20121026 info pme threats on cyber
Risks on your information and on your ICT infrastructure
InfoPME information security seminar, 26 October 2012, @LucBeirens
© Luc Beirens - Federal Computer Crime Unit - Direction economical and financial crime
Topics - overview
An analysis of the eSociety situation
Who is threatening eSociety and how? Inside threats / outside threats
Possible damage to eGov and eSociety
Which response to give to this?
[Diagram: e-Architecture overview. Components: end user, roaming user, internal network, externally hosted website, DMZ with own webserver, backup server, cloud service center, SCADA / process control, firewall, Internet VPN, externally managed infrastructure]
General trends today
Evolution towards e-society
Replacing persons by e-applications
Interconnecting all systems (admin, industrial, control)
Mobile systems – Cloud
Social networks
IP is the common platform offered by many ISPs, integrating telephony / data / VPN & all new apps => opportunities / Achilles heel / scattered traces
Poor security in legacy applications and protocols (userid + pw) => identity fraud is easy
End user is not yet educated to act properly
What do criminals want?
Become rich / powerful rapidly and easily: very big ROI, in an illegal way if needed
Destabilize (e-)society by causing trouble
What is there to protect ?
Your company image
Your market share
Your business activity / products
Your existence as such
Cybercrime threats © Belgian Federal Computer Crime Unit
What is there to protect ?
Data (stored or in transmission)
Our personal data
Data on citizens / customers
Info on the organisation (policy/functioning/financial)
Our information infrastructure
Internal / external systems
Network connections
Storage and backup systems
Privacy law requires organisational and technical measures to protect personal data
The inside threats
Theft of data and carriers
SME, service sector:
server + backups stolen
=> reason for the theft unclear => SME had to close the books
SME, construction sector:
laptop stolen at a professional congress
=> harder to make the best offer => customers are approached by several other firms
Theft of industrial secrets
Multinational, high-tech software development
New experienced employee during his trial period
DB with all functional and technical specs found on internet storage space
Person left the company: screen showed evidence
SME, CRM software developer
Several employees quit at the same time
New firm => same kind of product: source code?
Customers being transferred to the new company
Multinational, metal industry
Director R&D quits and goes to the competitor
R&D information concerning specific handling of waste
Theft of commercial and strategic information
Firm in the service sector
In the financial department: keylogger installed on the PC of a financial analyst; info sent out via e-mail
Illegally ordered by shareholders
Detected by IDS
Firm in the distribution sector
Theft of 15 PCs in the development and expansion department
Chained to the desk but not encrypted
During the weekend – seen on Monday
Theft security related data
Multinational, financial sector
New experienced employee, 3rd-level helpdesk
After the trial period not accepted => leaves with a copy of the problems DB on a USB key
Contact with police => interception
End user victim infected with a trojan horse
Takeover of userid + passwords => mailbox consultation + ADSL use
Takeover of codes and certificates for commercial transactions
Multinational, security sector
Break-in over remote administration access
Cursor moves over the screen and opens critical DBs
No immediate reaction: only reported after the 3rd incident
Theft of personal data
Multinational, credit cards
Hacking of website with credit card info
International criminal organisation abuses the data
SME in discussion about a possible takeover
System administrator reads the mail of the board?
Public institution
System admin reads mails and documentation in a private network share
Discovers a "secret relationship" => "extortion"
End user in an education institution
Hacking: intimate pictures distributed to colleagues
Analysis of incidents
Which data ?
Customer lists / price lists
Strategic vision / financial situation
Industrial secrets / source code of programs
Security procedures
Access codes
Transfer codes
=> necessity to classify data according to its level of importance for continuing the business, and to handle each level accordingly
Where and how stored ?
Stored in the ICT infrastructure: server / end user equipment / data carriers
In transmission: on the intranet / internet / between keyboard and PC
Often only password-protected but not encrypted / very few logs
=> need for encryption and strong authentication
How?
Physical theft
By burglary: servers, desktops
Of mobile equipment: travel, hotel, car
Digital copy
Of the complete database
During normal use / consultation
By trojan => via the internet connection
By keylogger => keyboard => passwords
By sniffer in the network => all transmissions
By rootkit => completely adapted operating system
When?
During office hours, but very often:
At night
During weekends
=> need for detection & alarm systems
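The slide asks for detection and alarms on the two indicators it names: access outside office hours (nights, weekends) and, from the previous slides, bulk copies of a database. The following is an added example, not code from the original seminar: a minimal alarm over access-log lines in an assumed format (ISO timestamp, user, source IP, action, object, bytes). All log lines are constructed; the office-hours window, the bulk threshold and the `svc_backup` exception are assumptions to be tuned per site.

```python
"""Added example (not from the original slides): off-hours and bulk-read
alarms over constructed access-log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (assumed format: ISO timestamp, user, source IP,
# action, object, bytes transferred). 2012-10-26 is a Friday, 2012-10-27 a Saturday.
SAMPLE_LOG = """\
2012-10-26T09:12:03 alice 10.0.0.12 READ customers.db 20480
2012-10-26T14:40:11 bob 10.0.0.31 READ prices.xls 10240
2012-10-26T23:55:42 bob 10.0.0.31 READ customers.db 52428800
2012-10-27T02:10:09 svc_backup 10.0.0.5 READ customers.db 52428800
2012-10-27T02:11:30 bob 10.0.0.31 READ source.zip 157286400
"""

OFFICE_HOURS = (7, 19)             # 07:00-19:00 local time counts as office hours (assumed)
BULK_THRESHOLD = 100 * 1024 ** 2   # more than 100 MiB read by one user in one day (assumed)
ALLOWED_AT_NIGHT = {"svc_backup"}  # accounts expected to run outside office hours (assumed)


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, src, action, obj, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "action": action, "object": obj, "bytes": int(nbytes)}


def outside_office_hours(ts):
    """True on weekends or outside the OFFICE_HOURS window."""
    weekend = ts.weekday() >= 5
    return weekend or not (OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1])


def analyse(log_text):
    """Return alert tuples: OFF_HOURS per event, BULK_READ per (user, day)."""
    alerts = []
    per_user_day = defaultdict(int)
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if outside_office_hours(ev["ts"]) and ev["user"] not in ALLOWED_AT_NIGHT:
            alerts.append(("OFF_HOURS", ev["user"], ev["ts"].isoformat(), ev["object"]))
        per_user_day[(ev["user"], ev["ts"].date())] += ev["bytes"]
    # Volume is summed per user and per calendar day, so several smaller pulls
    # spread over one night still trip the alarm.
    for (user, day), total in sorted(per_user_day.items()):
        if total > BULK_THRESHOLD:
            alerts.append(("BULK_READ", user, day.isoformat(), total))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises two off-hours alerts for `bob` (Friday night and Saturday morning) and one bulk-read alert for his Saturday total; the backup service account is exempted from the off-hours rule but still counted for volume.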
Server is well secured ...
Then it is perhaps easier to
Copy data from logfiles
Copies in test environment
backup disks / tapes (in the sysadmin's car trunk?)
Very often access to this information is not controlled
Who ?
Employees / management
Temporary employees / interns
Suppliers / maintenance
External parties via external access
=> need for screening of persons in key functions
=> possibly an external audit on these persons
=> reduce access to a need-to-have basis: also for sysadmins
Difficulty: privacy regulations
Consequences of information theft
Transactions / money transfers => direct damage
Extortion
Espionage
Loss of market share
Dispute over ownership rights of source code
No more access to data
Security incidents in the real world
Indirect damage: loss of trust in the e-system
Victim yes but also ...
Penal liability if privacy is not protected!
Organisational and technical measures
Access / use of private data
Civil liability if negligence or fault
Damage caused
Do you give it away ?
When old equipment is
sold in second hand market
donated to a school
...
Formatting is not enough to remove data => wiping => magnetic shock (degaussing)
The outside threats
© 2006-2010 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime
Who is threatening us?
Script kiddies
Insider ICT guy in your company
Loosely organized criminals
Firmly organized criminal groups
Terrorists / hacktivists
Foreign states / economic powers
Nation-state warfare troops
What are the outside threats ?
Threats in messages on hackersites
Wiping away the websites in your state
Infiltration in servers of the Public Treasury
disrupting tax collection
Infiltration in bank accounts
Attacks on media websites
Attacks on e-commerce websites
Distribution of personal data and credit card information
Targeting also the end-of-year period
Overview of threats
Hacking into websites / webservers
Denial of service: blocking internet connections / webservers
Interfering with internet transactions
Hacking into computer systems: spying, altering / deleting data
Destabilizing e-society by causing some havoc
Hacking webservers
Motives of criminal :
Perform defacement
Use as storage platform for illegal content (childporn)
Use as intermediate platform for criminal activity
Get sensitive information and do extortion (idiot tax)
Get financial information (credit cards)
To do :
Update software, strong admin access, no personal data on the server
Follow up pastebin.com: a hackers' drop-off point
Security : encrypted data !
Infection of workstations and servers in company LAN
Using targeted e-mails / social media messages
Malicious encryption of all user data files
Ransom to get the decryption key
Of those that paid: some got the key, some didn't
Others had a recent backup that was not connected!
Intrusions in your LAN
Intrusion in your system to intercept data that allows them to take products away from your stock
WIFI interception from the parking lot
Infection by trojan (e-mail)
(Unreported) burglary in the company to place:
hardware keyloggers
a complete small computer system: WIFI intercept, 3G transmit
With a valid ticket: go and fetch the cargo
To do:
Encrypt WIFI transmissions
Patch only the network connections of active workstations
Intrusion in your trading account
Carbon dioxide certificates trade
Open data : contact persons of companies
Spear phishing mail + phishing website
Access to trading account
Millions of € sold in a few hours all over the EU
Sold far under price & immediately resold
To do : Awareness
Intrusion in your partner’s LAN
Intrusion in the LAN of a foreign partner (Chinese) to get information on your business and the invoices you have to pay
You get mail with:
Slightly different e-mail addresses
A change of the bank account number to pay to (due to an audit ...)
To do: verify thoroughly any changes before paying
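The two tell-tale signs on this slide, a sender address that differs only slightly from the partner's and a changed bank account number, can both be checked mechanically before a payment is released. The following is an added example, not code from the original seminar: it keeps a constructed register of known partner domains and their account numbers, flags a sender domain within edit distance 2 of a registered one as a lookalike, validates the IBAN checksum (ISO 13616 mod-97 rule) and flags any account that differs from the one on file. The partner domain and messages are constructed; the two IBANs are standard published test values.

```python
"""Added example (not from the original slides): pre-payment checks for
lookalike sender domains and changed bank accounts on an invoice."""

# Constructed partner register: what we know about a real supplier.
KNOWN_PARTNERS = {
    "supplier-example.com": {"iban": "BE68539007547034"},  # published Belgian test IBAN
}


def levenshtein(a, b):
    """Edit distance; a small distance between domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def iban_is_valid(iban):
    """ISO 13616 check: move the first four characters to the end, replace
    letters by 10..35 and the whole number must be congruent to 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def check_invoice(sender, iban):
    """Return a list of findings for one invoice e-mail; ["OK"] when clean."""
    domain = sender.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in KNOWN_PARTNERS:
        partner = KNOWN_PARTNERS[domain]
    else:
        close = [d for d in KNOWN_PARTNERS if levenshtein(domain, d) <= 2]
        if not close:
            return ["UNKNOWN_SENDER"]
        findings.append(f"LOOKALIKE_SENDER:{domain}~{close[0]}")
        partner = KNOWN_PARTNERS[close[0]]
    clean = iban.replace(" ", "").upper()
    if not iban_is_valid(clean):
        findings.append("INVALID_IBAN")
    elif clean != partner["iban"]:
        # A valid but different account is exactly the fraud on this slide:
        # the payment must be confirmed out of band (phone number on file,
        # never one taken from the suspicious mail) before it is released.
        findings.append("ACCOUNT_CHANGED")
    return findings or ["OK"]


if __name__ == "__main__":
    # Constructed messages: the genuine partner, then a lookalike domain
    # ("suppl1er") asking to pay a different (valid) German test IBAN.
    print(check_invoice("accounting@supplier-example.com", "BE68 5390 0754 7034"))
    print(check_invoice("accounting@suppl1er-example.com", "DE89 3704 0044 0532 0130 00"))
```

The check deliberately reports the account change even when the IBAN is well formed: a fraudster supplies a real, valid account, so checksum validation alone never catches this case.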
Attacking infrastructure
Remote managed infrastructures in your buildings
Central heating
Elevator
Creating disruption of this infrastructure => leads to high cost
To do : verify if this applies to you and your infrastructure managing company
Hacking into cloud accounts
SME’s that have all their information in cloud accounts
Hacking into these accounts
Taking over access control
Sending SOS e-mails ("robbed, money needed")
Deleting all contact information in the account => preventing warning e-mails after the owner gets back access to the account
To do:
Enforce strong authentication and a second way to access the account
Have backups of these systems
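"Strong authentication" for a cloud account in practice means a second factor that a stolen password alone does not give. The following is an added example, not code from the original seminar, and goes a step beyond the slide by showing one concrete second factor: time-based one-time passwords (RFC 6238 TOTP, built on RFC 4226 HOTP) with a verifier that tolerates one step of clock drift. The shared secret is the RFC test secret, used here only so the output can be checked against the published vectors.

```python
"""Added example (not from the original slides): RFC 6238 TOTP as a second
authentication factor, with a drift-tolerant, constant-time verifier."""
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # RFC 4226 / 6238 test vector secret


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, candidate, at_time=None, window=1, step=30):
    """Accept the current code or one step either side (clock drift).
    compare_digest keeps the comparison constant-time so that a network
    attacker cannot learn the expected code from response timing."""
    if at_time is None:
        at_time = time.time()
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + delta * step, step), candidate):
            return True
    return False


if __name__ == "__main__":
    print("code now:", totp(TEST_SECRET))
    print("RFC vector at t=59:", totp(TEST_SECRET, 59, digits=8))  # 94287082
```

A real deployment generates a fresh random secret per user at enrolment (never the test secret above), stores it like a password, and rejects reuse of a code that has already been accepted within its window.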
What are the criminals tech tools to hack and attack ?
Malware attacks (viruses, worms, trojans, ...): fast-spreading zero-day infections => no immediate cure => lots of victims (especially home PCs – available 24 / 365)
Abuse of infected computers to create botnets (large "armies" of PCs under the control of 1 master) => used to make massive attacks on webservers or network nodes => high risk for your critical ICT infrastructure
[Diagram: Botnet attack on a webserver / node. Hacker -> Command & Control Server -> zombies over the Internet; a zombie reports "My IP is x.y.z.z" (info) and receives commands (cmd); at the target webserver / node: access line blocked, computer crash]
[Diagram: Malware update / knowledge transfer. Zombies send harvested information to a knowledge server; very frequent malware update requests go to a malware update server, triggered by events]
Why ? Making money !
Sometimes still for fun (scriptkiddies)
Spam distribution via Zombie
Click generation on banner publicity
Dialer installation on zombie to make premium rate calls
Spyware installation
Espionage => banking details / passwords / keylogging
Ransom bot => encrypts files => money for password
Capacity for distributed denial of service attacks DDOS => disturb functioning of internet device (server/router)
How big is the problem ?
Already criminal cases in several countries
Botnets detected
Several hundreds of botnets worldwide
Several thousands of C&C worldwide
Thousands up to millions of zombie computers online
Generated huge data traffic, up to 40 Gbps
Dismantling / crippling botnets
e-Crime underground business
Underground fora and chatrooms
Restricted access – on invitation
Secured by encryption
Botnets for hire
Control over a bot for spam: 0,04 $ / bot / day
Small scale attack 20 Mbps: 50 – 100 $ / day
Large scale attack 10Gbps : 1000 $ / day
Malware development on demand
Important DDOS cases
UK 2004 : gambling website down (+ hoster + ISP)
NL 2005 : 2 botnets : millions of zombies
BE 2005 : DDOS on chatnetwork of Media firms
BE 2005 : DDOS on Firm (social conflict)
US 2006 : Blue security firm stops activity
SE 2006 : Website Gov and Police down due to DDOS after police raid on P2P
EE 2007 : Widespread DDOS attack on Estonia after incidents on moving soldier statue
Georgia 2008 : cyber war during military conflict
World 2010 : Wikileaks case : Visa Mastercard paypal
World 2012 : CIA FBI USDOJ EU Arcelor Mittal ...
Latest malware developments
Stuxnet : very complex and elaborated trojan
Several replication vectors :
Networks
USB keys
Connects to C&C botnet server
Focused on industrial control system
Searches for systems with this control system
Collects information on Siemens PLC systems
Changes process logic on infected machines
Duqu, based upon Stuxnet: spying purposes
Biggest threat ? Criminal’s Knowledge database
SQL (structured query language) databases
Several backup servers
Content Keylogging (everything also userids, passwords)
Screenshots (of all opened windows, websites,...)
URL
IP-addresses
Base for reverse R&D to counter new security
Cases ?
e-Banking fraud
Hacking of large institutions / firms
Long time unaware of hacking
Keylogging
Encrypted files on PC
Internal botnet
Intermediate step to other networks
Often no complaint
[Diagram: Large firm hacking using an internal botnet: hacker -> Internet -> company network]
Cybercrime focusing on individuals
Individuals are also working in companies / gov
Use of social networks / webmail
Often used to exchange business-related info
Containing access code information
Hacking of these profiles / webmails
Abuse to infect people you know
Get personal information on you and your contacts
Commit fraud
Internet fraud of all kinds
Webcam sex interception to do extortion
Luc Beirens - FCCU -2012
And the victims ?
Who ?
Transactional websites
Communication networks
ISPs and all other clients
Reaction
Unaware of incidents going on
ISPs try to solve it themselves
Nearly no complaints made – even if asked ...
Result ? The hackers go on developing botnets
Combined threat
What if abused by terrorists? ... simultaneously with a real-world attack?
How will you handle the crisis ? Your telephone system is not working !
Risks
Economical disaster
Large scale : critical infrastructure
Small scale : enterprise
Individual data
Loss of trust in e-society
Who investigates ICT crime ?
Prosecutors / Examining Judges
Specialised police forces (nat’l & Internat’l)
Legal expert witnesses
Specialised forensic units of consulting firms
Associations defending commercial interests
Security firms => vulnerabilities
Activist groups => publish info on « truth »
E-Police organisation and tasks: integrated police
Federal Police, national level: 35 persons
1 Federal Computer Crime Unit: 24 / 7 (inter)national contact
Policy, training, equipment, FCCU network
Operations: forensic ICT analysis, ICT crime combating, intelligence on Internet & ePayment fraud, cybercrime
www.ecops.be hotline
International internet ID requests
Federal Police, regional level: 170 persons
25 Regional Computer Crime Units (1 – 2 judicial districts (arrondissementen) each)
Assistance for house searches, forensic analysis of ICT, taking statements, internet investigations
Investigations of ICT crime cases (assisted by FCCU)
Local level: Federal Police / Local Police
First-line police
"Freezing" the situation until the arrival of the CCU or FCCU
Selecting and safeguarding digital evidence
© 2012 - Luc Beirens - FCCU - Belgian Federal Police
Our services
Help to take a complaint
Go to the crime scene
Draw up the architecture of the hacked system
Image backup of hacked system (if possible)
Internet investigations (Identification, location)
House searches
Taking statements of concerned parties
Forensic analysis of seized machines
Compile conclusive police report
Investigative problems - tracking
Victims: unfamiliar with the process and afraid for their "corporate image" => belated complaints – traces trashed / no more traces
Rather "unknown" world for police & justice => delay before specialised units get involved
Limited ICT investigation capacity (technical & police skills)
Multiplication and integration of services / providers / protocols / devices
Lack of harmonised international legislation & instruments
Anonymous / hacked connections – subscriptions – WIFI
Intermediate systems often cut the track to the perpetrator
Investigative problems – evidence gathering
Delocalisation of evidence : the cloud ?
Exponential growth of storage capacity => time consuming: backups & verification processes, analysis
New legislation / jurisprudence imposes more rigorous procedures for evidence gathering in cyberspace
Bad ICT security: how to give proof of the source and the integrity of the evidence?
Brussels, we have a problem ...
Complainant:
Hello, can you help?
We are a Belgian hosting firm
We have a problem
Our webservers are hacked
& several websites of our Belgian customers have been defaced
Police: OK
A few questions to start our file …
Who, where, what, when …
Who is where ?
Hacked firm: nothing in Belgium
Hacker? In the UK
Hacker? In Luxembourg
Who / where / what
In Belgium: hosting firm (nothing in Belgium), customer (nothing in Belgium)
In the USA: hacked webserver, defaced website
In the Netherlands: hacked server
Conclusions ...
Competence of the Belgian justice authorities? Discussion:
Viewpoint of the Public Prosecutor General: not competent
Viewpoint of the victim's lawyer: competent
Viewpoint of the suspect's defence: ????
If the choice was made to store data in a foreign country:
Why? Cost? Evading regulations & obligations?
No (?) protection of Belgian Law
No (?) intervention of Law Enforcement in Belgium
Protection by law & LE in country where server is
Preventive recommendations
Draw up a general ICT usage directive (normal usage)
Awareness program for management & users
ICT security policy is part of the global security policy
Appoint an ICT security responsible => control on application of the ICT usage & security policy
Keep critical systems separate from the Internet if possible!
Use software from a trusted source
Install recent anti-virus and firewall programs (laptops)
Synchronize the system clocks regularly
Activate and monitor log files on firewall, proxy, access
Make & test backups & keep them safe (generations)!
Recommendations for victims of ICT crime
Disconnect from the outside world
Take note of last internet activities & exact date and time
Evaluate: is the damage more important than the restart?
Restart most important: make a full backup before restoring
Damage more important: don't touch anything
Safeguard all messages and log files in their original state
Inform ASAP the Federal Judicial Police and ask for assistance of the Federal or Regional CCU
Force a change of all passwords
Re-establish the connection only when ALL failures are patched
Where to make a complaint ?
Within a police force …
Local police service => not specialised => not the right place for ICT crime (hacking / sabotage / espionage) => the place to make complaints on Internet fraud
Federal judicial police (FGP) => better, but …
Regional CCU => the right place to be for ICT crime
Federal Computer Crime Unit => 24/7 contact; risks on vital or crucial ICT systems => call urgently
Illegal content (child porn, …) => www.ecops.be
… or immediately report to a magistrate?
Local prosecutor (Procureur) => will send it to police => can decide not to prosecute
Examining judge => complaint with deposit of a bail => obligation to investigate the case
For the sys admin
Several layers of protection
Internal firewalls
Encrypted communications
Encrypted data bases
Check active sysadmin profiles on servers
Log and follow up FW, IDS
Contact information
Federal Judicial Police Direction for Economical and Financial crime
Federal Computer Crime Unit, Notelaarstraat 211 - 1000 Brussels – Belgium
Tel office: +32 2 743 74 74
Fax: +32 2 743 74 19
E-mail: [email protected]
Twitter: @LucBeirens