Raoul chiesa - Auditing the hacker mind - da wargames a underground economy

15,289 views
15,141 views

Published on

Raoul Chiesa @ CRS4 Colloquia
13-06-2011

Published in: Technology
1 Comment
2 Likes
Statistics
Notes
  • <br /><object type="application/x-shockwave-flash" data="http://www.youtube.com/v/GGlDvrEGSyE?version=3&amp;hl=en_US" width="350" height="288"><param name="movie" value="http://www.youtube.com/v/GGlDvrEGSyE?version=3&amp;hl=en_US"></param><embed src="http://www.youtube.com/v/GGlDvrEGSyE?version=3&amp;hl=en_US" width="350" height="288" type="application/x-shockwave-flash"></embed></object>
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
15,289
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
90
Comments
1
Likes
2
Embeds 0
No embeds

No notes for slide

Raoul chiesa - Auditing the hacker mind - da wargames a underground economy

  1. 1. Versione Pubblica(alcune slide sono state sanitizzate) Auditing the Hacker’s Mind: da Wargames all’Underground Economy, passando per il cybercrime A presentation by Raoul Chiesa Senior Advisor on Cybercrime, UNICRI United Nations - Interregional Crime and Justice Research Institute (UNICRI) Cagliari 13 Giugno 2011
  2. 2. Disclaimer● The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with actual Italian laws.● Registered brands belong to their legitimate owners.● The opinion here represented are my personal ones and do not necessary reflect the United Nations nor UNICRI or ENISA and ENISA’s ENISA’ PSG views. i
  3. 3. Agenda# whoisIntroduction and Key ConceptsYesterday’s h kiY t d ’ hacking VS today’s crime t d ’ iHacking eras and Hacker’s generationsCybercrimeHackers…Profiling the enemy: the Hackers Profiling Project (HPP)Hacking, today: Underground EconomyWhat’s next? The Dark LinksCybercrime: the responsesConclusions
  4. 4. #whois
  5. 5. Who am I?
  6. 6. Raoul “Nobody” Chiesa• Old-school Hacker from 1986 to 1995• Infosec Professional since 1997 @ Mediaservice.net• OSSTMM Key Contributor; HPP Project Manager; ISECOM y ; j g ; International Trainer• Co-founder of CLUSIT, Italian Computer Security Association (CLUSI* : Belgium, France, Luxembourg, Switzerland)• Member of TSTF.net – Telecom Security Task Force, APWG, ICANN; ENISA PSG.• I work worldwide (so I don’t get bored ;)• My areas of interest: Pentesting, SCADA/DCS/PLC National Pentesting SCADA/DCS/PLC, Critical Infrastructures, Security R&D+Exploiting weird stuff, , Security People, X.25, PSTN/ISDN, Hackers Profiling, Cybercrime, Information Warfare, Security methodologies, vertical Trainings.• Basically, I do not work in this field just to get my salary every month and pay the home/car/whatever loan: I really love it ☺
  7. 7. UNICRI What is UNICRI?United Nations Interregional Crime & Justice Research InstituteA United Nations entity established in 1968 to support countriesworldwide in crime prevention and criminal justiceUNICRI carries out applied research, training, technicalcooperation and documentation / information activitiesUNICRI disseminates information and maintains contacts withprofessionals and experts worldwideEmerging Crimes Unit (ECU): cyber crimes, counterfeiting,environmental crimes, trafficking in stolen works of art…Fake Bvlgari &Rolex, but also Guess how they update each others? Water systems with “sensors”… Viagra & Cialis (aka SPAM) Email, chat&IM, Skype…
  8. 8. Conficker (December 2009)
  9. 9. Stuxnet (December 2010)
  10. 10. UNICRI & Cybercrime Overview on UNICRI projects against cybercrime Hackers Profiling Project (HPP) SCADA & NCI s security (CIP) NCI’s Digital Forensics and digital investigation SCADA Security techniques Cybersecurity Trainings at the UN Campus
  11. 11. 2011
  12. 12. Strategic relationships and Information-sharing Networks, in order to fight cybercrime g yAlong the years we have been able to build a network of special relationships and directcontacts with the following organizations, working towards specific areas of interest andshared research topics:(this li t i(thi list is may not complete due to NDAs) t l t d t NDA ) Questa slide è stata sanitizzata e non è presente nella versione pubblica
  13. 13. Yesterday yand today’s Hacking
  14. 14. Crime->Yesterday “Every new technology, opens the door to new criminal approaches”.• The relationship between technologies and criminality has always been – since the very beginning – characterized by a kind of “competition” between the good and the bad guys, just like cats and mice.• As an example, at the beginning of 1900, when cars appeared, the “bad guys” started stealing them (!)• ….the police, in order to contrast the phenomenon, defined the mandatory use of car plates…• ….and the thieves began stealing the car plates from the cars (and/or falsifying them).
