Cybercrime, Digital Society: Trends, new Exposures

Transcription

Security Summit
Milano - March the 17th, 2010
Pascal LOINTIER
President, Clusif
Regional IS Risks Advisor, Chartis
CLUSIF: Committed to information security
Non-profit association (created in the early 1980s)
> 600 members (50% suppliers and goods and/or service providers, 50% CISO, CIO,
managers)
Sharing information
Exchanges among officially recognized experts, collective know-how, document
database
Develop its positioning
Feedback, increased visibility, Directory of Offering Members
Anticipate trends
The “network”, inform offering members of expectations
Promote IS security
Join…
clusif@clusif.asso.fr
+ 33 1 5325 0880
March the 17th, 2010
2
Working group dynamics
Free documentation Translations (in English, German…)
Public stands taken on issues and consultation responses
Forums for ongoing exchange: MEHARI, threats, CISO
+ 33 1 5325 0880
3
Regional initiatives
International joint efforts
+ 33 1 5325 0880
4
Objectives of the overview:
Evaluate the emergence of new risks and determine current trends in
existing risks
Put into perspective events that have made headlines
Include high-technology crime as well as more traditional felonies
New feature in 2009, review includes digital risks
events
Accidental
Accidental events
News events and societal trends which could lead to/increase
cybercriminal activity
Society
+ 33 1 5325 0880
5
Selection of media events
Illustration of:
an emerging risk,
a trend,
a volume of incidents.
Specific cases:
impact or stakes,
Case study.
Images are all rights reserved.
Information provided was taken from public sources.
Companies are sometimes quoted for accuracy and because their names have already been mentioned in the media.
+ 33 1 5325 0880
6
Contributions to the 2009 overview
Selected by a diverse working group: insurers, scientists, journalists, law
enforcement officers, goods and services providers, CISO…
Best Practices-SI
The French Network and Information
Chartis
Security Agency (FNISA, ANSSI in French)
Embassy of Romania in France – Office of the
HSC
internal security attaché
McAfee
National Criminal Investigation Directorate
RATP
(OCLCTIC)
National Gendarmerie (France)
Québec Provincial Police
SNCF
Telindus
Choice of topics/ contributions do not reflect
the opinions of businesses and organizations that participated in the working group.
+ 33 1 5325 0880
7
Agenda:
Based on Cybercrime Overviews (including webography)
To put into perspective
Modus Operandi: professionalized, commercialized, sophisticated
From skimming to compromised ATM networks
Viruses to make profit
Marketing of malware
Actors: Cyberterrorism (?), Infowar, Hacktivism
Exposures:
Infrastructures, from SCADA to Data centers globalization
Facility Management over IP
Social Networks, from Usenet to a 5th Power ?
+ 33 1 5325 0880
8
2000 (and cont’d), yescarding
+ 33 1 5325 0880
9
Skimming and criminal organizations
+ 33 1 5325 0880
10
Massive theft of bank card numbers:
RBS Worldpay scam
RBS Worldpay: U.S. subsidiary of Royal Bank of Scotland
9 million dollars in fraudulent withdrawals (end 2008):
With cloned cards
In a short space of time
From 2,100 cash machines
In 280 cities, 8 countries (U.S., Russia, Ukraine,
Estonia, Italy, Hong Kong, Japan and Canada)
Highly-organized network of mules
+ 33 1 5325 0880
11
New threats involving ATMs:
Cash machines in Eastern Europe compromised
In March 2009, Sophos identifies first malware specifically designed
for cash machine
In May 2009, security experts at Trustwave confirm the discovery
This malware was designed for a specific brand
and model of ATM
Inspections were carried out to repair infected machines: Eastern
Europe (Russia, Ukraine) mainly affected
Patch developed by the industry
+ 33 1 5325 0880
12
New threats involving ATMs:
Cash machines in Eastern Europe compromised
