
20130321 Cybercrime threats on e-commerce online shops


Threats on e-Shops. Presentation at e-Shop Expo, Tour & Taxis, Brussels, 21 March 2013.


Page 1: 20130321 Cybercrime threats on e-commerce online shops

How to survive in an era of hacktivists, cyber espionage and internet fraudsters?

The need for an integrated approach to undermine the criminal cyber architecture

© 2013 Luc Beirens – Federal Computer Crime Unit – Belgian Federal Judicial Police – Direction Economical and Financial Crime

Brussels, 21 March 2013 e-Shop Expo

Page 2: 20130321 Cybercrime threats on e-commerce online shops

Presentation

@LucBeirens

Chief Commissioner, Head of the Federal Computer Crime Unit

Belgian Federal Judicial Police, Direction Economical and Financial Crime

Chairman of the EU Cybercrime Task Force, representing the organisation of heads of national high-tech crime units of the EU

Page 3: 20130321 Cybercrime threats on e-commerce online shops

Topics - overview

An analysis of the eSociety situation

Who is threatening eSociety and how? Inside threats / outside threats

Possible damage to eGov and eSociety

What response should be given to this?

Page 4: 20130321 Cybercrime threats on e-commerce online shops

What is there to protect ?

Your company / public image

Your market share (even as public service)

Your business activity / products

Your existence as such

Cybercrime threats © Belgian Federal Computer Crime Unit

Page 5: 20130321 Cybercrime threats on e-commerce online shops

What is there to protect ?

Data (stored or in transmission)

Our personal data employees / citizens / customers

Info on the organisation (policy/functioning/financial)

Info on your activity, product (price list, patents, source code)

Our information infrastructure

Internal / external systems

Network connections

Storage and backup systems

Privacy law requires organisational and technical measures to protect personal data


Page 6: 20130321 Cybercrime threats on e-commerce online shops

eShop

Be recognisable to your customers

Beware of imposters

Use of certificates / control over domain

Keep your customers safe

Data

Transactions

Get paid for your services / products

Don’t unwittingly become a criminal service platform


Page 7: 20130321 Cybercrime threats on e-commerce online shops

[Diagram : e-Architecture. DNS ; Certification Authority ; end user / roaming user ; internal network ; externally hosted website ; DMZ with own webserver ; backup server ; cloud service centre ; SCADA / process control ; firewall ; Internet VPN ; externally managed infrastructure. © Luc Beirens]

Page 8: 20130321 Cybercrime threats on e-commerce online shops

General trends today

Evolution towards e-society

replacing persons with e-applications

Interconnecting all systems (admin, industrial, control)

Mobile systems – Cloud

Social networks

IP is the common platform offered by many ISPs, integrating telephony / data / VPN & all new apps => opportunities / Achilles heel / scattered traces

Poor security in legacy applications and protocols (userid + password) => identity fraud is easy

End users are not yet educated to act properly

Page 9: 20130321 Cybercrime threats on e-commerce online shops

What do criminals want ?

Become rich / powerful rapidly and easily, with a very big ROI, in an illegal way if needed

Destabilise (e-)society by causing trouble

Page 10: 20130321 Cybercrime threats on e-commerce online shops

First conclusions ?

Society is thus very heavily dependent on ICT

ICT = important vulnerability of modern society

End user = weakest link => biggest danger

Need to

Guarantee continuity of ICT functioning

Availability and integrity of data

Data is more and more in the cloud

Accessible from all over the world

Outside jurisdiction of your country

Page 11: 20130321 Cybercrime threats on e-commerce online shops

Who is threatening us ?

Script kiddies

Insider ICT guy in your company

Loosely organized criminals

Firmly organized criminal groups

Terrorists / hacktivists

Foreign states / economical powers

Nation-state warfare troops

Page 12: 20130321 Cybercrime threats on e-commerce online shops

What are the outside threats ?


Page 13: 20130321 Cybercrime threats on e-commerce online shops

Threats in messages on hacker sites

Wiping away the websites in your state

Infiltration in servers of the Public Treasury

disrupting tax collection

Infiltration in bank accounts

Attacks on media websites

Attacks on e-commerce websites

Distribution of personal data and credit card information

Targeting also the end-of-year period

Page 14: 20130321 Cybercrime threats on e-commerce online shops

Focus

On individuals

On webservers

On your organization

On your partner’s organization

On your infrastructure

On cyber infrastructure


Page 15: 20130321 Cybercrime threats on e-commerce online shops

Hacking webservers

Motives of criminal :

Perform defacement

Use as storage platform for illegal content (child porn)

Use as intermediate platform for criminal activity

Get sensitive information and extort the owner (“idiot tax”)

Get financial information (credit cards)

To do :

Update software, strong admin access, no personal data on the server

Follow up pastebin.com : a hackers’ drop-off


Page 16: 20130321 Cybercrime threats on e-commerce online shops


Page 17: 20130321 Cybercrime threats on e-commerce online shops
Page 18: 20130321 Cybercrime threats on e-commerce online shops

E-Shop risks

“Forgotten” test environments

Use of real data

No logging of

Applications with debugging procedures

Data bases with all user data on webserver instead of inside LAN

User profiles unencrypted / unsalted ?

Credit card information in profiles ?

Use of stolen credit (new payment systems)
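Two of the risks above, user profiles stored unencrypted or unsalted and credit card information kept in profiles, come down to how the e-shop stores what it has to keep. The following is an added example, not code from the presentation: it contrasts the unsalted SHA-1 store the slide warns about with a salted PBKDF2 store and a verifier that rejects anything else. The two customer records and the iteration count are constructed assumptions.

```python
"""Unsalted vs. salted password storage for e-shop user profiles.

Added example, not from the presentation. The two customer records are
constructed sample data; the iteration count is an assumed work factor.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample profiles: two customers happen to share a password.
SAMPLE_USERS = {
    "alice@example.invalid": "Summer2013!",
    "bob@example.invalid": "Summer2013!",
}

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to your hardware


def store_unsalted(password: str) -> str:
    """The weak scheme the slide warns about: one plain SHA-1 over the password.
    Equal passwords give equal digests, so a leaked table can be attacked with
    precomputed tables and cracking one entry opens every matching account."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: a random per-user salt plus PBKDF2-HMAC-SHA256.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the
    parameters travel with the record and can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Records in any other format (e.g. legacy unsalted digests) are rejected."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def reveals_shared_passwords(scheme: Callable[[str], str]) -> bool:
    """True if two users with the same password get identical stored records,
    i.e. the database leaks who shares a password (the unsalted failure mode)."""
    records = [scheme(pw) for pw in SAMPLE_USERS.values()]
    return len(set(records)) < len(records)


if __name__ == "__main__":
    print("unsalted SHA-1 reveals shared passwords:", reveals_shared_passwords(store_unsalted))
    print("salted PBKDF2 reveals shared passwords: ", reveals_shared_passwords(store_salted))
    record = store_salted("Summer2013!")
    print("correct password verifies:", verify_salted("Summer2013!", record))
    print("wrong password verifies:  ", verify_salted("summer2013!", record))
```

Card numbers are a different matter: no hashing scheme makes a stored card number safe to lose, so the answer to the slide’s question mark is to hand them to the payment provider and keep nothing in the profile.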


Page 19: 20130321 Cybercrime threats on e-commerce online shops

Dossier Cybercrime - NVP PNS 2012-2015

Page 20: 20130321 Cybercrime threats on e-commerce online shops

Security : encrypted data !

Infection of workstations and servers in company LAN

Using targeted e-mails / social media messages

Malicious encryption of all user data files

Ransom to get decryption key

Of those that paid : some got the key, some didn’t

Others had a recent off-line backup !


Page 21: 20130321 Cybercrime threats on e-commerce online shops

Intrusions in your LAN

Intrusion in your system to intercept data that allows products to be taken away from your stock

WIFI interception from parking

Infection by trojan (e-mail)

(unreported) burglary in the company to place hardware keyloggers or a complete small computer system (WIFI intercept, 3G transmit)

With valid ticket go fetch cargo

To Do :

Encrypt WIFI transmissions

Patch through only active workstation connections


Page 22: 20130321 Cybercrime threats on e-commerce online shops

Intrusion in your trading account

Carbon dioxide certificates trade

Open data : contact persons of companies

Spear phishing mail + phishing website

Access to trading account

Millions of € sold in a few hours all over the EU

Sold far under price & immediately resold

To do : Awareness


Page 23: 20130321 Cybercrime threats on e-commerce online shops

Intrusion in your partner’s LAN

Intrusion in the LAN of a foreign partner (Chinese) to get information on your business and the invoices you have to pay

You get mail with

Slightly different e-mail addresses

Change of bank account number to pay (Due to audit ...)

To do : verify any changes thoroughly before paying


Page 24: 20130321 Cybercrime threats on e-commerce online shops

Attacking infrastructure

Remote managed infrastructures in your buildings

Central heating

Elevator

Creating disruption of this infrastructure => leads to high costs

To do : verify if this applies to you and your infrastructure managing company


Page 25: 20130321 Cybercrime threats on e-commerce online shops

Hacking into cloud accounts

SMEs that keep all their information in cloud accounts

Hacking into these accounts

Taking over access control

Sending SOS e-mails (“robbed, money needed”)

Deleting all contact information in the account => preventing the victim from warning contacts after regaining access to the account

To do :

enforce strong authentication and a second way to access the account

Have backups of these systems


Page 26: 20130321 Cybercrime threats on e-commerce online shops


Page 27: 20130321 Cybercrime threats on e-commerce online shops

Cyber crime against cyber infrastructure

Payment systems

2010 Wikileaks case : “Anonymous” attack on VISA, Paypal, Mastercard,...

DNS system : create fraudulent routing or use for DDoS

Certification authorities (DigiNotar)

Data centres (blocking one blocks all servers in it)


Page 28: 20130321 Cybercrime threats on e-commerce online shops


Page 29: 20130321 Cybercrime threats on e-commerce online shops

Cybercrime focusing on individuals

Individuals are also working in companies / government

Use social networks / webmail

Often used to exchange business-related info, containing access code information

Hacking of these profiles / webmails

Abuse to infect people you know

Get personal information on you and your contacts

Commit fraud

Internet fraud of all kinds

Webcam sex interception to do extortion

Luc Beirens - FCCU -2012

Page 30: 20130321 Cybercrime threats on e-commerce online shops

What are the criminals tech tools to hack and attack ?

Malware attacks (viruses, worms, trojans, ...) : fast-spreading zero-day infections => no immediate cure => many victims (especially home PCs, available 24 / 365)

Abuse of infected computers to create botnets (large “armies” of PCs under the control of one master) => used to launch massive attacks on webservers or network nodes => high risk for your critical ICT infrastructure


Page 31: 20130321 Cybercrime threats on e-commerce online shops

[Diagram : botnet attack on a webserver / node. Hacker => Command & Control Server (Cmd / Info) => infected PCs on the Internet report “My IP is x.y.z.z” and flood the webserver / node => access line blocked, computer crash.]

Page 32: 20130321 Cybercrime threats on e-commerce online shops

[Diagram : malware update / knowledge transfer. Hacker => Command & Control Server ; infected PCs send very frequent MW update requests (trigger event) to the malware update server and feed the knowledge server.]

Page 33: 20130321 Cybercrime threats on e-commerce online shops

Why ? Making money !

Sometimes still for fun (script kiddies)

Spam distribution via Zombie

Click generation on banner publicity

Dialer installation on zombie to make premium-rate calls

Spyware installation

Espionage => banking details / passwords / keylogging

Ransom bot => encrypts files => money for password

Capacity for distributed denial of service attacks DDOS => disturb functioning of internet device (server/router)


Page 34: 20130321 Cybercrime threats on e-commerce online shops

How big is the problem ?

Already criminal cases in several countries

Botnets detected

Several hundreds of botnets worldwide

Several thousands of C&C worldwide

Thousands up to millions of zombie computers online

generating huge data traffic, up to 40 Gbps

Dismantling / crippling botnets

Page 35: 20130321 Cybercrime threats on e-commerce online shops

e-Crime underground business

Underground fora and chatrooms

Restricted access – on invitation

Secured by encryption

Botnets for hire

Control over bot for spam : 0,04 $ / bot / day

Small scale attack 20 Mbps : 50 – 100 $ / day

Large scale attack 10 Gbps : 1000 $ / day

Malware development on demand


Page 36: 20130321 Cybercrime threats on e-commerce online shops

Important DDOS cases

UK 2004 : gambling website down (+ hoster + ISP)

NL 2005 : 2 botnets : millions of zombies

BE 2005 : DDOS on chatnetwork of Media firms

BE 2005 : DDOS on Firm (social conflict)

US 2006 : Blue security firm stops activity

SE 2006 : Website Gov and Police down due to DDOS after police raid on P2P

EE 2007 : Widespread DDOS attack on Estonia after incidents on moving soldier statue

Georgia 2008 : cyber war during military conflict

World 2010 : Wikileaks case : Visa Mastercard paypal

World 2012 : CIA, FBI, USDOJ, EU, Arcelor Mittal ...

Page 37: 20130321 Cybercrime threats on e-commerce online shops

Attacks on eSociety authentication systems using malware and botnets


Page 38: 20130321 Cybercrime threats on e-commerce online shops

[Diagram : attacks on eService authentication systems. Classic login : user u123 / password secret123 is intercepted (userid + pw) by a phishing website. New authentication systems : one-time passwords, token based (“Give token 15 :” Word15), time based (“Give OT password :” time-dependent code), challenge based (“Calculate OTP with challenge 12345678”, calculated OTP), all before consultation & transfers. Attacker side : phishing website intercepting 36 sessions (3 x 12), waiting for the authentication and afterwards performing the transaction ; with challenge-based systems, need for user cooperation ????]
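The diagram above contrasts three one-time-password schemes and ends on the question whether the attacker still needs the user’s cooperation. As an added example, not code from the presentation, the block below implements a counter/time-based OTP (HOTP, RFC 4226, using the RFC’s public test key) and a challenge-based one, then shows why a time-based code relayed by a phishing site is still accepted, and why a challenge that contains the beneficiary and amount is not. The challenge format, the IBANs and the amounts are constructed.

```python
"""One-time passwords (counter/time based and challenge based) and why a code
phished at login still lets an attacker through unless it is bound to the
transaction.

Added example, not from the presentation. The secret is the public RFC 4226
test-vector key; account numbers and amounts are constructed.
"""
import hashlib
import hmac
import struct

TEST_SECRET = b"12345678901234567890"  # RFC 4226 test vector, never a real secret


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low
    nibble of the last byte, mask to 31 bits, keep the last `digits` decimals."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the current 30-second step."""
    return hotp(secret, int(unix_time // step), digits)


def totp_replay_succeeds(secret: bytes, captured_at: float, replayed_at: float) -> bool:
    """The slide's phishing scenario: the attacker captures the time-based code
    and relays it to the real site. It is accepted as long as both moments fall
    in the same step, so a live proxy needs no user cooperation at all."""
    return totp(secret, captured_at) == totp(secret, replayed_at)


def transaction_challenge(beneficiary_iban: str, amount_cents: int) -> str:
    """Constructed challenge format: what the bank shows the user to type into
    the card reader. It carries the transaction itself, not a random number."""
    return f"{beneficiary_iban}|{amount_cents}"


def challenge_otp(secret: bytes, challenge: str, digits: int = 8) -> str:
    """Challenge/response OTP: the token signs the displayed challenge."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_accepts_transfer(secret: bytes, beneficiary_iban: str, amount_cents: int,
                          presented_code: str) -> bool:
    """Server side: recompute the code for *this* beneficiary and amount. A code
    the user produced for a different (phished) transaction does not match."""
    expected = challenge_otp(secret, transaction_challenge(beneficiary_iban, amount_cents))
    return hmac.compare_digest(expected, presented_code)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))  # 755224 per RFC 4226
    print("TOTP replayed 10 s later accepted:", totp_replay_succeeds(TEST_SECRET, 1000, 1010))
    # Constructed transaction: the user signs a transfer to the legitimate beneficiary.
    user_code = challenge_otp(TEST_SECRET, transaction_challenge("BE00 0000 0000 0000", 10000))
    print("same transfer accepted:",
          bank_accepts_transfer(TEST_SECRET, "BE00 0000 0000 0000", 10000, user_code))
    print("redirected transfer accepted:",
          bank_accepts_transfer(TEST_SECRET, "BE99 9999 9999 9999", 10000, user_code))
```

The point the diagram makes is visible in the last two lines: against a time-based token the phishing site only has to be fast, whereas a challenge that contains the beneficiary and amount forces the attacker to obtain the user’s cooperation for the exact transaction they want to push through.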

Page 39: 20130321 Cybercrime threats on e-commerce online shops

If technical security is ok ...

They are informed of webactivity over the botnet

They know you ! (knowledge base & social networks)

They will switch to social engineering : they will make you believe they are someone else in order to make you do something they want / need

Abusing expected “normal user behaviour”

Fear of, or willingness to help or cooperate with, hierarchy / security services / helpdesk / vendors / (business) partners

Love for (new) friends

Greed

Page 40: 20130321 Cybercrime threats on e-commerce online shops

[Diagram : e-banking fraud chain (steps 1 – 13). Trojan distribution campaign via spam ; activity spying / keylogging on the eBank user’s PC, local storage, hackers’ knowledge database ; use of intermediate systems (proxy) to control the network ; the user trying to surf on the real bank site is redirected to a fake site ; authentication and money transfer order relayed to the bank site ; bank account transfer to money mules ; money collector ; fake company.]

Page 41: 20130321 Cybercrime threats on e-commerce online shops

Latest malware developments

Stuxnet : very complex and elaborate trojan

Several replication vectors :

Networks

USB keys

Connects to C&C botnet server

Focused on industrial control systems

Searches for systems with this control system

Collects information on Siemens PLC systems

Changes process logic on infected machines

Duqu, based upon Stuxnet : spying purposes


Page 42: 20130321 Cybercrime threats on e-commerce online shops

Biggest threat ? Criminal’s Knowledge database

SQL (Structured Query Language) databases

Several backup servers

Content : keylogging (everything, also user IDs and passwords)

Screenshots (of all opened windows, websites,...)

URL

IP-addresses

Base for reverse R&D to counter new security


Page 43: 20130321 Cybercrime threats on e-commerce online shops

Cases ?

e-Banking fraud

Hacking of large institutions / firms

Long time unaware of hacking

Keylogging

Encrypted files on PC

Internal botnet

Intermediate step to other networks

Often no complaint


Page 44: 20130321 Cybercrime threats on e-commerce online shops

[Diagram : large firm hacking using an internal botnet. Hacker => Internet => company network.]

Page 45: 20130321 Cybercrime threats on e-commerce online shops

And the victims ?

Who ?

Transactional websites

Communication networks

ISPs and all other clients

Reaction

Unaware of incidents going on

ISPs try to solve it themselves

Nearly no complaints made – even if asked ...

Result ? The hackers go on developing botnets

Page 46: 20130321 Cybercrime threats on e-commerce online shops

Combined threat

What if abused by terrorists ? ... simultaneously with a real-world attack ?

How will you handle the crisis ? Your telephone system is not working !


Page 47: 20130321 Cybercrime threats on e-commerce online shops

Risks

Economic disaster

Large scale : critical infrastructure

Small scale : enterprise

Individual data

Loss of trust in e-society


Page 48: 20130321 Cybercrime threats on e-commerce online shops

Who investigates ICT crime ?

Prosecutors / Examining Judges

Specialised police forces (national & international)

Legal expert witnesses

Specialised forensic units of consulting firms

Associations defending commercial interests

Security firms => vulnerabilities

Activist groups => publish info on « truth »


Page 49: 20130321 Cybercrime threats on e-commerce online shops

E-Police organisation and tasks : integrated police

National level : Federal Police, 33 persons

1 Federal Computer Crime Unit : 24 / 7 (inter)national contact

Policy

Training, equipment, FCCU network

Operations : forensic ICT analysis, ICT crime combating

Intelligence : Internet & e-payment fraud, cybercrime

www.ecops.be hotline

International internet ID requests

Regional level : Federal Police, 180 persons

25 Regional Computer Crime Units (1 – 2 judicial districts)

Assistance for house searches, forensic analysis of ICT, taking statements, internet investigations

Investigations of ICT crime cases (assisted by FCCU)

Local level : Federal Police / Local Police

First line police

“Freezing” the situation until the arrival of CCU or FCCU

Selecting and safeguarding of digital evidence

© 2013 - Luc Beirens - FCCU - Belgian Federal Police

Page 50: 20130321 Cybercrime threats on e-commerce online shops

Our services

Help to take a complaint

Go to the crime scene

Draw up the architecture of the hacked system

Image backup of hacked system (if possible)

Internet investigations (Identification, location)

House searches

Taking statements of concerned parties

Forensic analysis of seized machines

Compile a conclusive police report


Page 51: 20130321 Cybercrime threats on e-commerce online shops

Investigative problems - tracking

Victims : unfamiliar with the procedure and afraid for their “corporate image” => belated complaints – traces trashed / no longer available

Rather “unknown” world for police & justice => delay before specialised units get involved

Limited ICT investigation capacity (technical & police skills)

Multiplication and integration of services / providers / protocols / devices

Lack of harmonised international legislation & instruments

Anonymous / hacked connections – subscriptions - WIFI

Intermediate systems often cut the track to the perpetrator


Page 52: 20130321 Cybercrime threats on e-commerce online shops

Investigative problems – evidence gathering

Delocalisation of evidence : the cloud ?

Exponential growth of storage capacity => time consuming : backups & verification processes, analysis

New legislation / jurisprudence imposes more rigorous procedures for evidence gathering in cyber space

Bad ICT security at the victim : proving the source and the integrity of evidence


Page 53: 20130321 Cybercrime threats on e-commerce online shops

Brussels, we have a problem ...

Complainant : Hello, can you help ? We are a Belgian hosting firm. We have a problem : our webservers are hacked & several websites of our Belgian customers have been defaced.

Police : OK. A few questions to start our file … Who, where, what, when …


Page 54: 20130321 Cybercrime threats on e-commerce online shops

Who is where ?


Page 55: 20130321 Cybercrime threats on e-commerce online shops

Who / where / what

In Belgium : hosting firm – nothing in Belgium ; customer – nothing in Belgium ; hacked firm – nothing in Belgium

In the USA : hacked webserver, defaced website

In the Netherlands : hacked server

In the UK : hacker ?

In Luxembourg : hacker ?


Page 56: 20130321 Cybercrime threats on e-commerce online shops

Conclusions ...

Competence of the Belgian justice authorities ? Discussion

viewpoint Public Prosecutor General : not competent

viewpoint lawyer victim : competent

viewpoint suspect’s defence : ????

If choice was made for storage in foreign country

Why ? Cost ? Evade regulations & obligations ?

No (?) protection of Belgian Law

No (?) intervention of Law Enforcement in Belgium

Protection by law & LE in country where server is


Page 57: 20130321 Cybercrime threats on e-commerce online shops

Preventive recommendations

Draw up a general ICT usage directive (normal usage)

Awareness program for management & users

ICT security policy is part of the global security policy

Appoint an ICT security officer => control on the application of the ICT usage & security policy

Keep critical systems separate from the Internet if possible !

Use software from a trusted source

Install recent anti-virus and firewall programs (laptops)

Synchronize the system clocks regularly

Activate and monitor log files on firewall, proxy, access

Make & test backups & keep them safe (generations) !


Page 58: 20130321 Cybercrime threats on e-commerce online shops

Recommendations for victims of ICT crime

Disconnect from the outside world

Take note of last internet activities & exact date and time

Evaluate : is the damage more important than the restart ?

Restart most important : make a full backup before restore

Damage most important : don’t touch anything

Safeguard all messages, log files in original state

Inform ASAP the Federal Judicial Police and ask for assistance of the Federal or Regional CCU

Force change all passwords

Re-establish the connection only if ALL failures are patched


Page 59: 20130321 Cybercrime threats on e-commerce online shops

Where to make a complaint ?

Within a police force …

Local Police service => not specialised => not the right place for ICT crime (hacking / sabotage / espionage) => the place to make complaints on Internet fraud

Federal Judicial Police (FGP) => better but …

Regional CCU => the right place to be for ICT crime

Federal Computer Crime Unit => 24/7 contact ; risks on vital or crucial ICT systems => call urgently

Illegal content (child porn, …) => www.ecops.be

… or immediately report to a magistrate ?

Local prosecutor (Procureur) => will send it to the police => can decide not to prosecute

Examining Judge => complaint with deposit of a bail => obligation to investigate the case


Page 60: 20130321 Cybercrime threats on e-commerce online shops

For the sys admin

Several layers of protection

Internal firewalls

Encrypted communications

Encrypted data bases

Check active sys admin profiles on servers

Log and follow up firewall and IDS : IP + port + time

Certificates should be signed by 2 CA
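“Log and follow up FW, IDS : IP + port + time” is the one item on this slide that needs a routine rather than a setting. As an added example, not code from the presentation, the Python below parses a constructed firewall log (an assumed simplified format, with RFC 5737 documentation addresses standing in for the DMZ and the outside world) and turns IP + port + time into three follow-up lists: sources sweeping many ports within a short window, connections the firewall nonetheless allowed from such a source, and a DMZ webserver opening a database port towards the outside.

```python
"""Follow-up of firewall / IDS logs by IP + port + time (slide 'For the sys admin').

Added example, not from the presentation. The log format is an assumed
simplified one; the lines are constructed and use RFC 5737 documentation
addresses (198.51.100.0/24 plays the role of the DMZ webserver range).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: "<ISO timestamp> <ACTION> <src ip> <dst ip> <dst port>"
SAMPLE_LOG = """\
2013-03-21T08:00:01 DENY  203.0.113.7   198.51.100.10 21
2013-03-21T08:00:02 DENY  203.0.113.7   198.51.100.10 22
2013-03-21T08:00:02 DENY  203.0.113.7   198.51.100.10 23
2013-03-21T08:00:03 DENY  203.0.113.7   198.51.100.10 25
2013-03-21T08:00:03 DENY  203.0.113.7   198.51.100.10 3306
2013-03-21T08:00:04 DENY  203.0.113.7   198.51.100.10 8443
2013-03-21T08:00:05 ALLOW 203.0.113.7   198.51.100.10 443
2013-03-21T08:02:10 ALLOW 192.0.2.44    198.51.100.10 443
2013-03-21T08:02:11 ALLOW 192.0.2.44    198.51.100.10 80
2013-03-21T09:15:00 DENY  192.0.2.99    198.51.100.10 22
2013-03-21T09:45:00 DENY  192.0.2.99    198.51.100.10 3389
2013-03-21T23:59:59 ALLOW 198.51.100.10 192.0.2.250   3306
"""

DMZ_PREFIX = "198.51.100."          # assumed internal / DMZ range
DB_PORTS = {1433, 3306, 5432}       # common database ports


def parse_log(text: str) -> List[dict]:
    """Parse the constructed format into events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, action, src, dst, port = fields
        events.append({"time": datetime.fromisoformat(ts), "action": action,
                       "src": src, "dst": dst, "port": int(port)})
    return events


def port_sweeps(events: List[dict], window: timedelta = timedelta(minutes=1),
                min_ports: int = 5) -> Dict[str, int]:
    """Sources that touched >= min_ports distinct destination ports inside any
    `window`-long sliding interval. Returns {src ip: max distinct ports seen}."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            ports = {e["port"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


def allowed_after_sweep(events: List[dict], sweeps: Dict[str, int]) -> List[dict]:
    """Connections the firewall ALLOWED from a source that was sweeping ports:
    the first thing to look up in the webserver / IDS logs for that IP."""
    return [e for e in events if e["src"] in sweeps and e["action"] == "ALLOW"]


def outbound_database_connections(events: List[dict]) -> List[dict]:
    """A DMZ webserver opening a database port towards the outside world is not
    normal e-shop traffic (the slides put the database inside the LAN, not on
    the webserver) and deserves a follow-up."""
    return [e for e in events
            if e["src"].startswith(DMZ_PREFIX) and not e["dst"].startswith(DMZ_PREFIX)
            and e["port"] in DB_PORTS and e["action"] == "ALLOW"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sweeps = port_sweeps(evs)
    print("port sweeps:", sweeps)
    for e in allowed_after_sweep(evs, sweeps):
        print("allowed from sweeping host:", e["time"], e["src"], "->", e["dst"], e["port"])
    for e in outbound_database_connections(evs):
        print("outbound DB connection:", e["time"], e["src"], "->", e["dst"], e["port"])
```

The sliding window only means something when the firewall, the IDS and the webserver stamp events with the same clock, which is why “synchronize the system clocks regularly” sits among the preventive recommendations a few slides earlier.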


Page 61: 20130321 Cybercrime threats on e-commerce online shops

Contact information

Federal Judicial Police Direction for Economical and Financial crime

Federal Computer Crime Unit Notelaarstraat 211 - 1000 Brussels – Belgium

Tel office : +32 2 743 74 74 Fax : +32 2 743 74 19

E-mail : [email protected] Twitter : @LucBeirens
