CloudCamp Chicago “Cloud Security” #cloudcamp @CloudCamp_CHI Sponsored by Hosted by
Transcript
Page 1: CloudCamp Chicago - March 2nd 2015 - Cloud Security

CloudCamp Chicago

“Cloud Security”

#cloudcamp @CloudCamp_CHI

Sponsored by

Hosted by

Page 2: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Emcee

Margaret Walker, Cohesive Networks

Tweet: @CloudCamp_Chi #cloudcamp


Page 3: CloudCamp Chicago - March 2nd 2015 - Cloud Security

… sponsored by you!

• Chacko Kurian - Complete Health Systems, LC
• Joshua Beckman - ThreadMeUp
• Alex Connor - Advisory Board Company
• Lynn Diegel - USG
• Joshua Inglis - Propllr
• JoAnn Becker - ARC
• William Knowles - Evident.io
• Taylor Speaker - Nexum Inc.
• Ron Zirkin - XO Communications
• Walter Torres - Sears
• Paul Flig - Heartland Technology Group
• Corey Yates - Datalogics, Inc

Page 4: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Mark your calendars - CloudCamp Chicago on April 8

Page 5: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Agenda

6:00 pm: Introductions
6:05 pm: Lightning Talks
• "The Chicago Electronic Crimes Task Force" - Patrick Hogan, Assistant to the Special Agent in Charge at U.S. Secret Service
• "Information Security Breach Trends" - Michael Roytman, Data Scientist at Risk I/O @mroytman
• "Keeping hardware secure, even after its useful life" - Jim Tarantino, VP Global Sales at MarkITx @JimTarantino
7:00 pm: Unpanel
7:45 pm: Unconference / Networking, drinks and pizza


Page 6: CloudCamp Chicago - March 2nd 2015 - Cloud Security

"The Chicago Electronic Crimes Task Force"

Patrick Hogan, Assistant to the Special Agent in Charge at U.S. Secret Service

Tweet: #cloudcamp


Page 7: CloudCamp Chicago - March 2nd 2015 - Cloud Security

United States Secret Service
Chicago Electronic Crimes Task Force
ATSAIC Patrick Hogan

rev. 03/02/15

Page 8: CloudCamp Chicago - March 2nd 2015 - Cloud Security

History / Statutory Authority

• 1865 - Secret Service created to fight counterfeit currency
• 1901 - Assigned Presidential Protection duties
• 1948 - Title 18 USC § 470-474 (Counterfeiting & Forgery)
• 1984 - Title 18 USC § 1029-1030 (Access Device Fraud, Computer Hacking)
• 1986 - Title 18 USC § 1030 (Computer Hacking, Expanded)
• 1990 - Title 18 USC § 1344 (Bank Fraud)
• 1996 - Title 18 USC § 514 (Fictitious Obligations)
• 1998 - Title 18 USC § 1028 (Identity Theft, Expanded)
• 2001 - USA PATRIOT Act (Expanded Cyber Investigations & ECTFs)
• 2003 - Title 18 USC § 1037 (CAN-SPAM Act)
• 2004 - Title 18 USC § 1028A (Aggravated Identity Theft)

Page 9: CloudCamp Chicago - March 2nd 2015 - Cloud Security

USSS Cyber Organization Overview

Field Office Investigations – Field agents conduct investigations of cyber crimes with venue and impact within their local districts. Training available to field agents includes:

• BICEP – Basic Investigation of Computers and Electronic Crimes Program: One week instruction provided to all USSS Special Agents as part of their initial academy training program.

• BNITRO – Basic Network Intrusion Responder Program: Three week training course focused on the knowledge, skills, and tools necessary to conduct network intrusion investigations.

• ECSAP – Electronic Crimes Special Agent Program: Initial training comprised of five weeks instruction in computer forensics, with extensive continuing education to follow.

• Continuing Education and Other – Numerous courses are available to agents covering topics such as advanced network intrusion, electronic evidence, mobile wireless, and others.

Page 10: CloudCamp Chicago - March 2nd 2015 - Cloud Security

USSS Cyber Organization Overview

• National Computer Forensics Institute: The nation’s only federally funded training center dedicated to instructing state and local officials in digital evidence and cyber crime investigations.
  • Run by the USSS and the Alabama Office of Prosecution Services.
  • Attendees receive advanced tuition-free training in forensics and network intrusion.
  • Graduates are eligible to participate in USSS ECTF program.
  • Other training program topics include mobile wireless, computer evidence, judge and prosecutor training and others.

NCFI, Hoover, Alabama. http://www.ncfi.usss.gov

• USSS Electronic Crimes Task Force (ECTF): 36 Regional ECTF locations throughout the United States; 2 International
  • ECTF members support federal, state, and local investigations.

Page 11: CloudCamp Chicago - March 2nd 2015 - Cloud Security

USSS Cyber Organization Overview

Page 12: CloudCamp Chicago - March 2nd 2015 - Cloud Security

USSS Cyber Organization Overview

Working Groups – Agents volunteer for temporary overseas assignments to work in concert with foreign counterparts. Typical duties include assisting with the execution of Mutual Legal Assistance Treaty (MLAT) requests.

