20121026 info pme threats on cyber

Présentation de Luc Beirens, Federal Computer Crime Unit lors du Brunch Info TIC de l'IDEA le 26 octobre 2012 au Microsoft Innovation Center
68
Risks on your information and on your ICT infrastructure

InfoPME information security seminar, 26 October 2012, @LucBeirens

© Luc Beirens - Federal Computer Crime Unit - Direction economical and financial crime
Transcript
Page 1: 20121026 info pme threats on cyber


Page 2: 20121026 info pme threats on cyber
Page 3: 20121026 info pme threats on cyber

Topics - overview

An analysis of the eSociety situation

Who is threatening eSociety and how? Inside threats / outside threats

Possible damage to eGov and eSociety

Which response to give to this ?

Page 4: 20121026 info pme threats on cyber

e-Architecture (diagram): end user, roaming user, internal network, firewall, DMZ with own webserver, externally hosted website, backup server, cloud service center, SCADA / process control, Internet VPN, externally managed infrastructure

© Luc Beirens

Page 5: 20121026 info pme threats on cyber

General trends today

Evolution towards e-society

Replacing persons by e-applications

Interconnecting all systems (admin, industrial, control)

Mobile systems – Cloud

Social networks

IP is the common platform offered by many ISPs, integrating telephony / data / VPN & all new apps => opportunities / Achilles heel / scattered traces

Poor security in legacy applications and protocols (userid + password) => identity fraud is easy

End user is not yet educated to act properly

Page 6: 20121026 info pme threats on cyber

What do criminals want ?

Become rich / powerful rapidly and easily: very big ROI, in an illegal way if needed

Destabilize (e-)society by causing trouble

Page 7: 20121026 info pme threats on cyber

What is there to protect ?

Your company image

Your market share

Your business activity / products

Your existence as such

Cybercrime threats © Belgian Federal Computer Crime Unit

Page 8: 20121026 info pme threats on cyber

What is there to protect ?

Data (stored or in transmission)

Our personal data

Data on citizens / customers

Info on the organisation (policy/functioning/financial)

Our information infrastructure

Internal / external systems

Network connections

Storage and backup systems

Privacy law requires organisational and technical measures to protect personal data

Page 9: 20121026 info pme threats on cyber

The inside threats


Page 10: 20121026 info pme threats on cyber

Theft of data and carriers

SME in the service sector: server + backups stolen => reason for the theft unclear => SME had to close the books

SME in the construction sector: laptop stolen at a professional congress => more difficulty making the best offer => customers are approached by several other firms

Page 11: 20121026 info pme threats on cyber

Theft of industrial secrets

Multinational, high-tech software development: new experienced employee during his trial period; DB with all functional and technical specs on internet storage space; person left the company: screen showed evidence

SME CRM software developer: several employees quit at the same time; new firm => same kind of product: source code? Customers being transferred to the new company

Multinational, metal industry: director R&D quits and goes to the competitor; R&D information concerning specific handling of waste

Page 12: 20121026 info pme threats on cyber

Theft of commercial and strategic information

Firm in service sector

In the financial department: keylogger installed on the PC of the financial analyst; info sent out via e-mail

Illegally ordered by shareholders

Detected by IDS

Firm in distribution sector

Theft of 15 PCs in the department of development and expansion

Chained to the desk but not encrypted

During the weekend – noticed on Monday

Page 13: 20121026 info pme threats on cyber

Theft security related data

Multinational, financial sector: new experienced employee, helpdesk 3rd level; not accepted after the trial period => leaves with a copy of the problem DB on a USB key; police contacted => interception

End user victim infected with a trojan horse: take-over of userid + passwords => mailbox consultation + ADSL use; take-over of codes and certificates for commercial transactions

Multinational, security sector: break-in over remote administration access; cursor moves over the screen and opens critical DBs; no immediate reaction: only reported after the 3rd incident

Page 14: 20121026 info pme threats on cyber

Theft of personal data

Multinational, credit cards: hacking of a website with credit card info; international criminal organisation abuses the data

SME in discussion about a possible take-over: system administrator reads the mail of the board?

Public institution: system admin reads mails and documentation in a private network share; discovers a “secret relationship” => “extortion”

End user in an education institution: hacking: intimate pictures distributed to colleagues

Page 15: 20121026 info pme threats on cyber

Analysis of incidents


Page 16: 20121026 info pme threats on cyber

Which data ?

Customer lists / price lists

Strategic vision / financial situation

Industrial secrets / source code of programs

Security procedures

Access codes

Transfer codes

=> necessity to classify data according to its level of importance for continuing the business, and to handle each level accordingly

Page 17: 20121026 info pme threats on cyber

Where and how stored ?

Stored in ICT-infrastructure server / end user equipment / data carriers

In transmission on intranet / internet / between keyboard and PC

Often only password protected, not encrypted / very few logs

=> need for encryption and strong authentication

Page 18: 20121026 info pme threats on cyber

How

Physical theft

By burglary: servers, desktops

Of mobile equipment: travel, hotel, car

Digital copy

Of the complete database

During normal use / consultation

By Trojan => via internet connection

By keylogger => keyboard => passwords

By sniffer in the network => all transmissions

By rootkit => completely adapted operating system

Page 19: 20121026 info pme threats on cyber

When ?

During office hours, but very often

At night

During weekends

=> need for detection & alarm systems

Page 20: 20121026 info pme threats on cyber

Server is well secured ...

Then it is perhaps easier to

Copy data from log files

Copies in the test environment

Backup disks / tapes (in the trunk of the sysadmin's car?)

Very often access to this information is not controlled

Page 21: 20121026 info pme threats on cyber

Who ?

Employees / management

Temporary employees / interns

Suppliers / maintenance

External parties via external access

=> need for screening of persons in key functions

=> eventually an external audit on these persons

=> reduce access to a need-to-have basis: also for sysadmins

Difficulty: privacy regulations

Page 22: 20121026 info pme threats on cyber

Consequences of information theft

Transactions / money transfers => direct damage

Extortion

Espionage

Loss of market share

Discussion on ownership rights of source code

No longer access to data

Security incidents in the real world

Indirect damage: loss of trust in the e-system

Page 23: 20121026 info pme threats on cyber

Victim, yes, but also ...

Penal liability if privacy is not protected! Organisational and technical measures; access / use of private data

Civil liability if negligence or fault, and damage caused

Page 24: 20121026 info pme threats on cyber

Do you give it away ?

When old equipment is

sold on the second-hand market

donated to a school

...

Formatting is not enough to remove data => wiping => magnetic shock

Page 25: 20121026 info pme threats on cyber


Page 26: 20121026 info pme threats on cyber

The outside threats

© 2006-2010 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime


Page 27: 20121026 info pme threats on cyber

Who is threatening us?

Script kiddies

Insider ICT guy in your company

Loosely organized criminals

Firmly organized criminal groups

Terrorists / hacktivists

Foreign states / economic powers

Nation warfare troops

Page 28: 20121026 info pme threats on cyber

What are the outside threats ?


Page 29: 20121026 info pme threats on cyber

Threats in messages on hacker sites

Wiping away the websites in your state

Infiltration in servers of the Public Treasury

disrupting tax collection

Infiltration in bank accounts

Attacks on media websites

Attacks on e-commerce websites

Distribution of personal data and credit card information

Targeting also in the end-of-year period

Page 30: 20121026 info pme threats on cyber

Overview of threats

Hacking into websites / webservers

Denial of service: blocking internet connections / webservers

Interfering with internet transactions

Hacking into computer systems: spying, altering / deleting data

Destabilizing e-society by causing some havoc

Page 31: 20121026 info pme threats on cyber


Page 32: 20121026 info pme threats on cyber

Hacking webservers

Motives of the criminal:

Perform defacement

Use as storage platform for illegal content (child porn)

Use as intermediate platform for criminal activity

Get sensitive information and do extortion (idiot tax)

Get financial information (credit cards)

To do:

Update software, strong admin access, no personal data on the server

Follow up pastebin.com: a hackers' drop-off

Page 33: 20121026 info pme threats on cyber
Page 34: 20121026 info pme threats on cyber

Security : encrypted data !

Infection of workstations and servers in company LAN

Using targeted e-mails / social media messages

Malicious encryption of all user data files

Ransom to get the decryption key

From those that paid: some got the key, some didn't

Others had a recent backup, not connected!

Page 35: 20121026 info pme threats on cyber

Intrusions in your LAN

Intrusion in your system to intercept data that allows products to be taken away from your stock

WiFi interception from the parking lot

Infection by trojan (e-mail)

(Unreported) burglary in the company to place

hardware keyloggers

a complete small computer system: WiFi intercept, 3G transmit

With a valid ticket, go fetch the cargo

To do:

Encrypt WiFi transmissions

Patch only active workstation connections (unused network ports stay unpatched)

Page 36: 20121026 info pme threats on cyber

Intrusion in your trading account

Carbon dioxide certificates trade

Open data : contact persons of companies

Spear phishing mail + phishing website

Access to trading account

Millions of € sold in a few hours all over the EU

Sold far under price & immediately resold

To do: awareness

Page 37: 20121026 info pme threats on cyber

Intrusion in your partner’s LAN

Intrusion in the LAN of a foreign partner (Chinese) to get information on your business and the invoices to pay

You get mail with

Slightly different e-mail addresses

Change of the bank account number to pay (due to audit ...)

To do: verify thoroughly any changes before paying

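A pre-payment check for the invoice-fraud pattern this slide describes, added here as an example (not code from the presentation or the FCCU): it compares the sender address of an invoice mail with the partner contact on file and flags a near-identical address, a bank account that differs from the one on file, and a mail announcing a change of payment details. The partner record, the two mails and the IBANs are constructed sample data; the partner name is assumed to be known from the invoice itself.

```python
import re

# Constructed: what accounting has on file for a supplier (assumed data).
KNOWN_PARTNERS = {
    "Example Parts Ltd": {
        "contact": "invoices@example-parts.com",
        "iban": "BE68 5390 0754 7034",   # constructed sample account
    },
}

# Loose IBAN shape: country code, 2 check digits, 2-7 groups of 4 characters.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}\b")
# Phrases that accompany a fraudulent account change (slide: "due to audit ...").
CHANGE_PHRASES = ("audit", "bank account has changed", "new bank account", "new account")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice_mail(partner: str, sender: str, body: str) -> list:
    """Return the reasons this invoice must be verified out of band before payment.

    An empty list means sender and account match what is on file for the partner."""
    on_file = KNOWN_PARTNERS[partner]
    reasons = []
    sender = sender.strip().lower()
    distance = edit_distance(sender, on_file["contact"].lower())
    if 0 < distance <= 3:
        # "Slightly different e-mail addresses": a character or two swapped,
        # e.g. "rn" for "m", a doubled letter, another top-level domain.
        reasons.append(f"sender {sender} differs slightly from {on_file['contact']}")
    elif distance > 3:
        reasons.append(f"sender {sender} is not the contact on file for {partner}")

    known_iban = on_file["iban"].replace(" ", "")
    for iban in IBAN_RE.findall(body):
        if iban.replace(" ", "") != known_iban:
            reasons.append(f"account {iban} differs from the account on file")

    if any(phrase in body.lower() for phrase in CHANGE_PHRASES):
        reasons.append("mail announces a change of payment details")
    return reasons


# Constructed sample mails: a genuine invoice and the fraud pattern of the slide.
GENUINE = ("invoices@example-parts.com",
           "Please find attached invoice 4710, payable to BE68 5390 0754 7034 "
           "within 30 days.")
FRAUD = ("invoices@exarnple-parts.com",   # "rn" instead of "m"
         "Due to audit our bank account has changed. Please pay invoice 4711 "
         "to BE71 0961 2345 6769 instead.")

if __name__ == "__main__":
    for sender, body in (GENUINE, FRAUD):
        print(sender, "->", check_invoice_mail("Example Parts Ltd", sender, body) or "OK")
```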

Page 38: 20121026 info pme threats on cyber

Attacking infrastructure

Remotely managed infrastructure in your buildings

Central heating

Elevator

Creating disruption of this infrastructure => leads to high costs

To do: verify whether this applies to you and to your infrastructure management company

Page 39: 20121026 info pme threats on cyber

Hacking into cloud accounts

SMEs that have all their information in cloud accounts

Hacking into these accounts

Taking over access control

Sending of SOS e-mails (“robbed, money needed”)

Deleting all contact information in the account => prevents warning e-mails once access to the account is regained

To do:

Enforce strong authentication and a second way to access the account

Have backups of these systems

Page 40: 20121026 info pme threats on cyber

What are the criminals' tech tools to hack and attack?

Malware attacks (viruses, worms, trojans, ...): fast-spreading zero-day infections => no immediate cure => lots of victims (especially home PCs – available 24 / 365)

Abuse of infected computers to create botnets (large “armies” of PCs under the control of one master) => used to make massive attacks on webservers or network nodes => high risk for your critical ICT infrastructure

Page 41: 20121026 info pme threats on cyber

Botnet attack on a webserver / node (diagram): hacker, Command & Control server, Internet, infected PCs reporting “My IP is x.y.z.z” and exchanging Info / Cmd with the C&C, webserver / node: access line blocked, computer crash

Page 42: 20121026 info pme threats on cyber

Malware update / knowledge transfer (diagram): hacker, Command & Control server, Internet, knowledge server, malware update server; infected PCs send very frequent MW update requests on a trigger event; webserver / node

Page 43: 20121026 info pme threats on cyber

Why ? Making money !

Sometimes still for fun (script kiddies)

Spam distribution via zombies

Click generation on banner advertising

Dialer installation on the zombie to make premium-rate calls

Spyware installation

Espionage => banking details / passwords / keylogging

Ransom bot => encrypts files => money for the password

Capacity for distributed denial of service attacks (DDoS) => disturb the functioning of internet devices (server / router)

Page 44: 20121026 info pme threats on cyber

How big is the problem ?

Already criminal cases in several countries

Botnets detected

Several hundreds of botnets worldwide

Several thousands of C&C worldwide

Thousands up to millions of zombie computers online

Generated huge data traffic, up to 40 Gbps

Dismantling / crippling botnets

Page 45: 20121026 info pme threats on cyber

e-Crime underground business

Underground fora and chatrooms

Restricted access – on invitation

Secured by encryption

Botnets for hire

Control over a bot for spam: 0.04 $ / bot / day

Small-scale attack, 20 Mbps: 50 – 100 $ / day

Large-scale attack, 10 Gbps: 1000 $ / day

Malware development on demand

Page 46: 20121026 info pme threats on cyber

Important DDOS cases

UK 2004 : gambling website down (+ hoster + ISP)

NL 2005 : 2 botnets : millions of zombies

BE 2005 : DDOS on chat network of media firms

BE 2005 : DDOS on a firm (social conflict)

US 2006 : Blue Security firm stops activity

SE 2006 : Government and police websites down due to DDOS after police raid on P2P

EE 2007 : Widespread DDOS attack on Estonia after incidents over the moving of a soldier statue

Georgia 2008 : cyber war during military conflict

World 2010 : Wikileaks case : Visa, Mastercard, PayPal

World 2012 : CIA, FBI, USDOJ, EU, Arcelor Mittal ...

Page 47: 20121026 info pme threats on cyber

Latest malware developments

Stuxnet : a very complex and elaborate trojan

Several replication vectors :

Networks

USB keys

Connects to C&C botnet server

Focused on industrial control system

Searches for systems with this control system

Collects information on Siemens PLC systems

Changes process logic on infected machines

Duqu, based upon Stuxnet : spying purposes

Page 48: 20121026 info pme threats on cyber

Biggest threat? The criminal's knowledge database

SQL (structured query language) databases

Several backup servers

Content: keylogging (everything, also userids, passwords)

Screenshots (of all opened windows, websites, ...)

URLs

IP addresses

Base for reverse R&D to counter new security

Page 49: 20121026 info pme threats on cyber

Cases ?

e-Banking fraud

Hacking of large institutions / firms

Long time unaware of hacking

Keylogging

Encrypted files on PC

Internal botnet

Intermediate step to other networks

Often no complaint


Page 50: 20121026 info pme threats on cyber

Large firm hacking using an internal botnet (diagram): hacker, Internet, company network

Page 51: 20121026 info pme threats on cyber

Cybercrime focusing on individuals

Individuals are also working in companies / government

Use social networks / webmail

Often used to exchange business-related info, containing access code information

Hacking of these profiles / webmails: abuse to infect people you know; get personal information about you and your contacts; commit fraud

Internet fraud of all kinds

Webcam sex interception to do extortion

Page 52: 20121026 info pme threats on cyber

And the victims ?

Who ?

Transactional websites

Communication networks

ISPs and all other clients

Reaction

Unaware of incidents going on

ISPs try to solve it themselves

Nearly no complaints made – even if asked ...

Result ? The hackers go on developing botnets

Page 53: 20121026 info pme threats on cyber

Combined threat

What if abused by terrorists? ... simultaneously with a real-world attack?

How will you handle the crisis? Your telephone system is not working!

Page 54: 20121026 info pme threats on cyber

Risks

Economic disaster

Large scale: critical infrastructure

Small scale: enterprise

Individual data

Loss of trust in e-society

Page 55: 20121026 info pme threats on cyber

Who investigates ICT crime ?

Prosecutors / Examining Judges

Specialised police forces (national & international)

Legal expert witnesses

Specialised forensic units of consulting firms

Associations defending commercial interests

Security firms => vulnerabilities

Activist groups => publish info on « the truth »

Page 56: 20121026 info pme threats on cyber

E-Police organisation and tasks: integrated police

Federal Police, national level: 35 persons

1 Federal Computer Crime Unit: 24 / 7 (inter)national contact

Policy, training, equipment, FCCU network

Operations: forensic ICT analysis, ICT crime combating, intelligence, Internet & ePayment fraud, cybercrime, www.ecops.be hotline, international internet ID requests

Federal Police, regional level: 170 persons

25 Regional Computer Crime Units (1 – 2 judicial districts each)

Assistance for house searches, forensic analysis of ICT, taking statements, internet investigations

Investigations of ICT crime cases (assisted by FCCU)

Local level: Federal Police / Local Police: first-line police

“Freezing” the situation until the arrival of the CCU or FCCU

Selecting and safeguarding digital evidence

Page 57: 20121026 info pme threats on cyber

Our services

Help to take a complaint

Descend on the scene of the crime

Make a drawing of the architecture of the hacked system

Image backup of the hacked system (if possible)

Internet investigations (identification, location)

House searches

Taking statements of the concerned parties

Forensic analysis of seized machines

Compile a conclusive police report

Page 58: 20121026 info pme threats on cyber

Investigative problems - tracking

Victims: unfamiliar and afraid for their “corporate image” => belated complaints – traces trashed / no more traces

Rather an “unknown” world for police & justice => delay before involvement of specialised units; limited ICT investigation capacity (technical & police skills)

Multiplication and integration of services / providers / protocols / devices

Lack of harmonised international legislation & instruments

Anonymous / hacked connections – subscriptions – WiFi

Intermediate systems often cut the track to the perpetrator

Page 59: 20121026 info pme threats on cyber

Investigative problems – evidence gathering

Delocalisation of evidence: the cloud?

Exponential growth of storage capacity => time consuming: backups & verification processes, analysis

New legislation / jurisprudence imposes more rigorous procedures for evidence gathering in cyberspace

Bad ICT security: give proof of the source and the integrity of the evidence

Page 60: 20121026 info pme threats on cyber

Brussels, we have a problem ...

Complainant: Hello, can you help? We are a Belgian hosting firm. We have a problem: our webservers are hacked & several websites of our Belgian customers have been defaced.

Police: OK. A few questions to start our file … Who, where, what, when …

Page 61: 20121026 info pme threats on cyber

Who is where ?


Page 62: 20121026 info pme threats on cyber

Who / where / what (diagram)

In Belgium: hosting firm: nothing in Belgium; customer: nothing in Belgium; hacked firm: nothing in Belgium

In the USA: hacked webserver, defaced website

In the Netherlands: hacked server

In the UK: hacker?

In Luxembourg: hacker?

Page 63: 20121026 info pme threats on cyber

Conclusions ...

Competence of the Belgian judicial authorities? Discussion:

Viewpoint of the Public Prosecutor General: not competent

Viewpoint of the victim's lawyer: competent

Viewpoint of the suspect's defence: ????

If the choice was made for storage in a foreign country:

Why? Cost? Evade regulations & obligations?

No (?) protection by Belgian law

No (?) intervention of law enforcement in Belgium

Protection by the law & LE of the country where the server is

Page 64: 20121026 info pme threats on cyber

Preventive recommendations

Draw up a general ICT usage directive (normal usage)

Awareness program for management & users

ICT security policy is part of the global security policy

Appoint an ICT security responsible => control on the application of the ICT usage & security policy

Keep critical systems separate from the Internet if possible!

Use software from a trusted source

Install recent anti-virus and firewall programs (laptops)

Synchronize the system clocks regularly

Activate and monitor log files on firewall, proxy, access

Make & test backups & keep them safe (generations)!

Page 65: 20121026 info pme threats on cyber

Recommendations for victims of ICT crime

Disconnect from the outside world

Take note of last internet activities & exact date and time

Evaluate: is the damage more important than the restart?

Restart most important: make a full backup before restoring

Damage more important: don't touch anything

Safeguard all messages and log files in their original state

Inform the Federal Judicial Police ASAP and ask for assistance of the Federal or Regional CCU

Force a change of all passwords

Re-establish the connection only once ALL weaknesses are patched

Page 66: 20121026 info pme threats on cyber

Where to make a complaint ?

Within a police force …

Local police service => not specialised => not the right place for ICT crime (hacking / sabotage / espionage) => the place to make complaints about Internet fraud

Federal judicial police (FGP) => better, but …

Regional CCU => the right place to be for ICT crime

Federal Computer Crime Unit => 24/7 contact; risks on vital or crucial ICT systems => call urgently

Illegal content (child porn, …) => www.ecops.be

… or immediately report to a magistrate?

Local prosecutor (Procureur) => will send it to the police => can decide not to prosecute

Examining judge => complaint with deposit of a bail => obligation to investigate the case

Page 67: 20121026 info pme threats on cyber

For the sys admin

Several layers of protection

Internal firewalls

Encrypted communications

Encrypted data bases

Check active sysadmin profiles on servers

Log and follow up FW, IDS
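A small detector over constructed firewall log lines, added here as an example (not code from the presentation or the FCCU), implementing two of the follow-ups the slides ask for: the “When ?” slide's access to critical servers at night or in the weekend, and the very frequent, regular update requests of the botnet slides, which show up in a firewall log as a workstation contacting the same external host at a near-constant interval. The log format, the office hours, the LAN prefix and the critical server address are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in an assumed "date time src dst port action" format.
# 2012-10-26 is a Friday, 2012-10-27 a Saturday.
SAMPLE_LOG = """\
2012-10-26 09:15:02 10.0.1.20 10.0.0.5 1433 ALLOW
2012-10-26 10:00:00 10.0.1.21 203.0.113.7 80 ALLOW
2012-10-26 10:05:00 10.0.1.21 203.0.113.7 80 ALLOW
2012-10-26 10:10:00 10.0.1.21 203.0.113.7 80 ALLOW
2012-10-26 10:15:00 10.0.1.21 203.0.113.7 80 ALLOW
2012-10-26 10:20:00 10.0.1.21 203.0.113.7 80 ALLOW
2012-10-26 11:42:10 10.0.1.22 198.51.100.9 443 ALLOW
2012-10-26 14:03:51 10.0.1.22 198.51.100.9 443 ALLOW
2012-10-26 23:48:31 10.0.1.30 10.0.0.5 1433 ALLOW
2012-10-27 03:12:07 10.0.1.30 10.0.0.5 3389 ALLOW
"""

CRITICAL_SERVERS = {"10.0.0.5"}   # assumed: the database server holding the critical data
OFFICE_HOURS = range(8, 19)       # assumed: 08:00-18:59, Monday to Friday
INTERNAL_PREFIX = "10."           # assumed: the company LAN range


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, port, action = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, src, dst, int(port), action))
    return events


def after_hours_access(events):
    """Slide 'When ?': connections to critical servers at night or during the weekend."""
    hits = []
    for ts, src, dst, port, _ in events:
        weekend = ts.weekday() >= 5
        if dst in CRITICAL_SERVERS and (weekend or ts.hour not in OFFICE_HOURS):
            hits.append((ts.isoformat(sep=" "), src, dst, port))
    return hits


def beaconing_hosts(events, min_count=5, max_jitter=0.1):
    """Botnet slides: (src, dst) pairs contacted at a near-constant interval.

    A bot polling its C&C or malware-update server produces evenly spaced
    connections; a person browsing does not. Pairs with at least min_count
    outbound connections whose interval varies by at most max_jitter (relative
    standard deviation) are reported with their interval in seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in events:
        if not dst.startswith(INTERNAL_PREFIX):     # outbound traffic only
            by_pair[(src, dst)].append(ts)
    flagged = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((src, dst, round(avg)))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in after_hours_access(events):
        print("after-hours access to critical server:", hit)
    for src, dst, interval in beaconing_hosts(events):
        print(f"possible beaconing: {src} -> {dst} every {interval}s")
```

On the sample log the detector reports the two night and weekend connections to the critical server and the workstation that polls the same external host every five minutes; the two daytime HTTPS connections of another workstation are not regular enough to be flagged.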


Page 68: 20121026 info pme threats on cyber

Contact information

Federal Judicial Police Direction for Economical and Financial crime

Federal Computer Crime Unit Notelaarstraat 211 - 1000 Brussels – Belgium

Tel office : +32 2 743 74 74 Fax : +32 2 743 74 19

E-mail : [email protected] Twitter : @LucBeirens
