Credit Card Compromise

Case Scenario by John Mallery
Scenario
• Client calls and says they have an issue
• They have been notified by the USSS that they have had credit cards compromised through a "common point of purchase" investigation
• They provide you with a hard drive only
• They want to identify if a "hack" has taken place
• What do you do?

Process

Initial Issues and Questions
• How do you know whether you have the correct drive?
• What about date and time stamps? Are they valid? Why or why not?
Process
Where do you begin?
• Forensically image the drive
• Develop an approach
• What do you look for?

Investigation
• Forensically copy the drive
• Run searches on the following:
  • Credit card numbers – identify if they are in plain text
  • IP addresses of the system
  • Logs
  • Software installed
  • Internet history
  • Online storage sites
  • Removable drives
  • Test SAM database for missing passwords

Credit Card Numbers
• Grep expression
  • Identifies possible credit card numbers
• How can they be validated?
• Which one is a valid credit card number?
  • 4012 8888 8888 1881
  • 5432 1234 5411 1111
  • 5454 5454 5454 5454

Credit Card Numbers
Credit card numbers adhere to a strict format:

Card Type          Prefix      Length
Visa               4           16
MasterCard         51, 55      16
American Express   35, 37      15
Discover           6011, 65    16
Luhn Algorithm (Mod 10)
• Starting with the rightmost digit (which is the check digit) and moving left, double the value of every second digit (the second, fourth, sixth, ... digit from the right; the check digit itself is not doubled).
• If a product results in two digits, subtract 9.
• Add all the numbers together.
• The result should be divisible by 10.

An example: 4012 8888 8888 1881

Digits                        4  0  1  2  8  8  8  8  8  8  8  8  1  8  8  1
Every second digit doubled    8  0  2  2 16  8 16  8 16  8 16  8  2  8 16  1
Two-digit products minus 9    8  0  2  2  7  8  7  8  7  8  7  8  2  8  7  1

Sum equals 90, which is divisible by 10: valid number
Who is the issuer?
• Online Credit Card Validator – would you use it?
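The search, validation and issuer questions above, worked through in code. This is an added example, not a tool from the slides or from the presenter: the regular expression is my own (the slide mentions a grep expression but does not show it), the sample log text is constructed, and the issuer table uses the standard IIN ranges (Visa 4, MasterCard 51 through 55, American Express 34 and 37, Discover 6011 and 65), which is how the slide's prefix table is normally read. Running it offline, as the slides recommend for any validator, avoids sending suspect numbers to a third party.

```python
"""Added example (not from the slides): find candidate card numbers in text,
validate each with the Luhn (mod 10) check, and name the issuer by prefix and
length.  Assumptions: CANDIDATE_RE is my own; ISSUERS uses standard IIN ranges;
SAMPLE is constructed, not data from the case."""
import re
from typing import Dict, List, Optional

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# (issuer, accepted prefixes, accepted total lengths) - standard IIN ranges.
ISSUERS = [
    ("Visa", ("4",), (13, 16)),
    ("MasterCard", tuple(str(p) for p in range(51, 56)), (16,)),
    ("American Express", ("34", "37"), (15,)),
    ("Discover", ("6011", "65"), (16,)),
]


def luhn_valid(digits: str) -> bool:
    """Mod-10 check as on the slide: walking left from the check digit, double
    every second digit, subtract 9 from two-digit products, sum, and require
    the total to be divisible by 10."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # second, fourth, ... digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_for(digits: str) -> Optional[str]:
    """Return the issuer name for a digit string, or None if no row matches."""
    for name, prefixes, lengths in ISSUERS:
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return None


def find_card_numbers(text: str) -> List[Dict[str, object]]:
    """Every Luhn-valid candidate in `text`, with its issuer (None if unknown)."""
    results = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            results.append({"number": digits, "issuer": issuer_for(digits)})
    return results


if __name__ == "__main__":
    # Constructed sample resembling a plain-text POS log fragment.
    SAMPLE = (
        "txn 1 card=4012 8888 8888 1881 amt=12.50\n"
        "txn 2 card=5432 1234 5411 1111 amt=3.99\n"
        "txn 3 card=5454-5454-5454-5454 amt=80.00\n"
        "phone 5551234567 is not a card\n"
    )
    for hit in find_card_numbers(SAMPLE):
        print(hit)
```

Of the three numbers on the slide, 4012 8888 8888 1881 and 5454 5454 5454 5454 pass the Luhn check (sums 90 and 40); 5432 1234 5411 1111 sums to 41 and fails. A Luhn pass only means the string is well formed, so the grep stage still produces false positives that need the other context the slides list (where the string sits, what application wrote it).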
Credit Card Verifier Software
• Test and verify its functionality before using it on suspect credit card numbers.
  • Disconnect from the Internet
  • Start Process Monitor (..\..\CCN\ProcessMonitor\Procmon.exe)
  • Test on dummy CCNs

Initial Results
• Found numerous numeric strings in plain text that appeared to be credit card numbers
• Publicly routable IP address
• Nothing of relevance in logs
• No functioning antivirus applications
• PCAnywhere
• Internet history – lots of visits to non-business sites (YouTube, MySpace, eBay) and personal surfing
• Removable drives had been used
• Administrator account with no password

Answer Found?
• Have we identified whether the system had been hacked?
• What is the next step?

Boot the Image
• How?
• LiveView – http://liveview.sourceforge.net/

LiveView
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.

LiveView
What Do I Need To Run Live View?
• VMware Server full install (free download) or VMware Workstation 5.5 (30-day trial)
• Java Runtime Environment (http://www.java.com/getjava/)
• VMware Disk Mount Utility (http://www.vmware.com/download/eula/diskmount_ws_v55.html)
• A Microsoft Windows machine (XP, 2000, or 2003)
• Some bit-for-bit disk images
LiveView
• Demo (maybe)
SIFT Workstation
• SANS Investigative Forensic Toolkit – https://forensics.sans.org/community/downloads/index.php
• Need SANS portal account for downloads
• Large file (1.35 GB)

VFC – Virtual Forensic Computing
• Commercial product
• VFC
• Mount Image Pro – http://www.mountimage.com/
• VMware Player, Workstation or Server
• Demo

Benefits of Booting the Image
• Identify open ports: netstat and fport
• Identify running processes: pslist
• Identify services: psservice
• Programs scheduled to run at startup: autoruns and msconfig
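A small parser for the netstat step above, written to surface the kind of finding the later slides report (port 80 open, extra ports belonging to remote-control programs). This is an added example, not part of the slides or of any of the tools named: the netstat output is constructed, and the port table is limited to well-known defaults (HTTP 80, RDP 3389, pcAnywhere TCP 5631, VNC 5900). Anything not in the table is reported as unknown so the examiner still looks at it with fport or pslist.

```python
"""Added example (not from the slides): parse Windows `netstat -an` output
captured from a booted image and label the listening TCP ports.
Assumptions: SAMPLE_NETSTAT is constructed; KNOWN_PORTS holds well-known
default ports only."""
from typing import Dict, List

# Default ports of common web and remote-control services.
KNOWN_PORTS: Dict[int, str] = {
    80: "HTTP (web server)",
    3389: "Remote Desktop (RDP)",
    5631: "pcAnywhere data",
    5900: "VNC",
}

# Constructed sample of `netstat -an` output, not from the case.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:5632           *:*
"""


def listening_ports(netstat_output: str) -> List[int]:
    """Return TCP ports in LISTENING state, sorted and de-duplicated.
    The port is taken after the last ':' so IPv6 forms like [::]:80 also work."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return sorted(ports)


def flag_ports(ports: List[int]) -> Dict[int, str]:
    """Map each port to a service name, or 'unknown' if it is not in the table."""
    return {p: KNOWN_PORTS.get(p, "unknown") for p in ports}


if __name__ == "__main__":
    for port, service in flag_ports(listening_ports(SAMPLE_NETSTAT)).items():
        print(f"{port:>5}  {service}")
```

Run against output saved from the booted image rather than from the examiner's own machine; the point of booting the image is that the listeners belong to the suspect system.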

Additional Results
• Port 80 open
• Additional ports open – remote control programs
• Opened PC Anywhere – identified configuration settings and cracked password; no security mechanisms implemented
• In addition – no firewall on the system or on the network
• Router – default username and password

End Result
• 18,880 credit card numbers compromised
• POS application known to have stored CCNs in plain text. A patch existed; the vendor never applied it.
• Costs – fines, investigation, legal fees
• Client hopes to recover costs from the vendor's insurance company

Toys
• WFA
• UserAssist:
  • The data about frequently used programs is kept in the registry under this key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • This program decrypts and displays the data found in the registry under the UserAssist key
  • http://blog.didierstevens.com/programs/userassist/
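What "decrypts" means for UserAssist, shown in code. This is an added example, not the slides' material and not Didier Stevens' tool: value names under the UserAssist key are ROT13-encoded program paths, and on Windows XP the 16-byte value data holds a session ID, a run counter and a FILETIME of the last run. The registry value below is constructed (a benign notepad.exe path), and the XP layout assumed is DWORD session, DWORD count stored with an offset of 5, then an 8-byte FILETIME; later Windows versions use a longer record, which this example does not parse.

```python
"""Added example (not from the slides or from the UserAssist tool): decode one
XP-style UserAssist registry value.  Assumptions: SAMPLE_NAME and SAMPLE_DATA
are constructed; data layout is <DWORD session><DWORD count+5><FILETIME>."""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(value_name: str) -> str:
    """UserAssist value names are ROT13; ROT13 is its own inverse."""
    return codecs.decode(value_name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_xp_value(value_name: str, data: bytes) -> Dict[str, object]:
    """Decode the name and unpack the 16-byte XP-era data record."""
    if len(data) != 16:
        raise ValueError("expected 16-byte XP-style UserAssist data")
    session, raw_count, ft = struct.unpack("<IIQ", data)
    return {
        "program": decode_name(value_name),
        "session": session,
        "run_count": max(raw_count - 5, 0),  # XP stores the count offset by 5
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


# Constructed sample: ROT13 of "UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe",
# session 3, raw counter 8 (three runs), last run 2009-06-15 12:00 UTC.
SAMPLE_NAME = r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr"
SAMPLE_DATA = struct.pack(
    "<IIQ", 3, 8,
    datetime_to_filetime(datetime(2009, 6, 15, 12, 0, tzinfo=timezone.utc)),
)

if __name__ == "__main__":
    for key, value in parse_xp_value(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key:>10}: {value}")
```

The decoded path and run count are what make this key useful on a case like the one in the slides: a remote-control program or a card-harvesting tool that was launched through Explorer leaves a counter and a last-run time here even when the application's own logs say nothing.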
