Threats on e-Shops: presentation at e-Shop Expo in Tour & Taxis, Brussels, on 21 March 2013
How to survive in an era of hacktivists, cyber espionage and internet fraudsters?
The need for an integrated approach to undermine the criminal cyber architecture
© 2013 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime
Brussels, 21 March 2013, e-Shop Expo
Presentation
@LucBeirens, Chief Commissioner, Head of the Federal Computer Crime Unit, Belgian Federal Judicial Police, Direction Economical and Financial Crime
Chairman of the EU Cybercrime Task Force
representing the organisation of heads of national high-tech crime units of the EU
Topics: overview
An analysis of the eSociety situation
Who is threatening the eSociety and how? Inside threat / outside threats
Possible damage to eGov and eSociety
Which response to give to this?
What is there to protect?
Your company / public image
Your market share (even as a public service)
Your business activity / products
Your existence as such
Cybercrime threats © Belgian Federal Computer Crime Unit
What is there to protect?
Data (stored or in transmission)
Our personal data employees / citizens / customers
Info on the organisation (policy/functioning/financial)
Info on your activity, product (price list, patents, source code)
Our information infrastructure
Internal / external systems
Network connections
Storage and backup systems
The privacy law requires organisational and technical measures to protect personal data
eShop
Be recognisable to your customers
Beware of imposters
Use of certificates / control over domain
Keep your customers safe
Data
Transactions
Get paid for your services / products
Don’t unwillingly become a criminal service platform
[Figure: e-Architecture (© Luc Beirens). Components shown: DNS, Certification Authority, end user / roaming user, internal network, externally hosted website, own webserver in a DMZ, backup server, cloud service center, SCADA / process control, firewall, Internet VPN, externally managed infrastructure.]
General trends today
Evolution towards e-society
replace persons by e-applications
Interconnecting all systems (admin, industrial, control)
Mobile systems – Cloud
Social networks
IP is the common platform offered by many ISPs, integrating telephony / data / VPN and all new apps = opportunities / Achilles heel / scattered traces
Poor security in legacy applications and protocols (userid + password) => identity fraud is easy
The end user is not yet educated to act properly
What do criminals want?
Become rich / powerful rapidly and easily, with a very big ROI, in an illegal way if needed
Destabilise (e-)society by causing trouble
First conclusions?
Society is thus very heavily dependent on ICT
ICT = important vulnerability of modern society
End user = weakest link => biggest danger
Need to
Guarantee continuity of ICT functioning
Availability and integrity of data
Data is more and more in the cloud
Accessible from all over the world
Outside jurisdiction of your country
Who is threatening us?
Script kiddies
Insider ICT guy in your company
Loosely organized criminals
Firmly organized criminal groups
Terrorists / hacktivists
Foreign states / economical powers
Nation warfare troops
What are the outside threats?
Threats in messages on hacker sites
Wiping away the websites in your state
Infiltration in servers of the Public Treasury, disrupting tax collection
Infiltration in bank accounts
Attacks on media websites
Attacks on e-commerce websites
Distribution of personal data and credit card information
Targeting also the end-of-year period
Focus
On individuals
On webservers
On your organization
On your partner’s organization
On your infrastructure
On cyber infrastructure
Hacking webservers
Motives of the criminal:
Perform defacement
Use as storage platform for illegal content (child porn)
Use as intermediate platform for criminal activity
Get sensitive information and extort (idiot tax)
Get financial information (credit cards)
To do:
Update software, strong admin access, no personal data on the server
Follow up pastebin.com: a hackers’ drop-off
E-Shop risks
“Forgotten” test environments
Use of real data
No logging of
Applications with debugging procedures
Databases with all user data on the webserver instead of inside the LAN
User profiles unencrypted / unsalted?
Credit card information in profiles?
Use of stolen credit (new payment systems)
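As an added example that is not part of the original presentation, the difference between the unsalted profile store the slide questions and a salted, iterated one: with per-user salts, two customers who chose the same password no longer share a stored value, so a leaked profile table cannot be attacked in bulk. The profile data and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example, raise it for production use.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The weak scheme the slide warns about: a plain digest with no salt.

    Every user with the same password gets the same stored value, so one cracked
    hash (or a precomputed table) exposes all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def reused_password_groups(
    profiles: Dict[str, str], hasher: Callable[[str], str]
) -> Dict[str, List[str]]:
    """Group user ids whose stored value is identical.

    With the unsalted scheme, users sharing a password collapse into one group;
    with per-user salts every stored value is unique even for identical passwords."""
    groups: Dict[str, List[str]] = {}
    for user, password in profiles.items():
        groups.setdefault(hasher(password), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed sample e-shop profiles: two customers chose the same password.
PROFILES = {"alice": "Summer2013!", "bob": "Summer2013!", "carol": "correct horse battery"}

if __name__ == "__main__":
    print("unsalted duplicates:", reused_password_groups(PROFILES, unsalted_hash))
    print("salted duplicates:  ", reused_password_groups(PROFILES, hash_password))
```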
Dossier Cybercrime - NVP PNS 2012-2015
Security: encrypted data!
Infection of workstations and servers in the company LAN
Using targeted e-mails / social media messages
Malicious encryption of all user data files
Ransom to get the decryption key
Of those that paid: some got the key, some didn’t
Others had a recent off-line backup!
Intrusions in your LAN
Intrusion in your system to intercept data that allows products to be taken away from your stock
Wi-Fi interception from the parking lot
Infection by trojan (e-mail)
(Unreported) burglary in the company to place hardware keyloggers or a complete small computer system (Wi-Fi intercept, 3G transmit)
With a valid ticket, go and fetch the cargo
To do:
Encrypt Wi-Fi transmissions
Patch only active workstation connections
Intrusion in your trading account
Carbon dioxide certificates trade
Open data: contact persons of companies
Spear phishing mail + phishing website
Access to the trading account
Millions of € sold in a few hours all over the EU
Sold far under price and immediately resold
To do: awareness
Intrusion in your partner’s LAN
Intrusion in the LAN of a foreign (Chinese) partner to get information on your business and the invoices you have to pay
You get mail with
slightly different e-mail addresses
a change of the bank account number to pay (due to an audit ...)
To do: verify thoroughly any changes before paying
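As an added example (not part of the original presentation), a small check that an accounts-payable mailbox could run over an incoming invoice mail before paying: it flags a sender domain that only looks like a known partner’s, and a bank account number that differs from the one on record. The partner register, the pretext phrases and the sample mails are constructed for this example.

```python
import re
from difflib import SequenceMatcher
from typing import Dict, List

# Constructed partner register (an assumption for this example): the sender domain and
# the bank account recorded when the relationship was set up, i.e. what every invoice
# mail is checked against. The IBAN is a placeholder, not a real account.
PARTNERS: Dict[str, str] = {"supplier.example": "BE00000000000000"}

# Pretexts the slide mentions for announcing a new account number.
CHANGE_PRETEXTS = re.compile(r"\b(audit|new bank account|account (?:number )?changed)\b", re.I)
# IBAN-like token: country code, 2 check digits, then groups of 4 (spaces optional).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def find_ibans(body: str) -> List[str]:
    """IBANs in the mail body, with the spaces people type between groups removed."""
    return [re.sub(r"\s", "", m) for m in IBAN_RE.findall(body)]


def assess_invoice_mail(sender: str, body: str) -> List[str]:
    """Flags that should hold the payment until the change is confirmed out of band,
    by phone on the number already on file, never on contact details given in the mail."""
    flags: List[str] = []
    domain = sender_domain(sender)
    if domain in PARTNERS:
        known = PARTNERS[domain]
    else:
        # Lookalike check: almost, but not exactly, a known partner's domain.
        best = max(PARTNERS, key=lambda d: SequenceMatcher(None, domain, d).ratio())
        if SequenceMatcher(None, domain, best).ratio() >= 0.8:
            flags.append("lookalike_domain:" + best)
            known = PARTNERS[best]
        else:
            flags.append("unknown_sender")
            known = ""
    if any(iban != known for iban in find_ibans(body)):
        flags.append("bank_account_change")
    elif CHANGE_PRETEXTS.search(body):
        flags.append("change_pretext")
    return flags


# Constructed sample mails: one fraudulent, one legitimate.
FRAUD_MAIL = ("accounts@supp1ier.example",
              "Due to audit our bank account changed. Please pay invoice 4711 to BE12 3456 7890 1234.")
LEGIT_MAIL = ("accounts@supplier.example",
              "Please find invoice 4712 attached. Bank account BE00 0000 0000 0000 as usual.")

if __name__ == "__main__":
    for mail in (FRAUD_MAIL, LEGIT_MAIL):
        print(mail[0], "->", assess_invoice_mail(*mail) or ["ok"])
```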
Attacking infrastructure
Remote managed infrastructures in your buildings
Central heating
Elevator
Creating disruption of this infrastructure => leads to high costs
To do: verify if this applies to you and your infrastructure management company
Hacking into cloud accounts
SMEs that have all their information in cloud accounts
Hacking into these accounts
Taking over access control
Sending SOS e-mails (“robbed, money needed”)
Deleting all contact information in the account => preventing warning e-mails after getting back access to the account
To do:
Enforce strong authentication and a second way to access the account
Have backups of these systems
Cybercrime against cyber infrastructure
Payment systems
2010 WikiLeaks case: “Anonymous” attack on VISA, PayPal, Mastercard, ...
DNS system: create fraudulent routing or use for DDoS
Certification authorities (DigiNotar)
Data centers (blocks all servers in it)
Cybercrime focusing on individuals
Individuals are also working in companies / government
Use social networks / webmail
Often used to exchange business-related info
Containing access code information
Hacking of these profiles / webmails
Abuse to infect people you know
Get personal information of you and your contacts
Commit fraud
Internet fraud of all kinds
Webcam sex interception to do extortion
What are the criminals’ tech tools to hack and attack?
Malware attacks (viruses, worms, trojans, ...): fast-spreading zero-day infections => no immediate cure => lots of victims (especially home PCs, available 24 / 365)
Abuse of infected computers to create botnets (large “armies” of PCs under the control of one master) => used to make massive attacks on webservers or network nodes => high risk for your critical ICT infrastructure
[Figure: botnet attack on a webserver / node. The hacker sends commands through a Command & Control server to infected zombies across the Internet, which flood the target webserver / node until its access line is blocked or the computer crashes.]
[Figure: malware update / knowledge transfer. Each zombie reports “My IP is x.y.z.z” and harvested info to the Command & Control server and receives commands; on a trigger event it sends very frequent malware update requests to the malware update server, and the collected knowledge goes to a knowledge server.]
Why? Making money!
Sometimes still for fun (script kiddies)
Spam distribution via zombie
Click generation on banner advertising
Dialer installation on the zombie to make premium rate calls
Spyware installation
Espionage => banking details / passwords / keylogging
Ransom bot => encrypts files => money for the password
Capacity for distributed denial of service (DDoS) attacks => disturb the functioning of internet devices (server/router)
How big is the problem?
Already criminal cases in several countries
Botnets detected
Several hundreds of botnets worldwide
Several thousands of C&C worldwide
Thousands up to millions of zombie computers online
generating huge data traffic, up to 40 Gbps
Dismantling / crippling botnets
e-Crime underground business
Underground fora and chatrooms
Restricted access – on invitation
Secured by encryption
Botnets for hire
Control over a bot for spam: 0.04 $ / bot / day
Small-scale attack 20 Mbps: 50–100 $ / day
Large-scale attack 10 Gbps: 1000 $ / day
Malware development on demand
Important DDoS cases
UK 2004: gambling website down (+ hoster + ISP)
NL 2005: 2 botnets: millions of zombies
BE 2005: DDoS on the chat network of media firms
BE 2005: DDoS on a firm (social conflict)
US 2006: Blue Security firm stops activity
SE 2006: government and police websites down due to DDoS after a police raid on P2P
EE 2007: widespread DDoS attack on Estonia after incidents on moving a soldier statue
Georgia 2008: cyber war during military conflict
World 2010: WikiLeaks case: Visa, Mastercard, PayPal
World 2012: CIA, FBI, US DOJ, EU, ArcelorMittal ...
Attacks on eSociety authentication systems using malware and botnets
[Figure: attacks on eService authentication systems. Left: the eService user logs in to the eService website; the classic login (user: u123, password: secret123) gives access to consultation & transfers. New authentication systems: a token card (“give token 15”: Word15), a time-based one-time password (“give OT password”: time-dependent code) and a challenge-based OTP (“calculate OTP with challenge 12345678”: calculated OTP), each followed by consultation & transfers. Right: a phishing website intercepts the userid + password, or intercepts 36 sessions (3 x 12), waits for the authentication and afterwards performs the transaction; against the challenge-based and time-based systems the attacker still needs user cooperation ????]
If technical security is ok ...
They are informed of web activity over the botnet
They know you! (knowledge base & social networks)
They will switch to social engineering: they will make you believe they are someone else to make you do something they want / need
Abusing expected “normal user behaviour”
Fear of, or willingness to help or cooperate with, the hierarchy, security services / helpdesk / vendors / (business) partners
Love for (new) friends
Greed
[Figure: e-banking fraud with money mules, numbered steps 1–13 in the original. A fake company runs a trojan distribution campaign through spam and proxies; intermediate systems are used to control the network; activity spying and keylogging on the eBank user’s PC feed local storage and the hackers’ knowledge database; the user trying to surf to the real bank site is diverted to a fake site, where the authentication and the money transfer order are captured and relayed to the bank site; the bank account transfer goes to a money mule and on to a money collector.]
Latest malware developments
Stuxnet: very complex and elaborate trojan
Several replication vectors:
Networks
USB keys
Connects to a C&C botnet server
Focused on industrial control systems
Searches for systems with this control system
Collects information on Siemens PLC systems
Changes process logic on infected machines
Duqu, based upon Stuxnet: spying purposes
Biggest threat? The criminal’s knowledge database
SQL (Structured Query Language) databases
Several backup servers
Content: keylogging (everything, also userids, passwords)
Screenshots (of all opened windows, websites, ...)
URLs
IP addresses
Base for reverse R&D to counter new security
Cases?
e-Banking fraud
Hacking of large institutions / firms
Long time unaware of hacking
Keylogging
Encrypted files on PC
Internal botnet
Intermediate step to other networks
Often no complaint
[Figure: large firm hacking using an internal botnet (© Luc Beirens): a hacker on the Internet controls compromised machines inside the company network.]
And the victims?
Who?
Transactional websites
Communication networks
ISPs and all other clients
Reaction
Unaware of incidents going on
ISPs try to solve it themselves
Nearly no complaints made, even if asked ...
Result? The hackers go on developing botnets
Combined threat
What if abused by terrorists? ... simultaneously with a real-world attack?
How will you handle the crisis? Your telephone system is not working!
Risks
Economic disaster
Large scale : critical infrastructure
Small scale : enterprise
Individual data
Loss of trust in e-society
Who investigates ICT crime?
Prosecutors / Examining Judges
Specialised police forces (national & international)
Legal expert witnesses
Specialised forensic units of consulting firms
Associations defending commercial interests
Security firms => vulnerabilities
Activist groups => publish info on the “truth”
E-Police organisation and tasks: integrated police
Federal Police, national level: 33 persons
1 Federal Computer Crime Unit: 24 / 7 (inter)national contact
Policy, training, equipment, FCCU network
Operations: forensic ICT analysis, ICT crime combating, intelligence, Internet & ePayment fraud, cybercrime
www.ecops.be hotline
International internet ID requests
Federal Police, regional level: 180 persons
25 Regional Computer Crime Units (1–2 judicial districts each)
Assistance for house searches, forensic analysis of ICT, taking statements, internet investigations
Investigations of ICT crime cases (assisted by FCCU)
Local level: Federal Police / Local Police
First line police
“Freezing” the situation until the arrival of the CCU or FCCU
Selecting and safeguarding digital evidence
Our services
Help to take a complaint
Attend the scene of the crime
Make a drawing of the architecture of the hacked system
Image backup of the hacked system (if possible)
Internet investigations (Identification, location)
House searches
Taking statements of concerned parties
Forensic analysis of seized machines
Compile a conclusive police report
Investigative problems: tracking
Victims: unfamiliar and afraid for their “corporate image” => belated complaints; traces trashed / no more traces
Rather “unknown” world for police & justice => delay before involvement of specialised units; limited ICT investigation capacity (technical & police skills)
Multiplication and integration of services / providers / protocols / devices
Lack of harmonised international legislation & instruments
Anonymous / hacked connections, subscriptions, Wi-Fi
Intermediate systems often cut the track to the perpetrator
Investigative problems: evidence gathering
Delocalisation of evidence: the cloud?
Exponential growth of storage capacity => time-consuming: backups & verification processes, analysis
New legislation / jurisprudence imposes more rigorous procedures for evidence gathering in cyberspace
Bad ICT security: give proof of the source and the integrity of evidence
Brussels, we have a problem ...
Complainer
Hello, can you help?
We are a Belgian hosting firm
We have a problem
Our webservers are hacked
& several websites of our Belgian customers have been defaced
Police: OK
A few questions to start our file …
Who, where, what, when …
Who is where?
Who / where / what:
In Belgium: hacked firm: nothing in Belgium; hosting firm: nothing in Belgium; customer: nothing in Belgium
In the UK: hacker?
In Luxembourg: hacker?
In the USA: hacked webserver, defaced website
In the Netherlands: hacked server
Conclusions ...
Competence of the Belgian justice authorities? Discussion
viewpoint Public Prosecutor General: not competent
viewpoint lawyer of the victim: competent
viewpoint suspect’s defence: ????
If the choice was made for storage in a foreign country
Why? Cost? Evade regulations & obligations?
No (?) protection of Belgian Law
No (?) intervention of Law Enforcement in Belgium
Protection by law & LE in country where server is
Preventive recommendations
Draw up a general ICT usage directive (normal usage)
Awareness program for management & users
ICT security policy is part of the global security policy
Appoint an ICT security officer => control on the application of the ICT usage & security policy
Keep critical systems separate from the Internet if possible!
Use software from a trusted source
Install recent anti-virus and firewall programs (laptops)
Synchronise the system clocks regularly
Activate and monitor log files on firewall, proxy, access
Make & test backups & keep them safe (generations)!
Recommendations for victims of ICT crime
Disconnect from the outside world
Take note of last internet activities & exact date and time
Evaluate: is the damage more important than the restart?
Restart most important: make a full backup before restoring
Damage more important: don’t touch anything
Safeguard all messages and log files in their original state
Inform the Federal Judicial Police ASAP and ask for the assistance of the Federal or Regional CCU
Force a change of all passwords
Re-establish the connection only if ALL failures are patched
Where to make a complaint?
Within a police force ...
Local police service => not specialised => not the right place for ICT crime (hacking/sabotage/espionage) => place to make complaints on Internet fraud
Federal judicial police (FGP) => better but ...
Regional CCU => the right place to be for ICT crime
Federal Computer Crime Unit => 24/7 contact; risks on vital or crucial ICT systems => call urgently
Illegal content (child porn, ...) => www.ecops.be
... or immediately report to a magistrate?
Local prosecutor (Procureur) => will send it to the police => can decide not to prosecute
Examining judge => complaint with deposit of a bail => obligation to investigate the case
For the sys admin
Several layers of protection
Internal firewalls
Encrypted communications
Encrypted databases
Check active sysadmin profiles on servers
Log and follow up FW, IDS: IP + port + time
Certificates should be signed by 2 CAs
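The following is an added example, not code from the presentation, of following up firewall log entries by IP + port + time as the slide recommends: it parses a constructed log format and reports sources that touched many distinct ports within a short window, which a per-line view would not show. The log lines, addresses and thresholds are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed firewall log format (an assumption for this example): timestamp,
# action, source IP, destination IP and destination port, one attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one source probing six ports in a few seconds, another
# making a normal HTTPS connection and two failed SSH attempts an hour apart.
SAMPLE_LOG = """\
2013-03-21T10:00:01 DENY src=203.0.113.5 dst=198.51.100.10 dport=21
2013-03-21T10:00:02 DENY src=203.0.113.5 dst=198.51.100.10 dport=22
2013-03-21T10:00:02 DENY src=203.0.113.5 dst=198.51.100.10 dport=23
2013-03-21T10:00:03 DENY src=203.0.113.5 dst=198.51.100.10 dport=25
2013-03-21T10:00:05 ALLOW src=203.0.113.5 dst=198.51.100.10 dport=80
2013-03-21T10:00:06 DENY src=203.0.113.5 dst=198.51.100.10 dport=3306
2013-03-21T10:00:07 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443
2013-03-21T10:30:00 DENY src=192.0.2.44 dst=198.51.100.10 dport=22
2013-03-21T11:30:00 DENY src=192.0.2.44 dst=198.51.100.10 dport=22
"""

Event = Tuple[datetime, str, str, int]  # (time, action, source IP, destination port)


def parse(log: str) -> List[Event]:
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the format are skipped, not guessed at
            events.append((datetime.fromisoformat(m["ts"]), m["action"], m["src"], int(m["dport"])))
    return events


def port_sweeps(events: List[Event], window: timedelta = timedelta(seconds=60),
                min_ports: int = 5) -> Dict[str, Set[int]]:
    """Sources that touched at least `min_ports` distinct ports within `window`,
    allowed or denied: the combination IP + port + time is what gives it away."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, _action, src, port in events:
        by_src[src].append((ts, port))
    hits: Dict[str, Set[int]] = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            ports = {p for ts, p in items[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                hits[src] = ports
                break
    return hits


if __name__ == "__main__":
    for src, ports in port_sweeps(parse(SAMPLE_LOG)).items():
        print("follow up:", src, "touched ports", sorted(ports), "within a minute")
```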
Contact information
Federal Judicial Police, Direction for Economical and Financial Crime
Federal Computer Crime Unit, Notelaarstraat 211, 1000 Brussels, Belgium
Tel office: +32 2 743 74 74, Fax: +32 2 743 74 19
E-mail: [email protected], Twitter: @LucBeirens