  15. 15. Crime->Today:Cybercrime• Cars have been substituted by information You got the information, you got the power.. (at least, in politics, in the business world, in our personal relationships…)• Simply p , this happens because the “information” can be transformed at once p y put, pp into “something else”: Competitive advantage Sensible/critical information Money• … that’s why all of us we want to “be secure”. be secure• It’s not by chance that it’s named “IS”: Information Security ☺
  16. 16. Esempi tutti italiani...• L’informazione è immediatamente trasformabile in:1. Vantaggio competitivo2. Informazione sensibile/critica3. Denaro4. Ricatto• Esempi ? (…imbarazzo della scelta ;) – Escorts & co – La villa di Montecarlo – Regione Lazio (dall “hacking” sino al caso Marrazzo e poi Polverini/account “fantasma”) – Calciopoli p – Scandalo Telecom Italia/SISMI – Attacco Vodafone Grecia – Vittorio Emanuele di Savoia – Vallettopoli + Scandalo Escorts – Corona – McLaren/Ferrari – …………….
  17. 17. Hacking eras & gHackers’ generations
  18. 18. Things changed…First generation (70’s) was inspired by the need forknowledgeSecond generation (1980-1984) was driven by curiosity plusthe knowledge starving: the only way to learn OSs was to hackthem; later (1985-1990) hacking becomes a trend.The Third one (90’s) was simply pushed by the anger forhacking, meaning a mix of addiction, curiosity, learning newstuff, hacking IT systems and networks, exchanging infowith the underground community Here we saw new concepts community.coming, such as hacker’s e-zines (Phrack, 2600 Magazine)along with BBSFourth generation (2000-today) is driven by angerness and (2000 today)money: often we can see subjects with a very low know-how,thinking that it’s “cool & bragging” being hackers, while they arenot interested in hacking & phreaking history, culture andethics. Here hacking meets with politics (cyber-hacktivism) orwith the criminal world (cybercrime). €, € $
  19. 19. Cybercrime: why?• QUESTION: – May we state that cybercrime – along with its many, many aspects and views – can be ranked as #1 in rising trend and global diffusion ?• ANSWER(S):• Given that all of you are attendees and speakers here today, I would say that th t we already are on the right track i order t analyze the problem ☺ l d th i ht t k in d to l th bl• Nevertheless, some factors exist for which the spreading of “e-crime-based” attacks relays.• Let’s take a look at them.
  20. 20. Reasons/1• 1. There are new users, more and more every day: this means the total amount of y y Thanks to broadband... broadband potential victims and/or attack vectors is increasing.• 2. Making money, “somehow and straight WW Economical away”. y crisis…• 3. Technical know-how public availability & 0-days, Internet distribution system / ready-to-go, even when talking about Black Markets average-high skills: that’s what I name “hacking p et à po te ac g pret-à-porter”
  21. 21. Darkness DDoS botnet
  22. 22. Reasons/2• 4. It s 4 It’s extremely easy to recruit “idiots” and set up groups molding those adepts idiots groups, upon the bad guy’s needs (think about e-mules) Newbies, Script Kiddies• 5. “They will never bust me” Psycology, Criminology• 6. 6 Lack of violent actions Psycology and Sociology
  23. 23. What the heck is changed then??What’s really changed is the attacker’stypologyFrom “bored teens”, doing it for “hobbyand curiosity” (obviously: during night,pizza hut spizza-hut’s box on the floor and cans ofRed Bull)…....to teenagers and adults not gmandatory “ICT” or “hackers”: they justdo it for the money.What’s changed is the attacker’sprofile, along with its justifications,motivations and reasons.Let’s have a quick test! 26
  24. 24. Hackers in their environment
  25. 25. “Professionals”
  26. 26. There’s a difference: why?• Why were the guys in the first slide hackers, and the others professionals ?• Because of the PCs ?• Because of their “look” ?• Due to the environments surrounding them ?• Because of the “expression on their faces” ?
