CS3: Cybersecurity Extortion & Fraud

Cybersecurity Extortion & Fraud, Goodwin College, September 30, 2015

Transcript of CS3: Cybersecurity Extortion & Fraud

Page 1: CS3: Cybersecurity Extortion & Fraud

Cybersecurity Extortion & Fraud

Goodwin College

September 30, 2015

Sponsored by:

Page 2: CS3: Cybersecurity Extortion & Fraud

Top Five Things You Can Do to Protect Your Clients and Your Business

UCONN Stamford, March 30, 2015

Presented by

Bruce Carlson, President & CEO, Connecticut Technology Council

Introduction

Page 3: CS3: Cybersecurity Extortion & Fraud

Top Five Things You Can Do to Protect Your Clients and Your Business

UCONN Stamford, March 30, 2015

Presented by

Mark Scheinberg, President, Goodwin College

Welcome

Page 4: CS3: Cybersecurity Extortion & Fraud

Top Five Things You Can Do to Protect Your Clients and Your Business

UCONN Stamford, March 30, 2015

Presented by

Paul Savas, Vice President, Comcast Business Western New England Region

Welcome

Page 5: CS3: Cybersecurity Extortion & Fraud

Extortion & Fraud

Goodwin College

September 30, 2015

Sponsored by:

Martin McBride

Presented by

Keynote Speaker: William P. Shea, Deputy Commissioner of Emergency Services & Public Protection, State of the CT

To Discuss Cybersecurity Extortion and Fraud

Page 6: CS3: Cybersecurity Extortion & Fraud

Extortion & Fraud

Goodwin College

September 30, 2015

Sponsored by:

Presented by

Patricia Fisher, President & CEO, JANUS Associates; Board Member, CTC; Chair, CTC Cybersecurity Task Force

Introduction of Panelists

Page 7: CS3: Cybersecurity Extortion & Fraud

Extortion & Fraud

Goodwin College

September 30, 2015

Sponsored by:

Martin McBride

Presented by

Speaker: Leon A Pintsov, CEO, SignitSure

To Discuss Bitcoin and its Security Challenges

Page 8: CS3: Cybersecurity Extortion & Fraud

Bitcoin

What is Bitcoin and how is it used in cyber extortion and fraud incidents?

L. A. Pintsov, CTC Seminar on Cybersecurity

September 30, 2015

Page 9: CS3: Cybersecurity Extortion & Fraud

Outline

• Cyber attacks, extortion and Bitcoin
• Bitcoin - a little bit of mechanics
• Properties of Bitcoin
• Security and Privacy
• Limitations
• Future prospects
• Conclusion

Page 10: CS3: Cybersecurity Extortion & Fraud

Taxonomy of attacks

Page 11: CS3: Cybersecurity Extortion & Fraud

How did the attacks occur?

Page 12: CS3: Cybersecurity Extortion & Fraud

Attack Stages

Page 13: CS3: Cybersecurity Extortion & Fraud

How do bad guys monetize their cyber exploits?

• By selling attackers’ tools
• By selling stolen data
• By disabling the victim’s internal IT system (e.g. by encrypting the main and back-up business databases, rendering them useless unless decryption is applied)
• By disabling the victim’s website for a significant period of time [e.g. by repeated Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks]

The last two attacks can be monetized only by extortion. “Ransoms vary in price and are usually demanded in Bitcoin”.

Note: The cost of attacks to the bad guys is increasing and can be quite significant! Thus, we know of a few attacks that are done just to make a point (as used to be the case with computer viruses some time ago).

Page 14: CS3: Cybersecurity Extortion & Fraud

July 31, 2015

Alert Number I-073115-PSA

E-mail Extortion Campaigns Threatening Distributed Denial of Service Attacks

The Internet Crime Complaint Center (IC3) recently received an increasing number of complaints from businesses reporting extortion campaigns via e-mail. In a typical complaint, the victim business receives an e-mail threatening a Distributed Denial of Service (DDoS) attack to its Website unless it pays a ransom. Ransoms vary in price and are usually demanded in Bitcoin.

Victims that do not pay the ransom receive a subsequent threatening e-mail claiming that the ransom will significantly increase if the victim fails to pay within the time frame given. Some businesses reported implementing DDoS mitigation services as a precaution.

Businesses that experienced a DDoS attack reported the attacks consisted primarily of Simple Discovery Protocol (SSDP) and Network Time Protocol (NTP) reflection/amplification attacks, with an occasional SYN-flood and, more recently, Wordpress XML-RPC reflection/amplification attack. The attacks typically lasted one to two hours, with 30 to 35 gigabytes as the physical limit.

Based on information received at the IC3, the FBI suspects multiple individuals are involved in these extortion campaigns. The attacks are likely to expand to online industries and other targeted sectors, especially those susceptible to suffering financial losses if taken offline.

If you believe you have been a victim of this scam, you should reach out to your local FBI field office, and file a complaint with the IC3 at http://www.ic3.gov/. Please provide any relevant information in your complaint, including the extortion e-mail with header information.

Tips to protect yourself:

• Do not open e-mail or attachments from unknown individuals.
• Do not communicate with the subject.
• If an attack occurs, utilize DDoS mitigation services.

Page 15: CS3: Cybersecurity Extortion & Fraud

Akamai Report dated 9-9-2015

Akamai's Team is warning of increased activity by a group – known as DD4BC – that since 2014 has threatened to take down corporate networks with distributed denial-of-service (DDoS) attacks if a Bitcoin ransom is not paid. Akamai confirmed 141 attacks executed against 124 unique businesses between September 2014 and July 2015.

DD4BC started off small, only executing an average of nearly four DDoS extortion attacks per month from September 2014 to March. Activity started climbing in April with 16 attacks, peaked in June with 41 attacks, and tapered off a bit in July with 31 total attacks.

The organizations being targeted are in a variety of industries, including 58 percent in financial services, 12 percent in media and entertainment, nine percent in online gaming, six percent in retail and consumer goods, five percent in software and technology, and another five percent in internet and telecommunications.

“If a targeted organization pays the ransom, there is no reason to believe that the attackers will not return again, and often for a higher amount.” “Additionally, this could encourage other groups who may use the same name or in some way be associated with this group to threaten your organization and also send attack traffic. These types of attacks only work when the victims make it profitable for them. Not paying the ransom will often lessen the pervasiveness of these attacks.”

One of the group's latest tactics involves threatening to expose organizations via social media, the report mentioned.


Page 23: CS3: Cybersecurity Extortion & Fraud

Results (from Akamai report)

The data suggests that the individuals involved in the DD4BC operations have received ransom payments from the DDoS threats.

Historically, targets of ransom demands are selected based on their anticipated reluctance to involve law enforcement.

DD4BC is expanding its targets to enterprise-level organizations.


Page 24: CS3: Cybersecurity Extortion & Fraud

Why is Bitcoin a seemingly preferred payment tool for extortion?

• (Perceived) Anonymity / Unlinkability / Untraceability
• Relative ease of use (for both the extortionist and the victim)
  • Remember the instructions in the ransom email?
• Ubiquity/popularity as a payment method within the Community of Bad Guys
• BTC can be easily transferred from one member of the community to another
• Value in BTC can be dormant/stored for a considerable period of time, i.e. the value cannot be frozen or confiscated as long as it is in the Block Chain.

Page 25: CS3: Cybersecurity Extortion & Fraud


Bitcoin (n.): A revolutionary digital currency free of central banks, deposits, or stable concepts of ownership and value.

The New Devil’s Dictionary

Page 26: CS3: Cybersecurity Extortion & Fraud

Paper Money

• In the US, paper money is issued by the US Central Bank in accordance with an economic policy.
• When Alice wishes to give a coin to Bob (in return for some goods or services), Bob can examine the coin to ensure that it is valid (i.e., not counterfeit).
• Double spending is not a concern because Alice cannot give the same (valid) coin/bill to two different parties.
• Payer anonymity, payment unlinkability (no link between payer and payee), and untraceability are provided.

Page 27: CS3: Cybersecurity Extortion & Fraud

Bitcoin (BTC)

• An electronic cash scheme invented by Satoshi Nakamoto (a pseudonym) in 2008.
• Bitcoin is decentralized, i.e., there is no “Bank” or Central Authority (but there is a committee of 5-6 key developers who maintain the BTC system as Open Source Software).
• Payer anonymity and payment untraceability are not primary goals of Bitcoin.
• Anyone can use Bitcoin:
  • Download a wallet from bitcoin.org.
  • Obtain bitcoins by “mining” or from an exchange such as VirtEx, BTC China (and, until recently, MtGox).
• How can the creation of coins be regulated?
• How does the recipient of a coin ensure it has not been previously spent?

Page 28: CS3: Cybersecurity Extortion & Fraud

Bitcoin

• The first bitcoins were generated by Satoshi Nakamoto on Jan 3 2009.
• The basic unit of bitcoin currency is 1 BTC. Each BTC can be divided into 100 million pieces, the smallest of which, i.e., 0.00000001 BTC, is called a “satoshi”.
• Bitcoins can be generated (i.e., mined) in theory by anyone.
• They are generated at the rate of R BTC every 10 minutes (approximately). Initially, R = 50. On Nov 28 2012, R was lowered to 25.
• R will be halved over time (every 212 K transactions or roughly 4 years), until the year 2140, when a total of 21 million BTC will have been generated. This is a hardcoded limit. No BTC inflation!
• By March 2014, 12.1 million BTC had been generated.

Page 29: CS3: Cybersecurity Extortion & Fraud

Value of BTC

• The dollar value of 1 BTC has fluctuated widely (see coinbase.com/charts):

May 22 2010: $0.0025     Jan 1 2013: $13.30
Jul 17 2010: $0.08       Apr 9 2013: $223.10
Jan 1 2011: $0.30        Jul 6 2013: $69.31
Feb 9 2011: $1.00        Oct 31 2013: $127.25
Jun 8 2011: $31.91       Nov 30 2013: $1126.82
Jan 2 2012: $5.22        Jan 1 2014: $747.56
Jul 1 2012: $6.63        Mar 23 2014: $563.27

• Apr 20 2015: 1 BTC = $230

Page 30: CS3: Cybersecurity Extortion & Fraud

Organization of Bitcoin (basic elements)

• Transaction: The transferring of a coin from one user to another. All transactions are public and are broadcast to all users.
• Peer-to-peer network: The users of Bitcoin are organized in a peer-to-peer network.
• Blocks: Every 10 minutes or so, the latest transactions are verified and collected into a block. This block is hashed and (cryptographically) linked with other blocks. The block is broadcast to the entire peer-to-peer network.

Page 31: CS3: Cybersecurity Extortion & Fraud

Organization of Bitcoin (basic elements)

• Block chain: The list of blocks is called the Block Chain. It contains a record of all past transactions.
• Mining: The process of verifying transactions and compiling a block is called mining. A successful miner receives a reward (new BTCs plus transaction fees).
• Proof-of-work: To successfully compile a block and receive a reward, the miner has to solve a cryptographic challenge (requiring a very significant amount of computing power).

Page 32: CS3: Cybersecurity Extortion & Fraud

Block Chain

Address of the previous block

H( ) is the Digest of the previous block

Head of the Chain Address and Digest of the Last Block


Page 33: CS3: Cybersecurity Extortion & Fraud

Properties of the Block chain

• The block chain is a data structure (a linked list) that allows data to be appended after the last existing block.
• H( ) is a hash function; in the case of Bitcoin, H( ) is SHA256.
• The block chain provides a tamper-evident log of the data stored in it.
• Any attempt to modify data in any of the previous blocks is easily detectable because the Head of the Chain is securely stored (at multiple locations).
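Added example (not part of the original slides): a minimal hash-linked log in Python showing why the separately stored Head of the Chain matters. An edit to one old block breaks the next link, and an edit with every later link recomputed is caught only by comparing against the trusted head. The block layout, function names and sample transactions are constructed for illustration and are not Bitcoin's real block format.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous digest" for the first block


def digest(block):
    """H( ): SHA-256 over a canonical JSON encoding of the whole block."""
    data = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_block(chain, transactions):
    """Append a block that commits to its predecessor; return the new head digest."""
    prev = digest(chain[-1]) if chain else GENESIS_PREV
    chain.append({"prev_hash": prev, "transactions": list(transactions)})
    return digest(chain[-1])


def find_tampering(chain, trusted_head):
    """Index of the first block whose digest disagrees with the value that
    commits to it (the next block's prev_hash, or the trusted head for the
    last block). Returns None when the chain is intact."""
    for i, block in enumerate(chain):
        committed = chain[i + 1]["prev_hash"] if i + 1 < len(chain) else trusted_head
        if digest(block) != committed:
            return i
    return None


def relink_from(chain, start):
    """What a thorough forger does: recompute every later prev_hash."""
    for i in range(start + 1, len(chain)):
        chain[i]["prev_hash"] = digest(chain[i - 1])


def demo():
    # Constructed sample ledger; names and amounts are illustrative only.
    ledger, head = [], None
    for txs in (["coinbase -> A: 25"], ["A -> B: 1"], ["B -> C: 0.5"], ["C -> D: 0.2"]):
        head = append_block(ledger, txs)
    intact = find_tampering(ledger, head)

    naive = copy.deepcopy(ledger)
    naive[1]["transactions"] = ["A -> M: 1"]   # edit one old block only
    naive_hit = find_tampering(naive, head)    # the following link no longer matches

    forged = copy.deepcopy(naive)
    relink_from(forged, 1)                     # repair every internal link
    forged_hit = find_tampering(forged, head)  # only the stored head exposes it
    # Without an independent copy of the head, the forgery is self-consistent.
    self_check = find_tampering(forged, digest(forged[-1]))
    return intact, naive_hit, forged_hit, self_check


if __name__ == "__main__":
    print(demo())
```

The last value returned by demo() is the case the slide guards against: a rewritten chain verifies cleanly against its own head, so detection depends on honest copies of the head held elsewhere.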


Page 34: CS3: Cybersecurity Extortion & Fraud

Digital Signatures


Page 35: CS3: Cybersecurity Extortion & Fraud

Key pairs and Identities in Bitcoin

• Each user selects a randomly generated number a and uses it to compute another number A. This is done by the wallet software. The user’s private key is a; the user’s public key is A.
• In Bitcoin, a user’s public key A is used to identify the user.
• A user can (and frequently does) select a different key pair for each transaction. Thus, the identity of the user can change with each transaction. (Remember extortion emails?)
• If a user loses their private key, all Bitcoins associated with this key are lost forever.

Page 36: CS3: Cybersecurity Extortion & Fraud

Transaction

• A transaction is the transfer of a coin (of any value) from one user to another user.
• Suppose that Alice has a coin, say of value 1 BTC. The transaction in which Alice obtained this bitcoin is represented by TX_A. Suppose Alice wishes to give this coin to Bob.
• The transaction of 1 BTC is represented as follows: T_AB = {TX_A, A, B, 1 BTC}_A, where {M}_A denotes a message M and its signature with respect to the public key A (in other words the message is signed with Alice’s public key).
• This transaction is broadcast to the entire peer-to-peer BTC network.
• Transaction T_AB is identified by its SHA-256 hash value.

Note: The transaction contains both Alice’s and Bob’s public keys, but not their names or any other identities. These keys are used to verify that the transaction was initiated by Alice.

Page 37: CS3: Cybersecurity Extortion & Fraud

Chain of Transactions

Page 38: CS3: Cybersecurity Extortion & Fraud

First Bitcoins

Page 40: CS3: Cybersecurity Extortion & Fraud

Mining

• Incentive: The block creator is awarded R BTC (currently, R = 25) besides transaction fees.
• Users form mining pools and share an award.
• Work factor: The target t (for the proof-of-work) is updated every 2016 blocks (2 weeks) to ensure that the average time it takes to generate a block is about 10 minutes.
• Currently, the bitcoin network is generating hashes at the rate of approximately 2^54 per second. The hash difficulty is approximately t = 63.
• A PC can do approximately 2^23 hashes per second. So, one PC will take about 35,000 years to generate a block.
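Added example (not part of the original slides): a toy proof-of-work in Python that ties the slide's figures together. Assumptions: t is read as the number of leading zero bits required in the hash, the rates are read as 2^54 and 2^23 hashes per second, and a single SHA-256 over header plus nonce stands in for Bitcoin's double SHA-256 compared against a numeric target.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def leading_zero_bits(d):
    """Number of zero bits at the front of a digest (bytes)."""
    return len(d) * 8 - int.from_bytes(d, "big").bit_length()


def pow_hash(header, nonce):
    """Simplified work function: SHA-256(header || 8-byte nonce)."""
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def meets_target(header, nonce, t):
    """Verification costs one hash, however large t is."""
    return leading_zero_bits(pow_hash(header, nonce)) >= t


def mine(header, t, max_tries=1 << 24):
    """Brute-force search for the smallest nonce meeting the target.
    Each try succeeds with probability 2**-t, so the expected cost is
    about 2**t hashes. Returns None if max_tries is exhausted."""
    for nonce in range(max_tries):
        if meets_target(header, nonce, t):
            return nonce
    return None


def expected_seconds(t, hashes_per_second):
    """Average time to find a block at difficulty t and a given hash rate."""
    return 2 ** t / hashes_per_second


def slide_figures():
    """Reproduce the slide's numbers under the assumptions above."""
    network_seconds = expected_seconds(63, 2 ** 54)  # whole network
    one_pc_years = expected_seconds(63, 2 ** 23) / SECONDS_PER_YEAR
    return network_seconds, one_pc_years


if __name__ == "__main__":
    header = b"constructed block header"  # constructed sample input
    nonce = mine(header, 12)               # small t so this finishes quickly
    print("nonce:", nonce, "hash:", pow_hash(header, nonce).hex())
    print("network seconds, one-PC years:", slide_figures())
```

Under these assumptions the network needs 2^63 / 2^54 = 512 seconds per block, close to the 10-minute design point, and a single PC needs 2^40 seconds, which is the slide's roughly 35,000 years.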

Page 41: CS3: Cybersecurity Extortion & Fraud

Block Chain Mechanism

• Users will accept a block if all the transactions in it are valid, and if the coins have not been previously spent.
• Users show their acceptance of the block by using its hash value (digest) as the “previous hash” for the next block, thereby growing the block chain.
• The block chain serves as a public ledger that records all transactions.

Page 42: CS3: Cybersecurity Extortion & Fraud

Security notes

• Bitcoin is “secure” as long as honest users collectively control more CPU power than any cooperating (colluding) group of users.
• Since all transactions are public, payer anonymity and payment untraceability cannot be guaranteed.

Page 43: CS3: Cybersecurity Extortion & Fraud

BTC anonymity, unlinkability, traceability…

• There is a fundamental and inherent conflict between decentralization and anonymity. For most users decentralization seems to be more important than anonymity.
• How hard is it to link different addresses of the same user? How hard is it to link different transactions of the same user? How hard is it to link the sender of a payment to its recipient?
• The privacy (anonymity) properties of cryptocurrencies are generally much weaker than those of the traditional centralized banking system because anybody can examine the Block chain of all transactions.
• Bitcoin allows for multiple “side channels” that leak data and for data mining techniques (e.g. Transaction Graph Analysis) to establish links.
• There are several new proposals for how to fix BTC anonymity issues for good using zero-knowledge protocols (e.g. Zerocoin, Zerocash). They all have some implementation challenges, but if realized, these protocols will be able to achieve real anonymity, thus creating significant advantages for bad guys and significant headaches for the law enforcement agencies.

Page 44: CS3: Cybersecurity Extortion & Fraud

Extensibility and Limitations

• The Block chain data structure and the distributed peer-to-peer consensus mechanism have potentially many applications, even outside finance (e.g. IoT).
• Bitcoin as it is operating now has several niche applications (e.g. international contractors and extortionists) and has some severe limitations and shortcomings:
  • “Bitcoin will start to malfunction early next year. Transactions will become increasingly delayed, and the system of money now worth $3.3 billion will begin to die as its flakiness drives people away, so says Gavin Andresen, who in 2010 was designated chief caretaker of the code that powers Bitcoin by its shadowy creator”. “Andresen’s gloomy prediction stems from the fact that Bitcoin can’t process more than seven transactions a second” (e.g. compared with about 20,000 for Visa).
  • 45% of exchanges are closed due to various failures or fraud issues.
• Wall Street made a $30 M investment in Chain Inc. to develop Block chain technology for financial applications, aiming to reduce the complexity and cost of the existing system. Investors include Visa, Capital One, Goldman Sachs, Fiserv and Orange.


Page 46: CS3: Cybersecurity Extortion & Fraud

Conclusion

• Bitcoin opened a large and fast-developing area for research as well as several practical applications, and generated considerable interest from computer scientists, economists, business people, lawyers, governments and the non-ethical hacking community (the bad guys).
• Bitcoin is most certainly a testament to human ingenuity; its implementation integrates a number of known and ingenious ideas with new creative and elegant computational techniques.
• Practice seems to be ahead of the theory.
• No one knows whether Bitcoin is stable and going to survive, or whether it will experience a major setback or a shock and be folded (following DigiCash and a number of other cryptocurrencies into a graveyard).
• Given the amount of investment and interest that BTC has generated so far, it is likely that BTC concepts and implementation techniques will produce important and far-reaching implications in many areas of society and the economy.
• Regulation: Stay tuned!

Note: This presentation contains materials from many web sources, including the Princeton University course “Bitcoin and Cryptocurrencies Technology”, Akamai, and personal communications and materials from Prof. A. Menezes of the University of Waterloo in Canada. These materials are gratefully acknowledged.

Page 47: CS3: Cybersecurity Extortion & Fraud

Extortion & Fraud

Goodwin College

September 30, 2015

Sponsored by:

Presented by

Panelists

William P. Shea, Deputy Commissioner of Emergency Services & Public Protection, The State of Connecticut

Leon Pintsov, CEO, SignitSure

Timothy Ronan, Attorney, Pullman & Comley, LLC

Moderator: Patricia Fisher, President & CEO, JANUS ASSOCIATES; Board Member, CTC; Chair, CTC Cybersecurity Task Force

Joseph Coray, Vice President, Technology & Life Science Practice, The Hartford

Page 48: CS3: Cybersecurity Extortion & Fraud

CONNECTICUT TECHNOLOGY COUNCIL

Cybersecurity Extortion and Fraud

Tim Ronan

September 30, 2015

Page 49: CS3: Cybersecurity Extortion & Fraud

Ransomware Screenshots -- CryptoLocker

© 2015 Pullman & Comley LLC

Page 50: CS3: Cybersecurity Extortion & Fraud

“Choose a convenient payment method” 1 BTC

Page 51: CS3: Cybersecurity Extortion & Fraud

CryptoLocker – USD MoneyPak® payment

Page 52: CS3: Cybersecurity Extortion & Fraud

FBI Ransomware -- Complete with handcuffs

Page 53: CS3: Cybersecurity Extortion & Fraud

DOJ Ransomware – It’s a “fine,” not a ransom.

Page 54: CS3: Cybersecurity Extortion & Fraud

DOJ-Homeland-FBI Ransomware

Page 55: CS3: Cybersecurity Extortion & Fraud

FBI-DOJ-Homeland Ransomware

Pay just a $300 “fine” for the key and to close your case.

Page 56: CS3: Cybersecurity Extortion & Fraud

TeslaCrypt – Shocker: They’ve even co-opted Nikola’s name.

Page 57: CS3: Cybersecurity Extortion & Fraud

The clock is always ticking…

Page 58: CS3: Cybersecurity Extortion & Fraud

… so what do you do?

Page 59: CS3: Cybersecurity Extortion & Fraud

BRIDGEPORT | HARTFORD | STAMFORD | WATERBURY | WHITE PLAINS

www.pullcom.com

These slides are intended for educational and informational purposes only. Readers are advised to seek appropriate professional consultation before acting on any matters in this update. These slides may be considered attorney advertising. Prior results do not guarantee a similar outcome.



Page 61: CS3: Cybersecurity Extortion & Fraud

Extortion & Fraud

Goodwin College

September 30, 2015

Sponsored by:

Presented by

Bruce Carlson, President & CEO, CT Technology Council

Patricia Fisher, President & CEO, JANUS Associates, Inc.

Nancy Hancock, Partner, Pullman and Comley LLC

Richard Harris, Partner, Day Pitney LLP

Rick Huebner, President & CEO, Visual Technologies, Inc.

Lyle Liberman, COO, JANUS Associates, Inc.

Andy McCarthy, VP of Engineering & Technical Ops, Western NE Region, Comcast

Suzanne Novak, Owner/President, ERUdyne, LLC

Dr. Leon Pintsov, CEO, SignitSure Inc.

Paige Rasid, COO, CT Technology Council

Ray Umerley, Vice President, Chief Data Protection Officer, Pitney Bowes

Ron Vernier, SVP and CIO, Hartford Steam Boiler

Cybersecurity Task Force
