Anda di halaman 1dari 22

SECURITY BREACH ANALYSIS & INVESTIGATION

REPORT

VERSION 1.3
MARCH 26, 2014















Submitted to:

Deepwater Horizon Economics Claim Center (DHECC)
935 Gravier St., 19
th
Floor
New Orleans, LA 70112


Submitted by:

IBM Global Business Services - CyberSecurity and Privacy
2300 Dulles Station Blvd.
Herndon, VA 20171-6133

Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 ii March 26, 2014
IBM and DHECC Confidential


TABLE OF CONTENTS
1 EXECUTIVE SUMMARY .............................................................................................. 3
2 INVESTIGATION SUMMARY...................................................................................... 5
2.1 Investigation Scope ............................................................................................................. 5
2.2 Methodology and Timeline ................................................................................................. 5
2.3 Participants .......................................................................................................................... 5
3 ATTACK HOSTS ............................................................................................................. 6
3.1 External ............................................................................................................................... 6
3.2 3
rd
Party ............................................................................................................................... 7
3.3 Internal ................................................................................................................................ 8
4 LESSONS LEARNED ..................................... ERROR! BOOKMARK NOT DEFINED.
5 EVIDENCE AND ARTIFACTS .................................................................................... 12
5.1 Exhibit A ........................................................................................................................... 12
5.2 Exhibit B ........................................................................................................................... 13
5.3 Exhibit C ........................................................................................................................... 15
5.4 Exhibit D ........................................................................................................................... 18
5.5 Exhibit E ........................................................................................................................... 19
5.6 Exhibit F............................................................................................................................ 21
5.7 Exhibit G ........................................................................................................................... 22


Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 3 March 26, 2014
IBM and DHECC Confidential

1 EXECUTIVE SUMMARY

For the past year and a half, Jason Brad Berry, an independent investigative journalist for the
American Zombie website, has published numerous reports on issues dealing with the BP oil spill
multi-district litigation settlement and the Claims Administration Office (CAO) of the Deepwater
Horizon Economics Claims Center (DHECC). Mr. Berry stated he had multiple sources make
claims of fraud and manipulation, especially involving allegations stemming from the Plaintiff
Steering Committee (PSC). However, none of his sources would come forward and provide
evidence to his allegations.

On March 11, 2014, Mr. Berry published another article including 3 distinct e-mail dialogues from
the CAO. These DHECC proprietary e-mails were alleged to have been given to Mr. Berry in an
anonymous unmarked envelope. During the week of March 17 to March 21, 2014, the CAO
requested IBM to perform an independent investigation surrounding the nature and likely scenarios
leading to the security breach.

The IBM on-site delivery team, previously engaged to assist with technical aspects of Claims
Management Processing, engaged the IBM CyberSecurity & Privacy (CS&P) practice to execute
the analysis. To perform this investigation, the IBM CS&P team met with a variety of stakeholders
directly involved with the processing and storage of the leaked e-mails. These stakeholders were
either internal to the program or were appointed as a 3
rd
party entity to undertake a contract
providing labor in performing a service. The IBM CS&P team also investigated the possibility of
an external security breach. All the scenarios identified were assigned three statuses: Apparent,
Not Apparent, or Inconclusive. For purposes of this report, each term is defined as follows.

Apparent: Likely, but not definite, based on the evidence collected and analyzed
Not Apparent: Not likely, based on the evidence collected and analyzed
Inconclusive: Possible, but without direct indication due to lack of evidence

The following entities were investigated and were given one of the three statuses:

External Attack
- Hacker (Status Not Apparent)

3
rd
Party Attack
- The Freeh Group (Status Not Apparent)
- IBM on-site delivery team (Status Not Apparent)
- McGladrey (Status Not Apparent)

Internal Attack (DHECC)
- IT Administrators (Status Not Apparent)
- All Employees and Attorneys (Status Not Apparent)
- Former Employees
o Christine Reitano (Status Apparent and Inconclusive)
Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 4 March 26, 2014
IBM and DHECC Confidential

o Lionel Tiger Sutton (Status Inconclusive)

The limitations on this investigation stemmed from the age of the e-mails, delivery of printed
materials to Mr. Berry, inability to trace all relevant user activities on DHECC issued devices, and
not being able to interview the former employees in question. Given these circumstances, DHECC
and IBM agreed the investigation would primarily help the CAO narrow down the possible
scenarios leading up to who and how the e-mails got leaked.

