20120329 Cybercrime threats on e-world
1. Cybercrime threats on e-world
« What is the cybercriminal up to and how to survive cybercrime? »
Belgian Federal Judicial Police
Federal Computer Crime Unit
© Luc Beirens
2. AGENDA
General trends
Victims and their problems
Who should you be afraid of?
Investigators and their problems
Recommendations for potential ICT crime victims
Contact data
3. e-Architecture
(Diagram: an externally hosted website and a cloud service center on the Internet; the internal network behind a firewall with a DMZ hosting the own webserver and a backup server; VPN access for a roaming user; an end user on the internal network; SCADA / process control systems attached to the same network.)
4. General trends today
Evolution towards an e-society
Persons replaced by e-applications
Social networks (for private / professional – commercial use)
Very high mobility (notebooks, smartphones, tablets, ...)
Interconnecting all systems (admin, industrial, control)
IP is the common platform offered by many ISPs,
integrating telephony / data / VPN & all new apps
= opportunities / Achilles heel / scattered traces
Poor security in legacy applications and protocols
(userid + password) => identity fraud is easy
End users are not yet educated to act properly
5. What do “criminals” want?
Become rich / powerful
rapidly, easily, with a very big ROI
in an illegal way if needed
Destabilize (e-)society
by causing trouble
For both goals they can / will focus on:
Your data
Your system
7. Why would they choose you as their victim?
They don’t specifically target you … but
you’re connected to and visible on
the Internet or the telephone network, or through your WiFi
they want to use any ICT system:
to store and exchange illegal stuff … (child porn, warez, …)
as an intermediary system for illegal activity
(spamming, hacking, phishing, …)
to obtain international connections … for which you pay
they just want a new computer and you have one
8. Why would they choose you as their victim ?
They target you because :
of their interest in the data you store on your system
Personal identity information
Financial information (income, credit cards, …)
Business information (Customer/prospect DB, R&D info, …)
they don’t like you and want
to cause damage or take you out of business
Social / economic / civil / political organisations
Terrorist organisations
9. The internal risk
Fired system administrator in a courier company
Hard-working IT employee in a financial institution
Dancing cursor in a security firm
Theft of PCs in the R&D department of a company
Social conflict: DDoS attacks on e-commerce
11. Recent cyber crime targeting firms
Spyware / trojan horses / remote admin
Botnet attacks
Espionage
Identity fraud (phishing – spear phishing)
getting your customers’ identity information: CO2
Fraudulent business proposals via the Internet
Buying your goods with forged cheques
False escrow payment services (trusted third parties)
Nigerian waste recycling => your old PCs & hard disks
14. Phishing and money mules
(Diagram with numbered steps 1–6: the victim John Doe enters his userid and password on a phishing site; a transfer order is sent to the bank site; money leaves John Doe’s bank for the bank account of a money mule, “Jefke Mule”, who was recruited under a contract as “financial manager”; the mule passes the money on.)
15. Webserver
Normal functioning of a webserver (diagram)
Capacity of a server is limited by:
-bandwidth of the connection line from the Internet to the server
-transaction capacity of the server: number of requests per minute
16. Webserver / node
Botnet attack on a webserver / node (diagram: the hacker sends commands to a command and control server; zombie computers report “My IP is x.y.z.z” and receive the attack command; their traffic floods the victim’s access line from the Internet, the access line is blocked and the webserver / node crashes.)
17. How do I get infected ?
The hacker sends a Trojan horse (= container program)
to the victim PC via
E-mail (spam, ...)
Peer-to-peer (Kazaa, BitTorrent, ...)
Chat (IRC, MSN, ...)
Automatic infection of the victim PC when visiting websites containing
infecting scripts that abuse OS vulnerabilities
Automatic propagation of the malware from zombies towards
neighbouring PCs in the network, abusing OS vulnerabilities
The infection procedure often connects to an
update server to download new versions to the zombie
18. Botnets attack capacity
Botnets that control from 2,000 to more than
100,000 zombies
Each zombie sends several requests per second
Attack capacity in known cases:
Sustained dataflow
10 Gbps
during days
Peak dataflow
about 40 Gbps
during hours
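Slides 15 and 18 together describe what a botnet flood looks like from the server's side: the transaction capacity is a number of requests per minute, and a botnet exceeds it with thousands of zombies sending a few requests each. The following detector is an added example, not part of the original deck; it groups constructed access-log lines (Common Log Format, an assumed format) into one-minute buckets, compares each bucket with an assumed capacity figure, and distinguishes a distributed flood from a single noisy client by counting distinct source addresses.

```python
"""Rate-based flood detection over web-server access log lines (added example).

Groups requests into one-minute buckets, compares each bucket against the
server's transaction capacity (requests per minute) and tells a single noisy
client apart from a distributed flood by counting distinct source IPs.
Log format and the capacity figure are assumptions for this example.
"""
from collections import defaultdict
import re

# Common Log Format prefix: "IP - - [dd/Mon/yyyy:HH:MM:SS +0000] ..." (assumed)
LOG_RE = re.compile(r'^(\S+) - \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]')

def bucket_by_minute(lines):
    """Return {minute: {source_ip: request_count}} for every parseable line."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than stop the monitor
        ip, minute = m.group(1), m.group(2)
        buckets[minute][ip] += 1
    return buckets

def classify(buckets, capacity_per_minute, distributed_threshold=3):
    """Label each minute 'normal', 'single-source flood' or 'distributed flood'."""
    # Above capacity with many distinct sources matches the botnet pattern
    # (many zombies, a few requests each); one or two sources is a single
    # misbehaving client that can simply be blocked at the firewall.
    labels = {}
    for minute, per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        if total <= capacity_per_minute:
            labels[minute] = "normal"
        elif len(per_ip) >= distributed_threshold:
            labels[minute] = "distributed flood"
        else:
            labels[minute] = "single-source flood"
    return labels

# Constructed sample log: 10:00 is quiet, 10:01 is hit by ten zombies,
# 10:02 is flooded by one client. A capacity of 5 requests/minute is made up.
SAMPLE_LOG = (
    ['203.0.113.5 - - [29/Mar/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
     '203.0.113.9 - - [29/Mar/2012:10:00:30 +0000] "GET /a HTTP/1.1" 200 100']
    + [f'198.51.100.{i} - - [29/Mar/2012:10:01:{i:02d} +0000] "GET / HTTP/1.1" 503 0'
       for i in range(1, 11)]
    + [f'192.0.2.7 - - [29/Mar/2012:10:02:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
       for s in range(6)]
)
```

Calling classify(bucket_by_minute(SAMPLE_LOG), 5) labels the three sample minutes as normal, distributed flood and single-source flood respectively.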
19. Why? Making money!
Sometimes still for fun (script kiddies)
Spam distribution via zombies
Click generation on banner advertising
Dialer installation on the zombie to make premium rate calls
Spyware installation
Espionage => banking details / passwords / keylogging
Ransom bot => encrypts files => money for the password
Capacity for distributed denial of service attacks (DDoS)
=> disturb the functioning of an internet device (server/router)
21. Threats
Attacks on e-commerce (e-gov) websites
=> website out of order
Attacks on network nodes
=> ALL USERS (firms) out of order
Increased risk if combined
with zero-day virus infections
=> NO security against infections
=> bigger armies of zombies
22. Latest malware developments
Stuxnet: a very complex and elaborate trojan
Several replication vectors: networks / USB keys
Connects to a C&C botnet server
Focused on industrial process control systems
Searches for systems with this control system
Collects information on Siemens PLC systems
Changes the process logic on infected machines
Duqu: spying
23. You should take extra care if …
Your business / production processes depend
completely or to a great extent on your ICT system
=> growing vulnerability => bigger impact of ICT crime
=> more and more services over the Internet …
Your business activity provides vital or crucial services:
Energy / Water / Telecommunications / Transportation
Financial institutions / Health institutions
Your industrial process control systems are
directly or indirectly connected to the Internet
Your employees / suppliers have external access to
your internal network (0800 lines/Internet)
24. Damage to consider ...
A house search at your home or company (early in the morning)
Your firm cut off from the Internet by your ISP
(because of spam distribution by a hacker using your server)
Your telecom invoice next month 200,000 € higher
The result of 5 years of high-tech R&D,
code and documentation, in the hands of your competitor
Your firm out of action for some days –
cost of diagnosis & restart – economic losses
Your system administrator arrested
for using your server to distribute child porn
Your personal documents / pictures / e-mails distributed
to anyone on the Internet
25. And perhaps - as a victim –
you could be held liable for …
the illegal activity on your ICT system
the damage caused to
other ICT systems / your customers
not complying with the Privacy act :
obligation to secure personal data efficiently
not being able to provide authorities with
traffic data as a telecom service provider
26. Victims of ICT crime
From multinationals to MSEs to individuals
No assessment of the value of the data on the ICT system
=> no backups
No or bad ICT security (role of management)
Bad control of the employees in key functions
Absolute lack of awareness among individual users
ICT crime mostly at night or at the weekend
No or late discovery: often complaints from outside
Installation of adapted versions of operating
systems on hacked computers
28. Who is threatening us?
Script kiddies
The insider ICT guy in your company
Loosely organized criminals
Firmly organized criminal groups
Terrorists / hacktivists
Nation-state warfare troops
Underground economy platforms for selling &
buying criminal services and products
29. Firmly organized criminals
We see more and more organization
in the criminal activity on the Internet
Focused on financial intent
Cooperation with money launderers
Different specialisations:
recruiting persons – ICT development – handling money
Infiltration in or taking over of legal businesses
(development firms, operators, ...)
30. Terrorists / hacktivists
No financial intent
Political / social objectives
Attack and create chaos and disaster
Destabilize economy and society
Might take their time to prepare ...
Or set up actions very quickly (social networks)
32. Who investigates ICT crime ?
Prosecutors / Examining Judges
Specialised police forces (nat’l & Internat’l)
Legal expert witnesses
Specialised forensic units of consulting firms
Associations defending commercial interests
Security firms => vulnerabilities
Activist groups => publish info on « truth »
33. E-Police organisation and tasks
Integrated police
National level – Federal Police: 1 Federal Computer Crime Unit (FCCU), 35 persons
24/7 (inter)national contact
Policy
Operations: intelligence, Internet & ePayment fraud, forensic ICT analysis, cybercrime
Training
Equipment for ICT crime combating
www.ecops.be hotline
FCCU network
International internet ID requests
Regional level – Federal Police: 25 Regional Computer Crime Units (1 – 2 arrondissementen), 170 persons
Assistance for house searches, forensic analysis of ICT, taking statements, internet investigations
Investigations of ICT crime cases (assisted by the FCCU)
Local level – Local Police: first line police
“Freezing” the situation until the arrival of the CCU or FCCU
Selecting and safeguarding digital evidence
© 2012 - Luc Beirens - FCCU - Belgian Federal Police
34. Our services
Help to file a complaint
Attend the crime scene
Draw the architecture of the hacked system
Image backup of the hacked system (if possible)
Internet investigations (identification, location)
House searches
Taking statements of the parties concerned
Forensic analysis of seized machines
Compile a conclusive police report
35. Investigative problems - tracking
Victims: unfamiliar with the process and fear for their “corporate image”
=> belated complaints – traces trashed / no more traces
Rather “unknown” world for police & justice
=> delay before specialised units get involved
Limited ICT investigation capacity (technical & police skills)
Multiplication and integration of
services / providers / protocols / devices
Lack of harmonised international legislation & instruments
Anonymous / hacked connections – subscriptions – WiFi
Intermediate systems often cut the track to the perpetrator
36. Investigative problems – evidence gathering
Delocalisation of evidence: the cloud?
Exponential growth of storage capacity
=> time consuming:
backups & verification processes
analysis
New legislation / jurisprudence imposes more rigorous
procedures for evidence gathering in cyberspace
Bad ICT security:
hard to give proof of the source and the integrity of the evidence
37. Brussels, we have a problem ...
Complainant: Hello, can you help? We are a Belgian hosting firm. We have a problem: our webservers are hacked & several websites of our Belgian customers have been defaced.
Police: OK. A few questions to start our file … Who, where, what, when …
39. Who / where / what
In the USA: hacked webserver – hosting firm: nothing in Belgium
In the Netherlands: customer: nothing in Belgium
In the UK: hacked firm: nothing in Belgium
In Belgium: defaced website – hacked server – hacker?
In Luxemburg: hacker?
40. Conclusions ...
Competence of the Belgian justice authorities? Under discussion:
viewpoint of the Public Prosecutor General: not competent
viewpoint of the victim’s lawyer: competent
viewpoint of the suspect’s defence: ????
If the choice was made to store data in a foreign country:
Why? Cost? Evading regulations & obligations?
No (?) protection of Belgian law
No (?) intervention of law enforcement in Belgium
Protection by the law & LE of the country where the server is
42. Preventive Recommendations
Draw up a general ICT usage directive (normal usage)
Awareness program for management & users
ICT security policy is part of the global security policy
Appoint a person responsible for ICT security
=> control on the application of the ICT usage & security policy
Keep critical systems separate from the Internet if possible!
Use software from a trusted source
Install recent anti-virus and firewall programs (laptops)
Synchronize the system clocks regularly
Activate and monitor log files on firewall, proxy, access
Make & test backups & keep them safe (generations)!
43. Recommendations for victims of ICT crime
Disconnect from the outside world
Take note of the last internet activities & the exact date and time
Evaluate: is the damage more important than the restart?
Restart most important: make a full backup before the restore
Damage more important: don’t touch anything
Safeguard all messages and log files in their original state
Inform ASAP the Federal District Police Services
and ask for the assistance of the Federal or Regional CCU
Change all passwords and change all usernames
Re-establish the connection only
if ALL failures have been found and patched
44. Where to make a complaint ?
Within a police force …
Local Police service => not specialised
=> not the right place for ICT crime (hacking/sabotage/espionage)
=> the place to make complaints about Internet fraud
Federal District Police Service (FGP) => better but …
Regional CCU => the right place to be for ICT crime
Federal Computer Crime Unit => 24/7 contact
Risks on vital or crucial ICT systems => call urgently
Illegal content (child porn, racism, …) => www.ecops.be
… or immediately report to a magistrate?
Local prosecutor (Procureur) => will send it to the police
=> can decide not to prosecute
Examining Judge => complaint with deposit of bail
=> obligation to investigate the case
45. Contact information
Belgian Federal Judicial Police
Direction for economical and financial crime
Federal Computer Crime Unit
Notelaarstraat 211 - 1000 Brussels – Belgium
Tel office : +32 2 743 74 74
Fax : +32 2 743 74 19
Head of Unit : luc.beirens@fccu.be
Central Internet Contact Point : www.ecops.be