  27. 27. Surprise! Everything has changed• Erroneus media information pushed your pp mind to run this approach• T d Today, sometimes th professionals are ti the f i l the real criminals, and hackers “the good guys”… (Telecom Italia Scandal, Vodafone Greece Affair, etc…)
  28. 28. Understanding Hackers• It’ extremely important th t we understand the so-called It’s t l i t t that d t d th ll d “hacker’s behaviours” – Don’t limit yourself to analyse attacks and intrusion techniques: let’s analyze Don t let s their social behaviours• Try to identify those not-written rules of hacker’s subculture• Explore hacker’s social organization• Let’s zoom on those existing links between hacking and organized crime
  29. 29. Welcome to HPP
  30. 30. The Hackers Profiling Project (HPP) HackersThe term hacker has been heavily misused since the 80’s;since the 90’ the mainstream h i h 90’s, h i have used i to j if every d it justifykind of “IT crime”, from lame attacks to massive DDoS Lamers, script-kiddies, industrial spies, hobby hackers….for the mass, they are all the same From a business point of view, companies don’t clearly know who they should be afraid of To them they’re all of. they re just “hackers”
  31. 31. The Hackers Profiling Project (HPP) Hackers: a blurred image Yesterday: hacking was an emerging y g g g phenomenon – unknown to people & ignored by researchers Today: research carried out in “mono”: → mono : one type of hacker: ugly (thin, myopic), bad (malicious, destructive, criminal purposes) and “dirty” (asocial, without ethics, ethics anarchic) Tomorrow (HPP is the future): inter- disciplinary studies that merge criminology and information security → different typologies of hackers
  32. 32. The Hackers Profiling Project (HPP) HPP purposes Analyse the hacking phenomenon in its several aspects (technological, social, economic) through technical and criminological approaches Understand the different motivations and identify the actors involved Observe those true criminal actions “in the field” Apply the profiling methodology to collected data (4W: who, where, when, why) Acquire and disseminate knowledge
  33. 33. The Hackers Profiling Project (HPP) Project phases – starting: September 2004 j p g p1 – Theoretical collection: 5 – Gap analysis: p y of data from: questionnaire, honey-Questionnaire net, existing literature2 – Observation: 6 – HPP “live” assessment liveParticipation in IT underground security of profiles and correlation of modusevents operandi through data from phase 43 - Filing: 7 – Final profiling:Database for elaboration/classification Redefinition/fine-tuning of hackersof data (phase 1) profiles used as “de-facto” standard4 - Live collection: 8 – Diffusion of the model:Highly customised, new generation elaboration of results, publication ofHoney-net systems the methodology, raising awareness
  34. 34. The Hackers Profiling Project (HPP) Project phases - detail PHASE CARRIED OUT DURATION NOTES 1 – Theoretical Distribution on YES ON-GOING 16 months collection more levels From different 2 – Observation YES ON-GOING ON GOING 24 months points of view The hardest 3 – Filing ON-GOING 21 months phase The funniest4 – “Live” collection TO BE COMMENCED 21 months phase ☺ 5 – Gap & YET TO COME 18 months The Next Thing gCorrelation Analysis 6 – “Live” The biggest part PENDING 16 months Assessment of the Project 7 – Final Profiling PENDING 12 months “Satisfaction” Satisfaction8 – Diffusion of the Methodology’s PENDING GNU/FDL ;) model public release
  35. 35. The Hackers Profiling Project (HPP) Profiling Hackers – the book
  36. 36. The Hackers Profiling Project (HPP) Evaluation and correlation standardsModus Operandi (MO) Hacking careerLone hacker or as amember of a group Principles of the hackers ethics pMotivations Crashed or damaged systems Perception of the illegality ofSelected targets their own activityRelationship between Effect of laws convictions and laws,motivations and targets technical difficulties as a deterrent
  37. 37. The Hackers Profiling Project (HPP) Detailed analysis and correlation of profiles – table #1
  38. 38. The Hackers Profiling Project (HPP) Detailed analysis and correlation of profiles – table #2 OFFENDER ID LONE / GROUP HACKER TARGET MOTIVATIONS / PURPOSESWanna Be Lamer 9-16 years GROUP End-User For fashion, It’s “cool” => to “I would like to be a boast and brag hacker, but I can’t”Script Kiddie 10-18 years GROUP: but they act alone SME / Specific security To give vent of their anger / The script boy flaws attract mass-media attentionCracker 17-30 years LONE Business company To demonstrate their powe The destructor, burned / attract mass-media ground attentionEthical Hacker 15-50 15 50 years LONE / Vendor / Technology For curiosity (to learn) and The “ethical” hacker’s GROUP (only for fun) altruistic purposes worldQuiet, Paranoid, Skilled 16-40 years LONE On necessity For curiosity (to learn) =>Hacker The very specialized and egoistic purposes paranoid attackerCyber-Warrior 18-50 years LONE “Symbol” business For profit The soldier, hacking for company / End-User moneyIndustrial Spy 22-45 years LONE Business company / For profit Industrial espionage CorporationGovernment Agent 25-45 years LONE / GROUP Government / Suspected Espionage/ CIA, Mossad, FBI, etc. Terrorist/ Counter-espionage Strategic company/ Vulnerability test Individual Activity-monitoringMilitary Hacker 25-45 years LONE / GROUP Government / Strategic Monitoring / company controlling / crashing systems
  39. 39. Ok Raoul…so what ?!?
