Data Security Update


USSS History

Investigations :

• The Secret Service Division began on July 5, 1865 in Washington, D.C., to suppress counterfeit currency.

• In 1867 Secret Service responsibilities were broadened to include "detecting persons perpetrating frauds against the government." This appropriation resulted in investigations into the Ku Klux Klan, non-conforming distillers, smugglers, mail robbers and land frauds.

Protection :

• In 1901, Congress informally requested Secret Service Presidential protection following the assassination of President William McKinley.

• In 1902, the Secret Service assumed full-time responsibility for protection of the President. Two operatives were assigned full time to the White House Detail.

USSS History

• In 1984 Congress authorized the Secret Service to further investigate Financial Crime violations relating to:

– Credit/Debit cards

– Computer and Telecommunications Fraud

– Fraudulent Identification documents

– Bank Fraud (access device fraud, advance fee fraud, electronic funds transfers, and money laundering)

– Financial Institution Fraud

• Core Treasury Violations still under USSS jurisdiction under Homeland Security:

– Counterfeit checks

– Treasury Checks

– Counterfeit Bonds

– Counterfeit Money

  • P Notes

  • OMC Notes

  • Off-set

• On October 26, 2001, President Bush signed into law H.R. 3162, the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001.”

• In drafting this legislation, Congress recognized the Secret Service philosophy that our success resides in the ability to bring academia, law enforcement and private industry together to combat crime in the information age.

• As a result, the U.S. Secret Service was mandated by this Act to establish a nationwide network of Electronic Crimes Task Forces.

Electronic Crimes Special Agent Program - ECSAP

• The early 1990s saw the need for computer specialists

• Treasury Computer Forensics Training Program

– ATF (now under DOJ)

– ICE

– IRS

– USSS

Electronic Crimes Special Agent Program - ECSAP

• Training

– A+ Certification

– Six weeks at FLETC

– Hard Drive geometry

– Operating Systems

– Forensic programs

– Practical Exercises

– Court Testimony

– Exams

Electronic Crimes Special Agent Program - ECSAP

• Advanced Certifications

– ACERT/ Network +

– CISSP

– NASA

– Ernst and Young “Hacking” School

– EnCase

– FTK Boot Camps

– ILook – IRS

– Yearly training conferences

Electronic Crimes Special Agent Program - ECSAP

• 200 Deployed to the Field

• All sworn personnel

• Forensic Computer Exams

• Assistance for State and Local Law Enforcement

• Train state and local agencies

• Expert Witness Testimony

• Search Warrant Assistance

Electronic Crimes Task Force

• The concept of the ECTF is unique in that it brings together not only federal, state, and local law enforcement, but also prosecutors, private industry, and academia.

• The common purpose is the prevention, detection, mitigation, and aggressive investigation of attacks.

• Currently over 20 Electronic Crimes Task Forces and Electronic Crimes Working Groups spanning the entire nation.

New England Electronic Crimes Task Force

• USSS (MA, NH, RI, VT, ME)

• ICE

• DOT

• IRS

• ATF

• DOD

• Local Departments: Norwood, Medford, Boston, Cambridge.

Special Programs

• CERT – Carnegie Mellon

• Best Practices Guide for Law Enforcement

• Critical Systems Protection Initiative

• National Center for Missing and Exploited Children

High Tech Crime Trends

• Credit Card Skimming/Parasitic Devices

• Phishing Scams

• Network Intrusion

• Identity Theft

Threat | Affected Users | Damage Potential

Adware/Spyware ($) | Consumers using the internet | Complete disruption of online experience possible; personal data and account numbers could be stolen.

Phishing ($) | Consumers using the internet | Individual consumers harmed, accounts compromised.

Spam email ($) | Carrying costs for ISPs | Mostly frustration and carrying cost. Focus is on spam shielding; however, 70-80 percent of spam generation comes from infected computers.

Targeted Hacking | Enterprises, Governments | Valuable targets exist, but targeted hacking would not bring down e-commerce.

Virus/Malware | Everyone not up-to-date with patches and AV | Pandemic worms can cause disruption; vicious malware could cause destruction.

BotNets | Everyone using the internet | All of the above. DDoS could cause large-scale, long-term disruption; spam causes frustration; spyware steals account numbers; used as a distribution mechanism, a botnet may aid quick virus spread.

($ marks the rows flagged with a dollar sign on the original slide.)

Phishing

• A form of identity theft in which deception is used to trick a user into revealing confidential information with economic value

• The term “phishing” was coined in 1996 by hackers stealing AOL accounts by scamming passwords

• The term comes from attackers “fishing” for data; the “ph” spelling follows the older hacker convention seen in “phreaking”, though it is often explained as standing for “Password Harvesting”

• Involves harvesting of personal and financial account information

Phishing

• Usually accomplished through a response to unsolicited e-mail

• The victim believes the e-mail is from his/her bank or another institution accessed online

• Criminals take over accounts, transfer funds, duplicate credit cards, assume the identities of victims, open new accounts, and so on

“Phishing”

“Phished” Information Includes:

• Name, address, phone numbers

• Social Security number

• Date of birth

• Mother’s maiden name

• Account number

• Bank name

• Bank login information

• Login password

• Card expiration date

• Card Verification Value (CVV)

What Happens to the Phished Information?

• Account takeovers

• Identity theft

• Money laundering (through wire transfers)

• Credit card/ATM fraud (using duplicated cards)

• Fictitious online auctions

• Credit card number harvesting/internet posting

Typical Bank Phishing Scheme

• Website is created and placed on the internet (2-8 days)

• E-mails are generated

• Data is collected (54 hours)

• Accounts are taken over

• Funds are electronically transferred

• Funds are cashed out via Western Union, E-Gold account, or ATM card

• Funds are then re-deposited into accounts in Eastern Europe

Current Phishing Statistics

• Fastest growing and largest fraud scheme in U.S. history

• 65% of all phishing attacks occur against financial institutions

• The average phishing website is active less than 3 days after the phisher's e-mail is launched

• Current phishing success rate is 5%

• Phishers are adapting techniques to defeat security

Carding Websites and Networks

• Former Soviet Union and Eastern European states produce and launch malicious software

• Malware intrudes into private financial networks and government institutions

• Malware then extracts personal data, and carding websites and networks are used to traffic in the stolen information

Carding Portals

• Carding Portals are like on-line bazaars some with several thousand registered users

• Administrators screen potential members

• Potential members must prove worth before allowed entry

• Most based in Former Soviet Union or Eastern European States

Carding Portals

• Activity occurs in forums similar to bulletin boards or on Internet Relay Chat (IRC)

• Registered users may post announcements of goods or services

• Portals allow users to contact one another through the site

• Hierarchical organization structure similar to “Mafia” organizations

Evolution of Card Data Sold

• 1990s: Plain Cards (Card Number, Expiration Date, Cardholder Name and Address)

• Early 2000s: CVV Data also Present

• Roughly 2002 On: Full Track Data (“Dumps”)

• Roughly 2004 On: Full-info Cards

– Response to Increased Anti-fraud Measures

– Allow Online Enrolls

• 2005: Increased Traffic Referencing “Verified by Visa” and “MasterCard SecureCode” Cards

Network Intrusion Attack Techniques

Information Gathering Attacks:

1. Snooping - Simple traffic monitoring can yield tremendous amounts of information if the traffic is not encrypted. Done by compromising a router or other key infrastructure device that the traffic flows through.

2. Man in the Middle - The attacker redirects traffic to equipment the attacker owns, intercepts each message, reads it (and may alter it), and retransmits the intercepted message to the intended recipient.

3. Trojan - A program that masquerades as a benign tool. When executed, it can mimic the standard login prompt and fool the user into thinking they are logging into their real account. After the username and password are entered, the Trojan records the information.
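The snooping technique above, as an added example that is not part of the USSS deck: a small shell monitor that pulls cleartext credentials out of a captured, unencrypted session, which is exactly what an attacker on a compromised router recovers, and which a defender can run over their own captures to find services that still send credentials in the clear. The input format is the text rendering of one TCP stream (what `tcpdump -A` or Wireshark's "Follow TCP Stream" produces); SAMPLE_STREAM, the host names, the accounts and the passwords in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the USSS deck: extract cleartext credentials from the
# text dump of an unencrypted TCP stream. Everything in SAMPLE_STREAM is
# constructed (made-up hosts, users and passwords).

SAMPLE_STREAM='USER alice
PASS Winter2024!
230 Login successful.
GET /portal/login HTTP/1.1
Host: intranet.example.com
Authorization: Basic Ym9iOmh1bnRlcjI=
POST /bank/login HTTP/1.1
Host: onlinebank.example.com
Content-Type: application/x-www-form-urlencoded

username=carol&password=s3cret&submit=Login'

# extract_plaintext_creds: reads one stream on stdin and prints one line per
# credential found: "ftp user:pass", "http-basic user:pass", "http-form user:pass".
extract_plaintext_creds() {
    user=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF line endings
        case "$line" in
            USER\ *)  user=${line#USER } ;;          # FTP: password follows in PASS
            PASS\ *)  printf 'ftp %s:%s\n' "$user" "${line#PASS }" ;;
            Authorization:\ Basic\ *)                # HTTP Basic is base64, not encryption
                printf 'http-basic %s\n' \
                    "$(printf '%s' "${line#Authorization: Basic }" | base64 -d)" ;;
            *username=*password=*)                   # form POST body, one field per '&'
                u=$(printf '%s' "$line" | tr '&' '\n' | sed -n 's/^username=//p')
                p=$(printf '%s' "$line" | tr '&' '\n' | sed -n 's/^password=//p')
                printf 'http-form %s:%s\n' "$u" "$p" ;;
        esac
    done
}

# demo: run the extractor over the constructed stream
demo() {
    printf '%s\n' "$SAMPLE_STREAM" | extract_plaintext_creds
}

# Usage: sh snoop_check.sh capture.txt   (the script and file names are assumptions)
[ $# -eq 0 ] || extract_plaintext_creds < "$1"
```

Three protocols are matched because they are the ones still commonly found sending credentials in the clear: FTP (USER/PASS), HTTP Basic authentication (base64 only, trivially reversed) and HTML form logins posted over plain HTTP. Any hit on a production network is a finding in itself: the fix is to move the service behind TLS, since no amount of network monitoring makes a cleartext protocol safe against a compromised router.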

Network Intrusion Attack Techniques

Denial of Service Attacks:

A single host can be used to generate large quantities of traffic, causing a target, or the network to which it is connected, to become so flooded that the target host becomes incapable of responding to valid requests. When many hosts (for example a botnet) generate the traffic, the attack is a distributed denial of service (DDoS) and is much harder to block by source address.

Spoofing Attacks:

Faking a source IP address can allow firewalls to be bypassed, by making the traffic appear to have originated from a source authorized to pass through the firewall.

A spoofed IP address can also conceal the attacker's own IP address, making the traffic more difficult to trace. Because replies go to the spoofed address, spoofing is mostly useful for one-way traffic such as floods; ingress filtering at the network edge, which drops packets whose source address could not legitimately arrive on that interface, blocks most of it.

Threats Can Be From Internal Sources

Internal: the most expensive attacks come from inside (up to 10x more costly).

Source: CSI / FBI Security Study 2003

Threats Also Come from External Sources

External: 78% of attacks come from the Internet connection (up from 57% in 1999).

Source: CSI / FBI Security Study 2003

How to Report an Attack

1. Initiate the company's incident response plan.

2. Make appropriate contacts within the company (i.e. management, legal, public relations, IT, etc.).

3. Contain the attack.

a) Secure the area using physical security.

b) The victim company may “back up” the system; for evidentiary purposes a bit-for-bit image of the disks is preferable to a file-level backup, and every action taken on the system should be logged with its time.

c) Collect and preserve electronic evidence (floppy disks, CDs, skimmers, caller ID boxes, network activity logs!).

4. Report the attack to the US Secret Service.

Network Incident Report

1. Assistance that is being requested.

2. Type of incident (denial of service, malicious code or virus, intrusion).

3. Type of service, information, or project compromised.

4. Damage done (system downtime, cost of incident, number of systems affected).

Details for Denial of Service

1. Apparent source IP address.

2. Primary systems involved (IP address, Operating System versions).

3. Method of operation: a) tool used b) packet flood c) malicious packet d) ports attacked

4. Remediation performed

- application moved to another system.

- memory or disk space increased.

Details for Malicious Code

1. Apparent source (diskette, CD, email attachment, software download).

2. Primary systems involved (IP address, Operating System versions).

3. Type of malicious code (virus, Trojan horse, worm).

4. Remediation performed

- Anti-virus product obtained, updated, installed.

- New policy instituted on attachments.

- Firewalls, routers, or email servers updated to detect and scan attachments.

Details for Unauthorized Access

1. Apparent source (IP address, host name).

2. Primary systems involved (IP address, Operating System versions).

3. Avenue of attack: a) cracked password b) trusted host access c) vulnerability exploited d) hacker tool used e) social engineering

4. Remediation performed

- Patches applied.

- Operating System reloaded.

System Analysis

• Make a mirror (bit-for-bit) image of the system and examine the image, not the live host

• Compare with a previous back-up if available:

– wtmp files

– History logs

– Message logs

– syslog

– Firewall logs

– Router logs

– Proxy server logs

System Analysis

• Examine all files run with cron

– cron is the job scheduler; intruders add cron entries so that their backdoors and sniffers are restarted automatically

• Review the /etc/passwd file for alterations (new accounts, extra UID 0 accounts, changed shells)

• Unauthorized services

– Backdoor access through trojaned or known-vulnerable versions of finger, rsh, rlogin, telnet, etc.

System Analysis

• Check for sniffer programs

• Check for trojan horses

• Search for setuid and setgid files

– A setuid-root file planted by the intruder lets them regain root at will; compare the list against a known-good system

• Search for “+” entries in /etc/hosts.equiv and .rhosts files

– A “+” wildcard trusts any host (or any user), allowing incoming rsh/rlogin connections from a “trusted” system without a password

System Analysis

• Look for unusual or hidden files

• Review all the processes currently running on the system

• Verify the above information with the system administrator and against the previous back-up
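The System Analysis checks above, collected into shell functions as an added example (not code from the USSS deck). Every function takes ROOT, the mount point of the forensic image being examined (for example /mnt/evidence, an assumed path), so the checks read the copy and never the compromised host itself. The file locations are the usual ones on Linux and BSD systems and are assumptions to adjust for the system under examination.

```shell
#!/bin/sh
# Added example, not from the USSS deck: post-intrusion triage of a mounted
# forensic image. Each function takes ROOT (e.g. /mnt/evidence; an assumption).

# setuid/setgid binaries: an intruder's root-regaining shell shows up here.
# Diff the output against the same listing taken from a known-good backup.
find_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# UID 0 accounts other than root in /etc/passwd
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# "+" wildcard entries in hosts.equiv or .rhosts: any host (or user) may
# rlogin/rsh in without a password. Output: file:line:entry
find_rhosts_wildcards() {
    for f in "$1/etc/hosts.equiv" "$1/root/.rhosts" "$1"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        grep -n '^[[:space:]]*+' "$f" | sed "s|^|$f:|"
    done
    return 0
}

# cron jobs that run from /tmp, /dev/shm or a dot-directory: a common way to
# keep a backdoor or sniffer restarting after reboot. Output: file:line:entry
find_suspicious_cron() {
    for f in "$1/etc/crontab" "$1"/etc/cron.*/* \
             "$1"/var/spool/cron/* "$1"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -nE '/tmp/|/dev/shm/|/\.[A-Za-z0-9_]' "$f" | sed "s|^|$f:|"
    done
    return 0
}

# hidden files and directories in places that should not hold any
find_hidden_files() {
    find "$1/tmp" "$1/var/tmp" "$1/dev" -name '.*' 2>/dev/null | sort
}

# run_all ROOT: print every finding with a tag, ready for the incident report
run_all() {
    find_setuid_files     "$1" | sed 's/^/setuid-setgid: /'
    find_uid0_accounts    "$1" | sed 's/^/uid0-account: /'
    find_rhosts_wildcards "$1" | sed 's/^/rhosts-wildcard: /'
    find_suspicious_cron  "$1" | sed 's/^/cron: /'
    find_hidden_files     "$1" | sed 's/^/hidden: /'
}

# Usage: sh triage.sh /mnt/evidence   (script and mount names are assumptions)
[ $# -eq 0 ] || run_all "$1"
```

Running processes and sniffers are deliberately not covered here: a process listing taken from the image is meaningless, and on the live host the intruder's rootkit may have replaced `ps` and `netstat`, so that data must be captured from the running system with trusted binaries before it is powered down.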

Useful Information

• Network topology

• Configure to prevent as many security holes as possible

• Observe and detect anomalous behavior

• Prevent the attacker from capitalizing on the attack

• Eliminate the attacker’s access to the system

• Recover the integrity of the network

• Follow-up with lessons learned

Operation Firewall

Case involving the illegal sale of financial account information, credit cards, passports, driver’s licenses, birth certificates, Social Security cards, insurance cards and diplomas using the internet.

• 33 Arrests (24 US, 9 overseas)

• 27 Search Warrants

• 11+ Plant seizures

• 100+ Individual Computers Seized

• Anticipated future arrests and search warrants both within the United States and overseas

Case Study 1: Wholesale Club Wireless Access Vulnerability

• Inventory Control system used wi-fi bar code readers

• System installed did not utilize built-in encryption or security features.

• Access to network was wide-open to any user in store parking lot with laptop computer and wi-fi access.

Case Study 1

• Access to inventory system allowed mainframe access.

• Exploit posted by criminal groups on forums

• Hundreds of thousands of credit cards and accounts were stolen, and the information was used for identity theft and counterfeit credit cards

Case Study 2: Law School

• Rogue employee (Office Manager) who was a prior felon and had access to sensitive data.

• Access to employee accounts and school credit cards

• Used the information obtained to apply for more credit cards

• Employee ran a travel agency and used the stolen funds to purchase airline tickets and cruises

• Was hired even though she had prior felony convictions

Case Study 3: Boston based Investment Firm

• Employee who was employed in the mailroom had access to customer account information from documents he observed

• Used information to transfer money out of customer accounts

• Had gambling addiction, used stolen funds to pay off debts

• Several thousand dollars of customer funds were stolen

Case Study 4: Boston based Real Estate Investment Firm

• Employee stole legitimate corporate checks from employer

• Checks were counterfeited using the bank account of the corporation

• Hundreds of thousands of dollars were taken over a period of time

• Money was used to purchase Mercedes vehicles and properties in New York and Massachusetts

Prevention

• The guiding principle of the Electronic Crime Task Force's approach to both our protective and investigative missions is our “focus on prevention”.

• “Harden the target” through preparation, education, training and information sharing.

Prevention

• Proper development of business policies and procedures before the incident.

• Strong documentation and reporting practices starting at the beginning of the incident.

• Internal computer forensics and log analysis.

• Technical briefings for law enforcement during the entire course of the investigation.

• Victim loss documentation and assistance in trial preparation.

Security Suggestions

• Capture logs on another system

• Rename (rotate) logs periodically

• Encrypt log files

• Analyze logs on a routine basis

• Use additional monitoring programs to corroborate log information
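The first three suggestions above, as an added example that is not part of the USSS deck: once logs are copied to a collector, the collector needs a way to prove they have not been changed since. These shell functions seal each log file with a SHA-256 digest in a manifest held on the collecting host, verify a file against its seal, and rotate an active log into a sealed, timestamped copy. The script, file and manifest names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the USSS deck: tamper evidence for logs that have
# been copied to another system. Detection only: an attacker who can edit the
# manifest as well as the log defeats it, so the manifest must live on the
# collector (or be stored read-only), never on the monitored host.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1      # BSD/macOS fallback
    fi
}

# seal_log FILE MANIFEST: append "<digest>  <file>  <utc-timestamp>"
seal_log() {
    printf '%s  %s  %s\n' "$(sha256_of "$1")" "$1" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$2"
}

# verify_log FILE MANIFEST: exit 0 if the file matches its latest seal,
# 1 if it has changed, 2 if it was never sealed
verify_log() {
    sealed=$(grep -F "  $1  " "$2" 2>/dev/null | tail -n 1 | cut -d' ' -f1)
    [ -n "$sealed" ] || return 2
    [ "$sealed" = "$(sha256_of "$1")" ]
}

# rotate_log FILE MANIFEST: rename the active log with a timestamp, seal the
# closed copy, start a fresh file, print the closed file's name. The daemon
# writing the log must then be told to reopen it (e.g. SIGHUP), or it keeps
# writing to the renamed file.
rotate_log() {
    closed="$1.$(date -u +%Y%m%d%H%M%S)"
    mv "$1" "$closed" && : > "$1"
    seal_log "$closed" "$2"
    printf '%s\n' "$closed"
}

# Usage: sh logseal.sh seal|verify|rotate FILE MANIFEST  (names are assumptions)
case "${1:-}" in
    seal)   seal_log   "$2" "$3" ;;
    verify) verify_log "$2" "$3" ;;
    rotate) rotate_log "$2" "$3" ;;
esac
```

A log that verifies is evidence that can be corroborated against firewall, router and proxy logs sealed the same way; a log that fails verification is itself an indicator, and the sealed copies on the collector are what the incident report should cite.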
