Credit Card Compromise
Case Scenario by John Mallery
Scenario
Client calls and says they have an issue
They have been notified by the USSS (U.S. Secret Service) that they have had
credit cards compromised through a “common point of purchase” investigation
They provide you with a hard drive only
They want to identify if a “hack” has taken place
What do you do?
Process
Initial Issues and Questions
How do you know whether you have the correct drive?
What about date and time stamps? Are they valid? Why or why not?
Process
Where do you begin?
Forensically image drive
Develop an approach
What do you look for?
Investigation
Forensically copy drive
Run Searches on the following:
Credit card numbers – identify if they are in plain text
IP addresses of the system
Logs
Software installed
Internet history
Investigation
Online storage sites
Removable drives
Test SAM database for missing passwords
Credit Card Numbers
Grep Expression
Identifies possible credit card numbers
How can they be validated?
Which one is a valid credit card number?
4012 8888 8888 1881
5432 1234 5411 1111
5454 5454 5454 5454
Credit Card Numbers
Adhere to a strict format
Card Type           Prefix      Length
Visa                4           16
MasterCard          51-55       16
American Express    34, 37      15
Discover            6011, 65    16
Luhn Algorithm (Mod10)
Starting with the rightmost digit (which is the check digit) and moving left, double the value of every second digit (the check digit itself is not doubled).
If a product results in two digits, subtract 9.
Add all the numbers together.
The result should be divisible by 10.
An example
4012 8888 8888 1881
Digits:                                    4 0 1 2 8 8 8 8 8 8 8 8 1 8 8 1
Double every second digit from the right:  8 0 2 2 16 8 16 8 16 8 16 8 2 8 16 1
Two-digit products minus nine:             8 0 2 2 7 8 7 8 7 8 7 8 2 8 7 1
Sum equals 90, which is divisible by 10
Valid number
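Added example, not from the presentation: the three steps above (the grep-style search for candidate numbers, the prefix/length issuer table, and the Luhn check) combined into one Python script that can be run offline over a text dump from the image. The regular expression, function names and the sample text are my own assumptions; the sample text is constructed from the three numbers on the quiz slide plus a phone number that must not be reported.

```python
import re

# Coarse "grep expression" for candidate card numbers: 13 to 19 digits,
# optionally separated by single spaces or dashes. It only finds
# candidates; luhn_valid() and identify_issuer() do the filtering.
CCN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer table from the slides: (issuer, accepted prefixes, accepted lengths)
ISSUERS = [
    ("Visa", ("4",), (16,)),
    ("MasterCard", ("51", "52", "53", "54", "55"), (16,)),
    ("American Express", ("34", "37"), (15,)),
    ("Discover", ("6011", "65"), (16,)),
]


def luhn_total(digits):
    """Mod-10 sum as worked on the slide: walking left from the check digit,
    double every second digit, subtract 9 from any two-digit product, add."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right; i == 0 is the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(digits):
    return digits.isdigit() and luhn_total(digits) % 10 == 0


def identify_issuer(digits):
    """Match against the prefix/length table; None means no listed issuer fits."""
    for issuer, prefixes, lengths in ISSUERS:
        if digits.startswith(prefixes) and len(digits) in lengths:
            return issuer
    return None


def find_card_numbers(text):
    """Return (raw match, digits only, luhn ok, issuer) for each candidate."""
    hits = []
    for m in CCN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        hits.append((m.group(0), digits, luhn_valid(digits), identify_issuer(digits)))
    return hits


# Constructed sample input: the three numbers from the quiz slide plus a
# phone number that the pattern must not report.
SAMPLE_TEXT = (
    "tx 4012 8888 8888 1881 approved; tx 5432 1234 5411 1111 declined; "
    "tx 5454545454545454 approved; call 816-555-0100"
)

if __name__ == "__main__":
    for raw, digits, ok, issuer in find_card_numbers(SAMPLE_TEXT):
        print(f"{raw!r:24} luhn={'pass' if ok else 'FAIL'} issuer={issuer}")
```

Running it shows why the quiz needs more than the Luhn check: two of the three slide numbers pass mod 10, so the issuer table and the surrounding context (is the string next to a transaction record?) still have to be applied before a string is counted as a compromised card number.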
Who is the issuer?
Online Credit Card Validator – would you use it?
Credit Card Validator
Credit Card Verifier Software
Test and verify its functionality before using it on suspect credit card numbers:
Disconnect from the Internet
Start Process Monitor
..\..\CCN\ProcessMonitor\Procmon.exe
Test on dummy CCNs and watch what the tool does in Process Monitor
Initial Results
Found numerous numeric strings in plain text that appeared to be credit card numbers
Publicly routable IP address
Nothing of relevance in logs
No functioning antivirus applications
pcAnywhere (remote control software) installed
Initial Results
Internet history – lots of visits to non-business sites – YouTube, MySpace, eBay and personal surfing.
Removable drives had been used.
Administrator account with no password.
Answer Found?
Have we identified whether the system had been hacked?
What is the next step?
Boot the Image
Boot the image
How?
LiveView - http://liveview.sourceforge.net/
LiveView
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.
LiveView
What Do I Need To Run Live View?
VMware Server full install (free download) or VMware Workstation 5.5 (30-day trial)
Java Runtime Environment (http://www.java.com/getjava/)
VMware Disk Mount Utility (http://www.vmware.com/download/eula/diskmount_ws_v55.html)
A Microsoft Windows machine (XP, 2000, or 2003)
Some bit-for-bit disk images
LiveView
Demo (Maybe)
SIFT Workstation
SANS Investigative Forensic Toolkit
https://forensics.sans.org/community/downloads/index.php
Need SANS portal account for downloads
Large file (1.35 GB)
VFC – Virtual Forensic Computing
Commercial Product
VFC
Mount Image Pro
http://www.mountimage.com/
VMWare Player, Workstation or Server
Demo
Benefits of Booting Image
Identify Open ports
netstat and fport
Identify running processes
Pslist
Identify services
Psservice
Programs scheduled to run at startup
Autoruns and msconfig
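Added example, not from the presentation: a Python script that parses the output of netstat -ano and tasklist /FO CSV (the same kind of listing netstat, fport and pslist produce once the image is booted), joins each listening socket to its owning process, and flags default remote-control ports. The sample output and process names are constructed for the example, the port table (pcAnywhere TCP 5631 data / UDP 5632 status, Remote Desktop TCP 3389, VNC TCP 5900) uses the products' standard defaults, and the function names are mine.

```python
import csv
import io

# Constructed sample in the format of "netstat -ano" on Windows XP/2003
# (not captured from the case system).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1188
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       1560
  TCP    192.168.1.20:1043      203.0.113.7:80         ESTABLISHED     2044
  UDP    0.0.0.0:5632           *:*                                    1560
  UDP    127.0.0.1:123          *:*                                    1036
"""

# Constructed sample in the format of "tasklist /FO CSV".
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"inetinfo.exe","1188","Console","0","9,452 K"
"awhost32.exe","1560","Console","0","6,120 K"
"iexplore.exe","2044","Console","0","31,004 K"
"svchost.exe","1036","Console","0","4,216 K"
"""

# Default ports of remote-control services worth a second look. Assumption:
# the products' standard defaults; confirm against the binary that owns the port.
REMOTE_CONTROL_PORTS = {
    ("TCP", 5631): "pcAnywhere data",
    ("UDP", 5632): "pcAnywhere status",
    ("TCP", 3389): "Remote Desktop",
    ("TCP", 5900): "VNC",
}


def parse_netstat(text):
    """One dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])      # UDP lines have no State column
        host, _, port = local.rpartition(":")   # rpartition also handles [::]:80
        sockets.append({"proto": proto, "host": host, "port": int(port),
                        "foreign": foreign, "state": state, "pid": pid})
    return sockets


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def triage_sockets(netstat_text, tasklist_text):
    """Listening TCP ports and bound UDP ports, each joined to its process
    and annotated if it is a known remote-control default."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for s in parse_netstat(netstat_text):
        if s["proto"] == "TCP" and s["state"] != "LISTENING":
            continue                            # outbound/established sockets are a separate question
        findings.append({
            "proto": s["proto"],
            "port": s["port"],
            "pid": s["pid"],
            "process": procs.get(s["pid"], "<unknown pid>"),
            "note": REMOTE_CONTROL_PORTS.get((s["proto"], s["port"]), ""),
        })
    return findings


if __name__ == "__main__":
    for f in triage_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        flag = f"  <-- {f['note']}" if f["note"] else ""
        print(f"{f['proto']:3} {f['port']:5} pid={f['pid']:<5} {f['process']}{flag}")
```

The point of joining the two listings is the one the slides make about PC Anywhere: an open port by itself is a lead, but the owning process, located on the image, is what lets the examiner open its configuration and judge whether any security was in place.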
Additional Results
Port 80 open
Additional ports open – remote control programs
Opened pcAnywhere – identified configuration settings and cracked the password; no security mechanisms implemented
In addition – no firewall on the system or on the network
Router – default username and password
End Result
18,880 credit card numbers compromised
POS application known to have stored CCNs in plain text. A patch existed; the vendor never applied it.
Costs – fines, investigation, legal fees
Client hopes to recover costs from the vendor’s insurance company.
Toys
WFA
UserAssist:
The data about frequently used programs is kept in the registry under this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
The value names under this key are ROT13-encoded; Didier Stevens’ UserAssist program decodes and displays the data found there
http://blog.didierstevens.com/programs/userassist/
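Added example, not from the presentation and not Didier Stevens’ code: a Python decoder for one UserAssist entry, showing what the tool above does for the examiner. It assumes the Windows XP/2003 value layout (16 bytes: session id, run counter, last-run FILETIME, little-endian) and that the XP counter starts at 5, both taken from published analysis of the key; later Windows versions use a longer record this parser does not handle. The sample entry is constructed, and the function names are mine.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption: XP/2003 "Count" values are 16 bytes, little-endian:
# session id (4), run counter (4), last-run FILETIME (8). The counter
# starts at 5 on XP, so the real number of runs is counter - 5.
XP_RECORD = struct.Struct("<IIQ")
XP_COUNTER_BASE = 5


def filetime_to_datetime(ft):
    # integer division keeps the conversion exact for large values
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(name):
    """Value names under the UserAssist GUID Count subkeys are ROT13-obfuscated."""
    return codecs.decode(name, "rot_13")


def parse_xp_count_value(data):
    """Unpack one XP-format Count value into session, run count and last run."""
    if len(data) != XP_RECORD.size:
        raise ValueError(f"expected {XP_RECORD.size}-byte XP record, got {len(data)}")
    session, counter, ft = XP_RECORD.unpack(data)
    return {
        "session": session,
        "run_count": max(counter - XP_COUNTER_BASE, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,   # zero FILETIME: never recorded
    }


def decode_userassist_entry(name, data):
    entry = {"name": decode_userassist_name(name)}
    entry.update(parse_xp_count_value(data))
    return entry


# Constructed sample entry (not from the case): ROT13 of
# UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe, counter 12 (= 7 runs),
# last run 2008-06-15 14:30:00 UTC
SAMPLE_NAME = r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr"
SAMPLE_DATA = XP_RECORD.pack(
    1, 12, datetime_to_filetime(datetime(2008, 6, 15, 14, 30, tzinfo=timezone.utc)))

if __name__ == "__main__":
    e = decode_userassist_entry(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{e['name']}  runs={e['run_count']}  last={e['last_run']:%Y-%m-%d %H:%M:%S} UTC")
```

In this case the value of the key is the run history of user-launched programs: a remote-control host or a card-harvesting tool started from the console shows up here with a count and a last-run time even after the program has been removed.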