After the 5-day investigation, the IBM CS&P team was not able to definitively identify a single
entity responsible for leaking the internal documentation, but reduced the scenarios of the attacks
origination. The responsible entity has clearly demonstrated possession of internal e-mails and
documents from their former employment at DHECC. The common sender and recipient in the
e-mail communications was Christine Reitano. Through evidence displayed in this document, it
can be shown that she has had continuing possession of DHECC confidential materials beyond
her period of employment, though it cannot be definitively demonstrated that she provided these
materials to the American Zombie blog. As demonstrated in this document, this possession of
internal documentation is most likely not an on-going ability to access DHECC systems, but
rather an off-line access means such as documents printed or electronically saved from
authorized DHECC systems to personal media during the period of employment.

It is the IBM CS&P teams recommendation DHECC should hold a lessons learned meeting to
review the effectiveness of the incident handling process and identify necessary improvements to
existing security controls and practices. Lessons learned meetings can also be held periodically for
lesser incidents as time and resources permit. The information accumulated from all lessons
learned meetings should be used to identify and correct systemic weaknesses and deficiencies in
policies and procedures. Follow-up reports generated for each resolved incident can be important
not only for evidentiary purposes but also for reference in handling future incidents and in training
new team members.

Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 5 March 26, 2014
IBM and DHECC Confidential

2 INVESTIGATION SUMMARY
2.1 INVESTIGATION SCOPE
The IBM CyberSecurity & Privacy team was engaged to help the CAO for DHECC
investigate a security breach concerning exposure of the programs proprietary information.
On March 11, 2014, Jason Brad Berry, an independent investigative journalist from the
American Zombie website, published an article titled DHECC Proof Positive of Claims
Being Expedited by the PSC. The content of the article included allegations and DHECC
proprietary e-mails, which were alleged to have been delivered to the journalist in an
anonymous package. There were a total of 3 distinct e-mail dialogues and the recipients
ranged from various firms to CAO (Exhibit A, B, and C). Following the incident, CAO was
able to verify the authenticity of the exposed e-mails.

The scope of this investigation targeted all individuals that had direct access to the e-mails
in question, as well as considering the possibility of an unauthorized internal and/or external
security breach. There were several stakeholders involved in this 5-day investigation, which
primarily consisted of interviews, evidence gathering, and analysis.

The IBM CS&P teams analysis will ultimately assist the CAOs internal investigation in
narrowing the possible security breach scenarios that led to the leakage of the e-mails. As
there were limitations to the investigation, the IBM CS&P team could not identify the sole-
source of the security breach without performing a more thorough analysis. The CAO may
use the information in this report to determine if further investigation is warranted.
2.2 METHODOLOGY AND TIMELINE
During the 1-week assessment, IBM followed a schedule to perform information gathering,
interviews, evidence collection, and security analysis. The IBM CS&P team was onsite at
DHECC to perform the investigation from March 17 to March 21, 2014.

2.3 PARTICIPANTS
IBM interviewed a number of stakeholders, participants, and vendors involved in the process
of supporting CAO operations to identify and further investigate all possible scenarios
leading to the security breach.

IBM interviewed, collaborated with, and collected information from the following parties:

Name Agency/Role
Patrick Juneau DHECC / Claims Administrator
Mike Juneau DHECC / Counsel
Chris Reade DHECC / Chief Information Officer (CIO)
Jack Ware DHECC / IT Specialist
Duane Carkum DHECC / Network Technician
Greg Paw Freeh Group / Counsel
Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 6 March 26, 2014
IBM and DHECC Confidential

Name Agency/Role
Dennis Shenberger Freeh Group / IT Specialist
Danny Kiper Allfax Specialities / Digital Imaging Consultant
Marc McCallister IBM / Project Executive
Wayne Lin IBM CS&P team / Security Lead Investigator



3 ATTACK HOSTS
3.1 EXTERNAL
The attack host listed in this section was an external entity who has no affiliation with
DHECC and would gain access to the computer or network server for unauthorized access
of data.

External Breach

Hacker (Status Not Apparent)

DHECC recently completed several external audits in the past year, along with their
vendors, that evaluated their internal claims management system, IT practices,
underlying system, and data flows.

