What can you learn from reading the exploits of the most successful hacking ring ever brought to justice? Last week, the US Attorney’s Office in NJ unsealed their indictment against a mostly Russian—one American co-conspirator was also named—gang of cyber-criminals who are alleged to have snatched over 160 million credit card numbers resulting in more than $300 million in losses over seven years. In scanning through the indictment, I was left with the strong impression that this group had a rock-solid business model, excelled at executing on their plans, and was actually good at following IT security principles—better than their victims.
According to the government’s investigation—based heavily on chat sessions between the hacking principals—stolen credit card numbers were sold through wholesale networks: US numbers would go for $10, Canadian for $15, and European for $50. The hacking gang, which the government more accurately referred to as an organization, would offer bulk discounts—i.e., corporate payment schedules. The distribution network would then resell stolen data through their channels to end users.
By the way, this hacking organization did not take credit card payments for their services—just bank wire transfers and Western Union. Good move, on their part, because, don’t you know, credit card numbers are vulnerable to theft.
Their hack craft was a little more advanced than the common cyber thief’s. They relied heavily on SQL injection attacks to break into websites, rather than brute-force password guessing. The retailer, banking, and credit card company victims validate yet again the stats from Verizon’s Data Breach Investigations Report on the most heavily hacked sectors. In a few cases, the hackers chose retailers based on the type of point-of-sale (POS) equipment, because they could install specially configured software sniffers to vacuum up unencrypted card numbers. And yet again, these mostly food and clothing retailers were PCI compliant.
After breaking in, the hackers then had the more complex problem of where to find the credit card number and other personal identifying data. In hack terminology, this is known as post exploitation.
To get a better understanding of post-exploitation methodology, you’ll need to go over to the dark, or at least the gray, side. So I decided to take a look through the archives of Defcon—“the world’s longest running and largest underground hacking conference.”
I came across a good presentation on this subject written by two penetration testers (or pen testers, as they’re known in the business). They note that the job of the hacker is to “hide in plain sight”, and in bold red font on one of their slides is the command, “Don’t be an anomaly”. Another slide points out that getting root access is not necessarily a desirable goal for a hacker, because it’s also the user level that is most likely to be audited.
This is generally solid advice, but of course the hackers can’t know ahead of time the long-term average behaviors of users, and there is, ahem, software that can spot atypical file access patterns.
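As an added illustration of the kind of check such software performs (example code written for this post, not a product’s or the pen testers’ code), the script below builds a per-user baseline of which file shares are normally touched and how many events a day are normal, then flags a day in which a user reaches for shares outside that baseline or generates far more access events than usual. The audit lines, user names and share paths are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample audit lines (not from any real system): "date user share action".
BASELINE_LOG = """\
2013-07-01 alice fs1/finance read
2013-07-01 bob fs1/marketing read
2013-07-02 alice fs1/finance write
2013-07-02 bob fs1/marketing read
2013-07-03 alice fs1/finance read
2013-07-03 bob fs1/marketing write
"""
# Day under review: bob suddenly reads shares he has never used, in bulk.
TODAY_LOG = """\
2013-07-04 alice fs1/finance read
2013-07-04 bob fs1/marketing read
2013-07-04 bob fs1/finance read
2013-07-04 bob fs1/finance read
2013-07-04 bob fs1/cardholder-data read
2013-07-04 bob fs1/cardholder-data read
"""

def parse(log):
    """Yield (date, user, share, action) from whitespace-separated lines."""
    return (tuple(l.split()) for l in log.splitlines() if l.strip())

def build_baseline(log):
    """Per user: the set of shares normally used and the peak events/day."""
    shares, per_day = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for date, user, share, _action in parse(log):
        shares[user].add(share)
        per_day[user][date] += 1
    return shares, {u: max(d.values()) for u, d in per_day.items()}

def find_anomalies(baseline_log, today_log, volume_factor=3):
    """Flag access to a share outside the user's baseline ('new_share') and a
    daily event count above volume_factor x the user's historical peak ('volume')."""
    shares, peak = build_baseline(baseline_log)
    counts, alerts = defaultdict(int), []
    for _date, user, share, _action in parse(today_log):
        counts[user] += 1
        alert = (user, "new_share", share)
        if share not in shares[user] and alert not in alerts:
            alerts.append(alert)
    for user, n in counts.items():
        if n > volume_factor * peak.get(user, 0):
            alerts.append((user, "volume", n))
    return alerts
```

Running the baseline log against itself produces no alerts; the review day produces two new-share alerts and one volume alert for bob, while alice, who keeps to her usual pattern, stays quiet.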
Anyway, the two pen testers suggest you come in as an ordinary user and selectively hijack credentials and sessions. So which user should a hacker pick? Their overall advice is to “know the target environment”, then learn “who has access to what”, and find out “where is the data.”
Hmmm, where have I seen these words before? Obviously, this is core IT data governance wisdom that every sys admin should be applying in their daily work. It’s perhaps a bit counter-intuitive that we have pen testers to thank for making a solid governance case in a presentation on post-exploitation techniques. But in the upside-down world of hacking, it’s the cyber thieves who are doing a better job than the targeted companies at seeing the value in the data and applying good IT practices.
I have—and you should as well—little patience for those who want to scrimp on data governance as part of a security mitigation program. Ultimately, you want to be better than a cyber-gang at really knowing your data.
(By the way, Defcon 21 starts up this week in Las Vegas, and there’ll be more papers presented on post exploitation.)