • Access to network was wide-open to any user in
    store parking lot with laptop computer and wi-fi
    access.

40
Case Study 1
  • Access to the inventory system allowed mainframe
    access.
  • Exploit posted by criminal groups on forums
  • Hundreds of thousands of credit cards and
    accounts stolen and the information used for
    identity theft and counterfeit CCs

41
Case Study 2: Law School
  • Rogue employee (Office Manager) who was a prior
    felon and had access to sensitive data.
  • Access to employee accounts and school credit
    cards
  • Used information obtained to apply for more
    credit cards
  • Employee ran a travel agency, used stolen funds to
    purchase airline tickets and cruises
  • Was hired even though she had prior felony
    convictions

42
Case Study 3: Boston-based Investment Firm
  • Employee who was employed in the mailroom had
    access to customer account information from
    documents he observed
  • Used information to transfer money out of
    customer accounts
  • Had gambling addiction, used stolen funds to pay
    off debts
  • Several thousand dollars of customer funds were
    stolen

43
Case Study 4: Boston-based Real Estate Investment
Firm
  • Employee stole legitimate corporate checks from
    employer
  • Checks were counterfeited using the bank account
    of the corporation
  • Hundreds of thousands of dollars were taken over a
    period of time
  • Money was used to purchase Mercedes vehicles and
    properties in New York and Massachusetts

44
Prevention
  • The guiding principle of the Electronic Crimes
    Task Forces' approach to both our protective and
    investigative missions is our focus on
    prevention.
  • Harden the target through preparation,
    education, training and information sharing.

45
Prevention
  • Proper development of business policies and
    procedures before the incident.
  • Strong documentation and reporting practices
    starting at the beginning of the incident.
  • Internal computer forensics and log analysis.
  • Technical briefings for law enforcement during
    the entire course of the investigation.
  • Victim loss documentation and assistance in trial
    preparation.

46
Security Suggestions
  • Capture logs on another system
  • Rotate (rename) logs periodically
  • Encrypt log files
  • Analyze logs on a routine basis
  • Use additional monitoring programs to corroborate
    log information
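"Analyze logs on a routine basis" and "corroborate log information" with a second source are the two suggestions a script can actually carry out. The following added example (not code from the presentation) reads constructed sshd syslog lines and constructed firewall accept records (both line formats are assumptions modelled on OpenSSH and a generic firewall log), reports a success preceded by a burst of failures from the same address (the "cracked password" avenue from the Unauthorized Access slide), and flags any successful login that the firewall did not see, which points either at a path around the firewall or at a tampered host log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line formats are assumptions modelled on OpenSSH syslog output and a generic
# firewall accept record; adjust the patterns to your own sources.
SSHD = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")
FW = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ fw: ACCEPT src=(\S+) dst=\S+ dpt=22")
YEAR = "2005"  # syslog timestamps carry no year; the constructed data is from 2005


def ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def review(auth_log, fw_log, threshold=5, window_seconds=600, slack_seconds=60):
    """Return findings: password guessing that ended in a success, and
    successful logins with no firewall record to back them up."""
    failures = defaultdict(list)  # source address -> failure times
    accepts = []                  # (time, user, source)
    for line in auth_log.splitlines():
        m = SSHD.match(line)
        if not m:
            continue
        when, kind, user, src = ts(m.group(1)), m.group(2), m.group(3), m.group(4)
        if kind == "Failed":
            failures[src].append(when)
        else:
            accepts.append((when, user, src))
    fw_accepts = [(ts(m.group(1)), m.group(2))
                  for m in map(FW.match, fw_log.splitlines()) if m]
    findings = []
    for when, user, src in accepts:
        # Failures from the same source in the window before the success.
        recent = [t for t in failures[src] if 0 <= (when - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            findings.append(("guessed-password", user, src, len(recent)))
        # Corroboration: the firewall must have accepted a connection from
        # that source to port 22 within slack_seconds of the host's record.
        corroborated = any(fw_src == src and abs((when - fw_when).total_seconds()) <= slack_seconds
                           for fw_when, fw_src in fw_accepts)
        if not corroborated:
            findings.append(("no-firewall-corroboration", user, src))
    return findings


# Constructed host and firewall logs (not real traffic).
AUTH_LOG = """Mar  7 03:40:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.77 port 40011 ssh2
Mar  7 03:40:03 host1 sshd[2203]: Failed password for root from 203.0.113.77 port 40012 ssh2
Mar  7 03:40:05 host1 sshd[2205]: Failed password for root from 203.0.113.77 port 40013 ssh2
Mar  7 03:40:07 host1 sshd[2207]: Failed password for root from 203.0.113.77 port 40014 ssh2
Mar  7 03:40:09 host1 sshd[2209]: Failed password for root from 203.0.113.77 port 40015 ssh2
Mar  7 03:41:00 host1 sshd[2211]: Accepted password for root from 203.0.113.77 port 40016 ssh2
Mar  7 09:12:30 host1 sshd[3100]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Mar  7 09:30:00 host1 sshd[3150]: Accepted password for bob from 10.0.0.9 port 51300 ssh2
"""
FW_LOG = """Mar  7 03:40:59 fw1 fw: ACCEPT src=203.0.113.77 dst=10.0.0.20 dpt=22
Mar  7 09:12:29 fw1 fw: ACCEPT src=10.0.0.5 dst=10.0.0.20 dpt=22
"""

if __name__ == "__main__":
    for finding in review(AUTH_LOG, FW_LOG):
        print(finding)
```

The cross-check only works when the two logs are written by different systems, which is the reason for the "capture logs on another system" suggestion: an intruder who edits wtmp and syslog on the compromised host cannot also remove the firewall's copy of the connection.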