Malware characteristics
Once activated, it injects code into a process in memory to
recover data from past transactions
It recovers the necessary data (including the entered PIN), and
stores everything in a file
It filters only the valid transactions, exclusively in Russian,
Ukrainian and American currencies
It relies on instructions undocumented by the builder, which
points to inside accomplices
Not spread via networks: installed one incident at a time
Several new developments in malware have been identified
+ 33 1 5325 0880
13
By the way:
Second-hand cash machines
Possible to purchase second-hand cash
machines on auction sites or through
classified ads:
To develop viruses or malware
To recover data on the hard
drive
To transform them into dummy
machines
Ex: 2009 DefCon Conference
+ 33 1 5325 0880
14
Virus to make profit: Bugbear virus in 2003
W32/BUGBEAR.B@MM
The virus contains an EXTENSIVE list of banking
domain names (France, Britain, Germany, Australia,
Italy, Greece, Denmark, New Zealand, Spain, Brazil,
Romania, Poland, Argentina, Switzerland, Finland,
Taiwan, Turkey, Iceland, Slovakia, South Korea,
United States, South Africa, The Baltic Republics,
Austria, Hungary, Norway, the Czech Republic).
When the machine boots up, if it belongs to one of
the target domains, the registry key responsible for
the automatic telephone dialing process is
deactivated.
The virus looks for passwords in the cache memory
and sends them to a pre-defined address chosen at
random from a list.
Once the task has been completed, the virus
restores the registry key.
+ 33 1 5325 0880
banquepopulaire.fr
bics.fr
bpic.fr
bpnord.fr
bred.fr
ca-alpesprovence.fr
ca-alsace-vosges.fr
ca-midi.fr
ca-normand.fr ccbonline.com
ccf.fr
cin.fr
covefi.fr
cpr.fr
credit-agricole.fr
credit-du-nord.fr
creditlyonnais.fr
creditmutuel.fr
-epargne.fr
eurocardmastercard.tm.fr
nxbp.fr
smc.fr
transat.tm.fr
15
Viruses : professionalization
and the search for gain
2003, W32/SOBIG@MM targets the banking sector
if specific character chains are detected on Internet Explorer a
keystroke logger is activated :
W32/Sobig.A@MM (Lala.A)
PayPal, paypal, iFriend, E-Bullion, EZCardinc, gold,
Gold, Account Access, orders, Nettler, Chase, Evocash,
Intimate Friends Network, Bank, My eBay, WebMoney,
Washington Mutual, LloydsTSB online, My Online
Accounts, Web Money, Rekeningnummer bank
W32/Sobig.E@MM (Lala.E)
E-gold Account Access, Account Access, Bank, My
eBay, Online Service, bank, E*TRADE Financial, PayPal
Distribution of hidden proxy servers using non-standard ports.2/3
of all spam is passed on through proxy servers created by the
virus (source : MessageLabs).
+ 33 1 5325 0880
16
2006, Anserin (Trojan) and Virtual Keyboards
A number of virtual keyboards are already vulnerable.
New versions of Anserin know how to hack into 562
predetermined bank sites.
+ 33 1 5325 0880
17
2005, Cell phone virus evolution
The first on
Symbian
No payload
Bluetooth
distribution
The first on
Win CE
No payload
Downloaded
via com
services
Action: multiple
skull icons
Action: blocks
new updates
Downloadable
in newsgroups
Targets
Symbian series
60
Action: makes calls at
overly expensive
rates
Downloadable in
newsgroups
Targets Symbian
series 60
Call generator
Blockage
POC
POC
Exploit
CABIR
Dust CE
Skulls
15 June2004
15 June 2004
From 30 Dec 2004 to 11 Jan 2005
Publication of the
Cabir Source Code
Variant D of Skulls,
which carries Cabir:
infection via file and
bluetooth
Lasco virus/worm.
Infection via file and
bluetooth
http://news.zdnet.com
/2100-1009_225520003.html?tag=def
ault
…
spam tool?
Mosquito
Late 2004
Early 2005
Any similarity to the robots slide is intentional as this helps to see the progression
+ 33 1 5325 0880
18
From PoC to real money
05/2007, $M$ Trojan :
Viver, high rate calls
(1 to $10)
01/2008: Kiazha
01/2009: Yxe.A in China,
Indonesia
Kiazha-A, worm
+ 33 1 5325 0880
