
Hacking Exposed


by Aaron Philipp


  By the end of 2006, the SEC had launched several hundred formal and informal probes into the alleged stock option backdating, and hundreds, if not thousands, of other companies had launched their own internal investigations into past stock option granting practices. In addition to obvious concerns of potential fraud involved in purposely backdating option grants, especially where false statements or misrepresentations were made in support of the granting practices, many of these practices also violated the accounting practices at these companies, leading to the need to restate their financials and amend their financial disclosures for many years.

  What to Understand

  When investigating potential stock option backdating, you must understand the stock option grants in question. Stock options became a popular form of compensation and incentive compensation in the 1990s during the tech boom, as options offered companies a cheap alternative to cash compensation, with the potential for significant reward if the company was successful and its stock price increased relative to the price at the time of the grant. As such, many companies (especially in the high-tech industry) routinely granted stock options to new employees, to promoted employees in lieu of bonuses and raises, to directors for their service on the company’s board, as a reward for outstanding performance or to provide recognition for some achievement, or as a routine component of merit pay increases. You therefore need to understand whether all of the company’s option grant practices are in question or just certain types (such as those to officers and directors).

  Stock option grants are typically awarded pursuant to a defined stock option plan that has been approved by the company’s board and its shareholders. The relevant stock option plan will generally describe the terms upon which options are to be granted, including often defining when the grant date occurs and how the exercise or strike price is determined on that grant date.

  Stock option grants are generally approved by a company’s board of directors. However, it is not uncommon for the board to delegate its authority to a committee of directors, usually the compensation committee, or even to management. With regard to the specific grant type (officer, director, new hire, and so on), it is important that you understand who had the authority to approve such grants.

  In addition, certain types of stock option grants are discretionary and occur at random or infrequent intervals, while others are specifically planned to occur at certain points in time (such as the beginning of a quarter, last business day of the year, and so on). Obviously, option grants that have defined dates for being approved and granted preclude the idea of backdating to a more preferable date.

  In summary, the key question with regard to the potential for backdated stock option grants is whether an individual or group of individuals determined that stock option grants were to be awarded on one date but decided to “look back” to a different date when the company’s stock price was lower to provide some benefit to those who received the option grants. During the course of investigations into these matters, various other schemes or improper practices can be identified in addition to the simple question of backdating, but the primary questions remain: Were the options granted in accordance with the company’s stock option plan? Was the grant date the date when all the required granting actions and approvals had been completed and the exercise price was known?

  What to Look For

  Start with any contemporaneous evidence that may exist surrounding the stock option granting and approval process. Stock option approvals are typically evidenced by board or compensation committee meeting minutes or other documents executed by directors and known as unanimous written consents (UWCs) that are used in between scheduled board and committee meetings. However, questions often exist as to the veracity of certain board minutes or other documented evidence of decisions when the timing of option grants appears fortuitous. In such situations, additional investigation with the assistance of computer forensics specialists is often required to identify the existence of various contemporaneous documents prepared in support of the option grants, including when the documents were prepared and by whom, if they were modified and when, and when they were sent to others for review and approval. In more egregious situations, concerns can be raised as to the falsification of documents to support a grant date different from the original. The following areas have required detailed review in a number of our stock option backdating investigations.

  Detecting Modification of Documents

  Computer forensics will be called upon in these investigations for one primary purpose: to determine whether the documentation and timing around stock option grants were on the up and up or whether things were changed after the fact. The core skills needed to perform such an investigation are the same ones we have discussed throughout the book: looking at the metadata, seeing how the file changed over time, and comparing versions to see what was added and removed.

  What to Look For

  Again, these are techniques that have been largely discussed previously. However, you have some advantages due to the scale and timeframe of these investigations. Generally these investigations span large periods of time, and you will have access to many years’ worth of backup tapes. Since the files you will review are company records, more often than not they will be backed up on tape. Make sure that you not only perform the review on the document you are asked to look at, but also look to the backup tapes to see if the document exists on any earlier backups. For instance, if a grant was made in April 2004, and the tape backups show that the file changed size and content in June 2004, that can be a big indicator that backdating may have occurred. Create a report showing when the document was modified and what was taken out/added and work with the financial investigators to determine the importance. They can also help point you toward other supporting documents that may need to be reviewed as well, based upon the information you have provided.
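The two preceding sections describe the same technique: pull every copy of the grant document from successive backups, order the copies by tape date, and compare size and content between copies against the claimed grant date. The following script is an added example written for this page, not code from the book or its author; it uses a small constructed set of restored copies of a hypothetical unanimous written consent and a hypothetical grant date, and it flags any copy whose content differs from the previous tape after that date, listing the lines removed and added so the change can be handed to the financial investigators.

```python
import difflib
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    """One copy of the document as restored from a backup tape (hypothetical)."""
    tape_date: date
    content: str

    @property
    def size(self) -> int:
        return len(self.content.encode("utf-8"))

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content.encode("utf-8")).hexdigest()


def _line_changes(old: str, new: str):
    """Lines removed from and added to the document between two restored copies."""
    diff = list(difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0))
    removed = [l[1:] for l in diff if l.startswith("-") and not l.startswith("---")]
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    return removed, added


def build_timeline(snapshots, grant_date: date):
    """Walk the tapes in date order and record every point at which the file changed.

    Each event records whether the tape post-dates the claimed grant date; a copy
    whose size or content changed after that date is the indicator the text describes.
    """
    events = []
    prev = None
    for snap in sorted(snapshots, key=lambda s: s.tape_date):
        if prev is None:
            events.append({"tape_date": snap.tape_date, "kind": "first_seen",
                           "size": snap.size, "sha256": snap.sha256,
                           "removed": [], "added": [],
                           "after_grant": snap.tape_date > grant_date})
        elif snap.sha256 != prev.sha256:
            removed, added = _line_changes(prev.content, snap.content)
            events.append({"tape_date": snap.tape_date, "kind": "modified",
                           "size": snap.size, "size_delta": snap.size - prev.size,
                           "sha256": snap.sha256,
                           "removed": removed, "added": added,
                           "after_grant": snap.tape_date > grant_date})
        prev = snap
    return events


def changes_after_grant(events):
    """Only the modifications made after the grant date: the findings worth reporting."""
    return [e for e in events if e["kind"] == "modified" and e["after_grant"]]


def render_report(events, grant_date: date) -> str:
    """Plain-text report of when the document changed and what was taken out or added."""
    lines = [f"Document timeline (claimed grant date {grant_date.isoformat()})"]
    for e in events:
        flag = "  <-- changed after grant date" if e["kind"] == "modified" and e["after_grant"] else ""
        lines.append(f"{e['tape_date'].isoformat()} {e['kind']:<10} size={e['size']} "
                     f"sha256={e['sha256'][:12]}{flag}")
        lines.extend(f"    - {l}" for l in e["removed"])
        lines.extend(f"    + {l}" for l in e["added"])
    return "\n".join(lines)


# Constructed sample: three monthly tapes holding copies of the same consent document.
# The grant date and document text are hypothetical.
GRANT_DATE = date(2004, 4, 15)
SNAPSHOTS = [
    Snapshot(date(2004, 4, 30), "Unanimous Written Consent\nGrant date: April 15, 2004\nExercise price: $12.40\n"),
    Snapshot(date(2004, 5, 31), "Unanimous Written Consent\nGrant date: April 15, 2004\nExercise price: $12.40\n"),
    Snapshot(date(2004, 6, 30), "Unanimous Written Consent\nGrant date: April 2, 2004\nExercise price: $9.80\n"),
]
EVENTS = build_timeline(SNAPSHOTS, GRANT_DATE)

if __name__ == "__main__":
    print(render_report(EVENTS, GRANT_DATE))
```

On the constructed tapes the document is unchanged between the April and May backups and then changes on the June tape, where the grant date and exercise price lines are replaced; that June event is the one the report flags. In a real engagement the `content` of each `Snapshot` would be the text extracted from the restored file, and the tape date would be supplemented by the file system and application metadata discussed earlier in the book.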

  CHAPTER 20

  CORPORATE FRAUD

  Much has been made lately of identity theft, bot-nets, and good, old-fashioned malicious hacking. Increasing globalization and the spread of capitalism have brought about a new day in malicious hacking, where threats no longer involve the kid in the basement, but organized, multinational corporations and crime syndicates that have one goal in mind: to use technology to defraud Western society. Many books have been written on the art of incident response and how to investigate these attacks. The purpose of this chapter is not to reiterate what those books discuss, but to look at the issue from the perspective of a computer forensics examiner to see what additional information you can gather by adding proper computer forensic techniques to the arsenal of weapons used to combat malicious hackers. That being said, let’s start with a historical perspective on where these groups came from and what kind of methods they typically use.

  THE CHANGING LANDSCAPE OF HACKING

  Most of us have heard the stereotype by now: Sitting in a dark room, the solitary, antisocial hacker is working away, the only light the dim glow of the monitor, quietly spending the nights breaking into your computer network. In the past, this stereotype rang true. However, with the changing global landscape and the advancement of the Internet into developing third-world countries, the solitary American hacker is becoming a wistful memory. Today’s hacker has evolved into large, multinational corporations, based in emerging capitalist societies, whose bottom line depends upon the exploitation of American networks.

  To understand what is driving this change, let’s look at the example of the former Soviet Union. Under the former system of Soviet communism, bureaucracy and byzantine rules were the norm. This, combined with the lack of economic prosperity under this system, bred a culture in which it was acceptable to find ways to work around the system. This was further compounded by the fact that the best and brightest in the USSR were driven to science and mathematics.

  When capitalism broke out, the countries that formed the Soviet Union went through the normal growing pains of emerging capitalist societies. Even for the most educated individuals, it was hard to find work that would pay the bills. Couple this economic desperation with a fundamental distrust of rules and regulations, and you get the seeds of the modern hacking culture. These educated, well-connected individuals realized that there was money to be made in the Western world, no matter the legal ramifications, and with good reason. More often than not, the countries in which they reside shield these companies.

  There are many reasons for this. First, the governments are resource strapped and don’t have the money to go after these types of command-and-control, brutally efficient corporations. Second, as a complication for the West, these governments do not go after hackers due to corruption or other more nefarious reasons. Somewhat replacing the cloak and dagger of times past, these organizations provide countries a level of deniability they’ve never before experienced.

  The Russian Business Network

  A primary example of this new type of organization is the Russian Business Network (RBN). On the surface, the RBN appears to be an Internet service provider (ISP) that hosts Web sites and e-mail accounts. However, a bit of digging reveals its intent to be a bit more nefarious. It serves as the launching point for everything from spam to coordinated cyber-military strikes against countries such as Estonia and Georgia. Using the railroad industry as an analogue, RBN is the Union Pacific of the cyber-crime industry. It supplies the underlying infrastructure that allows these crimes to take place, and it takes infrastructure fees from the spoils of fraud. This can be incredibly profitable, as shown by the estimated $150 million profit made from just one instance of crime documented by Verisign. Without knowing it, most of us have come across an RBN-based scheme. They are some of the most prevalent schemes on the Internet, ranging from nuisances to events that can destroy companies and, worse, people’s lives.

  Infrastructure and Bot-Nets

  RBN does have traditional network infrastructure, like a telecommunications company or ISP, but that is not where its power resides; it doesn’t have wires in the ground or an interconnected network of company-owned computers. The true power of the Internet lies in its distributed and decentralized nature, an idea not lost on the RBN. The RBN exerts its power through a bot-net that works like this: A user unknowingly downloads a piece of software to her computer. This software then “phones home” and turns the person’s computer into what is known as a “zombie” or “slave computer.” A zombie lives on the bot-net, awaiting further instructions, which can be anything from sending out spam e-mail, to hacking a network, to collecting proprietary information from the computer it lives on. RBN’s bot-net, Storm, is thought to be the largest bot-net in the world. By some estimates, the Storm bot-net had taken over from 1 million to 50 million computers in September 2007. Through that September, it was estimated that Storm had sent more than 1.2 billion spam e-mails that were infected with the bot-net software, designed to infect other computers and turn them into zombies.

  The complexity of the Storm bot-net does not reside just in its infection rate, size, and reach. It was designed with commercial viability in mind. Like any good network design, fault tolerance and survivability are key aspects of Storm. It can also be partitioned by task and volume. Clients pay for use of a specific section of the bot-net—say, 10,000 machines—with an option for custom design for a specific task. The admins of the bot-net then designate a unique encryption key that allows only that client to access that portion of the bot-net during their allotted time. Depending on the task, they then allow either the existing code to execute (such as sending out e-mails) or put together custom code packages (such as attacks on foreign governments) and deploy them to the network for execution.

  Again, like a traditional ISP, uptime and the guarantee of service are vital to retaining customers. As such, the Storm bot-net is designed with uptime in mind. If a node goes down, another will pick up where it left off. It also has a sophisticated security mechanism. In our research, we have identified that the bot-net software is able to manipulate virus and malware scanners, the primary mechanism for detecting and removing the bot-net software. These scanners have a database of “electronic fingerprints” of nefarious software. The bot-net will change itself to hide from the scanner, and it will sabotage the scanner software itself to prevent detection. In addition, the bot-net software has the capability to know when someone is attempting to reverse-engineer or remove it and will call for help. This help typically comes in the form of some kind of secondary external attack, such as a large-scale Distributed Denial of Service (DDoS) or some type of hackback such as attempts at massive infection of internal networks. In addition to isolated attacks, the bot-net is constantly going after anti-spam services and sites designed to help bring it down.

  All of this implies a network infrastructure that is incredibly powerful. By some estimates, this network is as powerful as some of the world’s best supercomputers. The amount of bandwidth—the most valuable resource on the Internet—that this network is able to corral and use is staggering. Traditional companies and ISPs are limited by the connection of bandwidth to cost. The bigger the pipe, the higher the cost. Since Storm doesn’t own any of the infrastructure, cost is of no concern. Locality is also an issue for ISPs. If you are serving clients in the United States who want their site accessed in Australia, you have to find a way to get the information to Australia. The bot-net has zombies all over the world, which allows for massive economies of scale and profit margins that are powerful enough to literally take entire countries off the Internet for periods of time.

  The Russian-Estonian Conflict

  In May 2007, a conflict erupted between Russia and Estonia as a result of Estonia’s refusal to allow a Baltic oil pipeline to be built through Estonia to Germany. The Russian government launched an effort to destabilize the Estonian economy. In addition to using traditional methods such as cutting off supply lines and transportation routes, a new tactic was used: cyber warfare. Using bot-nets, hackers performed DoS attacks on the Estonian government, preventing Estonia from functioning normally and inhibiting the government’s ability to respond to Russian-created propaganda. While there is speculation about indirect Russian government involvement in these attacks, a group of pro-Kremlin hackers in Moldova and Transnistria have claimed responsibility. Due to the legal status of Transnistria (it is not a country recognized by Estonia, so it is not bound to any mutual legal assistance treaties, a problem common in this part of the world), serious legal hurdles are involved in tracking down the individuals who were directly responsible for these attacks.

  Effects on Western Companies

  The impact on US companies from these organized hacker networks has been realized to some extent already. But it has the potential to get much worse. We are seeing the targets of these attacks shifting from the individual to the corporation, particularly companies with publicly traded stock. For instance, these bot-nets are being outfitted to send spam relating to a “pump-and-dump” scam. In this scam, after a penny stock is identified, the scammers use US brokerages to purchase shares of the stock at the penny value. Then an e-mail is crafted that extols (falsely, usually) the virtues of the stock. This e-mail is sent out using these massive spam networks to millions of e-mail accounts. And while most readers won’t give pause to the e-mail when it arrives in their inbox, some will. They will then purchase the stock, raising the stock price. One or two people doing this won’t have much effect. But this coordinated, worldwide transaction can falsely raise the stock price as much as 100 times in a matter of days. When the stock has reached the scammers’ identified rate of return, the scammers then sell the stock and collect the money. This becomes damaging to the individuals who bought into the company and to the company itself. As the company settles to its fair market value stock price, individuals who bought in at 10 or 50 times are getting pennies back on the dollar, not to mention the damage to the reputation of the company. If you extrapolate this one example into the thousands of weekly pump-and-dump schemes, you can see the effect this can have on the markets at large.

  TYPES OF HACKS AND THE ROLE OF COMPUTER FORENSICS

  As stated at the beginning of this book, copious resources are out there, including some very good Hacking Exposed books on the topics of hacking and how to detect hackers. However, you can gain additional value by looking at these events from the perspective of a forensics investigator. Advanced computer forensics techniques, coupled with traditional incident response techniques, can add a dimension to what you can determine after something has occurred, and they can even help to prevent it from occurring in the first place. Let’s take a look at several common hack methodologies and how computer forensics can supplement an investigation.

  Bot/Remote Control Malware

  Malware can be especially dangerous to corporate networks and information assurance. These types of bots can usually lie in wait, taking over a computer and waiting a set interval for instructions. Once activated, these bots can allow hackers to take complete control of the system and run amok on the network without having to deal with the firewall or other IDS/IPS type systems. Once one of these bots does become active and noticed, a whole slew of questions will follow: Who put this on the computer? How did it get there? How long has it been there? What else on the computer did it affect? Did it affect any other computers on the network? Let’s look at some of these questions and how computer forensics can help provide answers.