  40. 40. Hacking, today Numbers 285 million records compromised in 2008 (source: Verizon 2009 Data BreachInvestigations Report) 2 Billion of US dollars: that’s RBN’s 2008 turnover +80 MLN of US$: IMU’s 2010 Turn Over IMU s 3 Billion of Euros: worldwide Cybercrime turnover in 2010 (?) +148% increasing in ATM frauds: more than 500 000 000 € business each 500.000.000year, just in Europe (source: ENISA “ATM Crime Report 2009”) .......bla bla bla Uh ?!? RBN ? WTH??
  41. 41. RBNRussian Business NetworkIt’s not that easy to explain what it is...First of all, cybercrime IRL means: Phishing & co Malware (rogue AVs, driven-by attacks, fake mobile games, + standard stuff) Frauds & Scams DDoS Attacks DD S Att k Digital Paedophilia (children and minors pornography ) Generic Porn (who would bother for 10 bucks lost??) On-line games (those fake web sites)
  42. 42. RBN & phishing David Bizeul (Head of CERT at Societe Generale, France) wrote an excellent study onRBN. One page was so interesting: p g ghttp://194.146.207.18/configstorage_send_interval="600" config_file ="$_2341234.TMP" storage_file ="$_2341233.TMP" www_domains_list ="pageshowlink.com" redirector_url ="citibusinessonline.da-us.citibank.com /cbusol/uSignOn.do {www}/usa/citibusiness.php/usa/citibusiness php 2 0 3" redirector url = "*fineco it /fineco/PortaleLogin {www} /it/fineco.php 2 0 3" 3 redirector_url fineco.it /it/fineco php 3redirector_url = "onlineid.bankofamerica.com /cgi-bin/sso.login.controller* {www} /usa/boa_pers/sso.login.php2 0 2" redirector_url = "onlinebanking-nw.bankofamerica.com /login.jsp* {www} /usa/boa_pers/sso.login.php2 0 2" redirector_url = "online.wellsfargo.com /signon* {www} /usa/wellsfargo.php 2 0 2" redirector_url ="ibank barclays co uk /olb/*/LoginPasscode do {www} /uk/barc/LoginPasscode php 2 0 2" redirector url = ibank.barclays.co.uk /olb/ /LoginPasscode.do /uk/barc/LoginPasscode.php 2 redirector_url"*ebank.hsbc.co.uk /servlet/com.hsbc.ib.app.pib.logon.servlet.OnLogonVerificationServlet {www}/uk/hsbc/hsbc.php 2 0 2" redirector_url = "online*.lloydstsb.* /miheld.ibc {www} /uk/lloyds/lloyds.php 2 0 2"redirector_url = "*halifax-online.co.uk /_mem_bin/UMLogonVerify.asp {www} /uk/halifax.co.uk.php 2 0 3"redirector_url olb2.nationet.com /signon/SinglePageSignon wp1 asp*redirector url = "olb2 nationet com /signon/SinglePageSignon_wp1.asp {www} /uk/nationwide.php 2 0 3" /uk/nationwide php 3redirector_url = "webbank.openplan.co.uk /core/webbank.asp {www} /uk/woolwich.co.uk.php 2 0 3" #DEredirector_url = "meine.deutsche-bank.de /mod/WebObjects/dbpbc.woa/* {www}/de/deutsche-bank.de/login.php 2 0 3" redirector_url = "banking.postbank.de /app/login.prep.do* {www}/de/postbank/postbank.de.php/de/postbank/postbank de php 2 0 3" redirector url = "portal*.commerzbanking.de /P- 3 redirector_url portal commerzbanking de /PPortal/XML/IFILPortal/pgf.html* {www} /de/commerzbanking/login.php 2 0 2" redirector_url = "www.dresdner-privat.de /servlet/P/SSA_MLS_PPP_INSECURE_P/pinLogin.do {www} /de/dresdner-privat/pers.php 2 0 3"redirector_url = "www.dresdner-privat.de /servlet/N/SSA_MLS_PPP_INSECURE_N/pinLogin.do {www}/de/dresdner privat/corp.php/de/dresdner-privat/corp php 2 0 3 3"
  43. 43. What about the other IPaddresses?
