Source: itm.iit.edu/netsecure11/LeeNeubecker_ProtectingDigitalAssets.pdf

NetSecure Conference & Expo

Protecting Digital Assets from Hackers and Thieves…

Lee M. Neubecker

Computer Forensics Expert and President of Forensicon, Inc.

www.forensicon.com

[email protected]

888-427-5667

Presents…

Recent Cases in the News Where Computer Forensics is Relevant

• Fraud, Embezzlement & Kickback Schemes

• Hacker Investigations

• Counterfeiting

• Misappropriation of Trade Secrets

Fraud, Embezzlement & Kickback Schemes

• Jury awards SC Johnson $147 million in trucking kickback case

– The company uncovered the massive bribery scheme in 2004.

Transportation carriers gave Morris hundreds of thousands of dollars in cash, lavish travel and expensive jewelry in exchange for business with SCJ. In order to cover up the scheme, Morris is accused of inflating transportation rates across the board, costing SCJ even more money.

– Morris, Scheller, Thomas Buske, Tom Russell and their companies were all on trial, accused of fraud, conspiracy to commit bribery and fraud and violating the Wisconsin Organized Crime Control Act. The jury found them liable for damages based on those actions.

– http://www.journaltimes.com/articles/2008/02/27/local_news/doc47c49609d5e33765818271.txt

Hacker Investigations

• Accused Sarah Palin email hacker David Kernell pleads not guilty to three more charges

– http://www.nydailynews.com/news/politics/2009/03/09/2009-03-09_accused_sarah_palin_email_hacker_david_k-1.html#ixzz0FVMZTg7R&A

– Identify and trace IP headers

– Validate user’s access of website on local computer

– Validate registration of IP address on computers

Hacker Investigations

• Obama and McCain campaigns hacked by the Chinese / Russians – Nov 2008

– Hackers broke into the computer systems of the Barack Obama and John McCain campaign teams during the US presidential race and stole a "serious amount of files" in an operation that US government cyber experts believe originated from China.

– http://www.guardian.co.uk/global/2008/nov/07/obama-white-house-usa

Hacker Investigations

• Hackers steal UC Berkeley health records – May 2009

– The University of California at Berkeley started warning students and alumni on Friday that online thieves infiltrated the school's restricted servers and stole medical records on more than 160,000 individuals.

– http://www.securityfocus.com/brief/960?ref=rss

Hacker Investigations

• San Francisco IT worker arrested in hijacking of city network – July 2008

– Terry Childs, who has worked for the city for five years, is accused of tampering with the new Fiber Wide Area Network after allegedly being disciplined for poor performance. He is accused of electronically spying on his supervisors and their attempt to fire him, according to authorities.

– http://news.cnet.com/8301-1009_3-9991769-83.html

Hacker Investigations

• Spies hacked into U.S. electricity grid – April 2009

– The Wall Street Journal published a report saying that Chinese and Russian spies sought ways to navigate and control the power grid as well as the water and sewage infrastructure. It's part of a rising number of intrusions, the article said, quoting former and current national security officials.

– http://news.cnet.com/8301-11128_3-10214898-54.html

Counterfeiting

More Than $5 Million Awarded in Counterfeiting Case

• Counterfeiting involving the sale of knock-off Newport Cigarettes

– Lorillard Tobacco Company v. Canstar (U.S.A.), Inc., Cam-Kat, Inc., Uniglobe International Import/Export, Inc., Mohamed Aref, Edward Saad, Mustapha Kechtban

– Forensicon Recovered Data From a Reformatted Hard Drive Including Web Mails Identifying Panama Bank Accounts Used To Divert Funds Raised by Selling Counterfeit Products

– http://www.usdoj.gov/usao/nj/press/files/pdffiles/Rico2final.pdf

– http://74.125.95.132/search?q=cache:LcjXX6k98zcJ:www.yuki-inc.com/news.asp%3Fid%3D10+%22newport%22+cigarettes+mohamed+aref&cd=2&hl=en&ct=clnk&gl=us

Misappropriation of Trade Secrets

• Swedish hacker charged with Cisco and NASA break-in – May 2009

– A 21-year-old Swede, Philip Pettersson, AKA "Stakkato", charged with computer intrusion and misappropriating trade secrets – re: hacking into the computer systems of NASA and US networking giant Cisco.

– Apparently his 2004 attack on Cisco involved breaking in and stealing high-end router operating system code. He is also suspected of breaking into computers at NASA's Jet Propulsion Laboratory at CalTech.

– http://www.theinquirer.net/inquirer/news/1052034/swede-charged-hacking-cisco-nasa

Misappropriation of Trade Secrets

• David Yen Lee charged with Trade Secret Theft, March 2009

– http://www.enewspf.com/index.php?option=com_content&view=article&id=6590:fbi-arlington-heights-man-charged-with-theft-of-trade-secrets&catid=88888909&Itemid=88888905

– An Arlington Heights man was charged Friday with the theft of trade secrets from the Wheeling company where he worked, authorities said.

– Lee, a naturalized U.S. citizen, worked for Minneapolis-based Valspar Corp., a maker of paints and industrial coatings. Lee, former technical director of new product development for Valspar’s architectural group, quit March 16—two weeks after returning from a business trip to China, the FBI said.

– When Valspar workers examined the company laptop computer and BlackBerry device he turned in when he resigned, they found that all temporary files had been deleted, suggesting he had "taken steps to clean his computer user history," a criminal complaint stated.

Overview of Presentations: Protecting Digital Assets

• Most common breakdowns that occur involving hacker breaches

• Impediments to effective forensic investigations regarding hacker attacks

• What can an organization do to more proactively protect their digital assets

• What to do when a hacker attack or suspected theft of digital assets occurs

• What to do when an employee is suspected of misappropriating company digital assets

• What a computer forensics investigation may reveal

Most common breakdowns that occur involving hacker breaches

• Servers un-patched

• Network security not configured correctly – back doors open behind the firewall

• Compromise from internal staff

• Lack of regular audits that would enable:

– Enforcement of strong password policies

• Unlimited employee access to storage devices and the internet

Impediments to effective forensic investigations regarding hacker attacks

• Lack of change management documentation that would enable easy detection of hacker activity vs. normal activity

• Logs that would enable tracking are deleted or not configured correctly

• Lack of effective monitoring tools to provide alerts when irregular conditions apply

• Destructive activities by internal IT staff

• Vulnerability dissemination to the hacker community

What can an organization do to more proactively protect their digital assets

• Regular audits by third parties

• Remote posting of log files to third party

• Usage of audit tools and change management tracking tools

• Automated Patch Deployment

• Track and issue connected storage devices

• Use proxy logging monitoring services / malware site detection

• Create a data map and computer map of the network using automated tools (Verify and identify each connected device)

What to do when a hacker attack is suspected or occurs

• Stop backup tape rotations (buy new tapes, keep the old)

• Preserve key computers – pull the hard drives or image the computers forensically

• Verify logging configuration settings on all key computers

• Force password rotation network wide

• Audit data map and connected storage devices to look for any unknown devices

• Check all phone lines for connected modems

• Scan for wireless networks and visually inspect facilities and all Ethernet port connections

• Contact corporate counsel and HR

Investigating Suspected Trade Secret Misappropriation…

What to do when an employee is suspected of Misappropriating Company Digital Assets

PRESERVE RELEVANT ELECTRONIC DATA FIRST

• Preservation of the employee's computer and data stores

• Employee storage media devices

• Company telephone records

• Security surveillance camera records

• Employee passcard records

• Cell Phone

• Network Profile

• Target Mail storage containers including OST and PST files from computer and network stores

Forensic Preservation of Electronic Evidence

• Rule #1: Keep Computers Turned Off; Do Not Use Media!

• Document All The Specifics of The Computer

• Use a Qualified Individual When Creating the Forensic Imaging To Preserve Admissibility of Evidence (EnCase, FTK, Paraben)

• Create a Bit-Stream (Forensic) Image of the Media

• Generate Hash Values for Authentication

• Doing this Ensures All Data Has Been Preserved Including "Electronic Information"

SIMPLE SOLUTION – Pull the Hard Drive and Seal
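An added example, not from the presentation or Forensicon's tooling, of the bit-stream image and hash-value steps above in Python: the media is copied block by block, MD5 and SHA-256 are computed over the bytes as they are read, and the finished image is re-hashed to confirm it matches the acquisition record; a single flipped byte in the stored image is shown to fail that check. The "drive" is a constructed file standing in for a raw device node.

```python
import hashlib
import os
import tempfile


def acquire_image(source, image_path, chunk=1 << 20):
    """Bit-stream copy of the media; hashes are taken over the bytes as they are read."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            total += len(block)
    # Two independent hashes: either one alone authenticates the image in a hash report.
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "bytes": total}


def verify_image(image_path, record, chunk=1 << 20):
    """Re-hash the stored image from scratch; any mismatch means the copy cannot be relied on."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(image_path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return (md5.hexdigest() == record["md5"] and sha256.hexdigest() == record["sha256"]
            and os.path.getsize(image_path) == record["bytes"])


def run_demo():
    """Constructed sample: a 3 MiB file stands in for a raw device node such as /dev/sdb."""
    tmp = tempfile.mkdtemp()
    media = os.path.join(tmp, "suspect-drive.bin")
    with open(media, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024) + b"OST/PST remnant (constructed)")
    image = os.path.join(tmp, "suspect-drive.dd")
    record = acquire_image(media, image)
    verified = verify_image(image, record)
    # Flip one byte in the stored image; verification must now fail.
    with open(image, "r+b") as f:
        f.seek(4096)
        byte = f.read(1)
        f.seek(4096)
        f.write(bytes([byte[0] ^ 0x01]))
    return record, verified, verify_image(image, record)
```

Record the hash values and byte count from `acquire_image` with the chain-of-custody paperwork; any later re-verification has to reproduce them exactly.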

Targeting the relevant sources of data

• Employee electronic devices

– Work computer

– Cell phones, iPods, PDAs, thumb drives, cameras

• Employee’s network accessible storage

• Email Servers

• Access and authentication servers

• Third party logs and data stores (Yahoo mail, Vonage, GMAIL, TMOBILE, etc.)

Targeting the relevant sources of data

• Finding the Smoking Gun

– Computers Used by Suspect

• Old Computer While Employee

• Personal Home Computer

• New Employer Computer

• Other devices connected to corporate computers

• Servers That May Have Replica or Cached Copies of The Desktop or Laptop Computer

– Profile Server

– Internet Cache Server or Firewall

– Email Server

– Network File Server

– Backup or Disaster Recovery Server

Target Most Likely Sources First

• Hash Set Compare to Find Perfect Match

• File Name Compare to Find Near Matches

• Signature Compare to Find Key File Types

– E.g., Engineering File Misappropriation -> CAD File Types

– Theft of Client Information -> CSV, PDF, TIF, ZIP, and EXE Files That Are Self-Extracting ZIP Archives

– Focus on Dates (Created, Modified, Last Accessed, Last Written)

• Link Files Referencing Other Media Devices With File Names in Common to Your IP Hash Set File Names

• Personal Web Mail

Target Most Likely Sources First – Other Targets

• Recently Deleted Information

• Large Files (Especially the Recently Created Zip and Archival Files That are Deleted But Recoverable!)

• On Any Hits, Export All Related Files by Metadata in Common:

– Folder Path in Common

– Access, Create or Modify Date in Common

– Other Relevant Metadata in Common
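An added example, not from the presentation, that walks a copied file tree applying the hash-set, file-name and signature comparisons from the two slides above and then groups the hits by folder in common. The sample tree, the hash set and the magic bytes used for PDF, ZIP and self-extracting EXE detection are constructed for the demo.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Magic bytes for the target types named on the slides; an EXE that also carries a ZIP
# local-file header is reported as a self-extracting archive ("exe-sfx").
MAGIC = {"zip": b"PK\x03\x04", "pdf": b"%PDF-", "exe": b"MZ"}

def signature_of(head):
    for kind, magic in MAGIC.items():
        if head.startswith(magic):
            return "exe-sfx" if kind == "exe" and MAGIC["zip"] in head else kind
    return None

def triage(root, ip_hashes, ip_names):
    """Flag files by exact SHA-256, by file name, or by signature; group hits by folder."""
    hits, by_folder = {}, defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()  # whole-file read is fine for a demo; chunk large files
            sig = signature_of(data[:4096])
            reasons = [r for r, hit in (
                ("hash", hashlib.sha256(data).hexdigest() in ip_hashes),
                ("name", name.lower() in ip_names),
                ("sig:%s" % sig, sig is not None)) if hit]
            if reasons:
                rel = os.path.relpath(path, root)
                hits[rel] = reasons
                by_folder[os.path.dirname(rel)].append(name)
    return hits, dict(by_folder)

def run_demo():
    """Constructed tree: an exact copy, an edited copy with the same name, an SFX, a benign file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usb", "bak"))
    design = b"%PDF-1.4 widget drawing (constructed)"
    files = {
        "usb/widget-design.pdf": design,                # exact hash match
        "usb/bak/widget-design.pdf": design + b"rev2",  # same name, content altered
        "usb/bak/setup.exe": b"MZ" + b"\0" * 60 + MAGIC["zip"] + b"payload",  # SFX
        "notes.txt": b"lunch menu",                     # benign, no hit
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return triage(root, {hashlib.sha256(design).hexdigest()}, {"widget-design.pdf"})
```

The edited copy shows why name comparison matters: a single changed byte defeats the hash match, but the file still surfaces by name and signature, and the folder grouping ties it to the self-extractor sitting beside it.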

What a Computer Forensics Investigation May Reveal – Sample Report Follows

• File creation activity over time

• File Deletion Activity – File Entries

• Link Files Depicting Recent External Storage Devices and Files Referenced

• Internet History

• Recent Users Logged On

• Recently Run Programs – Prefetch Entries

• Recycle Bin Records of Deletion

Making the Case

• Start with Computer Used by the Former Employee

– Correlate Activity to Notable Real World Events

– Define Plausible Argument That an Identifiable Set of Your Data Was Very Likely Transferred to Another Party

– Forensic Analysis Culminating With Affidavit Regarding Significant Activity on a Key Computer (Archiving, Deletion or Transfer)

• Motion to Compel Examination of Likely Downstream Media: Request Preservation First

• Targeted Searches Following Where the Trail Leads

A picture can speak 1,000 words

Judge ordered employee to hand over home computer

Recap and Q&A
