Data Security Compliance Advisors
Certified Identity Theft Risk Management Specialists
873 East Baltimore Pike #501
Kennett Square, PA 19348
610-444-5295
www.BTR-Security.com
CyberID-Sleuth™
Data Security Forensics
Prepared by: Robert A. Listerman, CPA, CITRMS
Robert Listerman (Bob) is a licensed Certified Public Accountant in the State of Michigan and has over 30 years of experience as a process improvement business consultant. He graduated from Michigan State University and became a CPA while employed at Touche Ross & Co., Detroit, now known as a member firm of Deloitte & Touche USA LLP.
Bob added the Certified Identity Theft Risk Management Specialist (CITRMS) designation, issued by The Institute of Fraud Risk Management, in 2007. The designation is in recognition of his knowledge and experience in identity theft risk management. Today Bob focuses his practice on data security compliance. Over 50% of identity theft can be traced back to unlawful handling or mishandling of non-public data within the workplace.
Currently Bob serves his professional community as an active Board Member of the Institute of Management Accountants (IMA), Mid Atlantic Council ("IMA-MAC"). He is currently serving as President of IMA-MAC (2011-2013). He is a regular seminar presenter for the IMA, the Pennsylvania Institute of CPAs (PICPA), and the Michigan Association of CPAs (MACPA). Bob serves on, and is a past chair of, the MACPA's Management Information & Business Show committee, which serves over 1000 CPAs in attendance each year. He is Continuing Education Chair of the PICPA's IT Assurance Committee.
Bob serves his local community as a member of the Kennett Township, PA Planning Commission and its Communications, Business Advisory, and Safety Committees. He is an active board member of the Longwood Rotary Club and has served Rotary District 7450 as its Interact Club Chair (Rotary in High School) since 2010.
Past professional and civic duties include serving on the Board of Directors of the Michigan Association of Certified Public Accountants (1997-2000), past board member of the Delaware Chapter of the IMA, and past Chapter President of the IMA Oakland County, Michigan (1994-1995).
www.linkedin.com/in/boblistermanidriskmanager/
A DATA BREACH OF "PII" IS DEFINED AS A FIRST NAME (OR FIRST INITIAL) AND LAST NAME PLUS:
• A Social Security number
• A driver's license number or state-issued ID number
• An account number, credit card number or debit card number, combined with any security code, access code, PIN or password that would permit access to the account
A REAL "BREACH" IS DEFINED AS ANY INTRUDER INTO YOUR ENTERPRISE
• Your trade secrets
• Access to your servers by a "hacktivist" criminal
• Whatever is important to your enterprise
• When a hacker gets anyone's credentials, it is easy for them to build a profile of the individual to gain even more information from social media sites.
• From there they can "spear-phish" more information from the victim OR THEIR CONTACTS!
• Examples of profile building follow:
LOST CREDENTIALS PUT YOU UNDER ATTACK

Name: Lucas Newman
Email: lnewman@firstrepublic.com
Hometown: Portland, Oregon
Occupation: Managing Director and Portfolio Manager
Hashed Password: 16b90b178faff0e3e2f92ec647b50b11
Extraction Date: 12/30/20XX
Extraction Type:
Hack Source:
Name: Robyn Mondin
Email: robyn.mondin@firstcitizens.com
Hometown: Asheville, North Carolina
Occupation: Mortgage Banker
Clear Password: 36f76603a2212c7fc6ff4fb8ec77a64c (listed as "clear" on the slide, but a 32-character hex string, the length of an MD5 hash)
Extraction Date: 12/30/20XX
Extraction Type:
Hack Source:
EVERY EMPLOYEE, PARTNER, AND SYSTEM IS A WEAK LINK

Name: Pat Grundish
Email: pat.grundish@53.com
Hometown: Englewood, Ohio
Occupation: Mortgage Loan Officer
Clear Password: p_grundish
Extraction Date: 8/13/20XX
Extraction Type:
Hack Source:

Name: Mandy Knerr
Email: mandy.knerr@53.com
Hometown: Huber Heights, Ohio
Occupation: Sr. Marketplace Loan Officer
Clear Password: m_knerr
Extraction Date: 8/13/20XX
Extraction Type:
Hack Source:
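The profile records above show what a harvested credential looks like in practice: a corporate e-mail address, a password field that is sometimes a hash and sometimes cleartext, and, in the cleartext cases, passwords that are nothing more than the owner's own login. As an added example (not code from the page or from CyberID-Sleuth™), the Python below triages a dump of that shape for one corporate domain: it keeps only that domain's accounts, classifies each password field as hash-shaped (32/40/64 hex characters) or cleartext regardless of how the dump labels it, and flags cleartext passwords derived from the owner's name or login. The dump records, names and the bank.example domain are constructed for the example.

```python
"""Triage a compromised-credential dump for one corporate domain.

Added example; not code from the page or from CyberID-Sleuth(TM).
The dump records below are constructed (fictitious names and values) to
mirror the fields shown on the slides.
"""
import re
from dataclasses import dataclass

CONSTRUCTED_DUMP = [
    {"name": "Alex Example", "email": "alex.example@bank.example",
     "password": "a_example"},                          # login-derived
    {"name": "Blake Sample", "email": "blake.sample@bank.example",
     "password": "0123456789abcdef0123456789abcdef"},   # 32 hex: MD5-length
    {"name": "Casey Other", "email": "casey@other.example",
     "password": "Summer2014!"},                        # not our domain
    {"name": "Dana Example", "email": "dana.example@BANK.example",
     "password": "Dana.Example99"},                     # name + digits
    {"name": "Emery Sample", "email": "emery.sample@bank.example",
     "password": "Winter2013"},                         # weak, but not name-derived
]

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
TRAILING_JUNK_RE = re.compile(r"[\d!@#$%^&*]+$")


def classify_secret(value: str) -> str:
    """'md5'/'sha1'/'sha256' when the field is hash-shaped, else 'cleartext'.

    A dump labelled "clear password" that holds 32 hex characters is almost
    certainly an unsalted MD5, so the dump's own label cannot be trusted.
    """
    if HEX_RE.match(value) and len(value) in HASH_LENGTHS:
        return HASH_LENGTHS[len(value)]
    return "cleartext"


def name_candidates(name: str, email: str) -> set:
    """Logins an attacker would try first: name parts and common joins of them."""
    parts = re.findall(r"[a-z]+", name.lower())
    local = email.split("@", 1)[0].lower()
    cands = {local, re.sub(r"[^a-z]", "", local)}
    if parts:
        first, last = parts[0], parts[-1]
        for sep in ("", ".", "_"):
            cands.add(first + sep + last)
            cands.add(first[0] + sep + last)
        cands.update({first, last})
    return {c for c in cands if c}


def is_name_derived(password: str, name: str, email: str) -> bool:
    """True when the password is the user's name/login plus at most trailing
    digits or symbols (e.g. 'p_grundish', 'jsmith2014')."""
    core = TRAILING_JUNK_RE.sub("", password.lower())
    squashed = re.sub(r"[^a-z]", "", core)
    cands = name_candidates(name, email)
    squashed_cands = {re.sub(r"[^a-z]", "", c) for c in cands}
    return core in cands or (bool(squashed) and squashed in squashed_cands)


@dataclass(frozen=True)
class Finding:
    email: str
    secret_type: str
    name_derived: bool


def triage(records, corporate_domain: str) -> list:
    """Keep only the corporate domain's accounts and annotate each exposure."""
    domain = corporate_domain.lower()
    findings = []
    for rec in records:
        email = rec["email"].lower()
        if email.rsplit("@", 1)[-1] != domain:
            continue
        kind = classify_secret(rec["password"])
        derived = kind == "cleartext" and is_name_derived(
            rec["password"], rec["name"], email)
        findings.append(Finding(email, kind, derived))
    return findings


def summarize(findings) -> dict:
    return {
        "exposed": len(findings),
        "cleartext": sum(f.secret_type == "cleartext" for f in findings),
        "name_derived": sum(f.name_derived for f in findings),
    }


if __name__ == "__main__":
    found = triage(CONSTRUCTED_DUMP, "bank.example")
    for f in found:
        print(f"{f.email:32} {f.secret_type:9} name-derived={f.name_derived}")
    print(summarize(found))
```

The name-derived flag is the one worth acting on first: a hash can be cracked later, but a cleartext password that is literally the login works today, and the same person has very likely reused it elsewhere.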
STOLEN CREDENTIALS REPEATEDLY USED TO BREACH FINSERV

16 financial services institutions publicly reported a data breach in 2012, totaling 1.1M breached records.

We harvested 6 credentials belonging to Independent Capital Management in December 2011.

As recently as 4/1/2013, we have found a total of 1,688 Citi credentials.

• February 22, 2012: An unauthorized party misused Accucom credentials to make fraudulent $1.00 charges
• March 2, 2012: A user ID assigned to Independent Capital Management was used to access consumer credit reports
• March 13, 2012: A hacker logged onto Citi's credit card online account access system using passwords and user IDs
• October 29, 2012: Hackers used stolen employee credentials to hack Abilene Telco, resulting in the theft of 847 credit reports
THE LONG-TERM EFFECTS OF LOST CREDENTIALS

• 2005: An employee of a Kansas City investment bank registers for the free Stratfor newsletter
• December 2011: Stratfor becomes aware of its breach
• January 2012: Stratfor initiates a massive breach response, including removing all related data from the Web
• February 2013: A hacktivist group identifies the credential/password combination that still accesses the investment bank's webmail
• February 2013: The hacktivist group publishes the investment bank's client information on its home page

The employee used the same password for the Stratfor newsletter as for the investment bank's webmail account. It took nearly eight years to feel the full effect of a duplicate password: over 300,000 individuals had their personal information leaked, including credit card numbers, addresses, phone numbers, and more.
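The Stratfor timeline above is a password-reuse failure: a newsletter password chosen in 2005 still opened corporate webmail in 2013, long after the dump was public. As an added example (not code from the page, from Stratfor, the bank, or CyberID-Sleuth™), the Python below shows the check an identity provider can run at login or password-change time against a leaked dump: it rejects a submitted credential when the exact e-mail/password pair is in the dump (the Stratfor case), and rejects the password alone when it appears anywhere in the dump, looking it up by the first 5 hex characters of its SHA-1 so that a shared lookup service never sees the full hash (the same range-query shape the Have I Been Pwned "Pwned Passwords" API uses). The dump, addresses and passwords are constructed for the example.

```python
"""Breached-credential check at login / password-change time.

Added example; not code from the page, Stratfor, the bank or CyberID-Sleuth(TM).
The leaked dump is constructed: fictitious addresses and passwords in the
cracked (cleartext) form the slides show.
"""
import hashlib
from collections import defaultdict

CONSTRUCTED_LEAK = [
    ("analyst@bank.example", "Newsletter2005"),   # the reused corporate password
    ("someone@other.example", "letmein"),
    ("third@elsewhere.example", "Newsletter2005"),
]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Index a dump two ways: exact (email, hash) pairs, and password hashes
    bucketed by their first 5 hex characters for k-anonymous range queries."""

    def __init__(self, leak):
        self.pairs = set()
        self.buckets = defaultdict(set)
        for email, password in leak:
            digest = sha1_hex(password)
            self.pairs.add((email.lower(), digest))
            self.buckets[digest[:5]].add(digest[5:])

    def range(self, prefix5: str) -> set:
        """Server side of the range query: the caller reveals only 20 bits of
        the hash, so the service cannot tell which password was checked."""
        return set(self.buckets.get(prefix5.upper(), ()))


def password_in_breach(index: BreachIndex, candidate: str) -> bool:
    digest = sha1_hex(candidate)
    return digest[5:] in index.range(digest[:5])   # suffix compared client-side


def pair_in_breach(index: BreachIndex, email: str, candidate: str) -> bool:
    """The Stratfor failure mode: this exact login still works somewhere else.
    Run by the identity provider itself, which already holds the password at
    login, against its own copy of the dump."""
    return (email.lower(), sha1_hex(candidate)) in index.pairs


def evaluate_login(index: BreachIndex, email: str, candidate: str) -> str:
    """Policy decision: a leaked pair forces a reset; a leaked password is refused."""
    if pair_in_breach(index, email, candidate):
        return "reject: credential pair is in a breach, force reset"
    if password_in_breach(index, candidate):
        return "reject: password appears in a breach"
    return "accept"


if __name__ == "__main__":
    idx = BreachIndex(CONSTRUCTED_LEAK)
    for email, pw in [("analyst@bank.example", "Newsletter2005"),
                      ("analyst@bank.example", "letmein"),
                      ("analyst@bank.example", "correct horse battery staple")]:
        print(email, "->", evaluate_login(idx, email, pw))
```

The pair check is the one the Stratfor story calls for, and it only works if the check is repeated whenever a new dump arrives, not just once at enrollment: the bank's password was fine in 2005 and became a liability in 2011.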
MULTIPLE VECTORS OF ATTACK RESULT IN BREACHES

[Diagram: "Data Breaches" at the center, surrounded by the attack vectors Point of Sale Systems, Email, Web, Mobile, Lost/Stolen Device, FTP, Cloud Services, Employees, Hacking, and Social Media]
THREE PRIMARY CAUSES DRIVE DATA BREACHES

[Diagram: Data Breaches driven by Monetization, Negligence, and Ego]
USA Breaches

867,525,654 records known to have been breached in the USA (from 2005 to June 11, 2014; source: http://www.PrivacyRights.Org)
PROVIDING VISIBILITY BEYOND THE IT WALLS

IT administrators harden their networks by building walls with anti-virus software to keep out the bad guys.

The problem is that 76,000 new malware strains are released into the wild every day.

The problem is that 73% of online banking users reuse their passwords for non-financial websites.

The result is that anti-virus software can't keep up and the bad guys are already inside your walls.
STOLEN CREDENTIALS EXPOSE YOU TO UNKNOWN RISK

30,000: the number of new malicious websites created every day [1]
80%: of breaches that involved hackers used stolen credentials
14%: of data breaches were due to employees using personal email accounts [2]
76%: of network intrusions exploited weak or stolen credentials [2]

SOURCES: 1. Sophos, 2012; 2. Verizon Data Breach Investigations Report, 2013
MALWARE EVADES TRADITIONAL ANTI-VIRUS SOFTWARE

200,000 – 300,000: the estimated number of new viruses discovered each day [1]
52%: of malware in a recent study focused on evading security [2]
24.5%: antivirus software's average detection rate for e-mail based malware attacks [3]
40%: of malware samples in a recent study went undetected by leading antivirus software [2]

SOURCES: 1. Comodo Group, 2012; 2. Palo Alto Networks, 2013; 3. Krebs on Security, 2012
DO YOU KNOW WHAT THESE ARE?

"automatedtest", "automatedtester", "bagle-cb", "c_conficker", "c_confickerab", "c_confickerc", "c_pushdo", "c_trafficconverter", "c_zeroaccess", "childpredator", "citadel", "condo", "cutwail", "d_tdss", "darkmailer", "darkmailer2", "darkmailer3", "darkmailer4", "darkmailer5", "deai", "esxvaql", "fakesendsafe", "festi", "fraud", "gamut", "gheg", "grum", "hc", "kelihos", "lethic", "maazben", "malware", "manual", "mip", "misc", "netsky", "ogee", "pony", "relayspammer", "s_kelihos", "s_worm_dorkbot", "sendsafe", "sendsafespewage", "slenfbot", "snowshoe", "spamaslot", "spamlink", "spamsalot", "special", "spyeye", "ss", "synch", "w_commentspammer", "xxxx", "zapchast", "zeus"

These are malware and botnet family names (Zeus, SpyEye, Citadel, Conficker, Cutwail, Kelihos and Pony among them). Prewritten malware code is available to hackers, who only need to modify it enough to get through your security.
CASE STUDY: Sony PlayStation® Network

• April 19, 2011: Sony discovers its network had been compromised but does not announce anything
• April 20, 2011: Sony closes down the network but does not disclose what it already knows
• April 22, 2011: Sony reveals that an "external intrusion" caused the network outages
• April 26, 2011: Sony releases a detailed account of the incident and reveals for the first time that PII was leaked
• April 29, 2011: Sony shares drop 4.5% and the company reveals 2.2 million credit card numbers were stolen
• March 2014: Sony is still attempting to resolve issues from the 50+ different class action lawsuits brought against it

100M user accounts compromised, exposing full name, address, phone number, date of birth, credit card number, user name, and password.

Current estimates of the total financial impact to Sony are $171 million.

Sony provided affected individuals with 12 months of identity theft protection and insurance coverage.
CASE STUDY: Target Corporation

• Nov. 27 – Dec. 15, 2013: Hackers execute an extended attack against Target's point-of-sale system
• Dec. 18, 2013: News of the breach is reported by the data and security blog KrebsOnSecurity
• Dec. 20, 2013: Target acknowledges the breach, saying it is under investigation
• Dec. 21, 2013: JP Morgan announces it is placing daily spending caps on affected customer debit cards
• Dec. 22, 2013: Customer traffic drops over the holiday season, resulting in a 3-4% drop in customer transactions
• Jan. 10, 2014: Target lowers its fourth-quarter financial projections, saying sales were "meaningfully weaker-than-expected"

110M user accounts compromised, exposing credit and debit card numbers, card verification (CVN) numbers, names, home addresses, e-mail addresses and/or phone numbers.

Current estimates of the total financial impact to Target are $200 million.

Target provided affected individuals with 12 months of identity theft protection and insurance coverage.
“Ongoing forensic investigation
has indicated that the intruder
stole a vendor's credentials which
were used to access our system.”
Molly Snyder, Target
Corporation
January 2014
Email Attack on Vendor Set Up Breach at Target*
* Source: http://krebsonsecurity.com/

The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.

KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa.
ANATOMY OF A SPEARPHISHING ATTACK

1. Target Victim
2. Install Malware
3. Access Network
4. Collect & Transmit Data
5. Breach Event
THE PROFILE OF AN ATTACKER

The malware used to hack Target's POS system was written by a Ukrainian teen
• Andrey Hodirevski from southwest Ukraine carried out the attack from his home
• The card details that he stole were sold through his own forum as well as other communities
• CyberID-Sleuth™ investigated the breach when it occurred and was able to verify various discussions and identifiers pointing to this suspect
Definition

An Internet service provider (ISP, also called Internet access provider) is a business or organization that offers users access to the Internet and related services.
Source: http://en.wikipedia.org/wiki/Internet_service_provider#Access_providers
a.k.a: the “CLOUD”
The Internet "Web" Topography
Can you identify what these numbers are?
IP Tracer. Source: http://www.ip-adress.com/ip_tracer/
A device at your IP address that is talking to a command-and-control server is running botnet malware under the hacker's control: you have been breached!
CyberID-Sleuth™ PROVIDES MORE THAN AUTOMATED ALERTS

• Credential Monitoring: identifying email addresses from a corporate domain that have been hacked, phished, or breached
• IP Address Scanning: identifying devices in a corporate network connected to a known malware command and control server
• Doxing awareness and hacktivist activity monitoring
• Locating the individuals and exchanges involved in intellectual property theft
• Monitoring of hacks, exploits against networks, glitches, leaks, and phishing/keylogging
• Identification of communities targeting brands, networks or IP addresses
• Identification of intellectual property distribution
• Identification of individuals posing a risk to any IP address
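The slide on an IP address seen talking to a C2 server, and the "IP Address Scanning" item above, describe one detection: match your own egress and DNS logs against a list of known command-and-control indicators and attribute every hit to the internal host that made it. As an added example (not CyberID-Sleuth™ code), the Python below does that over a few constructed firewall/DNS log lines: it checks connection destinations against C2 address ranges, DNS queries against C2 domains (including their subdomains) and resolved answers against the same ranges, then reports per internal host the indicators matched, the first-seen time and the hit count. The indicator values (documentation/TEST-NET addresses, .example names) and the log lines are constructed.

```python
"""Match egress and DNS logs against a C2 indicator list, per internal host.

Added example; not CyberID-Sleuth(TM) code. Indicators and log lines are
constructed (documentation/TEST-NET addresses and .example names).
"""
import ipaddress
import re
from datetime import datetime

# Constructed indicator list: C2 addresses/ranges and domains.
C2_NETWORKS = [ipaddress.ip_network("198.51.100.23/32"),
               ipaddress.ip_network("203.0.113.0/24")]
C2_DOMAINS = {"c2.example.net"}

# Constructed log export: one event per line, key=value fields.
CONSTRUCTED_LOGS = """\
2014-03-12T01:28:24Z type=conn src=10.0.5.17 dst=198.51.100.23 dport=443 action=allow
2014-03-12T01:28:31Z type=dns src=10.0.5.17 query=c2.example.net answer=198.51.100.23
2014-03-12T01:30:02Z type=conn src=10.0.7.9 dst=192.0.2.10 dport=80 action=allow
2014-03-12T01:31:45Z type=conn src=10.0.5.17 dst=198.51.100.23 dport=443 action=allow
2014-03-12T02:05:10Z type=dns src=10.0.9.3 query=updates.c2.example.net answer=203.0.113.77
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    timestamp, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def ip_is_c2(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in C2_NETWORKS)


def domain_is_c2(name: str) -> bool:
    """Exact match or any subdomain of a listed C2 domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def find_c2_contacts(log_text: str) -> dict:
    """{internal host: {"indicators": set, "first_seen": datetime, "hits": n}}"""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        matched = []
        if f.get("type") == "conn" and ip_is_c2(f["dst"]):
            matched.append(f["dst"])
        elif f.get("type") == "dns":
            if domain_is_c2(f["query"]):
                matched.append(f["query"])
            if "answer" in f and ip_is_c2(f["answer"]):
                matched.append(f["answer"])
        if not matched:
            continue
        entry = hits.setdefault(f["src"], {"indicators": set(),
                                            "first_seen": f["ts"], "hits": 0})
        entry["indicators"].update(matched)
        entry["first_seen"] = min(entry["first_seen"], f["ts"])
        entry["hits"] += 1
    return hits


if __name__ == "__main__":
    for host, info in sorted(find_c2_contacts(CONSTRUCTED_LOGS).items()):
        print(f"{host}: {info['hits']} hit(s) since {info['first_seen']:%Y-%m-%d %H:%M}Z "
              f"-> {', '.join(sorted(info['indicators']))}")
```

Two caveats a practitioner would apply before paging anyone: a C2 address on shared hosting or a sinkhole produces matches from hosts that are not infected, so a domain-level match or repeated beaconing is a stronger signal than a single IP hit, and indicator lists age quickly, so the list should carry a date and be refreshed rather than accumulated.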
CyberID-Sleuth™ PROVIDES EARLY WARNING AT TWO POINTS

Dark Web: CyberID-Sleuth™ scours botnets, criminal chat rooms, blogs, websites and bulletin boards, peer-to-peer networks, forums, private networks, and other black market sites 24/7, 365 days a year. CyberID-Sleuth™ harvests 1.4 million compromised credentials per month.

Command-and-control servers: CyberID-Sleuth™ identifies your data as it accesses criminal command-and-control servers, from multiple geographies that national IP addresses cannot access. CyberID-Sleuth™ harvests 7 million compromised IP addresses every two weeks.
REMEMBER WHAT THESE ARE?

(The same list of malware and botnet family names shown earlier, "automatedtest" through "zeus".)
CyberID-Sleuth™ CASE STUDY: ACTUAL CREDENTIAL DATA

Zeus infection targeted at multiple entities within the hotel industry in Indonesia

CyberID-Sleuth™ identified a targeted Zeus campaign which appears to have been focused on and distributed to hotel chains, mainly in Indonesia (the compromised systems' records carry the country code ID and .co.id domains). The attack in question caused active compromises of a number of systems.

CyberID-Sleuth™'s main focus is the type of data often held within reservation and other hotel systems. Personal information such as credit card data, as well as passport scans or copies, is often held on hospitality systems, and the data identified next highlights that these same systems are compromised and under the direct control of malicious actors.
CyberID-Sleuth™ IDENTIFIES ACTUAL MALWARE VARIANT

Infection Type: Zeus Infection - V2.1
Payload: Theft of all credentials, key logging of all data, remote access to devices
Total Infection Count: 487
Total Credential Count: 12,894 (including duplicates)
Command and Control (C2) Domain: matphlamzy.com
CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA

bwstarhotel.com - 111.68.31.202
('92', 'RSV1_E532648A3D69E5DE', '-- default --', '33619969', '', '', '1394590108', '7557047', '0', '±00', '1033', 'C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE', 'RSV1\owner', '101', 'pop3://reservation@bwstarhotel.com:starrsv1*@116.251.209.92:110/', '111.68.31.202', 'ID', '1394590104')

The data extracted and listed here relate to valid and legitimate accounts which are still active. These are not passwords taken from breach events or other untrusted sources. They are taken directly from devices that are still infected/compromised!
CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA

bwmegakuningan.com - 139.0.16.90
('447', 'USER-PC_E532648A9824115F', '-- default --', '33619969', '', '', '1394593039', '162643491', '0', '±00', '1033', 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE', 'user-PC\user', '101', 'pop3://reservation@bwmegakuningan.com:79r2mz5xrx@116.251.209.92:110/', '139.0.16.90', 'DE', '1394593037')
CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA

townsquare.co.id - 180.250.172.36
('453', 'RESERVATION_1F3D59E96522DF69', '-- default --', '33619969', '', '', '1394592970', '14267024', '0', '±00', '1033', 'C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE', 'TSPDC\vitha', '101', 'pop3://reservation.seminyak@townsquare.co.id:tsbali1234@103.31.232.210:110/', '180.250.172.36', 'ID', '1394593095')
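The three records above are rows from the botnet's credential store: the stolen POP3 login is embedded as a pop3://user:password@server:port/ URL alongside the bot ID, the program it was lifted from (Outlook's saved account), the local Windows account, the victim's IP address and country code, and Unix timestamps (1394593039 is 2014-03-12 02:57:19 UTC). As an added example (not CyberID-Sleuth™ code), the Python below parses rows of that shape into a redacted finding suitable for notifying the victim, and groups findings by mail server to show when several victims share one provider, as the slides' records do for 116.251.209.92. The field positions are inferred from the records shown on the slides rather than from a documented schema, and the two rows it parses are constructed with fictitious hosts, accounts and passwords.

```python
"""Parse stolen-credential rows of the shape shown on the slides.

Added example; not CyberID-Sleuth(TM) code. Field positions are inferred from
the records on the slides, not from a documented schema. The two rows below
are constructed: fictitious hosts, accounts, passwords and TEST-NET addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

CONSTRUCTED_ROWS = [
    r"""('501', 'FRONTDESK_0123456789ABCDEF', '-- default --', '33619969', '', '', '1394593039', '162643491', '0', '±00', '1033', 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE', 'FRONTDESK\reception', '101', 'pop3://reservations@hotel.example:Rsv@2014:x@192.0.2.25:110/', '198.51.100.77', 'ID', '1394593037')""",
    r"""('502', 'RESERVATION_FEDCBA9876543210', '-- default --', '33619969', '', '', '1394592970', '14267024', '0', '±00', '1033', 'C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE', 'RSV\vitha', '101', 'pop3://bookings@resort.example:Resort#1@192.0.2.25:110/', '203.0.113.36', 'ID', '1394593095')""",
]

FIELD_RE = re.compile(r"'([^']*)'")          # rows never contain quotes inside values
CRED_URL_RE = re.compile(
    r"^(?P<scheme>[a-z0-9]+)://(?P<userinfo>.*)@(?P<host>[^@/:]+):(?P<port>\d+)/?$")


def parse_cred_url(url: str) -> dict:
    """Split scheme://user:password@host:port/. The greedy userinfo group takes
    everything up to the last '@', so an e-mail login and a password containing
    '@' or ':' both survive; the login itself never contains ':'."""
    m = CRED_URL_RE.match(url)
    if not m:
        raise ValueError(f"unrecognised credential URL: {url!r}")
    account, _, password = m["userinfo"].partition(":")
    return {"scheme": m["scheme"], "account": account, "password": password,
            "server": m["host"], "port": int(m["port"])}


def redact(secret: str) -> str:
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def parse_row(row: str) -> dict:
    fields = FIELD_RE.findall(row)
    if len(fields) != 18:
        raise ValueError(f"expected 18 fields, got {len(fields)}")
    cred = parse_cred_url(fields[14])
    return {
        "bot_id": fields[1],
        "stolen_at": datetime.fromtimestamp(int(fields[6]), tz=timezone.utc).isoformat(),
        "source_app": fields[11].rsplit("\\", 1)[-1],   # program the credential was lifted from
        "local_account": fields[12],
        "protocol": cred["scheme"],
        "account": cred["account"],
        "mail_server": f"{cred['server']}:{cred['port']}",
        "password": redact(cred["password"]),            # never forward the clear value
        "victim_ip": fields[15],
        "country": fields[16],
    }


def by_server(rows) -> dict:
    """Group exposed accounts by the mail server they authenticate to: several
    victims on one server usually means one hosting provider to notify."""
    grouped = defaultdict(list)
    for row in rows:
        finding = parse_row(row)
        grouped[finding["mail_server"]].append(finding["account"])
    return dict(grouped)


if __name__ == "__main__":
    for row in CONSTRUCTED_ROWS:
        print(parse_row(row))
    print(by_server(CONSTRUCTED_ROWS))
```

The redaction is deliberate: a notification to the hotel needs the account, the server, the infected host and the time, not the password, and the first remediation step is the same either way (clean the host, then rotate the mailbox password, in that order, because a still-infected host will simply steal the new one).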
CyberID-Sleuth™ CASE STUDY: ANATOMY OF THE FINDINGS

Q. How many credit cards were captured?
Over 257 unique credit cards were stolen during the attack. CyberID-Sleuth™ identified the botnet, which was made up of infected devices.

Q. Specifically, what data did it steal and report back that you could see?
CyberID-Sleuth™ could see EVERYTHING that was entered on a user's device or saved as a password or credential.

Q. How much did this breach cost the client?
No "price" could be put on the damage caused to a victim after a fraudster has stolen their credentials. The data stolen would allow the fraudster access to internal systems, either via the stolen credentials or via backdoor access to affected systems.
Q. What data about the attacker were we able to find?
Limited details. Information about the attackers is not shared with clients unless it was a directed attack, and is only shared with US and UK law enforcement.

Q. How did the authorities use the data to capture the intruders?
The individual responsible for running the botnet in question is so far still at large.
CyberID-Sleuth™ Credential Monitoring Demo (Tier I) *

* Let us see if your credentials are for sale, at no obligation
A STANDARD RESPONSE TIMELINE SHOULD BE FOLLOWED

Plan ahead by forming a breach response plan (CyberID-Sleuth Tiers II & III).

Assessment efforts (incident detection / discovery):
• Initial internal reporting, notifications, and security triage of the "event"
• Activate technical / security focused breach response team processes and procedures based on the Data Breach Plan
• Determine total scope of event, size of affected population, type of data lost or compromised, and necessary legal and industry-specific guidelines

Implement the breach response plan.

Remediation efforts (incident notification & resolution):
• Determine the organization's public response plan (including notification type, verbiage, and remediation offering, if any)
• Prepare internal and external communication plan & copy
• Contact and/or activate contract with data breach remediation vendor
• Establish internal or third-party communication channel to affected population
• Coordinate breach notification copy and distribution with breach remediation vendor
• Notification capabilities go live

Throughout: internal and external communication of event, reaction, and remediation.
THE COSTS OF A DATA BREACH ARE VARIED
• Detection or Discovery: "Activities that enable a company to reasonably detect the breach of personal data either at risk (in storage) or in motion"
• Escalation: "Activities necessary to report the breach of protected information to appropriate personnel within a specified time period."
• Notification: physical mail, e-mail, general notice, telephone
• Victim Assistance: card replacement, credit monitoring offer, identity theft protection offer, access to customer service representatives
• Churn of existing customers / personnel
• Future diminished acquisition of customers or employees
RECOMMENDATIONS TO REDUCE DATA BREACH EXPOSURE & COSTS
• Promote employee data management training & education
• Require the GC / CISO and their teams to understand industry, state, federal, and event-specific data breach response guidelines and recommendations
• Establish an internal data breach response plan and process flow
• Prior to a data breach event, contract with a data breach remediation, notification, and/or forensics provider
• Utilize and maintain available data loss prevention technologies such as CyberID-Sleuth™
• Require advanced encryption and authentication solutions to be in place across the organization
• Contractually require vendors who manage data from your organization to notify you if they incur a breach of any data
• Support enactment of legislation that clearly dictates rules and guidelines for organizations to follow in advance of, and following, a data breach event
Take this 20 Question Assessment to Score Your Risk Level
Give us a call and we can even do this over the phone!
1. Remember to ask us for a no-obligation credential search for your enterprise
2. Allow us to give you your 20 Question Assessment score on your risk level

Email your questions to CyberIDSleuth@BTR-Security.com, or write to request the two no-obligation services listed above.

PPTX
Slide gioi thieu VietinBank Quy 2 - 2025
PPT
Lecture 3344;;,,(,(((((((((((((((((((((((
PDF
TyAnn Osborn: A Visionary Leader Shaping Corporate Workforce Dynamics
PDF
Kishore Vora - Best CFO in India to watch in 2025.pdf
PDF
THE COMPLETE GUIDE TO BUILDING PASSIVE INCOME ONLINE
PPTX
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
PDF
Daniels 2024 Inclusive, Sustainable Development
DOCX
80 DE ÔN VÀO 10 NĂM 2023vhkkkjjhhhhjjjj
PDF
Booking.com The Global AI Sentiment Report 2025
PDF
Satish NS: Fostering Innovation and Sustainability: Haier India’s Customer-Ce...
DOCX
Handbook of Entrepreneurship- Chapter 5: Identifying business opportunity.docx
DOCX
FINALS-BSHhchcuvivicucucucucM-Centro.docx
PDF
533158074-Saudi-Arabia-Companies-List-Contact.pdf
PPT
Lecture notes on Business Research Methods
PPTX
Project Management_ SMART Projects Class.pptx
PPTX
interschool scomp.pptxzdkjhdjvdjvdjdhjhieij
Introduction to Generative Engine Optimization (GEO)
NEW - FEES STRUCTURES (01-july-2024).pdf
income tax laws notes important pakistan
Center Enamel A Strategic Partner for the Modernization of Georgia's Chemical...
Slide gioi thieu VietinBank Quy 2 - 2025
Lecture 3344;;,,(,(((((((((((((((((((((((
TyAnn Osborn: A Visionary Leader Shaping Corporate Workforce Dynamics
Kishore Vora - Best CFO in India to watch in 2025.pdf
THE COMPLETE GUIDE TO BUILDING PASSIVE INCOME ONLINE
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
Daniels 2024 Inclusive, Sustainable Development
80 DE ÔN VÀO 10 NĂM 2023vhkkkjjhhhhjjjj
Booking.com The Global AI Sentiment Report 2025
Satish NS: Fostering Innovation and Sustainability: Haier India’s Customer-Ce...
Handbook of Entrepreneurship- Chapter 5: Identifying business opportunity.docx
FINALS-BSHhchcuvivicucucucucM-Centro.docx
533158074-Saudi-Arabia-Companies-List-Contact.pdf
Lecture notes on Business Research Methods
Project Management_ SMART Projects Class.pptx
interschool scomp.pptxzdkjhdjvdjvdjdhjhieij

Cyber ID Sleuth Data Security Forensics

  • 1. Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com CyberID-Sleuth™ Data Security Forensics Prepared by: Robert A. Listerman, CPA, CITRMS
  • 2. Robert Listerman (Bob) is a licensed Certified Public Accountant, State of Michigan, and has over 30 years of experience as a process improvement business consultant. He graduated from Michigan State University and became a CPA while employed at Touche Ross & Co., Detroit, now known as a member firm of Deloitte & Touche USA LLP. Bob added the Certified Identity Theft Risk Management Specialist (CITRMS) designation issued by The Institute of Fraud Risk Management in 2007. The designation is in recognition of his knowledge and experience in identity theft risk management. Today Bob focuses his practice on data security compliance. Over 50% of identity theft can be traced back to unlawful handling or mishandling of non-public data within the workplace. Currently Bob serves his professional community as an active Board Member for the Institute of Management Accountants (IMA), Mid Atlantic Council (“IMA-MAC”). He is currently serving as President of IMA-MAC (2011-2013). He is a regular seminar presenter for the IMA, Pennsylvania Institute of CPAs (PICPA), and the Michigan Association of CPAs (MACPA). Bob serves on, and is a past chair of, the MACPA’s Management Information & Business Show committee, which enjoys serving over 1000 CPAs in attendance each year. He is Continuing Education Chair of the PICPA’s IT Assurance Committee. Bob serves his local community as a member of the Kennett Township, PA Planning Commission, Communications, Business Advisory, and Safety Committees. He is an active board member of the Longwood Rotary Club. He has served his Rotary District 7450 as their Interact Club Chair (Rotary in High School) since 2010.
Past professional and civic duties include serving on the Board of Directors for the Michigan Association of Certified Public Accountants (1997-2000), past board member of the Delaware Chapter of the IMA, and past Chapter president for the IMA Oakland County, Michigan (1994-1995). www.linkedin.com/in/boblistermanidriskmanager/
  • 3. [image-only slide]
  • 4. A DATA BREACH of “PII” IS DEFINED AS A FIRST NAME, FIRST INITIAL OR LAST NAME PLUS: a Social Security Number; a Driver’s License Number or State-Issued ID Number; or an Account Number, Credit Card Number or Debit Card Number combined with any Security Code, Access Code, PIN or Password.
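The definition on slide 4 is a conjunction: a name element AND (a standalone identifier OR an account number that is paired with a code, PIN or password). The check below, added here as an example and not code from the presentation or from CyberID-Sleuth, applies that rule to leaked records so a response team can tell which records trigger the definition. The field names (first_name, ssn, credit_card_number, and so on) and the sample records are constructed for illustration; the rule itself is the slide's.

```python
"""Apply the slide-4 PII breach definition to leaked records.

Added example, not code from the presentation or from CyberID-Sleuth. The
field names and sample records are constructed; the rule is the slide's.
"""
from __future__ import annotations

NAME_FIELDS = {"first_name", "first_initial", "last_name"}
IDENTIFIER_FIELDS = {"ssn", "drivers_license", "state_id"}
ACCOUNT_FIELDS = {"account_number", "credit_card_number", "debit_card_number"}
SECRET_FIELDS = {"security_code", "access_code", "pin", "password"}


def exposed_fields(record: dict) -> set[str]:
    """Fields that actually carry a value; None and empty strings do not count."""
    return {k for k, v in record.items() if v not in (None, "")}


def is_pii_breach(exposed: set[str]) -> bool:
    """True when a name element is present together with either a standalone
    identifier (SSN, licence or state ID) or an account/card number that is
    combined with a security code, access code, PIN or password."""
    has_name = bool(exposed & NAME_FIELDS)
    has_identifier = bool(exposed & IDENTIFIER_FIELDS)
    has_account_plus_secret = bool(exposed & ACCOUNT_FIELDS) and bool(exposed & SECRET_FIELDS)
    return has_name and (has_identifier or has_account_plus_secret)


def triage_records(records: list[dict]) -> dict[str, bool]:
    """Map each record id to whether its exposed fields meet the definition."""
    return {r["id"]: is_pii_breach(exposed_fields(r) - {"id"}) for r in records}


# Constructed sample records (placeholder values, no real people).
SAMPLE_RECORDS = [
    {"id": "r1", "first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"},
    # card number leaked but the security code field was empty: not a breach under the rule
    {"id": "r2", "last_name": "Lee", "credit_card_number": "0000000000000000", "security_code": ""},
    {"id": "r3", "last_name": "Lee", "credit_card_number": "0000000000000000", "pin": "0000"},
    # identifiers without any name element: not a breach under the rule
    {"id": "r4", "ssn": "000-00-0000", "drivers_license": "X0000000"},
    {"id": "r5", "first_initial": "A", "account_number": "00000", "password": "placeholder"},
]

if __name__ == "__main__":
    for rid, hit in triage_records(SAMPLE_RECORDS).items():
        print(rid, "breach" if hit else "no breach")
```

Records r2 and r4 show the two ways a leak can fall outside the definition: a card number with no accompanying secret, and identifiers with no name. Treat the rule as a floor for notification decisions, not a ceiling; slide 5 makes the point that anything important to the enterprise can be the real loss.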
  • 5. A REAL “BREACH” IS DEFINED AS ANY INTRUDER TO YOUR ENTERPRISE: your trade secrets; access to your servers by a “hacktivism” criminal; whatever is important to your enterprise.
  • 6. When a hacker gets anyone’s credentials, it is easy for them to build a profile of the individual to gain even more information from social media sites. From there they can “spear-phish” more information from the victim OR THEIR CONTACTS! Examples of profile building follow:
  • 7. Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com LOST CREDENTIALS PUT YOU UNDER ATTACK Name: Lucas Newman Extraction Date: 12/30/20XX Email: lnewman@firstrepublic.com Hometown: Portland, Oregon Hashed Password: 16b90b178faff0e3e2f92ec647b50b1 1 Occupation: Managing Director and Portfolio Manager Extraction Type: Hack Source:
  • 8. Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Name: Robyn Mondin Extraction Date: 12/30/20XX Email: robyn.mondin@firstcitizens.com Hometown: Asheville, North Carolina Clear Password: 36f76603a2212c7fc6ff4fb8ec77a64 c Occupation: Mortgage Banker Extraction Type: Hack Source:
  • 9. Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com EVERY EMPLOYEE, PARTNER, AND SYSTEM IS A WEAK LINK Name: Pat Grundish Extraction Date: 8/13/20XX Email: pat.grundish@53.com Hometown: Englewood, Ohio Clear Password: p_grundish Occupation: Mortgage Loan Officer Extraction Type: Hack Source: Name: Mandy Knerr Extraction Date: 8/13/20XX Email: mandy.knerr@53.com Hometown: Huber Heights, Ohio Clear Password: m_knerr Occupation: Sr. Marketplace Loan Officer Extraction Type: Hack Source:
  • 10. STOLEN CREDENTIALS REPEATEDLY USED TO BREACH FINSERV. 16 financial services institutions publicly reported a data breach in 2012, totaling 1.1M breached records. We harvested 6 credentials belonging to Independent Capital Management in December 2011. As recently as 4/1/2013, we have found Citi credentials for a total of 1,688. February 22, 2012: an unauthorized party misused Accucom credentials to make fraudulent $1.00 charges. March 2, 2012: a user ID assigned to Independent Capital Management was used to access consumer credit reports. March 13, 2012: a hacker logged onto Citi's credit card online account access system using passwords and user IDs. October 29, 2012: hackers used stolen employee credentials to hack Abilene Telco, resulting in the theft of 847 credit reports.
  • 11. THE LONG-TERM EFFECTS OF LOST CREDENTIALS. 2005: an employee of a Kansas City investment bank registers for the free Stratfor newsletter. December 2011: Stratfor becomes aware of its breach. January 2012: Stratfor initiates a massive breach response, including removing all related data from the Web. February 2013: a hacktivist group identifies the credential/password combo that still accesses the investment bank’s webmail. February 2013: the hacktivist group publishes the investment bank’s client information on its home page. It took nearly eight years to feel the full effect of a duplicate password. Over 300,000 individuals had their personal information leaked, such as credit card numbers, addresses, phone numbers, and more. The employee used the same password to access the Stratfor newsletter as his password to the investment bank’s webmail account.
  • 12. MULTIPLE VECTORS OF ATTACK RESULT IN BREACHES. Data breaches come through: Point of Sale Systems, Email, Web, Mobile, Lost/Stolen Devices, FTP, Cloud Services, Employees, Hacking, Social Media.
  • 13. THREE PRIMARY CAUSES DRIVE DATA BREACHES: Monetization, Negligence, Ego.
  • 14. USA Breaches*: 867,525,654* records known to have been breached in the USA! * From 2005 to June 11, 2014. Source: http://www.PrivacyRights.Org
  • 15. PROVIDING VISIBILITY BEYOND THE IT WALLS. IT administrators harden their networks by building walls with anti-virus software to keep out the bad guys. The problem is that 76,000 new malware strains are released into the wild every day. The problem is that 73% of online banking users reuse their passwords for non-financial websites. The result is that anti-virus software can’t keep up and the bad guys are already inside your walls.
  • 16. [image-only slide]
  • 17. STOLEN CREDENTIALS EXPOSE YOU TO UNKNOWN RISK. 30,000: the number of new malicious websites created every day [1]. 80%: of breaches that involved hackers used stolen credentials. 14%: of data breaches were due to employees using personal email accounts [2]. 76%: of network intrusions exploited weak or stolen credentials [2]. SOURCES: 1. Sophos, 2012; 2. Verizon Data Breach Investigations Report, 2013.
  • 18. MALWARE EVADES TRADITIONAL ANTI-VIRUS SOFTWARE. 200,000 – 300,000: the estimated number of new viruses discovered each day [1]. 52%: of malware in a recent study focused on evading security [2]. 24.5%: antivirus software’s average detection rate for e-mail based malware attacks [3]. 40%: of malware samples in a recent study went undetected by leading antivirus software [2]. SOURCES: 1. Comodo Group, 2012; 2. Palo Alto Networks, 2013; 3. Krebs on Security, 2012.
  • 19. DO YOU KNOW WHAT THESE ARE? "automatedtest", "automatedtester", "bagle-cb", "c_conficker", "c_confickerab", "c_confickerc", "c_pushdo ", "c_trafficconverter", "c_zeroaccess", "childpredator", "citadel", "condo", "cutwail", "d_tdss", "darkmailer", "darkmailer2", "darkmailer3", "darkmailer4", "darkmailer5", "deai", "esxvaql", "fakesendsafe", "festi", "fraud", "gamut", "gheg", "grum", "hc", "kelihos", "lethic", "maazben", "malware", "manual", "mip", "misc", "netsky", "ogee", "pony", "relayspammer", "s_kelihos", "s_worm_dorkbot", "sendsafe", "sendsafespewage", "slenfbot", "snowshoe", "spamaslot", "spamlink", "spamsalot", "special", "spyeye", "ss", "synch", "w_commentspammer", "xxxx", "zapchast", "zeus". Prewritten malware code is available to hackers to modify just enough to get through your security.
  • 20. CASE STUDY: Sony PlayStation® Network. April 19, 2011: Sony discovers its network had been compromised but did not announce anything. April 20, 2011: Sony closed down the network but did not disclose what it already knew. April 22, 2011: Sony reveals that an “external intrusion” caused the network outages. April 26, 2011: Sony releases a detailed account of the incident and reveals for the first time that PII was leaked. April 29, 2011: Sony shares drop 4.5% and the company reveals 2.2 million credit card numbers were stolen. March 2014: Sony is still attempting to resolve issues from the 50+ different class action lawsuits brought against it. The current estimate of the total financial impact to Sony is $171 million. Sony provided affected individuals with 12 months of identity theft protection and insurance coverage. 100M user accounts were compromised, exposing full name, address, phone number, date of birth, credit card number, user name, and password.
  • 21. CASE STUDY: Target Corporation. Nov. 27 – Dec. 15, 2013: hackers execute an extended attack against Target’s point-of-sale system. Dec. 18, 2013: news of the breach is reported by data and security blog KrebsOnSecurity. Dec. 20, 2013: Target acknowledges the breach, saying it is under investigation. Dec. 21, 2013: JP Morgan announces it is placing daily spending caps on affected customer debit cards. Dec. 22, 2013: customer traffic drops over the holiday season, resulting in a 3-4% drop in customer transactions. Jan. 10, 2014: Target lowers its fourth-quarter financial projections, saying sales were “meaningfully weaker-than-expected”. The current estimate of the total financial impact to Target is $200 million. Target provided affected individuals with 12 months of identity theft protection and insurance coverage. 110M user accounts were compromised, exposing credit and debit card numbers, CVN numbers, names, home addresses, e-mail addresses and/or phone numbers.
  • 22. “Ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system.” Molly Snyder, Target Corporation, January 2014
  • 23. Email Attack on Vendor Set Up Breach at Target* (* Source: http://krebsonsecurity.com/). The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation. KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa.
  • 24. ANATOMY OF A SPEARPHISHING ATTACK: 1. Target Victim; 2. Install Malware; 3. Access Network; 4. Collect & Transmit Data; 5. Breach Event.
  • 25. THE PROFILE OF AN ATTACKER. The malware used to hack Target’s POS system was written by a Ukrainian teen. • Andrey Hodirevski from southwest Ukraine carried out the attack from his home. • The card details that he stole were sold through his own forum as well as other communities. • CyberID-Sleuth™ investigated the breach when it occurred and was able to verify various discussions and identifiers pointing to this suspect.
  • 26. [image-only slide]
  • 27. Definition: An Internet service provider (ISP, also called Internet access provider) is a business or organization that offers users access to the Internet and related services. Source: http://en.wikipedia.org/wiki/Internet_service_provider#Access_providers
  • 28. a.k.a.: the “CLOUD”
  • 29. [image-only slide]
  • 30. The Internet “Web” Topography
  • 31. Can you identify what these numbers are?
  • 32. IP Tracer. Source: http://www.ip-adress.com/ip_tracer/
  • 33. An IP address gives the hacker access to your computer to run command-and-control botnet malware: you have been breached!
  • 34. CyberID-Sleuth™ PROVIDES MORE THAN AUTOMATED ALERTS. Credential Monitoring: identifying email addresses from a corporate domain that have been hacked, phished, or breached. IP Address Scanning: identifying devices in a corporate network connected to a known malware command and control server. Doxing awareness and hacktivist activity monitoring. Locating the individuals and exchanges involved in intellectual property theft. Hacks, exploits against networks, glitches, leaks, phishing/keylogging monitoring. Identification of communities targeting brands, networks or IP addresses. Identification of intellectual property distribution. Identification of individuals posing a risk to any IP address.
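Slides 6 through 17 make the case that a leaked password keeps working for as long as it is reused (the Stratfor newsletter password still opened the bank's webmail eight years later), and slide 34 describes credential monitoring as matching harvested credentials against a corporate domain. The block below, added here as an example and not code from the presentation or from CyberID-Sleuth, shows the defender's side of that loop: filter a harvested feed to your own domain, and, where the feed carries a cleartext password, test it against the directory's salted PBKDF2 hash to learn whether the leak is still live and the account must be reset. The feed format (one `email:secret` line, with a `hash:` prefix for pre-hashed entries), the example.com accounts, and the PBKDF2 parameters are all constructed for illustration.

```python
"""Credential-monitoring triage: match a harvested credential feed against a
corporate domain and test whether any leaked cleartext password is still live.

Added example, not the CyberID-Sleuth product or code from the presentation.
Feed format, accounts and PBKDF2 parameters are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

CORP_DOMAIN = "example.com"  # assumption: the domain being monitored

# Constructed feed in the spirit of the profile records on slides 7-9.
# 'hash:' marks an entry where only a password hash was harvested.
HARVESTED_FEED = """\
alice@example.com:Spring2013!
bob@example.com:hash:0123456789abcdef0123456789abcdef
carol@other-company.test:letmein
dave@example.com:correct horse
"""


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the shape a directory should store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_directory(passwords: dict[str, str]) -> dict[str, StoredCredential]:
    """Simulated corporate directory: per-user random salt, no plaintext kept."""
    directory = {}
    for email, pw in passwords.items():
        salt = os.urandom(16)
        directory[email.lower()] = StoredCredential(salt, hash_password(pw, salt))
    return directory


def parse_feed(text: str):
    """Yield (email, cleartext_or_None, hash_or_None) for each usable feed line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, secret = line.split(":", 1)
        if secret.startswith("hash:"):
            yield email.lower(), None, secret[len("hash:"):]
        else:
            yield email.lower(), secret, None


def triage_feed(feed_text: str, directory: dict[str, StoredCredential],
                domain: str = CORP_DOMAIN) -> dict[str, str]:
    """Return {email: status} for feed entries in our domain.

    reset-required: leaked cleartext still matches the directory hash (live reuse)
    stale:          leaked cleartext no longer matches (already rotated)
    hash-only:      no cleartext leaked; cannot verify, still worth a review
    unknown-account: mailbox not in the directory (ex-employee, typo, or alias)
    """
    results = {}
    for email, cleartext, _hash in parse_feed(feed_text):
        if not email.endswith("@" + domain):
            continue
        stored = directory.get(email)
        if stored is None:
            results[email] = "unknown-account"
        elif cleartext is None:
            results[email] = "hash-only"
        elif hmac.compare_digest(hash_password(cleartext, stored.salt), stored.digest):
            results[email] = "reset-required"
        else:
            results[email] = "stale"
    return results


def demo() -> dict[str, str]:
    directory = make_directory({
        "alice@example.com": "Spring2013!",   # same password reused on a third-party site
        "bob@example.com": "unrelated-pw",
        "dave@example.com": "changed-already",  # rotated since the leak
    })
    return triage_feed(HARVESTED_FEED, directory)


if __name__ == "__main__":
    for email, status in demo().items():
        print(f"{email}: {status}")
```

The comparison never needs the user's current plaintext: the leaked value is hashed with the stored salt and compared in constant time, so a monitoring job can run against the directory without widening access to it. A `reset-required` hit is the Stratfor scenario caught early.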
  • 35. CyberID-Sleuth™ IDENTIFIES AND PROVIDES EARLY WARNING AT TWO POINTS. Dark Web: CyberID-Sleuth™ scours botnets, criminal chat rooms, blogs, websites and bulletin boards, peer-to-peer networks, forums, private networks, and other black market sites 24/7, 365 days a year; CyberID-Sleuth™ harvests 1.4 million compromised credentials per month. Command-and-control servers: CyberID-Sleuth™ identifies your data as it accesses criminal command-and-control servers from multiple geographies that national IP addresses cannot access; CyberID-Sleuth™ harvests 7 million compromised IP addresses every two weeks.
  • 36. CyberID-Sleuth™
  • 37. REMEMBER WHAT THESE ARE? (The same list of malware and botnet names shown on slide 19.)
  • 38. CyberID-Sleuth™ CASE STUDY: ACTUAL CREDENTIAL DATA. Zeus infection targeted towards multiple entities within the hotel industry within India. CyberID-Sleuth™ identified a targeted Zeus campaign which appears to have been focused on and distributed to hotel chains, mainly within the India region. The attack in question caused active compromises against a number of systems. CyberID-Sleuth™’s main focus is the type of data often held within reservation and other hotel systems. Personal information such as credit card data, as well as passport scans or copies, is often held on hospitality systems, and the data identified next highlights that these same systems are compromised and under direct control of malicious actors.
  • 39. CyberID-Sleuth™ IDENTIFIES ACTUAL MALWARE VARIANT. Infection Type: Zeus Infection - V2.1. Payload: theft of all credentials, key logging of all data, remote access to devices. Total Infection Count: 487. Total Credential Count: 12894 (including duplicates). Command and Control (C2) Domain: matphlamzy.com
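Slides 33 through 35 describe the IP address scanning service as finding devices inside a corporate network that connect to a known command-and-control server, and slide 39 names the C2 domain for this case. The sweep below, added here as an example and not code from the presentation or from CyberID-Sleuth, is the in-house version of that check: outbound proxy or firewall records are matched against a C2 indicator list by domain (including subdomains) and by destination IP, and each internal source that touched an indicator is reported. The domain matphlamzy.com is taken from slide 39; the C2 IP 203.0.113.7 is a documentation-range placeholder, and the log lines and their five-column format are constructed for illustration.

```python
"""Sweep outbound connection logs for contact with known C2 indicators.

Added example, not the CyberID-Sleuth product or code from the presentation.
matphlamzy.com is the C2 domain named on slide 39; 203.0.113.7 is a
placeholder address from the documentation range; the log is constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

C2_DOMAINS = {"matphlamzy.com"}                      # from slide 39
C2_IPS = {ipaddress.ip_address("203.0.113.7")}       # placeholder, assumption

# Constructed outbound log: timestamp src_ip dst_host dst_ip dst_port
# ('-' as dst_host means the proxy saw no hostname, only the raw destination).
SAMPLE_LOG = """\
2014-03-12T02:08:24Z 10.0.5.21 update.matphlamzy.com 203.0.113.7 80
2014-03-12T02:08:31Z 10.0.5.21 www.example.org 192.0.2.10 443
2014-03-12T02:09:02Z 10.0.7.90 - 203.0.113.7 8080
2014-03-12T02:09:40Z 10.0.5.33 mail.example.org 192.0.2.25 110
2014-03-12T02:10:05Z 10.0.5.21 matphlamzy.com 203.0.113.7 80
2014-03-12T02:11:00Z 10.0.9.4 notmatphlamzy.com 198.51.100.9 80
garbage line that should be skipped
"""


def domain_matches(host: str, indicators: set[str]) -> bool:
    """Exact match or subdomain match; 'notmatphlamzy.com' must NOT match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def parse_line(line: str):
    """Return (ts, src_ip, host, dst_ip, port) or None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, host, dst, port = parts
    try:
        return ts, ipaddress.ip_address(src), host, ipaddress.ip_address(dst), int(port)
    except ValueError:
        return None


def find_c2_contacts(log_text: str, c2_domains: set[str] = C2_DOMAINS,
                     c2_ips=C2_IPS) -> dict[str, list[str]]:
    """Return {internal_src_ip: sorted indicators it contacted}."""
    hits: dict[str, set[str]] = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _ts, src, host, dst, _port = rec
        if host != "-" and domain_matches(host, c2_domains):
            hits[str(src)].add(host.lower())
        if dst in c2_ips:
            hits[str(src)].add(str(dst))
    return {src: sorted(ind) for src, ind in hits.items()}


if __name__ == "__main__":
    for src, indicators in find_c2_contacts(SAMPLE_LOG).items():
        print(f"{src} contacted C2 indicators: {', '.join(indicators)}")
```

Matching on both name and address matters: a host that resolves the C2 domain once and then talks to the IP directly (the 10.0.7.90 line) is missed by a DNS-only rule, while a look-alike domain such as notmatphlamzy.com would be a false positive under a naive substring match. Each reported source is a candidate for the infection count on slide 39 and belongs in the incident detection step of the response timeline on slide 46.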
  • 40. Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA bwstarhotel.com - 111.68.31.202 ,('92', 'RSV1_E532648A3D69E5DE', '-- default --', '33619969', '', '', '1394590108', '7557047', '0', '±00', '1033', 'C:Program FilesMicrosoft OfficeOffice14OUTLOOK.EXE', 'RSV1owner', '101', 'pop3://reservation@bwstarhotel.com:starrsv1 *@116.251.209.92:110/', '111.68.31.202', 'ID', '1394590104') Date extracted and listed below is related to valid and legitimate accounts which are still active. These are not passwords taken from Breach events or other untrusted sources. They are taken directly from devices that are still infected/compromised!
  • 41. Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA bwmegakuningan.com - 139.0.16.90 ('447', 'USER-PC_E532648A9824115F', '-- default --', '33619969', '', '', '1394593039', '162643491', '0', '±00', '1033', 'C:Program FilesMicrosoft OfficeOffice12OUTLOOK.EXE', 'user-PCuser', '101', 'pop3://reservation@bwmegakuningan.com: 79r2mz5xrx@116.251.209.92:110/', '139.0.16.90', 'DE', '1394593037')
  • 42. Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA townsquare.co.id - '180.250.172.36 ('453', 'RESERVATION_1F3D59E96522DF69', '-- default --', '33619969', '', '', '1394592970', '14267024', '0', '± 0', '1033', 'C:Program Files (x86)Microsoft OfficeOffice12OUTLOOK.EXE', 'TSPDCvitha', '101', 'pop3://reservation.seminyak@townsquare.co.id:tsbali1234@ 103.31.232.210:110/', '180.250.172.36', 'ID', '1394593095')
  • 43. CyberID-Sleuth™ CASE STUDY: ANATOMY OF THE FINDINGS. Q. How many credit cards were captured? Over 257 unique credit cards were stolen during the attack. CyberID-Sleuth™ identified the botnet, which was made up of infected devices. Q. Specifically, what data did it steal and report back that you could see? CyberID-Sleuth™ could see EVERYTHING that was entered on a user’s device or saved as a password or credential. Q. How much did this breach cost the client? No “price” could be put on the damage caused to a victim after a fraudster has stolen their credentials. The data stolen would allow the fraudster access to internal systems, either via the stolen credentials or via backdoor access to affected systems.
  • 44. CyberID-Sleuth™ CASE STUDY: ANATOMY OF THE FINDINGS (continued). Q. What data about the attacker were we able to find? Limited details. Information about the attackers is not shared with clients unless it is a directed attack, and is only shared with US and UK law enforcement. Q. How did the authorities use the data to capture the intruders? The individual responsible for running the botnet in question is so far still at large.
  • 45. CyberID-Sleuth™ Credential Monitoring Demo* (Tier I). * Let us see if your credentials are for sale, at no obligation.
  • 46. A STANDARD RESPONSE TIMELINE SHOULD BE FOLLOWED. Plan ahead by forming a Breach Response Plan (CyberID-Sleuth Tiers II & III). The timeline runs through four phases: Incident Detection / Discovery, Assessment Efforts, Remediation Efforts, and Incident Notification & Resolution. Its steps, in order: (1) initial internal reporting, notifications, and security triage of the “event”; (2) activate technical / security focused breach response team processes and procedures based on the Data Breach Plan; (3) determine total scope of event, size of affected population, type of data lost or compromised, and necessary legal and industry specific guidelines; (4) implement Breach Response Plan; (5) determine organization’s public response plan (including notification type, verbiage, and remediation offering, if any); (6) prepare internal and external communication plan & copy; (7) contact and/or activate contract with Data Breach Remediation Vendor; (8) establish internal or third party communication channel to affected population; (9) coordinate breach notification copy and distribution with Breach Remediation Vendor; (10) notification capabilities go live; (11) internal and external communication of event, reaction, and remediation.
  • 47. THE COSTS OF A DATA BREACH ARE VARIED • Detection or Discovery: “Activities that enable a company to reasonably detect the breach of personal data either at risk (in storage) or in motion” • Escalation: “Activities necessary to report the breach of protected information to appropriate personnel within a specified time period.” • Notification: physical mail, e-mail, general notice, telephone • Victim Assistance: card replacement, credit monitoring offer, identity theft protection offer, access to customer service representatives • Churn of existing customers / personnel • Future diminished acquisition of customers or employees
  • 48. RECOMMENDATIONS TO REDUCE DATA BREACH EXPOSURE & COSTS • Promote employee data management training & education • Require GC / CISO and their teams to understand industry, state, federal, and event specific data breach response guidelines and recommendations • Establish an internal data breach response plan and process flow • Prior to a data breach event, contract with a data breach remediation, notification, and/or forensics provider • Utilize and maintain available data loss prevention technologies such as CyberID-Sleuth™ • Require advanced encryption and authentication solutions be in place across the organization • Contractually require notification from vendors who manage data from your organization to alert you if they incur a breach of any data • Support enactment of legislation that clearly dictates rules and guidelines for organizations to follow in advance of, and following, a data breach event
  • 49. Take this 20 Question Assessment to score your risk level. Give us a call and we can even do this over the phone!
  • 50. 1. Remember to ask us for a no-obligation credential search for your enterprise. 2. Allow us to give you your 20 Question Assessment Score on your risk level. Email your questions to CyberIDSleuth@BTR-Security.com, or to get the two no-obligation services mentioned here.