The Garden City Group, Inc. Report on Managements Description of the
Garden City Group, Inc.s Claim Administration System and the Suitability
of the Design of Controls Relevant to Security, Availability, Processing
Integrity, Confidentiality and Privacy. 21 Dec. 2013
IBM. Claims Management System Assessment Report. 20 Dec. 2013
CliftonLarsonAllen (CLA). Independent Evaluation of the Internal Control
Environment. 17 May, 2013

As a result, the CAO continues to strengthen their technical infrastructure and
remediate any findings that may arise. The IBM CS&P team reviewed the external
audit reports, as well as CAOs response/mitigation to the findings, and it was
evident that measures are taken to protect the internal network from an external
intrusion. More specifically, the vulnerabilities were not critical or high-level risks
as defined by security standards. The IBM CS&P team observed the policies and
procedures in the specific areas investigated, and they were in line with industry
standard best practices. CAO has also implemented security measures, such as the
installation of an Intrusion Detection System, to reduce the likelihood of an attack
from occurring.


Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 7 March 26, 2014
IBM and DHECC Confidential

3.2 3
RD
PARTY
The attack hosts listed in this section are neither internal to DHECC, nor are they outsiders
to the program. Instead, these entities have either been appointed by the court or DHECC
to undertake a contract that provided labor in performing a service. These entities were
investigated as they worked closely with the CAO and may have had access to the leaked e-
mails.

Freeh Group International Solutions, LLC

Reitano Suit Discovery Materials (Status Not Apparent)

The Office of the Special Masters Freeh Group was investigated because they were
in possession of the 3 e-mails that got exposed. Upon initial review of the e-mails,
IBM and the CAO noticed Exhibit D had a redaction of a claim number performed
by hand. It also became evident that the Freeh Group had to turn over a set of
documents to Christine Reitanos counsel during discovery and would have
redacted any sensitive information such as claim number. On March 18, 2014, Greg
Paw responded to this inquiry and stated the 3 e-mails in question were not turned
over during discovery and the Freeh Group never redacts anything manually.
Instead, they use a blocking feature in the Adobe software. The redaction
performed in the blog entries is clearly done by hand.


DHECC E-mail Access (Status Not Apparent)

On March 18, 2014, the IBM CS&P team interviewed Dennis Shenberger and
verified the Freeh Group did have access to the 3 e-mails in question. These, along
with several other e-mails, were obtained during a previous case and had the
approval of the CAO. The Freeh Group then proceeded to showing the IBM CS&P
team that all e-mails were stored and tracked through the Intella software, which
has the auditing capability to track all relevant information if the e-mails were ever
accessed internally. In the 3 distinct e-mail dialogues, there were a total of 10 sub-
e-mails and were all individually tracked in Intella. When these e-mails were
individually accessed, the IBM CS&P team visually verified 9 out of the 10 e-mails
were not accessed by the Freeh Group prior to the story being published by
American Zombie. In Exhibit E, the IBM CS&P team randomly selected 3 of the
10 e-mails in question (Intella #464955, #365251, #317623) and Freeh Group
provided evidence that they were not accessed prior to the publication.


IBM on-site delivery team

DHECC E-mail Access (Status Not Apparent)

Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 8 March 26, 2014
IBM and DHECC Confidential

The IBM on-site delivery team does not have access to any of DHECCs e-mails
(i.e. the 3 leaked e-mails) or administrative privileges to obtain access into the
DHECCs e-mail system.

McGladrey

DHECC E-mail Access (Status Not Apparent)

Chris Reade verified McGladrey does not have access to any of DHECCs e-mails
(i.e. the 3 leaked e-mails) or administrative privileges to obtain access into the
DHECCs e-mail system.

3.3 INTERNAL
The attack hosts listed in this section were relevant because these entities either had direct
access or an effortless approach to obtaining the e-mails.