19
2003, new hi-tech opportunities for espionage
The hard disks of photocopiers
December 2003 : a Norwegian company specializing in data
retrieval published a report which underscored the
vulnerability of information stored on copiers and
multifunctional machines. The affair began when a
dishonest employee retrieved information from a digital
copier and passed it on to a competing company.
Copiers are increasingly vulnerable. Even so, different
solutions are available : removable disks, deletion of data
(not overwrite) after photocopying or digitization, use of
proprietary algorithms (but not necessarily encryption…)
etc.
+ 33 1 5325 0880
20
The importance of Trojan horses
Michaël and Ruth Haephrati
Discovered in 2005, the swindle
lasted more more than a year.
Each target was the subject of an
attack through a single Trojan horse
created for this reason.
The antivirus was ineffective (at the
time of the facts) because the
program did not circulate on the
web.
The Trojan horse was sent by e-mail
or was integrated into CD containing
an imaginary commercial proposal .
Once installed, and in exchange for 3000€, the originator provided to his
customer an IP address, the user name and a password so that they could
access the PC of the victim.
+ 33 1 5325 0880
21
(Software) Keyloggers in 2004
4000
600
3000
400
2000
200
1000
0
0
19
99
20
00
20
01
20
02
20
03
20
04
19
99
20
00
20
01
20
02
20
03
20
04
800
RAT
Keylogger
RAT: Remote Administration Tool
Number accumulated since 1999
(source: pestPatrol, http://research.pestpatrol.com/graphs/form.jsp)
+ 33 1 5325 0880
22
Physical Keyloggers
Commercially available
+ 33 1 5325 0880
23
Spyphones, GSM jammers…
+ 33 1 5325 0880
24
Robots in 2004
1000
900
800
700
600
500
400
300
200
100
0
A pr
03
M ay
03
Jun
03
Jul
03
A ug
03
Sep
03
Oct
03
No v
03
Gaobot
Dec
03
Jan
04
Spybot
Feb
04
M ar
04
A pr
04
M ay
04
Jun
04
Jul
04
A ug
04
Sep
04
Oct
04
Randex
Source: Symantec (Kaoru Hayahi – AVAR 2004)
+ 33 1 5325 0880
25
2004, Robots… available to all.. Need to speak English!
+ 33 1 5325 0880
26
2007, MPack, updated versions
Commercialized
tool for distributed
Denial of Service
attacks (dDoS)
+ 33 1 5325 0880
27
StormWorm: P2P Botnet
+ 33 1 5325 0880
28
Russian Business Network
October 2007: An empire…
Several sites selling fake security
products (anti-virus, anti-spyware,
codecs).
Sites selling malware, specialized
forums (contacts, sales,
purchases).
11 million
million sites,
sites, several
several million
million IP
IP
addresses
addresses available
available and
and 44 million
million visitors
visitors
aa month.
month.
Sites offering money for
questionable activities (iFramer)
Several decoy sites sent by
IFrames (with exploits, MPack),
mirror sites (RockPhish), relay sites
for self-replicating malware
(W32/Nuwar), etc.
Collector (phishing) and
administrator (botnet) sites.
Adult sites (XXX) and child
pornography sites.
+ 33 1 5325 0880
(Source:
(Source: Verisign)
Verisign)
29
Commercial banners
+ 33 1 5325 0880
30
Some comments
Commercial crimeware offer is more and more
regionalized
Tools are designed for criminal use: no more a
”perverted” use of hacking tools and/or modus
operandi
This is not an incentive to stop using new equipments
and/or software. Any new technology will generate
specific risks and perverted criminal use.
Email : bombing, spam, phishing and Monica
Lewinsky case
Picture of the tie, I couldn’t
access to email ;-)
+ 33 1 5325 0880
31
Agenda:
Exposures:
+ 33 1 5325 0880
32
2004, Cyber-terrorism - a recurrent term
for nearly 10 years
United States- the FBI: “The unlawful use of force against persons or
property to intimidate or coerce a government, the civilian population or
any segment thereof, in the furtherance of political or social objectives…”
The French Penal Code -Art. 321-1 “the following offenses constitute an act