  44. 44. RBN’s model
  45. 45. Underground g Economy
  46. 46. “Cybercriminals”
  47. 47. UEUnderground Economy is the concept thanks to which we will not experienceanymore – in the next future – “bank robbings”Nowadays the ways in order to fraud and steal money are SO MANY. And, theworld is just full of unexperienced, not-educated users.What is needed is to “clean” the money: money laundering. They need the y y g ymules.
  48. 48. UE: the approach1.1 Basics: Malware and Botnets Create the malware, build the botnet2. Identity theft Stealing personal and financial credentials (e-banking)3. Running the e-crime g i.e.: e-Banking attacks and e-commerce frauds (Ebay docet)4. Money laundering Setup money laundering’s networks
  49. 49. UE Business ModelQuesta slide è stata sanitizzata e non è presente nella versione pubblica
  50. 50. UE Cooperation ModelQuesta slide è stata sanitizzata e non è presente nella versione pubblica
  51. 51. Surprise....This was happening last time one year ago ago.Now there’s IMU (Innovative Marketing Ukraine) and other “spare” organizedcrime gangs.So, they’ve changed their business model (!)
  52. 52. Questa slide è stata sanitizzata e non è presente nella versione pubblica
  53. 53. Questa slide è stata sanitizzata e non è presente nella versione pubblica
  54. 54. Questa slide è stata sanitizzata e non è presente nella versione pubblica
  55. 55. Who’s beyond ? Next slides will contain images from realLaw Enforcement operations, as well asundercover operations. Please, stop video recording, no picturesand….DOand DO NOT DO THIS AT HOME ! ;) Thanks. Thanks
  56. 56. Carding 101• Carder - Slang used to describe individuals who use stolen credit card account information to conduct fraudulent transactions.• Carding - Trafficking in and fraudulent use of stolen credit card account information.• Cashing - The act of obtaining money by committing fraud. This act can be committed in a variety of ways: The term can stand for cashing out Western Union wires, Postal money orders and WebMoney; using track data with PINs to obtain cash at ATMs, from PayPal accounts, or setting up a bank account with a fake ID to withdraw cash on a credit card account account.• CC - Slang for credit card.• Change of Billing (COB or COBs) - Term used to describe the act of changing the billing address on a credit account to match that of a mail drop. This act allows the carder full takeover capability of the compromised credit card account and increases the probability that the account will not be rejected when being used for Internet transactions.• CVV2 - CVV2 stands for credit card security code. Visa, MasterCard, and Discover require this feature. It is a 3 digit number on the back of the card.• DDoS - Acronym for Distributed Denial of Service Attack. The intent when conducting a DDOS attack is to shut down a targeted website, at least for a period of time, by flooding the network with an overflow of traffic.• DLs - A slang term that stands for counterfeit or novelty drivers licenses.• Drop - An intermediary used to disguise the source of a transaction (addresses, phones etc.)• Dumps - Copied payment card information, at least Track 1 data, but usually Track 1 and Track 2 data. information data data• Dump checking - Using specific software or alternatively encoding track data on plastic and using a point of sale terminal to test whether the dump is approved or declined. This provides carders a higher sense of security for obtaining quality dumps fro those who offer them and also a sense of security when doing in store carding.• Full info(s) - Term used to describe obtaining addresses, phone numbers, social security numbers, PIN numbers, credit history reports and so on. Full Info(s) are synonymous with carders who wish to take over the identity of a person or to sell the identity of a person.• Holos - Sl Slang for the word Holograms. Holograms are important for those who make counterfeit plastic credit cards to emulate an existing security feature. f h d l l i f h h k f i l i di d l i i i f• ICQ - An abbreviation for "I Seek You". ICQ is the most widely used instant messaging system for carders. Popular among Eastern Europeans in their Internet culture, it continues to be used for carding activity.