Administrator / Privileged User

Barracuda Network Message Archiver 350 (Status Not Apparent)

The Barracuda system had an archive of all the DHECC inbound/outbound e-mails
and can only be accessed by administrators with a shared 11-alphanumeric
character password. Furthermore, the tool had an auditing capability to log all
pertinent activities of the Barracuda administrators (i.e. configuration change,
message download, message export, message forward, and search). IBM CS&P
team reviewed all logs prior to the American Zombie publication on March 11,
2014. IBM CS&P team attempted to establish a connection of an administrator
searching and obtaining access to the 3 e-mails through keywords such as
expedite, Reitano, expedited claims, Expedited_Claims_Report.pdf, and
other words of that nature. The review and analysis of the audit logs did not
implicate any evidence against the administrators. Upon further review, the
Barracuda tool only logged administrator activities dating back to October 15,
2013, where it was noted that the tool had crashed and the audit logs were not
transferred.


Sharp MX-5111N Multifunction Copier (Status Inconclusive)

Prior to the publication of the American Zombie article, DHECC had two active
Sharp MX-5111N machines on the 14
th
and 19
th
floor of the building. These
multifunction copiers were the most frequently used printing devices by employees
as it has the ability to scan, fax, e-mail, Xerox, and print. Furthermore, these Sharp
devices retained an audit history of all the jobs (i.e. job type, date, DHECC user ID,
source, destination, file name, page numbers, and file size). IBM and DHECCs
Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 9 March 26, 2014
IBM and DHECC Confidential

Network Technician, Duane Carkum, exported these logs into a .csv file for IBMs
review. The IBM CS&P teams approach was to search and investigate any activity
that contained the keywords Re: BP-Expedited Claim, FW: URGENT!, Re:
List of Expedited Claims, and Expedited_Claims_Report.pdf. As an additional
review, The IBM CS&P team also wanted to look at all print jobs executed by the
former employees Christine Reitano and Lionel Sutton.

The investigation of the Sharp devices proved inconclusive as the 14
th
floor printer
logs (asset ID #C7385) did not contain any of the keywords listed in the latter, while
the 19
th
floor printer logs (asset ID #C6408) did not have any information pre-
December 9, 2013. This posed an issue because all the DHECC recipients of the
leaked e-mails would have used the 19
th
floor printer, and the suspected former
employees (i.e. Christine Reitano and Lionel Sutton) were terminated / resigned
well before the last print log. The IBM CS&P team contacted the service technician
from Allfax Specialities, Danny Kiper, and was informed the print logs could not
be retrieved due to the 19
th
floor machines auto-erase feature after it reached
50,000 jobs. Please note, on March 19, 2014, due to DHECC policies, Allfax
technicians came after the Sharp device logs were investigated and permanently
erased all job logs on both machines.


DHECC Employees

Barracuda E-mail Logs (Status Not Apparent)

The IBM CS&P team reviewed and analyzed 20,000+ filtered DHECC e-mails to
identify any possible connections with Jason Brad Berry, American Zombies,
additional e-mail traffic of the leaked e-mails, suspicious e-mails to non-DHECC
accounts, and any transfers of the attachment Expedited_Claims_Report.pdf. The
IBM CS&P team began the portion of this investigation by acquiring all available
information on Jason Brad Berry from the internet including his drivers license,
home address, telephone, Facebook, e-mail, known aliases, and affiliated
organizations. Next, the IBM CS&P team cross-referenced a series of combinations
of the keywords to identify any unauthorized line of communications with Mr.
Berry, but was not able to make a connection. The only CAO employee that was
authorized to speak directly to Mr. Berry was the CAOs Media Relations, Nick
Gagliano. Barracuda e-mail logs were limited to inbound/outbound e-mails within
the DHECC e-mail server, so if communications were made from a personal e-mail
address to Mr. Berrys personal e-mail address, it would not appear in any
Barracuda logs.




Christine Reitano
Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 10 March 26, 2014
IBM and DHECC Confidential


DHECC Workstation Forensics (Status Inconclusive)

On March 18, 2014, the IBM CS&P team worked with Dennis Shenberger to view
an image of all the files extracted from Christine Reitanos computer during a
previous investigation. The lead forensics investigator, Brad Merriman, from
Merriman & Associates performed this task following Ms. Reitanos termination
on June 21, 2013. The IBM CS&P team was able to look through the files, but could
not identify any clear indication of malicious behavior such as having a duplicate
copy of her e-mails, a soft copy of the Expedited_Claims_Report.pdf, and items
along that nature. The IBM CS&P team hoped to examine Ms. Reitanos Microsoft
Outlook and .pst files to see if she made any noticeable changes to the files prior to
her termination. This portion of the investigation proved to be inconclusive as the
integrity of the files were not an accurate replica of Ms. Reitanos computer, where
the Dates Modified fields were altered during the file extraction process by
Merriman & Associates. In order to thoroughly perform this investigation, the IBM
CS&P team and Mr. Shenberger would have to re-extract the hard drive and create
a forensic image. However, due to the 1-week time constraint, this activity did not
occur.


