10 May
Instructions
In order to complete assignment #5 you will need to answer the questions below. Please complete the questions in a Word document and then upload the assignment for grading. When assigning a name to your document, please use the following format (last name_Assignment #5). Use examples from the readings, lecture notes and outside research to support your answers. The assignment must be a minimum of 4 full pages in length with a minimum of 3 outside sources. Please be sure to follow APA guidelines for citing and referencing sources.
1) We have started the process to extradite the people responsible for the OPM incident. We need to cross all of our Ts and dot all of our Is. So, you need to use the information from your readings this week to put together the key facts of the case: the search warrants, the evidence collected, etc. should all be discussed. In essence, this is a continuation of your Week 2, 3, and 4 work, so I am looking for an executive summary of the information we can submit to the proper authorities to start the process. We are going to have to convince all parties involved that the suspects are not being railroaded and that all proper procedures have been followed.
2) In addition, while you are working through this, does Rule 41 have any effect on the investigation, i.e., will it help or hinder our investigation?
United States Office of Personnel Management (OPM) Incident
Steven A. Bruner (4151593)
American Military University
17 April 2022
The US Office of Personnel Management (OPM) announced in July 2015 that it had been the target of a successful cyber-attack. The leaked data included extensive information about background investigations, security clearance applications and investigations, and fingerprint cards. The breach was one of the most significant in history, and its effects continue to be felt by federal employees and their families. This post provides a summary of the key aspects of the case as well as some key or critical pieces of data found by investigators. Next, it analyzes what could have been done differently during this investigation, based on this specific situation, and shares insight into investigative procedures. Lastly, it offers a few suggestions on what could be done better in future incidents of this kind.
Summary of Key Aspects of the Case
The OPM hack was an attack that began at least as far back as October 2014. It wasn't until May 2015 that the US government publicly acknowledged it had occurred. The hackers were able to obtain personal data on more than 22 million individuals. This included the names, addresses, and Social Security numbers of 4.2 million people; information regarding 1.1 million background investigations; and approximately 21.5 million sets of fingerprints, including 1.1 million that were not available elsewhere in federal databases or other sources (Finklea et al., 2015). In June 2015, the Office of Personnel Management announced that it had begun work to implement new security protocols and that the breach had not been fully contained.
Key or Critical Pieces of Data Found
Investigators were able to retrieve the malware used by the hackers. This malware had a unique signature: just as a computer virus carries some type of "signature" that identifies it, so does malware. In this cyber-attack, the tool set used was known as "Dewdrop." Investigators were able to identify those responsible for the attack by looking at the digital footprints they left behind, including where they came from and where they went after committing their crime or crimes. One of the more interesting findings was how the attackers kept the breach under wraps for so long: they had masked their tracks and hidden their locations. It wasn't until they tried to move their data that they were caught (Finklea et al., 2015). They were moving it over the internet, normally an easy task with all the tools available today. However, because of how clean the hackers' work had been, it was easier for them to be caught, as every time you go online you have a unique identifier (an IP address). Investigators were able to identify four people responsible for this attack, three from China and another from Pakistan.
In terms of what could have been done differently, investigators were able to identify the individuals responsible for the attack and the locations they were based in. However, to stop this type of crime from happening again, it would help to get a better understanding of why they are doing this. Their reasoning is most likely to give us some insight into how we can prevent similar attacks in the future. It is difficult to say whether investigators will ever be able to uncover a motive for this attack (Finklea et al., 2015). Even though they were able to identify who committed the attack and where they were located, they were unable to get any information as to why they did it or how much data was taken before it was discovered.
In terms of search warrants and evidence that would be collected, investigators would need to gather certain types of information. Their first step is to identify the malicious code and who created it as well as where it originated from. Once they have determined who is responsible for this breach, they will gather all available digital data related to the case. This includes phone logs, financial records, emails, IP addresses used, social media accounts/profiles (Facebook and Twitter), and device data such as computer fingerprints or any digital artifacts left behind on a computer or mobile device.
Suggestions for Future Investigations
In terms of future investigations and how they could be improved, OPM should make sure it has adequate security measures in place to prevent future breaches. It could also improve its communication with investigators to make sure they know when things happen and receive adequate information as soon as possible. Investigators should also make sure that an investigation has enough manpower to complete it expeditiously.
I am not sure if there were any things that could have been done differently, but I think we can all agree it was an incredibly large breach in terms of the number of people impacted by this attack. It could have been prevented by establishing better security measures. This is concerning to me as more and more sensitive data is stored on the internet and many companies do not have adequate security measures in place. Although OPM worked quickly to notify individuals who were potentially impacted by this breach, I believe they could have done a better job of contacting all those potentially impacted by this attack. It is difficult to say whether investigators will ever be able to uncover a motive for this attack. Even though they were able to identify who committed the attack and where they were located, they were unable to get any information as far as why they did it or how much data was taken before it was discovered.
Finklea, K., Christensen, M. D., Fischer, E. A., Lawrence, S. V., & Theohary, C. A. (2015, July). Cyber intrusion into U.S. Office of Personnel Management: In brief. Congressional Research Service, Library of Congress, Washington, DC. https://apps.dtic.mil/sti/citations/ADA623611
PSYCHOLOGICAL ASPECTS BEHIND THE OPM ATTACK
Steven A. Bruner (4151593)
American Military University
24 April 2022
In June 2015, the US OPM stated that its information technology systems had been attacked through cyberspace. The personal information of 4.2 million current and former government employees may have been compromised in this incident. During the same month, OPM then discovered a series of cyber-attacks that compromised the information of 21.5 million individuals who had records in its databases, including background checks on potential housing candidates.
This breach was one of the most significant to occur in a government system in recent memory. The incident was identified using the Einstein system of the Department of Homeland Security (DHS). Through Einstein, the DHS keeps a close eye on government Internet use for any signs of potential cyber threats (Fruhlinger, 2020). The attackers were able to get in using security credentials belonging to a KeyPoint Government Solutions salesperson. This person did “federal background checks and worked on OPM frameworks” and so had access to OPM systems (Hinck & Maurer, 2019).
“At an insights conference, an admiral, executive of the National Security Organization (NSA), and chief of the U.S. Cyber Command, Michael Rogers, did not reveal who may be responsible for the hack (es)” (Hinck & Maurer, 2019). However, James Clapper (Director of National Intelligence) said the next day in the same speech that China was the leading suspect in the breaches. If China had access to the material gleaned during the attack, it was unclear how it might use it.
Only a few experts disagreed with the theory that China is compiling a comprehensive list of government officials to identify US government officials and what their specific roles are. Spearphishing emails may trick recipients into establishing an interface or connection that will provide access to the general computer framework, which is another option for discovering the data.
The FBI charged Chinese malware broker Yu Pingan for his role in distributing malware. The allegations say that Pingan supplied hackers with malware that enabled them to gain access to many US-based computer networks. The Sakula Trojan was also included in this group. On August 21st, at Los Angeles International Airport, he was taken into custody by LAPD officers. Two unidentified hackers were said to have collaborated with Pingan on a harmful attack against U.S. firm networks between April 2011 and January 2014 (Fruhlinger, 2020).
One of the tools used in the OPM attack was also used in the Anthem data compromise in 2015. Pingan pled guilty to his role in the plot and acknowledged that Sakula was used to help him breach OPM. However, even though he was not explicitly tied to the OPM attack, the same malware he used against Anthem led authorities to suspect him of involvement in that incident.
The Deep Panda Group
Hacker group Deep Panda is supported by the Chinese government and was thought to have been involved in the OPM incident. “Patterns uncovered in the Internet's address book, known as the domain registration system, connect Deep Panda to the Anthem and Premera breaches” (Finnemore & Hollis, 2016). Deep Panda often registers look-alike domains that closely resemble the legitimate ones it wants to use as a redirect: for example, we11point.com imitates WellPoint, the name Anthem used to go by.
Following the OPM breach, iSIGHT discovered a trend of similar-sounding names being used to create these bogus domains, and domain registration data turned up several similar OPM look-alike websites. Despite the evidence discovered, investigators still had some doubts and other reasons to believe that Deep Panda was not responsible.
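As an added example (not code from the essay or any cited source), the following detector flags newly registered domains that imitate a protected brand the way we11point.com imitates wellpoint.com; the homoglyph table, watch list and candidate domains are constructed for the demo.

```javascript
// Added example (not from the essay or any cited source): flag registered
// domains that visually imitate a protected brand domain, the pattern the
// essay describes for we11point.com versus wellpoint.com.
// The homoglyph table, watch list and candidate domains are constructed.

// Characters and digraphs commonly substituted for look-alike letters.
// Applied to both the candidate and the brand, so a false positive needs
// the two to collide after the same normalization.
const HOMOGLYPHS = {
  '0': 'o', '1': 'l', '3': 'e', '5': 's', '7': 't', '8': 'b',
  'vv': 'w', 'rn': 'm', 'cl': 'd',
};

// Canonical form of a label so that visually similar spellings collide.
function normalizeLabel(label) {
  let out = label.toLowerCase();
  for (const [glyph, plain] of Object.entries(HOMOGLYPHS)) {
    out = out.split(glyph).join(plain);
  }
  return out.replace(/[-_]/g, ''); // well-point and wellpoint compare equal
}

// Registrable label only. Assumption: a two-level split is enough for the
// sample inputs (no multi-part public suffixes such as co.uk).
function baseLabel(domain) {
  const parts = domain.toLowerCase().split('.').filter(Boolean);
  return parts.length >= 2 ? parts[parts.length - 2] : (parts[0] || '');
}

// Levenshtein distance, used to catch one-character typos after normalization.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + subst);
    }
  }
  return d[a.length][b.length];
}

// Returns { brand, verdict } for a domain that imitates a protected brand
// ('legitimate' when it is the brand itself), or null when unrelated.
function classifyLookalike(candidate, protectedDomains) {
  const cand = normalizeLabel(baseLabel(candidate));
  for (const brand of protectedDomains) {
    const ref = normalizeLabel(baseLabel(brand));
    if (cand === ref) {
      const own = candidate.toLowerCase() === brand.toLowerCase();
      return { brand, verdict: own ? 'legitimate' : 'exact-lookalike' };
    }
    if (editDistance(cand, ref) <= 1) return { brand, verdict: 'near-lookalike' };
  }
  return null;
}

// Constructed watch list and a constructed batch of new registrations.
const PROTECTED = ['wellpoint.com', 'anthem.com', 'opm.gov'];
const NEW_REGISTRATIONS = ['we11point.com', 'wellpoint.com', 'anthern.com',
  'vvellpoint.net', 'welpoint.com', 'oprn.gov', 'example.org'];

// Everything in the batch that imitates a watched brand; the brand's own domain is skipped.
function scan(domains = NEW_REGISTRATIONS, protectedList = PROTECTED) {
  return domains
    .map((domain) => ({ domain, match: classifyLookalike(domain, protectedList) }))
    .filter((r) => r.match && r.match.verdict !== 'legitimate');
}

console.log(scan());
```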
X1 & X2
The Congressional OPM data breach report named two groups: X1 and X2. It used these labels because it either did not want to say, or did not know, who was responsible. Exfiltrating manuals and the IT system architecture were the only things the X1 group could not get its hands on. By December of that year, the attackers' attempts to infiltrate the networks of multiple contractors (such as USIS and KeyPoint) that did background checks on federal personnel and had access to OPM computers were well documented.
OPM intended to perform a system reset in March 2014 to eliminate any intruders from the system. Meanwhile, an entirely different group, X2, was able to gain access to the system by exploiting the credentials of a different resource.
However, this access went undetected, and as a result, when the whole system was purged, it was not removed. X1 and X2 have not been identified as belonging to the same organization or even as a single individual, but they may still have worked together even if they are not the same actor. This belief was formed because X1 had obtained information that may have been advantageous to X2's goals. It was also unclear whether Deep Panda (discussed above) was one of them.
Understanding why certain crimes are committed, establishing profiles of prospective suspects, and connecting crimes to individuals or groups will continue to be important to its success. Behavior analysis employs both inductive and deductive approaches. In deductive investigations, a suspect's characteristics may be hypothesized based on the investigation of certain components of the case. According to inductive reasoning, a suspect has the characteristics of an offender because of their generalization from empirical research.
Analyzing behavior patterns and comparing them is an important element of behavioral science. Criminals may not be aware that their actions are comparable to others'. According to the definition, "signature actions are generally indications of some desire or drive the suspect seeks to appease" (Rogers, 2016).
When Deep Panda engages in criminal conduct, it follows the same procedure each time, and as a result it was suspected of involvement based on its profile. Although X2's domain names (Steve Rogers, Tony Stark, etc.) appeared to show some wit, it was hard to tell. These names may represent a certain style: the attackers may have used them to showcase their work and/or to ensure that what they produced is remembered by others.
Behavioral analysis may also be used to determine whether one criminal or a group of criminals is responsible for various crimes. In these scenarios an investigator would be looking for a comparable modus operandi (MO) or conduct. MOs are learned behaviors that might change as a person grows older or improves their abilities.
Because of this, other people may have been led to assume that X1 and X2 are the same actor. If OPM was about to do a complete system reset, X1 may have learned of this and been unable to access the system afterward. The individual or group would then have had to develop a new strategy to preserve their position in the system once they realized this might happen.
They may have had to alter their entry strategy to accomplish this. There is a chance that X2 would have been spotted earlier had they used the same technique. X1 was able to install keyloggers after getting in using legitimate employees' credentials. There is a possibility that X1 and X2 are the same individuals because X2 had also used personnel credentials (Soesanto, 2019). The only way to remain inside was to modify at least a portion of their MO. A backdoor and a means of maintaining their access were created with the aid of malware.
The OPM hack was a complex case, as evidenced by the preceding paragraphs. Psychological profiles are a tool for analyzing people's thoughts and feelings. However, they can only help if there is actual evidence to back up their claims. Two people can come to different conclusions based on how they profile. Rather than a fact, an individual's profile is more of a hypothesis in need of verification. It's only a personal viewpoint if that's the case.
It is also possible that those who profile may not consider all of the relevant factors. For example, a profiler unfamiliar with technology may be unable to make certain connections that a profiler knowledgeable about technology can. To facilitate these connections, it may be helpful to have two people working together. Then, it may be easier to reach a conclusion and gather the relevant evidence.
Finnemore, M., & Hollis, D. B. (2016). Constructing norms for global cybersecurity. American Journal of International Law, 110(3), 425-479.
Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security practices meet China's Captain America. CSO Online, International Data Group (IDG).
Hinck, G., & Maurer, T. (2019). Persistent enforcement: Criminal charges as a response to nation-state malicious cyber activity. Journal of National Security Law & Policy, 10, 525.
Rogers, M. K. (2016). Psychological profiling as an investigative tool for digital forensics. In Digital Forensics (pp. 45-58). Syngress.
Soesanto, S. (2019). The evolution of US defense strategy in cyberspace (1988–2019). ETH Zurich.
BROWSER FINGERPRINTING
Steven A. Bruner (4151593)
American Military University
1 May 2022
The hacking process is said to have started in November 2013, when the attackers first breached the OPM networks. This group or attacker was referred to as X1, the name used in the congressional OPM data breach report. Though X1 was not capable of accessing any personnel data at that time, it was able to exfiltrate manuals as well as IT system architecture information. In the physical world, a person's fingerprints are unique to that person. In the online world, it is the browser configuration that may end up pointing to a person. Though most individuals use similar browsers, their hardware and software configurations differ enough that they can effectively act as user IDs.
Browser fingerprinting makes it possible to acquire granular information about every single parameter of that configuration. For example, it can reveal the default language the user has set for the browser and identify the installed fonts, among other things. Like a human fingerprint, an individual's browser has a set of unique traits that can be traced back to the user, along with anything they end up doing on the internet. Whenever a person browses the internet, most web portals capture some of this information, such as the screen size and the browser type, in order to provide an appropriate experience (Durey et al., 2021).
Additionally, browser fingerprinting can be used for identification as well as tracking. Websites can record all sorts of data about an individual through their fingerprint and then connect it to other identical fingerprints, with the aim of building a precise picture of the user's browsing behavior and website activities.
The main objective of browser fingerprinting is to acquire as much information as possible about a visitor's identity and personality, getting to know a website's visitors based on their browser configuration. This is of great use in the context of cybersecurity and fraud prevention, where specific parameters may immediately point to suspicious configurations. For example, browser fingerprinting can detect when users rely on spoofing or emulator tools, which should raise suspicion about their intentions on the website.
Since these fingerprints are quite unique, they also operate as user IDs. This permits advertisers and marketers to monitor users across the web and deliver targeted content based on a person's online activities. It is also important to understand that browser fingerprinting is a contentious practice, which is why several privacy advocacy groups have developed anti-fingerprinting and anti-tracking tools and techniques. The configuration of swirls and lines that makes up a person's fingerprint is perceived to be unique to that person. In a similar way, a user's browser fingerprint can be defined as the set of information gathered from a person's laptop or phone every time it is used, enabling advertisers to automatically link it back to the user (Pugliese et al., 2020).
Browser fingerprinting is a permissionless and stateless technique: the identifier is generated on the server side rather than by placing a strong identifier in the client's available storage. As a result, it is quite possible to use browser fingerprinting to help trace hackers and other attackers.
The Am I Unique website uses a comprehensive list of 19 data points. The most significant attributes include whether cookies are enabled, the platform currently in use, the kind of browser and its version, the computer in use by the user, and whether tracking cookies have been blocked on the computer.
Durey, A., Laperdrix, P., Rudametkin, W., & Rouvoy, R. (2021, July). FP-Redemption: Studying browser fingerprinting adoption for the sake of web security. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 237-257). Springer, Cham. https://link.springer.com/chapter/10.1007/978-3-030-80825-9_12
Iqbal, U., Englehardt, S., & Shafiq, Z. (2021, May). Fingerprinting the fingerprinters: Learning to detect browser fingerprinting behaviors. In 2021 IEEE Symposium on Security and Privacy (SP) (pp. 1143-1161). IEEE. https://ieeexplore.ieee.org/abstract/document/9519502/
Pugliese, G., Riess, C., Gassmann, F., & Benenson, Z. (2020). Long-Term Observation on Browser Fingerprinting: Users’ Trackability and Perspective. Proc. Priv. Enhancing Technol., 2020(2), 558-577. https://sciendo.com/downloadpdf/journals/popets/2020/2/article-p558.pdf