• Dutch – Partnership with the Dutch National High Tech Crime Unit
  • 30 day assignment, increasing to 90 days in 2015
• Baltic – State Police of Latvia
  • 3 week assignment, increasing to 30 days in 2015
• Europe – Wiesbaden, Germany. Partnership with the German Federal Criminal Police Office (BKA)
  • 90 day assignment

BKA Building, Wiesbaden, Germany http://www.bka.de

Page 13: CloudCamp Chicago - March 2nd 2015 - Cloud Security

USSS Cyber Organization Overview

Foreign Offices – Liaison and work with foreign counterparts worldwide

VANCOUVER, MEXICO CITY, LIMA, BOGOTA, OTTAWA, MONTREAL, BRASILIA, MADRID, LONDON, PARIS, THE HAGUE, FRANKFURT, ROME, TALLINN, BUCHAREST, SOFIA, PRETORIA, AMMAN, MOSCOW, BANGKOK, HONG KONG, BEIJING, SYDNEY

Page 14: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Cyber Intelligence Investigations Overview

Pro-active investigations
• Historical tracking of known / identified suspects
• Targeting of financially motivated cyber criminals with significant impact or threat to the financial infrastructure of the United States
• Identification of offenders, gathering of evidence and intelligence

Investigative tactics
• Cooperating sources
• Undercover operations

Intelligence gathering
• Open source
• Historical data mining
• Inter-agency cooperation

Charging, apprehension, extradition, prosecution

Page 15: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Anatomy of a Hack


Page 16: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Point of Sale

Port 5631

Port 3389

Ports 5800 & 5900

Page 17: CloudCamp Chicago - March 2nd 2015 - Cloud Security

U.S. Secret Service Cyber Crime Targets

Card Vending Sites

Automated websites for the sale of stolen credit cards
• Advertised on forums
• Administered by cyber criminals
• Sell stolen cards obtained through skimming operations, online retailer breaches, large scale point of sale breaches, etc.
• Customer support
• Refund policies

Page 18: CloudCamp Chicago - March 2nd 2015 - Cloud Security

U.S. Secret Service Case Study: Maksik

As of 2006, “Maksik” has been identified as a prolific vendor of stolen credit card data.
• Operates and advertises on several high-level forums
• Operates a card vending site

Page 19: CloudCamp Chicago - March 2nd 2015 - Cloud Security

U.S. Secret Service Case Study: Maksik

Undercover operation leads to Maksik
• Undercover USSS agent conducts multiple purchases of stolen credit cards from an associate of Maksik
• The associate eventually introduces the UC agent to Maksik
• The UC agent conducts purchases from Maksik and establishes a rapport.
• Data analysis identifies Maksik as Maksym Yastremskiy, a Ukrainian
• Maksik discusses interest in vacationing in Thailand, agent offers to meet and serve as tour guide.

Page 20: CloudCamp Chicago - March 2nd 2015 - Cloud Security

U.S. Secret Service Case Study: Maksik

Undercover operation continues
• UC agent travels with Maksik for a second vacation in Dubai, UAE
• At the suggestion of the UC agent, they go on a 6 hour safari
• During this time, other agents and local law enforcement execute a search warrant and surreptitiously image Maksik’s computer

Page 21: CloudCamp Chicago - March 2nd 2015 - Cloud Security

U.S. Secret Service Case Study: Maksik

Apprehension in Turkey
• Maksik agrees to meet the UC agent in Turkey for another vacation
• MLAT submitted to Turkish authorities requesting arrest of Maksik
• Upon Maksik’s arrest he is in possession of a laptop computer containing extensive credit card data
• Based upon the possession of that data, on January 8, 2008, Maksik is convicted in Turkey and sentenced to 24 years in prison.

Page 22: CloudCamp Chicago - March 2nd 2015 - Cloud Security

U.S. Secret Service Case Study: Maksik

Johnny Hell
• Known to have been active in the carding underground since 2002.
• Hacked dozens of U.S. companies to obtain stolen credit cards.
• Identified as Estonian national Aleksandr Suvorov
• Also involved with real estate – built a restaurant and hotel in Tallinn, Estonia.
• Arrested in Frankfurt, Germany in 2008 at USSS request
• Extradited to the United States, convicted and currently serving 10 year sentence.

Page 23: CloudCamp Chicago - March 2nd 2015 - Cloud Security

U.S. Secret Service Case Study: Maksik

Page 24: CloudCamp Chicago - March 2nd 2015 - Cloud Security

U.S. Secret Service Case Study: Maksik

End of Story?...

Not Quite…
• In 2012, Ukraine authorities arranged for a “prisoner swap.”
• Maksik is extradited to the Ukraine in October 2012.
• December 2012 – Ukraine court reviews the Turkish conviction, finds the sentence to be inappropriate under Ukraine law, reduces the sentence to five years imprisonment and unspecified fines, allows for time served in Turkey and releases Maksik.