E-mails (Status Inconclusive)

IBM went through all of Ms. Retinos DHECC e-mails during her former
employment and was not able to discover any communications with Jason Berry,
American Zombie, or e-mails implicating her involvement in exposing information
about DHECC. The IBM CS&P team also noticed Ms. Reitano used her personal
AOL e-mail account on several instances, but that did not provide further leads.
The Barracuda system was only able to track her personal e-mails when it
communicated with the DHECC mail server.


Post-Termination Possession of DHECC E-mails (Status Apparent)

Greg Paw provided a filing from Christine Retaino after she had been terminated
from DHECC and is dated December 16, 2013. In this filing (see Exhibit F), Ms.
Reitano included an e-mail from her DHECC account as an attachment.
Considering that Ms. Reitanos access to her DHECC email account was
immediately revoked upon termination, the filing occurred 6 months after her
termination, and the e-mail was never provided by the Freeh Group staff during
discovery, it demonstrates Ms. Reitano still has copies of her DHECC e-mail and
is in clear violation of the programs policies. The nature of Reitanos access is
likely to be an off-line means of access. This means that she no longer has access
to DHECC systems and is likely to have manually off-loaded DHECC documents
Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 11 March 26, 2014
IBM and DHECC Confidential

via printing or saving e-mails and documents to media accessible outside the
DHECC sphere of control prior to termination.


Lionel Tiger Sutton

DHECC Workstation Forensics (Status Inconclusive)

On March 20, 2014, the image of Mr. Suttons computer was reviewed to look for
any large e-mails including the following file extensions: EML, MSG, PST, or
OST. The only messages located were his .ost files, which is further investigated in
the next section.


E-mails (Status Inconclusive)

The IBM CS&P team went through all of Mr. Suttons DHECC e-mails during his
former employment and was not able to discover any communications with Jason
Berry, American Zombie, or e-mails obviously implicating his involvement in
exposing information about DHECC. The IBM CS&P team also noticed Mr. Sutton
used his personal Hotmail e-mail account on several instances, but that did not
provide further leads. The Barracuda system was only able to track his personal e-
mails when it communicated with the DHECC mail server.

According to the Barracuda logs, Mr. Sutton never communicated directly with
Jason Berry, but Mr. Sutton did forewarn CAO management about Mr. Berrys
risky and relentless behavior as an independent journalist (see Exhibit G).

4 POST INCIDENT RECOMMENDATIONS
After this incident has been analyzed, DHECC should consider holding a lessons learned
session to review the effectiveness of the incident handling process, the impacts of potential
risks, and confirm existing security controls and practices. It is a best practice to reevaluate
risk versus the overhead of controls on an on-going basis. The information accumulated from
such reevaluation should be used to identify systemic deficiencies and update policies and
procedures as threat vectors and risk impacts evolve.


Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 12 March 26, 2014
IBM and DHECC Confidential

5 !"#$!%&! (%$ ()*#+(&*,
5.1 EXHIBIT A


Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 13 March 26, 2014
IBM and DHECC Confidential

5.2 EXHIBIT B



Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 14 March 26, 2014
IBM and DHECC Confidential






















Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 15 March 26, 2014
IBM and DHECC Confidential

5.3 EXHIBIT C



Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 16 March 26, 2014
IBM and DHECC Confidential





Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 17 March 26, 2014
IBM and DHECC Confidential


Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 18 March 26, 2014
IBM and DHECC Confidential

5.4 EXHIBIT D

Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 19 March 26, 2014
IBM and DHECC Confidential

5.5 EXHIBIT E




Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 20 March 26, 2014
IBM and DHECC Confidential


Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 21 March 26, 2014
IBM and DHECC Confidential

5.6 EXHIBIT F



Deepwater Horizon Economics Claim Center (DHECC) Analysis & Investigation

Version 1.3 22 March 26, 2014
IBM and DHECC Confidential

5.7 EXHIBIT G