• IRC - An abbreviation for "Internet Relay Chat". IRC is a global system of servers through which users can conduct real-time text-based chat, exchange files, and interact in other ways.• IDs - Slang for identification documents. Carders market a variety of IDs, including bills, diplomas, drivers licenses, passports, or anything that can be used as an identity document.• MSR (Magnetic Strip Reader) - Device that can be used for skimming payment card information and/or encoding track information on plastic.• Phishing - The extraction of information from a target using a hook (usually an e-mail purporting to be from a legitimate company). Phishers spam the Internet with e-mails in hopes of obtaining information that can be used for fraudulent purposes.• POS (Point of Sale) - Acronym for a terminal through which credit cards are swiped in order to communicate with processors who approve or decline transactions.• Proxies - Term used for proxy servers. The use of proxy servers to mask ones identity on the Internet is widely practiced amongst carders. Many vendors sell access to proxy servers, socks, http, https, and VPN (Virtual Private Networks), which aide in hiding the users actual IP address when committing fraud or other illegal activity on the Internet.• Track 1/Track 2 data - Track 1 and Track 2 data is the information stored on the magnetic stripe of a payment card that contains the account information.
  57. 57. Who lays behindthis ?Questa slide è stata sanitizzata e non è presente nella versione pubblica
  58. 58. Questa slide è stata sanitizzata e non è presente nella versione pubblica
  59. 59. The organizationalmodelQuesta slide è stata sanitizzata e non è presente nella versione pubblica
  60. 60. Who’s beyond?
  61. 61. Early Arrests Markus Kellerer aka Matrix001 Renu Subramaniam aka JiLsi& Five Others, May 2007-Oct. 2007 July 2007 y Germany United Kingdom Co-Founder Founder
  62. 62. Max Butler, aka IcemanSeptember 2007San Francisco/RichmondFounder of CardersMarket$86 Million in actual Fraud Loss
  63. 63. Who’s beyond?Questa slide è stata sanitizzata e non è presente nella versione pubblica
  64. 64. Who’s beyond?Questa slide è stata sanitizzata e non è presente nella versione pubblica
  65. 65. Chi c’è dietro ?Questa slide è stata sanitizzata e non è presente nella versione pubblica
  66. 66. Who’s beyond?
  67. 67. Le feste per “i dealer”Questa slide è stata sanitizzata e non è presente nella versione pubblica
  68. 68. Girls, money, cars..Questa slide è stata sanitizzata e non è presente nella versione pubblica
  69. 69. Girls, money, cars..Questa slide è stata sanitizzata e non è presente nella versione pubblica
  70. 70. Videoclip Romania (2010)Hi-Tech Crime Police Unit enters in ATM Skimmer factory
  71. 71. This is the end,my friends Final toughts The hacking world has not always been linked to those true criminal actions. Those researches carried out until now, have not properly snapshot thehacking world and its “tunings”. tunings At the same time, nowaday’s hacking is moving (transforming?) towards crime.And, different elements began working together (see next slides). Cybercrime and Underground Economy problem is not “a tech-people issue”:rather, it is an issue for ALL of us, representing an impact on the countries’ecosystem that could reveal itself as devastating. Also, forget fighting cybercrime on your own: you just can’t. That s That’s why my last slides are on cybercrime’s answers and VTFs (Virtual Task cybercrime sForces).
  72. 72. What’s next? The Dark Links
  73. 73. Human Organs trafficking September 2010, Asti (North-West of Italy) Police was eavesdropping on phone calls from and to the “Capo dei Capi” of aNigerian gang, specialized in cloned credit cards and elite cars theft. In one of this calls, a guy said to the Boss: “the Kidneys are ready”. So, So what we have here? Organized Crime “buying” Human Organs from Nigeria – buyingusing the money gathered from cybercrime – then selling into EU (!).