Now, End of Story?...

Not Yet It’s Not…
• Maksik is still wanted on charges filed in the United States
• Any travel outside of Ukraine to an extraditable country will result in likely apprehension
• We can be patient.

Page 25: CloudCamp Chicago - March 2nd 2015 - Cloud Security

United States Secret Service
Chicago Electronic Crimes Task Force
ATSAIC Patrick Hogan

Page 26: CloudCamp Chicago - March 2nd 2015 - Cloud Security

"Information Security Breach Trends"

Michael Roytman, Data Scientist at Risk I/O

Tweet: @mroytman #cloudcamp


Page 27: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Attacker Behavioral Analysis

Page 28: CloudCamp Chicago - March 2nd 2015 - Cloud Security

BREACHES by CVE 2014

Page 29: CloudCamp Chicago - March 2nd 2015 - Cloud Security

[Chart panels: 2014 Q1, Q2, Q3, Q4]

Page 30: CloudCamp Chicago - March 2nd 2015 - Cloud Security
Page 31: CloudCamp Chicago - March 2nd 2015 - Cloud Security

CVEs over time

Page 32: CloudCamp Chicago - March 2nd 2015 - Cloud Security

CVEs over time (normalized)

Page 33: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Thanks! @mroytman

Page 34: CloudCamp Chicago - March 2nd 2015 - Cloud Security

"Keeping hardware secure, even after its useful life"

Jim Tarantino, VP Global Sales at MarkITx

Tweet: @JimTarantino #cloudcamp


Page 35: CloudCamp Chicago - March 2nd 2015 - Cloud Security

© MarkITx, Inc. 2014 All rights reserved. Confidential.


Page 36: CloudCamp Chicago - March 2nd 2015 - Cloud Security


IT hardware is a commodity. It should trade like one.

Page 37: CloudCamp Chicago - March 2nd 2015 - Cloud Security


IT investments directly impact an organization’s ability to innovate and compete.

Changes in software & cloud

Hardware commoditization & increased refresh rates

IT demands skyrocketing but budgets remain flat

Preventing organizations from innovating at faster rates

Directly impacting organizations’ ability to compete

[Chart: IT Budget vs. IT Demand; axis 0% to 20%; values shown: 15% and 1.8%]

Page 38: CloudCamp Chicago - March 2nd 2015 - Cloud Security


Inefficient secondary markets are holding back enterprises from realizing the full return on their IT investments.

Page 39: CloudCamp Chicago - March 2nd 2015 - Cloud Security


No reliable fair market value

Poor resale value by selling to few vendors/brokers

Brokers get majority value; enterprises write-off assets quickly

Data security concerns remain

Unclear commitment to environment

Enterprises unaware of true market value and wary of risks

Page 40: CloudCamp Chicago - March 2nd 2015 - Cloud Security


What do buyers & sellers expect from the market?

Transparent, market driven pricing

Seamless trading

Guaranteed quality & security

Page 41: CloudCamp Chicago - March 2nd 2015 - Cloud Security


What to look for in your IT partner?

Transparent, market driven pricing

Seamless trading

Guaranteed quality & security

• Neutral, never taking a position on a trade
• Maximize ROI by recouping up to 40% of initial investment
• Numerous buyers and not just 1-2 actively bidding on products

Page 42: CloudCamp Chicago - March 2nd 2015 - Cloud Security


What to look for in your IT partner?

Transparent, market driven pricing

Seamless trading

Guaranteed quality & security
• Guarantee end to end process in terms of quality and security
• Works only with Tier 1 partners to deliver all aspects of after market and reverse logistics services including audit, DOD certified data destruction, refurbishing & shipping
• Environmentally friendly recycling with green certification
• Source-certified refurb gear minimizing risk of counterfeits
• Anonymous

Page 43: CloudCamp Chicago - March 2nd 2015 - Cloud Security


What to look for in your IT partner?

Transparent, market driven pricing

Seamless trading

Guaranteed quality & security

• Quick pickup of gear along with full tracking & transparency throughout process
• Easy web and mobile tools to trade
• Comprehensive product lifecycle management services

Page 44: CloudCamp Chicago - March 2nd 2015 - Cloud Security


Example: Equipment that retains over 30% of original value after 3 years or more

Category | Item | New Price | Current FMV | % value retained | Age of equipment
Storage | Dell PowerVault MD3220i | $14,356 | $5,250 | 37% | 4.5 years
Server | Dell PowerEdge R620 | $7,100 | $2,924 | 41% | 3 years
Router | Cisco ASR1002 | $9,500 | $3,000 | 32% | 4.5 years
Switch | Juniper EX2200-48P-4G | $2,100 | $675 | 32% | 4.5 years

Page 45: CloudCamp Chicago - March 2nd 2015 - Cloud Security


Thank you.

Page 46: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Un-panel Discussion

volunteer to join the panel & ask questions from the floor!


Page 47: CloudCamp Chicago - March 2nd 2015 - Cloud Security

Unconference

Small groups & discussions, network

Pizza’s almost here!
