Friday 6 December 2013

Standard Chartered 'Hacked'

Hack, Evidence, Prosecution, Processes, Trust and Moving on.....



In a recent incident involving James Raj, allegedly known as The Messiah, Standard Chartered client statements were found on his laptop. The news quickly pushed readers towards hating the Anonymous group that James Raj was supposedly part of.

While we have no visibility as to how the data got onto James Raj's laptop, one thing I would question is the evidence gathered. It is not simply a matter of blaming him because the data was on his laptop. Investigators must find evidence showing that it was indeed James Raj who stole the information, in the form of logs from both the laptop and Fuji Xerox. A company like Fuji Xerox would surely have log gathering and management in place, and investigators must ensure that the logs tally, confirming that a network connection was indeed made from James Raj's IP address to Fuji Xerox's server.

Cyber forensic investigators must also be able to retrieve the logs from the laptop, not just to confirm that the laptop was used, but to confirm that no other connections were made from other sources to James Raj's machine that used it as a proxy to attack FX. The timings of the connections must be in sync, and the metadata of the logs must not be tampered with (especially by amateur evidence handlers).

Below is a high-level graphical example of how James Raj's machine could have been used in the theft of the data.



How could this be possible?

During #OpTunisia, there were a lot of protests against the Tunisian government. This led to outsiders wanting to take part as well. As they were outside Tunisia, they relied on the internet to voice their unhappiness with the Tunisian government. Government websites were hacked and defaced (no information was stolen) by hackers. The Tunisian government fought back by blocking all connections from outside Tunisia to the government websites. A hacker known as Sabu managed to find a Tunisian citizen's machine to use as a proxy to connect to the government website. All he had to do was connect to that machine as a proxy and attack the Tunisian government website from there. Reports stated that, due to the small pool of experts in handling such incidents, the owner of that machine was arrested while the hacker went free.

Source: From the Book 'We are Anonymous' by Parmy Olson. Page 143 - 146

Lesson that we can Learn

Skillful hackers do not connect to and attack the target directly from their own machines, but that does not mean that n00b hackers do not know how to hide their tracks as well. Investigators need to identify the logs properly and securely, and ensure that the evidence is in no way tampered with during the course of the investigation. These logs must exist on both the machine and the server so that the recorded connections can be confirmed as genuine and in sync. If logs or files are suspected to have been deleted, investigators should clone the entire hard disk image, use a data recovery tool, and identify the evidence from there. The operating system itself should be checked for whether ports such as telnet and other shell-like services, or vulnerabilities, were open or present. This could be further evidence that James Raj's laptop was already vulnerable to other machines connecting to it, possibly using his machine to leverage the attack. Only once all of this has been gathered will the public be confident in the methodologies, processes and techniques used during the gathering of the evidence, and that all possible scenarios of an external party using Raj's machine as a proxy to attack have been covered.
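As an added example of the cross-checks described above (this is not code from the post, and nothing here is taken from the actual investigation), the script below correlates a constructed laptop connection log with a constructed document-server access log: it records a SHA-256 of each log as acquired, matches every server request from the laptop's address against an outbound connection on the laptop within a small clock-skew tolerance, flags server requests the laptop log cannot account for (a possible sign of deleted logs or unsynchronised clocks), and lists inbound connections accepted by the laptop shortly before each matched request, which is the proxy scenario the post worries about. The server name, IP addresses, ports and timestamps are all placeholders invented for the example.

```python
"""Added example (not from the post): correlating a suspect laptop's connection
log with a document server's access log, the check the post calls for.

All inputs are constructed placeholders: the server name "fx-docs", the IP
addresses, ports and timestamps are invented for this example.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed sample: connections recorded on the laptop.
# Format: timestamp direction local_port remote_ip:remote_port
LAPTOP_LOG = """\
2013-11-04T22:10:03 IN  3389 203.0.113.77:51234
2013-11-04T22:11:15 OUT 49152 198.51.100.10:443
2013-11-04T22:11:40 OUT 49153 198.51.100.10:443
2013-11-05T01:02:00 OUT 49201 192.0.2.55:80
"""

# Constructed sample: access log of the document server ("fx-docs", placeholder).
# Format: timestamp client_ip path
SERVER_LOG = """\
2013-11-04T22:11:16 198.51.100.200 /statements/export.zip
2013-11-04T22:11:41 198.51.100.200 /statements/list
2013-11-04T23:30:00 198.51.100.200 /statements/export.zip
"""

LAPTOP_PUBLIC_IP = "198.51.100.200"  # assumed address the laptop presented to the server
SERVER_IP = "198.51.100.10"          # assumed address of the document server
CLOCK_SKEW = timedelta(seconds=5)    # tolerated drift between the two clocks


def evidence_hash(text):
    """SHA-256 of a log exactly as acquired. Recording it before analysis lets
    anyone later check that the copy being examined was not altered."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_laptop(text):
    entries = []
    for line in text.splitlines():
        ts, direction, lport, remote = line.split()
        rip, rport = remote.rsplit(":", 1)
        entries.append({"ts": datetime.fromisoformat(ts), "dir": direction,
                        "lport": int(lport), "rip": rip, "rport": int(rport)})
    return entries


def parse_server(text):
    entries = []
    for line in text.splitlines():
        ts, ip, path = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "ip": ip, "path": path})
    return entries


def correlate(laptop, server):
    """Split server requests from the laptop's IP into those backed by an
    outbound connection on the laptop (within CLOCK_SKEW) and those that are
    not. An unmatched request points to a gap: deleted laptop logs, a shared
    address, or a clock that was not in sync."""
    matched, unmatched = [], []
    for req in server:
        if req["ip"] != LAPTOP_PUBLIC_IP:
            continue
        backed = any(c["dir"] == "OUT" and c["rip"] == SERVER_IP
                     and abs(c["ts"] - req["ts"]) <= CLOCK_SKEW for c in laptop)
        (matched if backed else unmatched).append(req)
    return matched, unmatched


def inbound_before(laptop, req, window=timedelta(minutes=10)):
    """Inbound connections accepted by the laptop shortly before a server
    request: the proxy scenario, where a third party drives the laptop."""
    return [c for c in laptop if c["dir"] == "IN"
            and timedelta(0) <= req["ts"] - c["ts"] <= window]


def review(laptop_text, server_text):
    """Run the whole check and return a summary an investigator can file."""
    laptop, server = parse_laptop(laptop_text), parse_server(server_text)
    matched, unmatched = correlate(laptop, server)
    suspicious = {}
    for req in matched:
        hits = inbound_before(laptop, req)
        if hits:
            suspicious[req["ts"].isoformat()] = sorted({c["rip"] for c in hits})
    return {
        "laptop_log_sha256": evidence_hash(laptop_text),
        "server_log_sha256": evidence_hash(server_text),
        "matched": len(matched),
        "unmatched": [r["ts"].isoformat() + " " + r["path"] for r in unmatched],
        "inbound_before_matched": suspicious,
    }


if __name__ == "__main__":
    for key, value in review(LAPTOP_LOG, SERVER_LOG).items():
        print(key, value)
```

On the constructed data the two evening requests are backed by outbound connections on the laptop, but each is preceded by an inbound connection from a third address on port 3389, which is exactly the pattern an investigator would need to explain before attributing the requests to the laptop's owner; the 23:30 request has no counterpart in the laptop log at all, which is the kind of gap that should trigger the disk-image and recovery step described above. The hashes are only useful if they are taken at acquisition time and kept separately from the working copies.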

Recent News may give Govt a Hard Time

Recent news about a government chemist in the States who was found guilty of tampering with evidence, which resulted in many innocent people going to jail, will definitely be on many minds, raising questions about the genuineness of the evidence and the prosecution of James Raj should he be found guilty of the charges made against him.




Moving Forward

The way for organizations and companies to know whether they are ready for such an attack is to perform vulnerability assessments on their networks and servers. Only then will they know how they would fare against a potential attack. One mistake organizations make is trusting their own security department to handle such assessments, but as they always say, it is better to have a new pair of eyes see what the internal team may be blind to (similar to doing an audit). Hire ethical hackers/pentesters to simulate a real-world attack on your servers and networks and see how deep they can penetrate. Of course, rules of engagement and a non-disclosure agreement must be put in place to maintain the confidentiality and integrity of the assessment for both parties involved.