  74. 74. Coke for cards? March/May 2010, Turin (North-West of Italy) Turin has got the biggest Romania s community of Italy Romania’s Italy. We also have a very big Nigeria’s community. Historically, Romenian gangs drive the business of ATM skimmers… y, g g …and Nigerian the Cocaine business. After a joined FBI/US Secret Service/Interpol/Italian Postal Police operation, the j p pRomanians decided to “sell” the business to Nigerians. Cloned cards were paid with Cocaine. This happens because the Romenians also run the prostitutes business… …and, prostitute’s customers want coke as well. Compared to these guys, S C d h Scarface was nearly a kid f l
  75. 75. Cybercrime: the answers• Cybercrime is typically a transnational crime, borderless, that includes so many actors and different roles.• That’s why you just can’t think about a single answer.• Instead, it is necessary to think and act in a distributed approach, creating Virtual Task Forces (VTFs).• It is essential the collaboration among Law Enforcement, Internet community, Finance sector, ISPs and carriers (voice & data), vertical groups, in order to identify a specific group, malware or facilitator.• From the investigative point of view, challenges are the following: Analyze the malware Map the infrastructure Eavesdrop/Intercept/Sniff the communication and/or the links Explore the executed attacks Identify the developers and its crime-rings.
  76. 76. Vertical Groups & VTFs• That’s why, along these years, Vertical Groups have been raised, among which we can list the following: Team Cymru APWG –Anti Phishing Working Group IEEE-SA Shadow Server Foundation UNICRI – Emerging Crimes Unit Host Exploit Cyberdefcon ………..• …working along with : INTERPOL EUROPOL “Hi-Tech Crimes” groups into each National LEAs
  77. 77. While..you better watchout!
  78. 78. Must-read books / 1During the different phases of bibliography research, the Authors have made reference (also) to the following publications and on-lineresources:● H.P.P. Questionnaires 2005-2011The Kingpin, Kevin Poulsen, 2011●● Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet, Joseph Menn, Public Affairs, 2010 y g g , p , ,● Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007● Stealing the Network: How to 0wn the Box, (V.A.), Syngress Publishing, 2003●Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House g g, , y ,Australia, 1997● The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, DoubleDay (1989), Pocket (2000)● Masters of Deception: the Gang that Ruled Cyberspace, Michelle Stalalla & Joshua Quinttner, Harpercollins, 1995● Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997● Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfler, (Hyperion Books), 1996● The Fugitive Game: online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997● The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002● The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004● @ Large: the Strange Case of the World’s Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998
  79. 79. Must-read books / 2The Estonia attack: Battling Botnets and online Mobs, Gadi Evron, 2008 (white paper)●Who is “n3td3v”?, by Hacker Factor Solutions, 2006 (white paper)● y ( p p )Mafiaboy: How I cracked the Internet and Why it’s still broken, Michael Calce with Craig Silverman, 2008●The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002●Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995●Cyber Adversary Characterization: auditing the hacker mind, Tom Parker, Syngress, 2004●Inside the SPAM Cartel: trade secrets from the Dark Side, by Spammer X, Syngress, 2004●Hacker Cracker, Ejovu Nuwere with David Chanoff, Harper Collins, 2002●Compendio di criminologia, P ti G., Raffaello C tiC● di i i l i Ponti G R ff ll Cortina, 1991●Criminalità da computer, Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol.X, Ilcambiamento delle forme di criminalità e devianza, Ferracuti F. (a cura di), Giuffrè, 1988●United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review ofCriminal Policy – Nos 43 and 44 Nos.●Criminal Profiling: dall’analisi della scena del delitto al profilo psicologico del criminale, Massimo Picozzi, AngeloZappalà, McGraw Hill, 2001● Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive CriminalProfiling Techniques, Turvey B., Knowledge Solutions Library, January, 1998 g q , y , g y, y,●Malicious Hackers: a framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute ofTechnology●Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law,Psychology, Täterpro
  80. 80. Must-read books / 3● Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking● ISBN: 978-1-4200-8693-5-90000
  81. 81. And...a gift for you all here! ☺● Get your own, FREE copy of “F3” (Freedom from●Fear, the United Nations magazine) issue #7,totally focused on Cybercrimes!DOWNLOAD:DOWNLOAD●● www.FreedomFromFearMagazine.org● Or, email me and I will send you the full PDF (10MB)
  82. 82. Q Questions? Contacts, Q&A Raoul Chiesa E-mail: chiesa@UNICRI.it Thanks folks! UNICRI Cybercrime Home Page: y g http://www.unicri.ithttp://www.unicri.it/emerging_crimes/cybercrime/

×