Hacking Forensics
Security Awareness Seminar

Welcome

Seminar Agenda
• 7.00 - 8.00 (Presentation on Security)

Copyright © 2005-2007, Krishna Rajagopal.

To Stop a Hacker is to Think Like One!

Hacking & Forensics
Presented by Krishna Rajagopal
CEO, XtremeSecurity

About the speaker
• Krishna Rajagopal from Malaysia.
• Industry certifications: various certifications from Microsoft, Cisco, Sun, Adobe, EC-Council, etc.
• Consultant to enforcement bodies in Malaysia, Saudi Arabia and the Philippines.
• Projects in Asia-Pacific, Europe, the Middle East, the USA and the Caribbean.

Seminar Objectives
• Provide insight into current efforts and future plans for corporate network security via ethical hackers.
• Provide a helpful perspective on the nature of today's Internet security risk.
• Provide guidelines for achieving the goal of rock-solid networks.
• Demonstrate how simple, and how dangerous, hacking really is.

Presentation Outline
Part 1: Hacking, Am I A Virgin?
Part 2: To Hack or Not to Hack...
Part 3: Forensics – Catch Me If You Can
Part 4: Q & A

Part 1: Hacking, Am I A Virgin?

Introduction: Why Security?

Every day, all over the world, computer networks and hosts are being broken into. The level of sophistication of these attacks varies widely.
Although it is generally believed that most break-ins succeed because of weak passwords, a large number of intrusions still use more advanced techniques.
Less is known about the latter type of break-in because, by its very nature, it is much harder to detect.

• 90% of large companies and government agencies had computer security breaches in 2002.
• The incidence of hacking, and the associated financial loss, is far greater than what has been reported in the media.
• The majority of hacking incidents are covered up to protect reputation.
• Even when companies call in investigators once they suspect their systems have been infiltrated, they are extremely reluctant for any external party to learn how much damage has really been caused.
Source: 2002 CSI/FBI Computer Crime and Security Survey

Meet Jim Fountain
He assassinated political leaders in Vietnam. He monitored Russian missile silos during the Reagan administration, and he set up communications systems in Eastern Europe during the Cold War. If you hire Jim Fountain today, he won't kill people for you, but he'll do what many corporations around the world are asking him to do: spy on the competition.
"Companies are employing former government and military men like me more and more to gain a competitive edge on their rivals."

Real Instance
Microsoft's main competitor, Bay Area computer firm Oracle, hired an intelligence company and a private investigator to search the trash of its rival. Oracle also tried to bribe Microsoft janitors for $1,200. It's our "civic duty," said brazen Oracle CEO Larry Ellison at the time.
Boeing are being toasted by their competitor Airbus right now, because of Airbus' superb intelligence-gathering.

Statistics
• Fortune 1,000 companies lost more than $45 billion from the theft of proprietary information in 2002.
• The majority of those hacking incidents hit tech companies.
• 67 individual attacks, with an average theft of $15 million in losses.

Hey! Those are old statistics! What happened in 2003, 2004, etc.?
• The reported damage estimate from the LoveLetter virus is as much as $10 billion.
• The reported damage estimate from the Melissa virus was $385 million.
• Including hard and soft dollar figures, the true cost of virus disasters is between $100,000 and $1 million per company.
From ICSA.Net, 23 October 2000, http://www.securitystats.com/reports.asp, Computer Virus Prevalence Survey

Unauthorized Use of Computers
(Chart. Source: CSI/FBI Survey 2005)

Financial Implications of Security Breaches
(Chart. Source: CSI/FBI Survey 2005)

Action Adopted by the Victims
(Chart)

Reasons Why Organizations Did Not Report the Crime
(Chart)

Befriending the insider
• Teaming up with an insider or planting someone within the organization.
• A recent U.S. Treasury Department analysis noted that more than 60 percent of reported computer intrusions involved an insider.
• One kind of insider is a person who may have stumbled upon a glitch unknown to system administrators.

External Attacks Most Frequent
Frequent Points of Attack (percent of respondents; source: 2000 CSI/FBI Computer Crime and Security Survey)
• Internet connection: 59%
• Internal systems: 38%
• Greater use of the Internet: tools and techniques evolve to enable new opportunities for attack.

20-Year Trend: Stronger Attack Tools
(Chart: relative technical complexity of hacking tools rising against the knowledge of the average intruder, 1980-1995. Source: GAO Report to Congress, 1996.)
Techniques shown: self-replicating code; password guessing; exploiting known vulnerabilities; password cracking; back doors; disabling audits; sniffers / sweepers; hijacking sessions; packet forging / spoofing; GUI; stealth diagnostics.

Trend Has Continued
(Chart: relative technical complexity of hacking tools against the "kiddie scripter", 1998-2001.)
Tools shown: Windows remote control; Trinoo; Melissa; DDoS; insertion tools; Stacheldraht; PrettyPark.

Part 2: To Hack Or Not To Hack ...

Hacker Skills
Hacker Technologies
A skilled hacker will possess the following skills:
– Internet Engineering: TCP/IP, NFS, wireless networks, GPRS
– System Administration: Windows 2000, Linux, Solaris, Palm OS, etc.
– Network Management: SNMP, Tivoli, HP OpenView, switches, routers, etc.
– Reverse Engineering: decompilers, circuit breakers
– Distributed Computing: J2EE, RPC, CORBA, Web Services
– Cryptography: SSL, PKI, digital certificates
– Social Engineering: charming people, sweet talking, human deception techniques
– Programming: C++, Java, Perl, JavaScript, HTML, ASP
– Databases: SQL Server, Oracle, DB2, MySQL

Hacking Tools
Hacker Underground Web Site: http://www.cleo-and-nacho.com
Hacking tools are available at various camouflaged underground websites.
Hacking tools become more and more sophisticated and powerful in terms of:
• Efficiency
• Distribution
• Stealth
• Automation
• User friendliness

Hacking Tools are Available from Google
These hacking tools can be easily downloaded from the Internet, so:
• Hacker tool ability increases.
• Knowledge required of the hacker decreases.
• Population of hackers increases.
• Some day, even an elementary school kid may hack into your system.

Host
Your host does not need to be as famous as Yahoo or eBay to be targeted:
• They need a place to hide their traces.
• They need your host as a stepping stone to hack other sites.
• They need your host's resources to carry out their activities.

The Threats: How They Hack In
• Your host's security weaknesses can be identified by a scanning tool.
• The security of any network on the Internet depends on the security of every other network.
• No network is really secure.

General Steps
• Locate the victim host with a scanning program.
• Identify the victim host's vulnerability.
• Attack the victim host via this vulnerability.
• Establish backdoors for later access.

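The first two of those general steps, as an added example that is not part of the seminar deck: a TCP connect scan that grabs whatever banner each open port volunteers and matches it against a table of vulnerable product versions. Everything here is constructed for the demo: the "victim" is a throw-away listener the script starts on 127.0.0.1, and VULN_DB is a hypothetical banner-to-weakness table, not real advisory data. The same shape (connect, collect banner, compare against a signature list) is what scanner tools do at scale, and the silent-service case shows why an empty banner is still a finding.

```python
# Added example, not code from the seminar deck: the first two "General Steps"
# (locate a host with a scanner, identify its vulnerability) as a TCP connect
# scan with banner grabbing. The target is a throw-away listener on 127.0.0.1
# started by this script, and VULN_DB is a made-up banner-to-weakness table,
# not real advisory data.
import socket
import threading
from typing import Dict, List, Optional

# Hypothetical banner substring -> weakness (constructed for the demo).
VULN_DB = {
    "ExampleFTP 1.0": "constructed: pre-auth buffer overflow in ExampleFTP 1.0",
    "ExampleSSH 2.1": "constructed: predictable host key in ExampleSSH 2.1",
}


def start_fake_service(banner: bytes, port: int = 0) -> int:
    """Listen once on 127.0.0.1, send `banner` to the first client, then exit.
    Returns the bound port (0 lets the OS pick a free one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Step 1, one port: None if closed or filtered; otherwise whatever the
    service volunteers within `timeout` ("" for a silent service)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            return data.decode("ascii", errors="replace").strip()
    except OSError:  # connection refused and socket timeouts are both OSError
        return None


def fingerprint(banner: str) -> Optional[str]:
    """Step 2: match the banner against VULN_DB by substring; None if no hit."""
    for product, issue in VULN_DB.items():
        if product in banner:
            return issue
    return None


def scan(host: str, ports: List[int]) -> Dict[int, Dict[str, Optional[str]]]:
    """Report only the open ports, each with its banner and any VULN_DB hit."""
    findings: Dict[int, Dict[str, Optional[str]]] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            findings[port] = {"banner": banner, "issue": fingerprint(banner)}
    return findings


def free_closed_port() -> int:
    """A port that is closed right now, so the scan has a negative case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ftp = start_fake_service(b"220 ExampleFTP 1.0 ready\r\n")
    silent = start_fake_service(b"")  # open, but says nothing
    for port, info in scan("127.0.0.1", [free_closed_port(), ftp, silent]).items():
        print(port, info)
```

On the defensive side the same observation applies in reverse: a banner that names product and version hands the attacker step 2 for free, so services that can be configured to withhold it should be, and the scan itself (many connects to many ports from one source in a short window) is exactly what a perimeter IDS should alert on.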
General Prevention
• Test and apply service packs and hotfixes.
• Run and maintain antivirus software.
• Run an intrusion detection system at the perimeter of your network.
• Block all messages containing *.exe, *.vbs or *.dll attachments.
• Reinstall infected systems.

How do PCs get infected?
Trojan horses
• Animations
• Screen savers
• 'Y2K' utilities
• Video games
Manual insertion
• Through shares
• Physical access
Policy: control hostile code on the desktop.

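The attachment-blocking rule above, as an added example that is not part of the seminar deck. The first function is the rule exactly as the slide states it (decide by the final extension); the second is the check a mail gateway actually needs, because a Trojan dressed up as a screen saver or game rarely arrives as plain `something.exe`: it is renamed, or it is wrapped in a ZIP. The hardened version therefore also sniffs for a Windows PE image by structure and looks one level into archives. The sample attachments and the extra extensions beyond the slide's three are constructed for the demo.

```python
# Added example, not code from the seminar deck: the "block *.exe, *.vbs or
# *.dll attachments" rule from the prevention list, first as the literal
# last-extension check and then hardened. Sample attachments are constructed
# here; the extension list is the slide's three plus a few common extras.
import io
import struct
import zipfile
from typing import Tuple

BLOCKED_EXTENSIONS = {"exe", "vbs", "dll", "scr", "pif", "com", "bat", "cmd"}


def naive_is_blocked(filename: str) -> bool:
    """The rule as written on the slide: decide by the final extension only."""
    return filename.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS


def looks_like_pe(content: bytes) -> bool:
    """Windows executable by structure, whatever the name says: an 'MZ' DOS
    header and the 'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(content) < 0x40 or content[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", content, 0x3C)
    return content[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def hardened_is_blocked(filename: str, content: bytes) -> Tuple[bool, str]:
    """Name check, then content check, then one level into ZIP archives.
    Returns (blocked, reason)."""
    if naive_is_blocked(filename):
        return True, "blocked extension"
    if looks_like_pe(content):
        return True, "PE image regardless of name"
    if content[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                for member in zf.namelist():
                    if naive_is_blocked(member):
                        return True, f"archive contains {member}"
                    if looks_like_pe(zf.read(member)):
                        return True, f"archive member {member} is a PE image"
        except (zipfile.BadZipFile, RuntimeError):
            # Malformed, or password-protected (zipfile raises RuntimeError on
            # read): the filter cannot see inside, so it refuses rather than
            # waving the message through.
            return True, "archive cannot be inspected"
    return False, "allowed"


# Constructed samples: a minimal PE-shaped blob (DOS header, e_lfanew -> 0x40,
# 'PE\0\0' signature) and a helper that builds an in-memory ZIP.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16


def build_zip(member_name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, body in [("setup.exe", b""), ("quarterly.pdf", FAKE_PE),
                       ("photos.zip", build_zip("holiday.jpg.scr", b"x")),
                       ("notes.txt", b"hello")]:
        print(name, naive_is_blocked(name), hardened_is_blocked(name, body))
```

Two caveats for production use: `zf.read()` decompresses the member in memory, so bound the decompressed size before reading (a ZIP bomb is itself a denial-of-service attachment), and nested archives are not followed here; a gateway filter should either recurse to a fixed depth or treat archives-in-archives as uninspectable, like the encrypted case.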
We're All in this Together
(Diagram: end users, network security service providers, and software and system vendors.)

Attack: Corporate Espionage

Scenario (Demo)
Robin is working as a sales executive with a drug manufacturing firm. Despite achieving the set target, he fails to get the remuneration he desires. He feels his loyalty and commitment are not valued by his superiors. A frustrated Robin approaches the rival company for the post of Associate Manager (Sales) that was posted on a job site he had visited.
The manager of the rival company agrees to offer him the job if he can pass them the patent information related to a particular drug. Robin agrees to the condition.

Part 3: Forensics – Catch Me If You Can

What is Computer Forensics?
Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime, and of conducting audits to prevent future attacks.
Computer forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal evidence.
Extremely important in the banking industry!

Thought ...
Beautiful! Finally we have a way to bust those terrible hackers!
Answer: YES!
But... wait a minute!
Don't the hackers know about forensics?
Can they break into a bank and escape with it?
Do you want to know how the hackers can make a fool of forensic experts?

Anti Forensics
C'mon, I CAN'T HEAR YOU!
Do you want to know how the hackers can make a fool of forensic experts?

Forensics – a challenge
• Data is evidence.
• Anti-forensic principles:
1. Data destruction
2. Data hiding
3. Data contraception

Data Destruction
• DFT (The Defiler's Toolkit)
• Inode: Necrofile
• Directory: Klismafile

Data Destruction
# ./ils /dev/hda6
class|host|device|start_time
ils|XXX|/dev/hda6|1026771982
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|\
st_nlink|st_size|st_block0|st_block1
12|f|0|0|1026771841|1026771796|1026771958|1026771958|100644|0|86|545|0
13|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|546|0
14|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|547|0
15|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|548|0
16|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|549|0
17|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|550|0
18|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|551|0
19|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|552|0
20|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|553|0
21|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|554|0
22|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|555|0
23|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|556|0
24|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|557|0
25|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|558|0
26|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|559|0
27|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|560|0
28|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|561|0
29|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|562|0
30|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|563|0
31|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|564|0
32|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|565|0
33|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|566|0
34|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|567|0
35|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|568|0
36|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|569|0
37|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|570|0
#
# ./necrofile -v -v -v -v /dev/hda6
Scrubbing device: /dev/hda6
12 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
13 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
14 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
15 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
16 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
17 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
18 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
19 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
20 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
21 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
22 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
23 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
24 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
25 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
26 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
27 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
28 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
29 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
30 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
31 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
32 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
33 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
34 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
35 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
36 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
37 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f

Data Destruction
# ./ils /dev/hda6
class|host|device|start_time
ils|XXX|/dev/hda6|1026772140
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|\
st_nlink|st_size|st_block0|st_block1
#
• Where is the rest? Data Hiding & Data Contraception?

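What an examiner can still get out of the two `ils` listings above, as an added example that is not part of the seminar deck. The parser assumes the format shown on the slides (The Coroner's Toolkit's `ils`: a class/host/device/start_time header, a field-name line that wraps with a trailing backslash, then one pipe-delimited row per unallocated inode). The two listings are reconstructed from the values on the slides, 26 inodes (12..37) before necrofile and none 158 seconds later, and the two checks are the ones that matter here: a batch of files unlinked in the same second, and deleted-file metadata that vanished between listings.

```python
# Added example, not code from the seminar deck: a parser for the `ils`
# listings above (The Coroner's Toolkit's pipe-delimited format) and two
# checks an examiner would run on them. The listings are reconstructed from
# the values on the slides: 26 inodes (12..37) before necrofile, none after.
from typing import Dict, List

INT_FIELDS = ("st_ino", "st_uid", "st_gid", "st_mtime", "st_atime", "st_ctime",
              "st_dtime", "st_nlink", "st_size", "st_block0", "st_block1")


def parse_ils(text: str) -> Dict[str, object]:
    """Return {'host', 'device', 'start_time', 'records'} with typed fields."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and shell prompts
            continue
        if lines and lines[-1].endswith("\\"):    # re-join a wrapped header line
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)
    if lines[0] != "class|host|device|start_time":
        raise ValueError("not an ils listing")
    _, host, device, start = lines[1].split("|")
    fields = lines[2].split("|")
    records = []
    for row in lines[3:]:
        rec = dict(zip(fields, row.split("|")))
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        records.append(rec)
    return {"host": host, "device": device, "start_time": int(start), "records": records}


def batch_deletions(listing: dict, min_group: int = 5) -> Dict[int, List[int]]:
    """Deleted inodes grouped by st_dtime; only groups of min_group or more
    (many files unlinked in one second is a cleanup script, not a user)."""
    groups: Dict[int, List[int]] = {}
    for r in listing["records"]:
        if r["st_alloc"] == "f" and r["st_nlink"] == 0:
            groups.setdefault(r["st_dtime"], []).append(r["st_ino"])
    return {t: inos for t, inos in groups.items() if len(inos) >= min_group}


def vanished_inodes(before: dict, after: dict) -> List[int]:
    """Inodes that carried deleted-file metadata in `before` and are missing
    from `after`. Default ils lists only inodes that still hold metadata, so
    each one was either reused (rule that out with `ils -e`, which lists
    allocated inodes too) or zeroed, which is what necrofile does."""
    seen_after = {r["st_ino"] for r in after["records"]}
    return [r["st_ino"] for r in before["records"] if r["st_ino"] not in seen_after]


def ils_listing(device: str, start_time: int, rows: List[str]) -> str:
    """Build a listing in the format shown on the slides (constructed input)."""
    return ("class|host|device|start_time\n"
            f"ils|XXX|{device}|{start_time}\n"
            "st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|\\\n"
            "st_nlink|st_size|st_block0|st_block1\n" + "".join(rows))


# Reconstructed from the slides: inode 12 modified at 1026771841, 13..37 at
# 1026771842, all 86 bytes, all unlinked at 1026771958, data blocks 545..570.
BEFORE = ils_listing("/dev/hda6", 1026771982, [
    f"{ino}|f|0|0|{1026771841 if ino == 12 else 1026771842}|1026771796|"
    f"1026771958|1026771958|100644|0|86|{533 + ino}|0\n" for ino in range(12, 38)])
AFTER = ils_listing("/dev/hda6", 1026772140, [])


def report(before_text: str, after_text: str) -> Dict[str, object]:
    before, after = parse_ils(before_text), parse_ils(after_text)
    return {
        "seconds_between_listings": after["start_time"] - before["start_time"],
        "batch_deletions": batch_deletions(before),
        "vanished_inodes": vanished_inodes(before, after),
    }


if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```

The point of the second check is that scrubbing the inode table does not remove the fact of scrubbing: a filesystem on which 26 deleted inodes disappear in under three minutes without any reallocation is itself an indicator, and the data blocks those inodes pointed at (545..570 here) are still worth carving, since necrofile as shown only rewrites the inodes. The sample listings are constructed from the slide values; on a real image feed the captured `ils` output straight in.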
Part 4: Any Questions?
Question and Answer

XtremeSecurity

Further trainings
• Certified Ethical Hacker – March 2007
• Computer Hacking Forensics Investigator – TBA
• eBusiness (ERP/CRM/SCM/KM/CM) – TBA
Services
• Ethical Hacking & Penetration Testing
• Enterprise Security Review
• Computer Forensics Investigation

Please direct your enquiries and questions to:
• Services, Training and Exams: Feedback@xtremesecurity.com.hk
• My personal email: Kraj@xtremesecurity.com.hk

Thank You
No Man is an Island. Get Connected!
Thank you for your time.
It is Break Time! Let's have some Coffee.