of terrorism when they are intentionally carried out either individually or
collectively with the sole aim of causing a serious breach of the peace
through intimidation or terror… »
A variety of definitions with specific consequences
Within the same state, depending on the services
Qualifying an act with the term allows for others to be disqualified… or
certain police or military actions
A terrorist today may tomorrow be re-labeled a freedom fighter or
liberator… or re-qualified as anonymous special forces units
+ 33 1 5325 0880
33
Terrorism - characterizations
Terrorism can differ:
Depending on the area in question: political (separatism,
liberation), social (or ethnic), cultural, religious
(fundamentalism, apocalyptic)…
Depending on the goal: influence, a claim, repression,
conversion, extermination, nihilism…
Empirical criteria
Sudden, unexpected, a surprise
Violence against an ‘unarmed’ target to terrorize…
The personal involvement of the public (potential victim)
Fear of a repeat attack
Media demands (and the implication that the State can no
longer maintain public order).
+ 33 1 5325 0880
34
Internet and ITC – how they are used
1/ A means of linking up ( happened already)
Electronic mail, newsgroups Usenet, cell phones, PDA,
multimedia data processing and storage
2/ A means of propaganda (websites and newsgroups) (
happened already)
Information and support,
media relay (with increasing use of multimedia)
A weapon to discredit
A weapon to incite hatred
Anti-sites, black propaganda.
+ 33 1 5325 0880
35
3/ A means of financing ( already happened)
To raise funds
To exploit IT systems (credit cards, blackmailextortion), money laundering etc.)
? To engage in phishing
? To access confidential personal data
“Police Arrest Hacker Apparently Linked to Sardinian Anarchist Attacks”,
Corriere della Sierra, 07/01/2005
+ 33 1 5325 0880
36
4/ Means of direct action. What opportunities?
Dependence on digital information
Accidental events leading to financial, material and
bodily damage
Shutdown of electricity-generating turbines during
Y2K tests
Operational safety of general telecom infrastructure
or ticket reservation systems
Unavailability of the service authorizing banking
transactions
Loss of control of the regulating systems for a section
of the gas pipeline network in Russia
Homicide of an individual whose life support system
was computer assisted
Death in a recovery ward following a power outage
…
+ 33 1 5325 0880
37
Information-gathering for an operation (and preselection of targets) ( already happened)
On-line information (almanacs, photos, plans of
public and/or industrial sites)
Cyber-geography (e.g. national routers, network
and telecom infrastructures)
+ 33 1 5325 0880
38
2007: “Cyberwar” in Estonia or “cyber-riot”?
Internet attacks from late April to mid-May after a
monument commemorating Russian soldiers (WWII) was
moved.
Street demonstrations
Defacement of Web sites, DoS (denial of service) attacks
against Estonian government sites and infrastructures
Government program for the development of new
technologies (Estonian Information Society Strategy 2013)
Profusion of neologisms in the press and in blogs: cyberwar,
world war web, etc.
Russia is accused…
+ 33 1 5325 0880
39
2007: “Cyberwar” in Estonia or “cyber-riot”?
Mode of operation: Several waves of
varying length and intensity
As long as 10 heures
An initial “emotional” reaction
(April 27-29)
“Traditional” DoS attacks (ICMP and
TCP-SYN flooding)
More sophisticated use of botnets
during the second wave, (-> May 18)
Geographical delocalization (outside
Russia)
Length of 128 DoS attacks (source: Arbor)
6%
6%
13%
13%
< 1 min.
< 60 min.
1<h<5
5<h<9
>10h
62%
Cyber-demonstration (violent), yes ; militarized attack (cyberwar)...Nothing
established but causes a problem for the State for managing the rapid,
