CLAIMS INVESTIGATIONS IN THE AGE OF THE INTERNET OF THINGS - LARRY DANIEL, ENCE, ACE, AME, CTNS, CTA, CWA, DFCP, BCE
CLAIMS INVESTIGATIONS IN THE AGE OF THE INTERNET OF THINGS
Larry Daniel, ENCE, ACE, AME, CTNS, CTA, CWA, DFCP, BCE
© 2017 Envista Forensics
Outline
• Internet of Things
  • What is it?
  • History
  • Types of IoT
    • Always on devices
    • Smart home devices
    • Wearable technology
    • Vehicles
    • Industrial/Business applications
• Security Risks
  • Bugs (Undocumented Features)
  • Hacking
  • Ransomware
• Investigations
  • When the data is created
  • Where the data is located
  • How the data is acquired
  • How the data can be used
Internet of Things (IoT)
• What is the Internet of Things?
  • 1980s: Carnegie Mellon University
  • Programmers would connect via the internet to the Coke machine to see if a drink was available, and if it was cold.
Source: https://www.cs.cmu.edu/~coke/history_long.txt

Internet of Things (IoT)
• What is the Internet of Things?
  • Any device with an on/off switch that is connected to the internet
  • The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items embedded with electronics, software, sensors, and network connectivity—that enables these objects to collect and exchange data (Petchatz.com)
Internet of Things (IoT)
• Milestones: Barcode Reader (1952)
  • First ever built in a New York apartment by Norman Joseph and Bernard Silver
  • Ability to create and store data for retailers, shipping, inventory management…powerful when coupled with RFID

Internet of Things (IoT)
• Milestones: RFID (1990)
  • Olivetti Badge System is invented to track a person’s location.

Internet of Things (IoT)
• Milestones: Big Data / Cloud (2008-2009)
  • According to Cisco Internet Business Solutions Group (IBSG), the Internet of Things was born between 2008 and 2009, at simply the point in time when more “things or objects” were connected to the Internet than people.
  • 12.5 billion connected devices in 2010
  • Why it is needed: the ability to store and transmit massive amounts of data generated by devices, sensors, websites, applications, etc.

Internet of Things (IoT)
• Cellular Network / Big Data / Cloud
  • “The company (Ericsson) also expects IoT device shipments to swell from 4.6 billion in 2015 to 15.7 billion in 2021, which represents a 22% six-year compound annual growth rate…This would mean that approximately 1.5 billion IoT devices would be connected to cellular networks by 2021.”
  • Near global access: 90% of the world covered by cellular signal
  • LTE and Beyond
Source: http://www.businessinsider.com/cellular-networks-key-to-internet-of-things-2016-6
IoT Devices
• Always on devices
  • Always listening…?
  • Data collection
    • Data stored on local devices: cell phones, computers
    • Data stored in the cloud: associated accounts

IoT Devices
• Vehicles
  • Cellular connection
  • Autonomous
  • Semi-autonomous
    • Tesla “Summon”

IoT Devices
• Wearable technology
  • Beyond fitness!
  • Medical: athletic performance, medical analytics
  • Logistics: people movement, animal movement
    • Livestock are one of the first uses of IoT, including tracking movement, fertility, behavior, lactation…
  • Government: tracking, monitoring

Internet of Things (IoT)
• What the Future Holds
  • Hyper-connection is the future, and it is coming fast.
IoT Devices
• Garmin Fenix 5X
  • Tracks my performance metrics
    • Can keep history of my activity spanning years
    • Third party application integration
    • Daily steps and when they were taken
  • Tracks almost everything about me
    • Heart rate throughout the day
    • Down to the minute heartrate tracking
    • Stress analytics based upon heart rate and HRV (heart rate variability)
    • Location activity, routes, maps, saved segments
    • Can contain maps inside the watch for almost the entire world
IoT Devices
• Smart home
  • Next wave in home design
  • Convenience: automated HVAC, integrated multimedia
  • “Security”: video cameras, video doorbells and intercoms, smart locks
  • Accessibility: voice commands, scheduling tasks (lawncare, sprinklers)
  • Efficiency: auto shut-off lights, smart appliances

IoT Devices
• Industrial Controls / Business Applications
  • Automation
  • Precision
  • Logistics
  • Data Analytics

IoT Security Risks
• Ransomware
  • Will become more widespread
  • Greater probability of holding physical assets ransom

Ransomware
• What is it?
• How do you get it?
• What is the purpose?
• Best practices to remove?
• Best practices to avoid it?
Ransomware
• What is it?
  • Malware that locks computer in some way
  • Comes in different flavors
    • The not good
      • User still has rudimentary control of system / popups, etc.
      • Fake Antivirus: goal is to be very annoying and scare the user; pay to go away
      • Not even the Macolytes are safe!
    • The bad
      • System locked
      • Prevents access to computer files and programs
      • Typically, underlying files are left alone
    • The really ugly
      • Encryption: cryptoransomware
Rise of the Ransomware
• Charts shown:
  • Ransomware infections, Jan 2015 – Apr 2016
  • Ransomware type by year: takeover of the ugliest
  • Ransomware infections by region, Jan 2015 – Apr 2016
  • Consumer vs. organization infections, Jan 2015 – Apr 2016
  • Infections by organization sector, Jan 2015 – Apr 2016
Source: Symantec, An ISTR Special Report: Ransomware and Businesses 2016
Cryptoransomware Life Cycle
• Typical Scenario (AKA Cryptware)
  • Arrives as an email attachment
  • Looks innocuous
  • Cryptware attached to a ZIP or other common file
• Arrival and Infection
  • ZIP file
  • Fake document
Sources: "UPDATED: All You Need to Know About CTB Locker, the Latest Ransomware Generation - Heimdal Security Blog." Heimdal Security Blog, 27 Sept. 2016. Web. 08 Nov. 2016. "Blocking the Locky Ransomware Virus - Update and Tips." Greenview Data Blog, 20 June 2016. Web. 08 Nov. 2016.
Cryptoransomware Life Cycle
• The Effect
  • Ransomware executes itself in “hidden” areas: memory, registry
  • Files appended / encrypted
  • (Screenshot: SysTracer, a utility tool that was monitoring a computer when a ransomware .exe file was run)
Source: TrendMicroInc. "Ransomware 101: Digital Extortion in Action." YouTube, 08 July 2015. Web. 08 Nov. 2016.
Cryptoransomware Life Cycle
• The Effect
  • Ransom note displayed
    • In new window
    • Desktop wallpaper
    • Examples: Locky, Jigsaw, Cryptolocker
  • Scare tactics – or truth?
    • Yes, files are encrypted
    • Yes, there is a key to decrypt
    • Some allow one file
    • Some choose files at random
    • Some allow you to choose files
Sources: TrendMicroInc. "Ransomware 101: Digital Extortion in Action." YouTube, 08 July 2015. Web. 08 Nov. 2016. Rogueamp. "Locky Ransomware Demonstration." YouTube, 20 Feb. 2016. Web. 08 Nov. 2016. ThePCSecurity. "Scariest Ransomware Ever? | Meet Jigsaw." YouTube, 09 Sept. 2016. Web. 08 Nov. 2016. PBSNewsHour. "Ransomware Attack Takes down LA Hospital for Hours." YouTube, 29 Feb. 2016. Web. 08 Nov. 2016.
Cryptoransomware Life Cycle
• The Stickup
  • Deadline
  • Countdown timer
  • List of encrypted files
  • Explanation of private key encryption
  • Ransom amount
  • Payment instructions
  • Threat to user about trying to remove cryptware

Cryptoransomware Life Cycle
• The Choice
  • User chooses between
    • Restore to a clean backup
    • Pays the ransom and hopefully receives private key
  • This is a business!
    • Help desks
    • FAQs
Cryptoransomware Life Cycle
• The Aftermath
  • Assessing the damage
    • Once discovered, the damage is already done.
    • What was affected?
      • LOCAL COMPUTER
      • EXTERNAL DRIVES
      • SHARED DRIVES
      • NETWORKED COMPUTERS
      • BACKUP SERVERS
Ransomware
• The Aftermath
  • Data Recovery
    • Depends on cryptware used.
    • Fake antivirus / screen locker
      • ROLL BACK TO LAST CLEAN BACKUP
      • DELETE RANSOMWARE PROGRAM AND FILES
    • Cryptoransomware
      • ROLL BACK TO LAST CLEAN BACKUP
      • DECRYPTION TOOLS
      • BRUTE FORCE TOOLS
        • Some encryption types can be broken – but many cannot.
    • How the FBI fixes it…
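Added example (not from the slides or from Envista): a triage script for the damage-assessment step above. It walks the scopes the slide names (local computer, external and shared drives), counts files carrying an appended extension, and uses a byte-entropy check to separate files that were actually encrypted from ones a screen locker merely renamed. The extensions, note names and sample tree are constructed placeholders.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed indicators: an analyst substitutes the note names and appended
# extensions of the actual strain; these are placeholders, not real IoCs.
SUSPECT_EXTENSIONS = {".locky", ".encrypted"}
NOTE_NAMES = {"_HELP_instructions.txt", "HOW_TO_DECRYPT.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; real ciphertext approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str) -> str:
    """Return 'note', 'encrypted', 'renamed-only' or 'intact' for one file."""
    name = os.path.basename(path)
    if name in NOTE_NAMES:
        return "note"
    with open(path, "rb") as fh:
        head = fh.read(4096)  # the first 4 KiB is enough to judge entropy
    if os.path.splitext(name)[1].lower() in SUSPECT_EXTENSIONS:
        # A locker may rename without encrypting; entropy tells the two apart.
        return "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "renamed-only"
    return "intact"

def triage(roots: dict) -> dict:
    """Map each scope label (LOCAL, EXTERNAL, SHARED ...) to per-class counts."""
    return {label: dict(Counter(classify(os.path.join(d, f))
                                for d, _, files in os.walk(root) for f in files))
            for label, root in roots.items()}

def make_fixture() -> dict:
    """Constructed two-scope tree standing in for a hit workstation and its share."""
    base = tempfile.mkdtemp()
    scopes = {s: os.path.join(base, s) for s in ("LOCAL", "SHARED")}
    # Plain text is low-entropy; bytes(range(256)) repeated stands in for ciphertext.
    samples = {
        ("LOCAL", "claims_2016.xlsx.locky"): bytes(range(256)) * 16,
        ("LOCAL", "_HELP_instructions.txt"): b"Your files are encrypted. Pay to decrypt.",
        ("LOCAL", "readme.txt"): b"Quarterly claims summary, unaffected. " * 50,
        ("SHARED", "policy.docx.locky"): bytes(range(256)) * 16,
        ("SHARED", "archive.zip.locky"): b"renamed but still readable text " * 100,
    }
    for (scope, name), content in samples.items():
        os.makedirs(scopes[scope], exist_ok=True)
        with open(os.path.join(scopes[scope], name), "wb") as fh:
            fh.write(content)
    return scopes
```

Running `triage(make_fixture())` reports one encrypted file, one note and one intact file under LOCAL, and one encrypted plus one renamed-only file under SHARED; on a real case the roots would be the mounted evidence copies of each scope.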
Cryptoransomware Life Cycle
• The best defense
  • Prevention
    • Educate users in best practices
      • Email attachments: trusted sources
      • Legitimate businesses almost never send attachments (airlines, banks, retail stores)
      • When in doubt, pick up the phone and verify
  • IT protocols
    • Disallow some attachment types: ZIP, EXE
    • Protection software: antivirus, email scanners
    • Backup your data! Multiple locations, air-gapped
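Added example (not from the slides or from Envista) of the "disallow some attachment types" protocol above as a mail-gateway check: it flags ZIP and EXE attachments, looks inside a ZIP for the same, and catches the "fake document" pattern where an executable hides behind a document-looking second suffix. The extension sets and the sample message are constructed placeholders.

```python
import io
import zipfile
from email.message import EmailMessage

# Policy from the slides: disallow ZIP and EXE attachments. The extension
# sets here are constructed placeholders an administrator would tune.
BLOCKED_EXTENSIONS = {".exe", ".zip"}
# Suffixes a "fake document" lure borrows to look innocuous.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def extension_chain(filename: str) -> list:
    """All dotted suffixes, lowercased: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in filename.lower().split(".")[1:]]

def check_filename(filename: str) -> list:
    """Policy findings for one attachment name; an empty list means allowed."""
    chain = extension_chain(filename)
    findings = []
    if chain and chain[-1] in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension {chain[-1]}: {filename}")
    # 'report.pdf.exe' reads as a document in file managers that hide the last suffix.
    if len(chain) > 1 and chain[-2] in DOCUMENT_EXTENSIONS and chain[-1] not in DOCUMENT_EXTENSIONS:
        findings.append(f"document-looking double extension: {filename}")
    return findings

def check_message(msg: EmailMessage) -> list:
    """Apply the policy to every attachment, and to the members of any ZIP."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings += check_filename(name)
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    findings += [f"inside {name}: {f}" for f in check_filename(member)]
    return findings

def build_sample() -> EmailMessage:
    """Constructed lure shaped like the 'invoice in a ZIP' arrival on the slides."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016.pdf.exe", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_2016.zip")
    msg.add_attachment("Meeting notes, harmless.", filename="notes.txt")
    return msg
```

`check_message(build_sample())` returns three findings: the ZIP itself, the blocked .exe inside it, and the double extension; the harmless notes.txt passes.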
Next wave
• Connected devices
• Meeting you where you are at

IoT Security Risks
• Hacking
  • Thousands or millions of insecure connected devices
  • Leaves critical systems and data around the world at risk
IoT Security Risks
• Hacking
  • Connected vehicles
Source: https://www.envistaforensics.com/news/the-most-hackable-cars-on-the-road-1
IoT Security Risks
• Hacking
  • Mirai Botnet
    • Largest DDoS (Distributed Denial of Service) attack in history, against the service provider Dyn
    • Used an IoT botnet
    • Once computers were infected with Mirai they continually searched for vulnerable IoT devices using known default usernames and passwords. Devices like DVR players and digital cameras.
    • Took huge portions of the internet down including Twitter, The Guardian, Netflix, Reddit, CNN.
Sources: https://securityledger.com/2017/12/mirai-botnet-authors-plead-guilty/ and https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities/
IoT Security Risks
• Hacking
  • Cardiac devices
    • Early this year, CNN wrote, “The FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said.
    • “The vulnerability occurred in the transmitter that reads the device’s data and remotely shares it with physicians. The FDA said hackers could control a device by accessing its transmitter.”
Source: https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities/

IoT Security Risks
• Hacking
  • Owlet Baby Monitor
    • Alerts parents if baby is having heart trouble
    • Hackers could cause false signals or cause device to stop reporting
Source: https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities/

IoT Security Risks
• Hacking
  • TRENDnet Webcam Hack
    • TRENDnet transmitted user login credentials in clear, readable text over the Internet, and its mobile apps for the cameras stored consumers’ login information in clear, readable text on their mobile devices, the FTC said.
    • Allowed hackers to watch the video feed from the camera in real time.
Source: https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities/

IoT Security Risks
• Hacking
  • Industrial Robot Arm
    • “At the IEEE Security & Privacy conference later this month, they plan to present a case study of attack techniques they developed to subtly sabotage and even fully hijack a 220-pound industrial robotic arm capable of wielding gripping claws, welding tools, or even lasers.”
Source: https://www.wired.com/2017/05/watch-hackers-sabotage-factory-robot-arm-afar/
IoT Investigations
• Data Repositories
  • Evidence collected from sensors and smart devices
    • Actual “smart” IoT devices themselves
  • Evidence collected between smart devices and outside world
    • Computer forensics, cell phone forensics, firewalls, IPS (Intrusion Prevention Systems), IDS (Intrusion Detection Systems)
  • Evidence collected from outside the network
    • Cloud data, social networks, ISPs (Internet Service Providers), cellular providers, online application data

IoT Investigations
• Wearable Technology
  • Cell Phone Forensics: data contained in apps themselves
  • Computer Forensics: data contained in online accounts and local computer
  • Wearable Forensics: data contained on actual wearable
IoT Investigations
• Vehicle Forensics
  • In-vehicle infotainment
  • Vehicle telematics
  • Data types
    • 3rd party application data
    • USB, Bluetooth, WiFi connections
    • Call logs, contact lists, messages
    • Pictures, videos, social media feeds
    • Location data, navigation information
    • Event data with associated time and location
    • Connected devices
    • Track logs
    • Velocity logs: vehicle velocity and corresponding timestamp
QUESTIONS?
Envistaforensics.com