
Cyber ID Sleuth Data Security Forensics


Page 1: Cyber ID Sleuth Data Security Forensics

Data Security Compliance Advisors
Certified Identity Theft Risk Management Specialists

873 East Baltimore Pike #501
Kennett Square, PA 19348

610-444-5295

www.BTR-Security.com

CyberID-Sleuth™ Data Security Forensics

Prepared by: Robert A. Listerman, CPA, CITRMS

Page 2: Cyber ID Sleuth Data Security Forensics


Robert Listerman (Bob) is a licensed Certified Public Accountant (State of Michigan) with over 30 years of experience as a process improvement business consultant. He graduated from Michigan State University and became a CPA while employed at Touche Ross & Co., Detroit, now a member firm of Deloitte & Touche USA LLP.

 

Bob added the Certified Identity Theft Risk Management Specialist (CITRMS) designation, issued by The Institute of Fraud Risk Management, in 2007. The designation recognizes his knowledge and experience in identity theft risk management. Today Bob focuses his practice on data security compliance. Over 50% of identity theft can be traced back to unlawful handling or mishandling of non-public data within the workplace.

 

Currently Bob serves his professional community as an active Board Member for the Institute of Management Accountants (IMA), Mid Atlantic Council (“IMA-MAC”). He is currently serving as President of IMA-MAC (2011-2013). He is a regular seminar presenter for the IMA, the Pennsylvania Institute of CPAs (PICPA), and the Michigan Association of CPAs (MACPA). Bob serves on, and is a past chair of, the MACPA’s Management Information & Business Show committee, which serves over 1,000 CPAs in attendance each year. He is Continuing Education Chair of the PICPA’s IT Assurance Committee.

 

Bob serves his local community as a member of the Kennett Township, PA Planning Commission and its Communications, Business Advisory, and Safety Committees. He is an active board member of the Longwood Rotary Club, and has served Rotary District 7450 as its Interact Club Chair (Rotary in High School) since 2010.

 

Past professional and civic duties include serving on the Board of Directors of the Michigan Association of Certified Public Accountants (1997-2000), as a board member of the Delaware Chapter of the IMA, and as Chapter President of the IMA Oakland County, Michigan chapter (1994-1995).

www.linkedin.com/in/boblistermanidriskmanager/

Page 3: Cyber ID Sleuth Data Security Forensics


Page 4: Cyber ID Sleuth Data Security Forensics


A DATA BREACH OF “PII” IS DEFINED AS A FIRST NAME, FIRST INITIAL OR LAST NAME PLUS:

1. A Social Security Number

2. A Driver’s License Number or State-Issued ID Number

3. An Account Number, Credit Card Number or Debit Card Number combined with any Security Code, Access Code, PIN or Password
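One way to apply this definition when sizing an incident (the "size of affected population" step of a response plan), as an added example that is not part of the original slides. The field names and the sample records are constructed for illustration.

```python
"""Decide whether a lost record meets this slide's definition of a PII breach.

Added example, not part of the original slides: the three triggers are the
ones listed above; the field names and the sample records are constructed.
"""

NAME_FIELDS = {"first_name", "first_initial", "last_name"}
ACCOUNT_FIELDS = {"account_number", "credit_card_number", "debit_card_number"}
SECRET_FIELDS = {"security_code", "access_code", "pin", "password"}


def _present(record, names):
    """Return the subset of `names` that have a non-empty value in `record`."""
    return {k for k in names if str(record.get(k) or "").strip()}


def pii_triggers(record):
    """List the definition's triggers that `record` satisfies.

    An empty list means losing this record is NOT a PII breach under the
    slide's definition: a name alone, an SSN without any name element, or a
    card number without its security code / PIN / password do not qualify.
    """
    if not _present(record, NAME_FIELDS):
        return []
    triggers = []
    if _present(record, {"ssn"}):
        triggers.append("1: Social Security Number")
    if _present(record, {"drivers_license", "state_id"}):
        triggers.append("2: Driver's License or State-Issued ID Number")
    if _present(record, ACCOUNT_FIELDS) and _present(record, SECRET_FIELDS):
        triggers.append("3: Account/Card Number plus Security Code, Access Code, PIN or Password")
    return triggers


def scope_breach(records):
    """Size the affected population: how many lost records are notifiable PII."""
    hits = [r for r in records if pii_triggers(r)]
    return {"records_lost": len(records), "pii_records": len(hits)}


# Constructed sample of a lost data set (every value is an invented placeholder).
SAMPLE_RECORDS = [
    {"first_initial": "A", "last_name": "Example", "ssn": "000-00-0001"},
    {"last_name": "Sample", "credit_card_number": "4111111111111111", "security_code": "123"},
    {"first_name": "Chris", "credit_card_number": "4111111111111111"},   # no code: not PII
    {"ssn": "000-00-0002", "drivers_license": "X1234567"},               # no name: not PII
    {"first_name": "Dana", "last_name": "Test", "state_id": "S-0001",
     "debit_card_number": "5555555555554444", "pin": "0000"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(pii_triggers(rec) or "not PII under this definition")
    print(scope_breach(SAMPLE_RECORDS))
```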

Page 5: Cyber ID Sleuth Data Security Forensics


A REAL “BREACH” IS DEFINED AS ANY INTRUDER TO YOUR ENTERPRISE

4. Your Trade Secrets

5. Access to Your Servers by a “Hacktivism” Criminal

6. Whatever Is Important to Your Enterprise

Page 6: Cyber ID Sleuth Data Security Forensics


When a hacker gets anyone’s credentials, it is easy for them to build a profile of the individual and gain even more information from social media sites.

From there they can spear-phish more information from the victim OR THEIR CONTACTS!

Examples of profile building follow:

Page 7: Cyber ID Sleuth Data Security Forensics


LOST CREDENTIALS PUT YOU UNDER ATTACK

Name: Lucas Newman
Extraction Date: 12/30/20XX
Email: [email protected]
Hometown: Portland, Oregon
Hashed Password: 16b90b178faff0e3e2f92ec647b50b11
Occupation: Managing Director and Portfolio Manager
Extraction Type:
Hack Source:

Page 8: Cyber ID Sleuth Data Security Forensics


Name: Robyn Mondin
Extraction Date: 12/30/20XX
Email: [email protected]
Hometown: Asheville, North Carolina
Clear Password: 36f76603a2212c7fc6ff4fb8ec77a64c
Occupation: Mortgage Banker
Extraction Type:
Hack Source:

Page 9: Cyber ID Sleuth Data Security Forensics


EVERY EMPLOYEE, PARTNER, AND SYSTEM IS A WEAK LINK

Name: Pat Grundish
Extraction Date: 8/13/20XX
Email: [email protected]
Hometown: Englewood, Ohio
Clear Password: p_grundish
Occupation: Mortgage Loan Officer
Extraction Type:
Hack Source:

Name: Mandy Knerr
Extraction Date: 8/13/20XX
Email: [email protected]
Hometown: Huber Heights, Ohio
Clear Password: m_knerr
Occupation: Sr. Marketplace Loan Officer
Extraction Type:
Hack Source:

Page 10: Cyber ID Sleuth Data Security Forensics


STOLEN CREDENTIALS REPEATEDLY USED TO BREACH FINSERV

16 Financial Services institutions publicly reported a data breach in 2012, totaling 1.1M breached records.

We harvested 6 credentials belonging to Independent Capital Management in December 2011.

As recently as 4/1/2013, we have found Citi credentials for a total of 1,688

• February 22, 2012: An unauthorized party misused Accucom credentials to make fraudulent $1.00 charges

• March 2, 2012: A user ID assigned to Independent Capital Management was used to access consumer credit reports

• March 13, 2012: Hacker logged onto Citi's credit card online account access system by using passwords and user IDs

• October 29, 2012: Hackers use stolen employee credentials to hack Abilene Telco, resulting in the theft of 847 credit reports

Page 11: Cyber ID Sleuth Data Security Forensics


THE LONG-TERM EFFECTS OF LOST CREDENTIALS

• 2005: An employee of a Kansas City investment bank registers for the free Stratfor newsletter

• December 2011: Stratfor becomes aware of its breach

• January 2012: Stratfor initiates a massive breach response, including removing all related data from the Web

• February 2013: Hacktivist group identifies the credential/password combo that still accesses the investment bank’s webmail

• February 2013: Hacktivist group publishes the investment bank’s client information on its home page

It took nearly eight years to feel the full effect of a duplicate password.

Over 300,000 individuals had their personal information leaked, such as credit card numbers, addresses, phone numbers, and more.

The employee used the same password to access the Stratfor newsletter as for the investment bank’s webmail account.

Page 12: Cyber ID Sleuth Data Security Forensics


MULTIPLE VECTORS OF ATTACK RESULT IN BREACHES

Data Breaches

• Point of Sale Systems
• Email
• Web
• Mobile
• Lost/Stolen Device
• FTP
• Cloud Services
• Employees
• Hacking
• Social Media

Page 13: Cyber ID Sleuth Data Security Forensics


THREE PRIMARY CAUSES DRIVE DATA BREACHES

Data Breaches

• Monetization
• Negligence
• Ego

Page 14: Cyber ID Sleuth Data Security Forensics


USA Breaches*

867,525,654* Records Known to Have Been Breached in The USA!

* From 2005 to June 11, 2014. Source: http://www.PrivacyRights.Org

Page 15: Cyber ID Sleuth Data Security Forensics


IT Administrators harden their networks by building walls with Anti-Virus software to keep out the bad guys.

The Problem is that 76,000 new malware strains are released into the wild every day.

The Problem is that 73% of online banking users reuse their passwords for non-financial websites.

The Result is that Anti-Virus software can’t keep up and the bad guys are already inside your walls.

PROVIDING VISIBILITY BEYOND THE IT WALLS

Page 16: Cyber ID Sleuth Data Security Forensics


Page 17: Cyber ID Sleuth Data Security Forensics


STOLEN CREDENTIALS EXPOSE YOU TO UNKNOWN RISK

30,000: The number of new malicious websites created every day [1]

80%: Of breaches that involved hackers used stolen credentials

14%: Of data breaches were due to employees using personal email accounts [2]

76%: Of network intrusions exploited weak or stolen credentials [2]

SOURCES: 1. Sophos, 2012; 2. Verizon Data Breach Investigations Report, 2013

Page 18: Cyber ID Sleuth Data Security Forensics


MALWARE EVADES TRADITIONAL ANTI-VIRUS SOFTWARE

200,000 – 300,000: The estimated number of new viruses discovered each day [1]

52%: Of malware in a recent study focused on evading security [2]

24.5%: Antivirus software’s average detection rate for e-mail based malware attacks [3]

40%: Of malware samples in a recent study went undetected by leading antivirus software [2]

SOURCES: 1. Comodo Group, 2012; 2. Palo Alto Networks, 2013; 3. Krebs on Security, 2012

Page 19: Cyber ID Sleuth Data Security Forensics


DO YOU KNOW WHAT THESE ARE?

automatedtest, automatedtester, bagle-cb, c_conficker, c_confickerab, c_confickerc, c_pushdo, c_trafficconverter, c_zeroaccess, childpredator, citadel, condo, cutwail, d_tdss, darkmailer, darkmailer2, darkmailer3, darkmailer4, darkmailer5, deai, esxvaql, fakesendsafe, festi, fraud, gamut, gheg, grum, hc, kelihos, lethic, maazben, malware, manual, mip, misc, netsky, ogee, pony, relayspammer, s_kelihos, s_worm_dorkbot, sendsafe, sendsafespewage, slenfbot, snowshoe, spamaslot, spamlink, spamsalot, special, spyeye, ss, synch, w_commentspammer, xxxx, zapchast, zeus

Prewritten malware code is available for hackers to modify just enough to get past your security.

Page 20: Cyber ID Sleuth Data Security Forensics


CASE STUDY: Sony PlayStation® Network

• April 19, 2011: Sony discovers its network had been compromised but did not announce anything

• April 20, 2011: Sony closed down the network but did not disclose what it already knew

• April 22, 2011: Sony reveals that an “external intrusion” caused the network outages

• April 26, 2011: Sony released a detailed account of the incident and revealed for the first time that PII was leaked

• April 29, 2011: Sony shares drop 4.5% and the company reveals 2.2 million credit card numbers were stolen

• March 2014: Sony is still attempting to resolve issues from the 50+ different class action lawsuits brought against it

Current estimates of the total financial impact to Sony: $171 million

Sony provided affected individuals with 12 months of identity theft protection and insurance coverage

100M user accounts compromised, exposing Full Name, Address, Phone Number, Date of Birth, Credit Card Number, User Name, and Password

Page 21: Cyber ID Sleuth Data Security Forensics


CASE STUDY: Target Corporation

• Nov. 27 – Dec. 15, 2013: Hackers execute an extended attack against Target’s point-of-sale system

• Dec. 18, 2013: News of the breach is reported by data and security blog KrebsOnSecurity

• Dec. 20, 2013: Target acknowledges the breach, saying it is under investigation

• Dec. 21, 2013: JP Morgan announces it is placing daily spending caps on affected customer debit cards

• Dec. 22, 2013: Customer traffic drops over the holiday season, resulting in a 3-4% drop in customer transactions

• Jan. 10, 2014: Target lowers its fourth-quarter financial projections, saying sales were “meaningfully weaker-than-expected”

Current estimates of the total financial impact to Target: $200 million

Target provided affected individuals with 12 months of identity theft protection and insurance coverage

110M user accounts compromised, exposing credit and debit card numbers, CVN numbers, names, home addresses, e-mail addresses and/or phone numbers

Page 22: Cyber ID Sleuth Data Security Forensics


“Ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system.”

Molly Snyder, Target Corporation, January 2014

Page 23: Cyber ID Sleuth Data Security Forensics


Email Attack on Vendor Set Up Breach at Target*

* Source: http://krebsonsecurity.com/

The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.

KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa.  

Page 24: Cyber ID Sleuth Data Security Forensics


ANATOMY OF A SPEARPHISHING ATTACK

1. Target Victim
2. Install Malware
3. Access Network
4. Collect & Transmit Data
5. Breach Event

Page 25: Cyber ID Sleuth Data Security Forensics


THE PROFILE OF AN ATTACKER

The malware used to hack Target’s POS system was written by a Ukrainian teen

• Andrey Hodirevski from southwest Ukraine carried out the attack from his home

• The card details that he stole were sold through his own forum as well as other communities

• CyberID-Sleuth™ investigated the breach when it occurred and was able to verify various discussions and identifiers pointing to this suspect

Page 26: Cyber ID Sleuth Data Security Forensics


Page 27: Cyber ID Sleuth Data Security Forensics


Definition

An Internet service provider (ISP, also called Internet access provider) is a business or organization that offers users access to the Internet and related services.

Source: http://en.wikipedia.org/wiki/Internet_service_provider#Access_providers

Page 28: Cyber ID Sleuth Data Security Forensics


a.k.a: the “CLOUD”

Page 29: Cyber ID Sleuth Data Security Forensics


Page 30: Cyber ID Sleuth Data Security Forensics


The Internet “Web” Topography

Page 31: Cyber ID Sleuth Data Security Forensics


Can you identify what these numbers are?

Page 32: Cyber ID Sleuth Data Security Forensics


IP Tracer Source: http://www.ip-adress.com/ip_tracer/

Page 33: Cyber ID Sleuth Data Security Forensics


An IP Address gives the hacker access to your computer to run command and control botnet malware – you have been breached!

Page 34: Cyber ID Sleuth Data Security Forensics


CyberID-Sleuth™ PROVIDES MORE THAN AUTOMATED ALERTS

Credential Monitoring: Identifying email addresses from a corporate domain that have been hacked, phished, or breached

IP Address Scanning: Identifying devices in a corporate network connected to a known malware command and control server

Doxing awareness and hacktivist activity monitoring

Locating the individuals and exchanges involved in intellectual property theft

Hacks, exploits against networks, glitches, leaks, phishing/keylogging monitoring

Identification of communities targeting brands, networks or IP addresses

Identification of intellectual property distribution

Identification of individuals posing a risk to any IP address

Page 35: Cyber ID Sleuth Data Security Forensics


CyberID-Sleuth™ IDENTIFIES AND PROVIDES EARLY WARNING AT TWO POINTS

CyberID-Sleuth™ scours botnets, criminal chat rooms, blogs, websites and bulletin boards, Peer-to-Peer networks, forums, private networks, and other black market sites 24/7, 365 days a year.

CyberID-Sleuth™ harvests 1.4 million compromised credentials per month.

Dark Web: CyberID-Sleuth™ identifies your data as it accesses criminal command-and-control servers from multiple geographies that national IP addresses cannot access.

CyberID-Sleuth™ harvests 7 million compromised IP addresses every two weeks.

Page 36: Cyber ID Sleuth Data Security Forensics


Page 37: Cyber ID Sleuth Data Security Forensics


REMEMBER WHAT THESE ARE?

Page 38: Cyber ID Sleuth Data Security Forensics


Zeus Infection targeted towards multiple entities within the Hotel Industry within India

CyberID-Sleuth™ identified a targeted Zeus campaign which appears to have been focused and distributed to Hotel chains, mainly within the India region. The attack in question caused active compromises against a number of systems.

CyberID-Sleuth™’s main focus is the type of data often held within Reservation and other Hotel systems. Personal information such as credit card data, as well as passport scans or copies, is often held on Hospitality systems, and the data identified next highlights that these same systems are compromised and under direct control of malicious actors.

CyberID-Sleuth™ CASE STUDY ACTUAL CREDENTIAL DATA

Page 39: Cyber ID Sleuth Data Security Forensics


CyberID-Sleuth™ IDENTIFIES ACTUAL MALWARE VARIANT

Infection Type: Zeus Infection - V2.1
Payload: Theft of all credentials, key logging of all data, remote access to devices
Total Infection Count: 487
Total Credential Count: 12894 (including duplicates)
Command and Control (C2) Domain: matphlamzy.com

Page 40: Cyber ID Sleuth Data Security Forensics


CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA

bwstarhotel.com - 111.68.31.202

,('92', 'RSV1_E532648A3D69E5DE', '-- default --', '33619969', '', '', '1394590108', '7557047', '0', '±\0\0', '1033', 'C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE', 'RSV1\\owner', '101', 'pop3://[email protected]:starrsv1*@116.251.209.92:110/', '111.68.31.202', 'ID', '1394590104')

The data extracted and listed on these pages relates to valid and legitimate accounts which are still active. These are not passwords taken from breach events or other untrusted sources. They are taken directly from devices that are still infected/compromised!

Page 41: Cyber ID Sleuth Data Security Forensics


CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA

bwmegakuningan.com - 139.0.16.90

('447', 'USER-PC_E532648A9824115F', '-- default --', '33619969', '', '', '1394593039', '162643491', '0', '±\0\0', '1033', 'C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE', 'user-PC\\user', '101', 'pop3://[email protected]:[email protected]:110/', '139.0.16.90', 'DE', '1394593037')

Page 42: Cyber ID Sleuth Data Security Forensics


CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA

townsquare.co.id - 180.250.172.36

('453', 'RESERVATION_1F3D59E96522DF69', '-- default --', '33619969', '', '', '1394592970', '14267024', '0', '± \0', '1033', 'C:\\Program Files (x86)\\Microsoft Office\\Office12\\OUTLOOK.EXE', 'TSPDC\\vitha', '101', 'pop3://[email protected]:[email protected]:110/', '180.250.172.36', 'ID', '1394593095')
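A small parser for records in the shape shown on the three slides above, as an added example (not code from the slides or from the CyberID-Sleuth product). It redacts the stolen secret and flags mailboxes that belong to a monitored domain, the credential-monitoring use described on page 34. The column positions are an assumption read off the visible records; the sample records, hostnames, IP addresses (RFC 5737 ranges) and passwords are constructed.

```python
"""Parse stolen-credential records in the shape shown on these slides,
redact the secret, and flag mailboxes that belong to a monitored domain.

Added example: not code from the slides or from the CyberID-Sleuth product.
The column positions are an assumption read off the visible records; the
sample records, hostnames, IP addresses (RFC 5737 ranges) and passwords are
constructed for illustration.
"""
import ast
from dataclasses import dataclass
from datetime import datetime, timezone

# Column positions as they appear in the slides' records (assumed layout).
COL_BOT_ID, COL_APP_PATH, COL_WIN_ACCOUNT = 1, 11, 12
COL_URL, COL_VICTIM_IP, COL_COUNTRY, COL_TS = 14, 15, 16, 17


@dataclass
class StolenCredential:
    bot_id: str             # identifier the bot assigned to the infected host
    app_path: str           # application the credential was lifted from
    windows_account: str    # DOMAIN\user on the infected device
    scheme: str             # pop3, imap, http, ...
    username: str           # usually a full mailbox address
    password_redacted: str  # never carry the clear secret into alert output
    server: str
    port: int
    victim_ip: str
    country: str
    seen_at: datetime


def redact(secret):
    """Replace the secret with a marker that only reveals whether one was present."""
    return "[REDACTED]" if secret else "[none]"


def split_credential_url(url):
    """Split 'scheme://user:pass@host:port/' by hand.

    The stolen username is normally an e-mail address, so it contains an
    '@' of its own; splitting on the LAST '@' keeps the mailbox intact.
    (urllib.parse.urlsplit rejects this shape on recent Python versions.)
    """
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError(f"not a credential URL: {url!r}")
    userinfo, _, hostport = rest.rstrip("/").rpartition("@")
    username, _, password = userinfo.partition(":")   # password may itself contain ':'
    host, _, port = hostport.partition(":")
    return scheme, username, password, host, int(port) if port else 0


def parse_record(line):
    """Parse one record line (a SQL VALUES-style tuple of quoted strings)."""
    text = line.strip().lstrip(",").strip()   # some lines carry a leading ','
    fields = ast.literal_eval(text)           # the tuple is a valid Python literal
    scheme, user, pw, host, port = split_credential_url(fields[COL_URL])
    return StolenCredential(
        bot_id=fields[COL_BOT_ID], app_path=fields[COL_APP_PATH],
        windows_account=fields[COL_WIN_ACCOUNT], scheme=scheme, username=user,
        password_redacted=redact(pw), server=host, port=port,
        victim_ip=fields[COL_VICTIM_IP], country=fields[COL_COUNTRY],
        seen_at=datetime.fromtimestamp(int(fields[COL_TS]), tz=timezone.utc),
    )


def monitored_hits(lines, monitored_domains):
    """Return the parsed records whose mailbox domain is one we monitor."""
    watch = {d.lower().lstrip("@") for d in monitored_domains}
    hits = []
    for line in lines:
        cred = parse_record(line)
        domain = cred.username.rpartition("@")[2].lower()
        if domain in watch:
            hits.append(cred)
    return hits


# Constructed sample records (same layout as the slides, invented values).
SAMPLE_RECORDS = [
    r""",('92', 'RSV1_EXAMPLE000001', '-- default --', '33619969', '', '', '1394590108', '7557047', '0', '±\0\0', '1033', 'C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE', 'RSV1\\owner', '101', 'pop3://reservations@example-hotel.test:Example-Pw-1@203.0.113.10:110/', '198.51.100.7', 'ID', '1394590104')""",
    r"""('453', 'USER-PC_EXAMPLE000002', '-- default --', '33619969', '', '', '1394593039', '162643491', '0', '±\0\0', '1033', 'C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE', 'user-PC\\user', '101', 'pop3://frontdesk@other-hotel.test:Example-Pw-2@203.0.113.20:110/', '198.51.100.8', 'DE', '1394593037')""",
]

if __name__ == "__main__":
    for hit in monitored_hits(SAMPLE_RECORDS, ["example-hotel.test"]):
        print(f"{hit.seen_at:%Y-%m-%d %H:%MZ} {hit.username} on {hit.windows_account} "
              f"({hit.app_path}) -> {hit.scheme}://{hit.server}:{hit.port} "
              f"password={hit.password_redacted}")
```

The victim IP, Windows account and application path are what a responder needs to find and reimage the infected device; the mailbox and server identify which account password to rotate.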

Page 43: Cyber ID Sleuth Data Security Forensics


CyberID-Sleuth™ CASE STUDY ANATOMY OF THE FINDINGS

Q. How many credit cards were captured?

Over 257 unique credit cards were stolen during the attack. CyberID-Sleuth™ identified the botnet, which was made up of infected devices.

Q. Specifically what data did it steal and report back that you could see?

CyberID-Sleuth™ could see EVERYTHING that was entered on a user’s device or saved as a password or credential.

Q. How much did this breach cost the client?

No “price” could be put on the damage caused to a victim after a fraudster has stolen their credentials. The data stolen would allow the fraudster access to internal systems, either via the stolen credentials or via backdoor access to affected systems.

Page 44: Cyber ID Sleuth Data Security Forensics


CyberID-Sleuth™ CASE STUDY ANATOMY OF THE FINDINGS

Q. What data about the attacker were we able to find?

Limited details. Information about the attackers is not shared with clients unless it was a directed attack, and is only shared with US and UK law enforcement.

Q. How did the authorities use the data to capture the intruders?

The individual responsible for running the botnet in question is so far still at large.

Page 45: Cyber ID Sleuth Data Security Forensics


CyberID-Sleuth™ Credential Monitoring Demo *

* Let us see if your credentials are for sale, at no obligation

Tier I

Page 46: Cyber ID Sleuth Data Security Forensics


A STANDARD RESPONSE TIMELINE SHOULD BE FOLLOWED

Plan Ahead By Forming a Breach Response Plan

Assessment Efforts (Incident Detection / Discovery):

• Initial internal reporting, notifications, and security triage of the “event”

• Activate technical / security focused breach response team processes and procedures based on Data Breach Plan

• Determine total scope of event, size of affected population, type of data lost or compromised, necessary legal and industry specific guidelines

• Implement Breach Response Plan

Remediation Efforts (Incident Notification & Resolution):

• Determine Organization’s Public Response Plan (including notification type, verbiage, and remediation offering if any)

• Prepare Internal and External Communication Plan & Copy

• Contact and or activate contract with Data Breach Remediation Vendor

• Establish internal or third party communication channel to affected population

• Coordinate Breach Notification Copy and Distribution with Breach Remediation Vendor

• Notification Capabilities Go Live

• Internal and External Communication of Event, Reaction, and Remediation

CyberID-Sleuth Tiers II & III

Page 47: Cyber ID Sleuth Data Security Forensics


THE COSTS OF A DATA BREACH ARE VARIED

• Detection or Discovery: ”Activities that enable a company to reasonably detect the breach of personal data either at risk (in storage) or in motion”

• Escalation: ”Activities necessary to report the breach of protected information to appropriate personnel within a specified time period.”

• Notification: physical mail, e-mail, general notice, telephone

• Victim Assistance: card replacement, credit monitoring offer, identity theft protection offer, access to customer service representatives

• Churn of existing customers / personnel

• Future diminished acquisition of customers or employees

Page 48: Cyber ID Sleuth Data Security Forensics


RECOMMENDATIONS TO REDUCE DATA BREACH EXPOSURE & COSTS

• Promote employee data management training & education

• Require the GC / CISO and their teams to understand industry, state, federal, and event-specific data breach response guidelines and recommendations

• Establish an internal data breach response plan and process flow

• Prior to a data breach event, contract with a data breach remediation, notification, and/or forensics provider

• Utilize and maintain available data loss prevention technologies such as CyberID-Sleuth™

• Require advanced encryption and authentication solutions to be in place across the organization

• Contractually require vendors who manage data from your organization to notify you if they incur a breach of any data

• Support enactment of legislation that clearly dictates rules and guidelines for organizations to follow in advance of, and following, a data breach event

Page 49: Cyber ID Sleuth Data Security Forensics


Take this 20 Question Assessment to Score Your Risk Level

Give us a call and we can even do this over the phone!

Page 50: Cyber ID Sleuth Data Security Forensics


1. Remember to ask us for a no-obligation credential search for your enterprise

2. Allow us to give you your 20 Question Assessment Score on your risk level

Email your questions to [email protected], or to request the two no-obligation services listed above.