“spontaneous” emergence of action groups on the Web, sometimes even linkedsynchronized with street demonstrations. The stakes remain the sabotage of
infrastructures, national and international opinions of the events....
+ 33 1 5325 0880
40
Some comments
Beyond “hypes”
Electronic Pearl Harbor et Manhattan Cyber Project (# 1995)
Cyberjihad (NCIS ?, 2006)
Cybergeddon (FBI & DHS, 2009)
… Political violence, hacktivism is using tools more pro-actively
From G8 men to Carbon Market…
+ 33 1 5325 0880
41
Agenda:
Exposures:
+ 33 1 5325 0880
42
2008, BGP and YouTube
Pakistan Telecom incident and YouTube null route
February 24 2008: Error causes access to YouTube to be cut off
worldwide
More specific null route spread on Internet
PCCW cuts Pakistan Telecom’s access after the error is detected…
Accidental in this case, but potential for fraud
+ 33 1 5325 0880
43
2008, PTA Document
Official document of the
Pakistani government
requesting that access to
YouTube be blocked
within the country
+ 33 1 5325 0880
44
Cybercrime, DigitalenSociety:
Trends, new Exposures
tal events
Accid
Internet is not virtual…
December 22nd, 2008 : 3 cables cut between Sicilia and
Tunisia, unknown cause. Voice traffic disruption - Maldives
: 100 % , India : 82 %, Qatar : 73 %, Djibouti : 71 %S, UAE :
68 % , - Zambia : 62 % , Saoudia : 55 % , etc.
+ 33 1 5325 0880
45
tal events
Accid
Cloud computing, virtualization:
At times, highly...unavailable!
Somewhere out there (cloud ☺) in 2009 – problems for prestigious
companies: Air New Zealand, Amazon, (including EC2), Barclay’s,
eBay (Paypal), Google (Gmail and others), Microsoft, Overblog,
Rackspace, RIM, Twitter...
Power failures (UPS) and system crashes during reboots
Electrical fire, destroyed backup and UPS generators,
electrical switches, etc.
Bugs in patches
Poor router settings between two data centers
dDoS attack on DNS resources in a specific data center
+ 33 1 5325 0880
46
tal events
Accid
At times, highly...unavailable!
2009 may not have been particularly exceptional, but events are
increasingly visible: Alerts via blogs, social networks, Twitter…
Examples:
Server reboot time
Disk crash
Destruction by fire, worsened by flooding to put it out…
Fines (Rackspace forced to pay between 2.5 and 3.5 million dollars
to its clients)
Servers confiscated (FBI at Core IP Networks in Texas)
Loss of contracts (for service provider, but also for commercial
company, with clients)
U.S. State Department “asks” Twitter to not go down for
maintenance on a Sunday election in June...
…
+ 33 1 5325 0880
47
tal events
Accid
At times, highly…unavailable!
+ 33 1 5325 0880
48
Accidental events and
malevolent acts (via I.S.)
2003: Slammer worm and Nuke site (Ohio)
2003: Nachi worm and Diebold ATM network
2003: SoBig virus and railways signaling (Florida)
2005: Zotob worm, downtime for 13 facilities for vehicule
assembly line (USA)
2007: Error of command and accidental contamination
(hydroxide de sodium for Ph) for drinkable water, dozens of
victims, light injuries (Michigan)
+ 33 1 5325 0880
49
Sabotage (via I.S.)
2007: Logic bomb injected by employee into a supervisory
system for water irrigation of a dam (California)
2007: Taking control and disrupting synchronization of traffic
lights (California)
2007 (and 2000 in Australia): Logic sabotage via System
Administrator of a water supply system (California)
2007: Experimental sabotage of an electric generator (IdahoDHS for CNN)
2008: Taking control et 4 wagons derailed, many injured
victims (Poland)
+ 33 1 5325 0880
50
Sabotage (via I.S.)
Poland (Lodz), 4 wagons derailed by a kid
Eletcric generator destruction « simulation », based
on a security hole which has been patched since
http://www.cnn.com/2007/US/09/26/power.at.risk/inde
x.html
+ 33 1 5325 0880
51
IP Migration
After telephones, other types of general infrastructure
are migrating to IP networks:
Full migration (including transport or terminal
equipment) or partial
(supervision, ordering, reporting...)
Surveillance and access (doors, badge
readers, cameras, motion sensors,
fire/moisture detectors...)
Air conditioning, heating, furnishings
(blinds)
Energy (inverters, generators…)
SCADA systems (coordination,
industrial processes…)
+ 33 1 5325 0880
52
2009, SWATTING for Money
Hammond (Indiana, USA), 2009 July :
beginning of trial for young hackers who
were selling online video access
(partyvanpranks.com) to swat action. At
first, they took remote control of video
surveillance
Google Search: camera linksys inurl:main.cgi
Another webcam, Linksys style.
********************************************
* inurl:”ViewerFrame?Mode=
* intitle:Axis 2400 video server
* intitle:”Live View / - AXIS” | inurl:view/view.shtml^
* inurl:ViewerFrame?Mode=
* inurl:ViewerFrame?Mode=Refresh
* inurl:axis-cgi/jpg
*…
+ 33 1 5325 0880
53
2009, Hacking HVAC in Hospital
+ 33 1 5325 0880
54
Cybercrime, Digital Society:
y
Societ
2005, publication of francophobe messages on Internet, and
messages calling for attacks on police stations
+ 33 1 5325 0880
55
y
Societ
2008, Social networking– Social risks – Greece
From inciting violence to ‘webolution’
After violence erupted in French suburbs in November 2005,
bloggers were questioned over “the use of Internet to incite
intentional and dangerous damage”.
Similar events recently occurred in Greece (December 2008),
but here, Internet appears to have served as an information
tool for broadcasting amateur videos criticizing the Greek
government’s official announcements.
+ 33 1 5325 0880
56
2008 Social networking
Motivated and opportunistic criminals
Malware, Vulnerabilities, Spam, Phishing
Worms, Viruses, Trojans, Rogue Widgets
Wall Spam
Cross-Site scripting (XSS) attacks, GIFAR files (GIF + JAR)
Information theft, Espionage
Collection
Clustering
Data concatenation
Attacks on the reputation of businesses and individuals
Manipulation,
Stalking,
Bullying
Risk of non-removability
+ 33 1 5325 0880
57
y
Societ
Web 2.0 – the 5th power?
SPREAD OF INFORMATION
In real time
by everyday citizens
Simple and offering
wide visibility
OUTCOME
Institutions lose their exclusive authority
1. Media => governments
2. Police forces
3. Others
+ 33 1 5325 0880
58
y
Societ
1.
Competing with the media
January 2009
Perfect water landing of a US Airways aircraft
in the Hudson River in New York
Minutes after the accident, Janis
Krums posts her now famous tweet:
"There is a plane on the Hudson.
I am on the ferry to pick up the
people. Crazy."
+ 33 1 5325 0880
59
y
Societ
1.
Competing with the media
Other examples:
Obama's election (November 2008)
The crisis in Iran (June 2009)
In Italy, an anti-Berlusconi protest organized
online attracted over 400,000 people
(December 2009)
Web, a tool for youth revolt
+ 33 1 5325 0880
60
y
Societ
2.
Competing with police forces
Anti-pedophile activities
Perverted Justice
Wikisposure
December 2009
Live manhunt on Google Wave
China:
“Human flesh
search engines”
+ 33 1 5325 0880
CHINA, Monday 19 January 2009
Internet vigilantes in China
defend virtual lynching
Pascale Nivelle - Beijing
They’re known as “renrou sou suo”, “human flesh search engines”.
They hunt down misery and injustice, even if it means subjecting
their targets to public prosecution
61
y
Societ
Some comments
No need for cybersurveillance ;-)
Please,
Stay tuned on
Social Networks!
+ 33 1 5325 0880
62
www.clusif.fr
+ 33 1 5325 0880
63

Cybercrime, Digital Society: Trends, new Exposures

Transcription

Similar documents

Froggy Drawing handout2 - Mid Mon Valley Transit Authority

4* Meteor Hotel - Concorde Travel

House Clearance – Furniture, Accessories and

Andre Rieu concert_17Sep14

The CyberCrime: Facts, Reasons, Trends

Biography - Senator Daylin Leach

Ms. Ayesha Khanna Generative Cities: How Technology Facilitates

OL396 Gunwharf Quay

ST STEPEHNS GREEN MAP