20121026 info pme threats on cyber



Presentation by Luc Beirens, Federal Computer Crime Unit, at the IDEA Brunch Info TIC on 26 October 2012 at the Microsoft Innovation Center


  1. Risks on your information and on your ICT infrastructure. InfoPME information security seminar, 26 October 2012, @LucBeirens. © Luc Beirens - Federal Computer Crime Unit - Direction economical and financial crime
  2. Topics - overview
     - An analysis of the eSociety situation
     - Who is threatening eSociety and how?
     - Inside threat / outside threats
     - Possible damage to eGov and eSociety
     - Which response to give to this?
  3. e-Architecture (diagram): externally managed infrastructure, externally hosted website, Internet, VPN, internal network, firewall, DMZ with own webserver, backup server, cloud service center, SCADA / process control, end user, roaming user
  4. General trends today
     - Evolution towards e-society: replace persons by e-applications; interconnecting all systems (admin, industrial, control); mobile systems – cloud; social networks
     - IP is the common platform offered by many ISPs, integrating telephony / data / VPN & all new apps = opportunities / Achilles heel / scattered traces
     - Poor security in legacy applications and protocols (userid + pw) => identity fraud is easy
     - End user is not yet educated to act properly
  5. What do criminals want?
     - Become rich / powerful rapidly, easily, with a very big ROI, in an illegal way if needed
     - Destabilize (e-)society by causing trouble
  6. What is there to protect?
     - Your company image
     - Your market share
     - Your business activity / products
     - Your existence as such
     Cybercrime threats © Belgian Federal Computer Crime Unit
  7. What is there to protect?
     - Data (stored or in transmission): our personal data; data on citizens / customers; info on the organisation (policy / functioning / financial)
     - Our information infrastructure: internal / external systems; network connections; storage and backup systems
     - Privacy law requires organisational and technical measures to protect personal data
  8. The inside threats
  9. Theft of data and carriers
     - SME, service sector: server + backups stolen => reason for the theft unclear => SME had to close the books
     - SME, construction sector: laptop stolen at a professional congress => more difficulties to give the best offer => customers are approached by several other firms
  10. Theft of industrial secrets
     - Multinational, high-tech software development: new experienced employee during his trial period; DB with all functional and technical specs on internet storage space; person left the company: screen showed evidence
     - SME, CRM software developer: several employees quit at the same time; new firm => same kind of product: source code?; customers being transferred to the new company
     - Multinational, metal industry: director R&D quits and goes to the competitor; R&D information concerning specific handling of waste
  11. Theft of commercial and strategic information
     - Firm in service sector: in the financial department, installation of a keylogger on the PC of the financial analyst, info via e-mail; illegally ordered by shareholders; detection by IDS
     - Firm in distribution sector: theft of 15 PCs in the department of development and expansion; chained to the desk but not encrypted; during the weekend – seen on Monday
  12. Theft of security-related data
     - Multinational, financial sector: new experienced employee, 3rd-level helpdesk; not accepted after the trial period => leaves with a copy of the problem DB on a USB key; contact police => interception
     - End user: victim infected with a trojan horse; takeover of userid + passwords => mailbox consultation + ADSL use; takeover of codes and certificates for commercial transactions
     - Multinational, security sector: break-in over remote administration access; cursor moves over the screen and opens critical DBs; no immediate reaction: only reported after the 3rd incident
  13. Theft of personal data
     - Multinational, credit cards: hacking of website with credit-card info; international criminal organisation abuses the data
     - SME in discussion about a possible takeover: system administrator reads mail of the board?
     - Public institution: system admin reads mails and documentation in a private network share; discovers a "secret relationship" => "extortion"
     - End user in an education institution: hacking: intimate pictures distributed to colleagues
  14. Analysis of incidents
  15. Which data?
     - Customer list / price lists
     - Strategic vision / financial situation
     - Industrial secrets / source code of programs
     - Security procedures
     - Access codes
     - Transfer codes
     => necessity to classify data according to its level of importance for continuing the business, and to handle each level accordingly
  16. Where and how stored?
     - Stored in the ICT infrastructure: server / end-user equipment / data carriers
     - In transmission: on intranet / internet / between keyboard and PC
     - Often only password protected but not encrypted / very few logs => need for encryption and strong authentication
  17. How?
     - Physical theft: by burglary: servers, desktops; of mobile equipment: travel, hotel, car
     - Digital copy: of the complete database; during normal use / consultation; by trojan => via internet connection; by keylogger => keyboard => passwords; by sniffer in the network => all transmissions; rootkit => completely adapted operating system
  18. When?
     - During office hours, but very often at night or during weekends => need for detection & alarm systems
  19. Server is well secured ... Then it is perhaps easier to
     - copy data from log files
     - take copies from the test environment
     - take backup disks / tapes (in the trunk of the sysadmin's car?)
     Very often access to this information is not controlled
  20. Who?
     - Employees / management
     - Temporary employees / interns
     - Suppliers / maintenance
     - External parties via external access
     => need for screening of persons in key functions => eventually an external audit on these persons => reduce access on a need-to-have basis, also for sysadmins. Difficulty: privacy regulations
  21. Consequences of information theft
     - Transactions / money transfers => direct damage
     - Extortion
     - Espionage
     - Loss of market share
     - Discussion on ownership rights of source code
     - No longer access to data
     - Security incidents in the real world
     - Indirect damage: loss of trust in the e-system
  22. Victim yes, but also ...
     - Penal liability if privacy is not protected! Organisational and technical measures; access / use of private data
     - Civil liability if negligence or fault, and damage caused
  23. Do you give it away?
     - When old equipment is sold on the second-hand market, donated to a school, ...
     - Formatting is not enough to remove data => wiping => magnetic shock (degaussing)
  24. (image slide, no text)
  25. The outside threats. © 2006-2010 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime
  26. Who is threatening us?
     - Script kiddies
     - Insider: ICT guy in your company
     - Loosely organized criminals
     - Firmly organized criminal groups
     - Terrorists / hacktivists
     - Foreign states / economic powers
     - Nation warfare troops
  27. What are the outside threats?
  28. Threats in messages on hacker sites
     - Wiping away the websites in your state
     - Infiltration in servers of the Public Treasury, disrupting tax collection
     - Infiltration in bank accounts
     - Attacks on media websites
     - Attacks on e-commerce websites
     - Distribution of personal data and credit card information
     - Targeting also in the end-of-year period
  29. Overview of threats
     - Hacking into websites / webservers
     - Denial of service: blocking internet connections / webservers
     - Interfering with internet transactions
     - Hacking into computer systems: spying; altering / deleting data
     - Destabilizing e-society by causing some havoc
  30. (image slide, no text)
  31. Hacking webservers
     - Motives of the criminal: perform defacement; use as storage platform for illegal content (child porn); use as intermediate platform for criminal activity; get sensitive information and do extortion ("idiot tax"); get financial information (credit cards)
     - To do: update software, strong admin access, no personal data on the server; follow up pastebin.com: a hackers' drop-off
  32. Security: encrypted data!
     - Infection of workstations and servers in the company LAN: using targeted e-mails / social media messages; malicious encryption of all user data files; ransom to get the decryption key
     - From those that paid: some got the key, some didn't
     - Others had a recent backup, not connected!
  33. Intrusions in your LAN
     - Intrusion in your system to intercept data that allows taking products away from your stock: WIFI interception from the parking; infection by trojan (e-mail); (unreported) burglary in the company to place hardware keyloggers or a complete small computer system (WIFI intercept, 3G transmit); with a valid ticket go fetch the cargo
     - To do: encrypt WIFI transmissions; patch only active workstation connections
  34. Intrusion in your trading account
     - Carbon dioxide certificates trade
     - Open data: contact persons of companies
     - Spear phishing mail + phishing website
     - Access to the trading account
     - Millions of € sold in a few hours all over the EU; sold far under price & immediately resold
     - To do: awareness
  35. Intrusion in your partner's LAN
     - Intrusion in the LAN of a foreign partner (Chinese) to get information on your business and the invoices to pay
     - You get mail with slightly different e-mail addresses and a change of the bank account number to pay (due to an audit ...)
     - To do: verify thoroughly any changes before paying
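The check the slide asks for ("verify thoroughly any changes before paying") can be partly automated on the accounts-payable side. The script below is an added example, not code from the presentation or the FCCU: it screens an incoming supplier mail for a sender domain that is a near-miss of a registered partner domain and for a bank account number that differs from the one on file, and holds the payment if either is true. The partner register, the IBANs (placeholders, not real accounts) and the two sample mails are constructed for the demonstration.

```python
"""Screening of incoming supplier mails for invoice-redirection fraud.

Added example, not from the presentation. The partner register, the IBANs
and the sample mails are constructed; the IBANs are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed partner register: canonical sender domain -> IBAN on file.
PARTNERS: Dict[str, str] = {
    "partner-metal.example": "BE68539007547034",
}

# IBAN-shaped token, optionally written in groups separated by spaces.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    partner: Optional[str]          # partner the mail claims to come from, if any
    lookalike_domain: bool          # sender domain is a near-miss, not the real one
    account_changed: bool           # IBAN in the mail differs from the one on file
    reasons: List[str] = field(default_factory=list)

    @property
    def hold_payment(self) -> bool:
        return self.lookalike_domain or self.account_changed


def screen_mail(sender: str, body: str,
                partners: Dict[str, str] = PARTNERS, max_dist: int = 2) -> Verdict:
    """Return a Verdict for one mail; payment should be held if hold_payment is True."""
    domain = sender.rsplit("@", 1)[-1].lower()
    verdict = Verdict(partner=None, lookalike_domain=False, account_changed=False)

    if domain in partners:
        verdict.partner = domain
    else:
        # "Slightly different e-mail address": within a few edits of a known partner.
        for known in partners:
            d = levenshtein(domain, known)
            if d <= max_dist:
                verdict.partner = known
                verdict.lookalike_domain = True
                verdict.reasons.append(
                    f"sender domain {domain!r} is {d} edit(s) away from partner {known!r}")
                break

    if verdict.partner is None:
        verdict.reasons.append("sender is not a registered partner")
        return verdict

    # "Change of bank account number": any IBAN in the body that is not the one on file.
    on_file = partners[verdict.partner]
    found = {m.group(0).replace(" ", "") for m in IBAN_RE.finditer(body)}
    if found and on_file not in found:
        verdict.account_changed = True
        verdict.reasons.append(
            f"account {sorted(found)} differs from IBAN on file {on_file}")
    return verdict


if __name__ == "__main__":
    # Constructed sample mails: one from the real partner, one from a lookalike domain.
    legit = screen_mail("accounts@partner-metal.example",
                        "Invoice 1001 is payable to BE68 5390 0754 7034 as usual.")
    fraud = screen_mail("accounts@partner-meta1.example",
                        "Due to an audit, invoice 1002 is payable to our new account "
                        "BE71 0961 2345 6769.")
    for v in (legit, fraud):
        print("HOLD" if v.hold_payment else "OK", v.reasons)
```

The edit-distance threshold of 2 catches a swapped, dropped or substituted character in the domain; anything further away is treated as an unknown sender and should go through the normal new-supplier process. A flagged account change is never resolved by replying to the mail: the slide's advice is to verify through a channel you already had with the partner.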
  36. Attacking infrastructure
     - Remotely managed infrastructures in your buildings: central heating; elevator
     - Creating disruption of this infrastructure => leads to high cost
     - To do: verify if this applies to you and your infrastructure-managing company
  37. Hacking into cloud accounts
     - SMEs that have all their information in cloud accounts
     - Hacking into these accounts: taking over access control; sending of SOS e-mails ("robbed, money needed"); deleting all contact information in the account => preventing warning e-mails after getting back access to the account
     - To do: enforce strong authentication and second ways to access the account; have backups of these systems
  38. What are the criminals' tech tools to hack and attack?
     - Malware attacks (viruses, worms, trojans, ...): fast-spreading zero-day infections => no immediate cure => lots of victims (especially home PCs – available 24 / 365)
     - Abuse of infected computers to create botnets (large "armies" of PCs under control of 1 master) => used to make massive attacks on webservers or network nodes => high risk for your critical ICT infrastructure
  39. Botnet attack on a webserver / node (diagram: hacker, command & control server, infected computers reporting "My IP is x.y.z.z", webserver / node; access line blocked, server crash)
  40. Malware update / knowledge transfer (diagram: hacker, command & control server, malware update server, knowledge server, webserver / node; trigger event => very frequent malware update requests)
  41. Why?
     - Making money! Sometimes still for fun (script kiddies)
     - Spam distribution via zombie
     - Click generation on banner advertising
     - Dialer installation on zombie to make premium-rate calls
     - Spyware installation
     - Espionage => banking details / passwords / keylogging
     - Ransom bot => encrypts files => money for the password
     - Capacity for distributed denial of service attacks (DDoS) => disturb functioning of an internet device (server / router)
  42. How big is the problem?
     - Already criminal cases in several countries
     - Botnets detected: several hundreds of botnets worldwide; several thousands of C&C worldwide; thousands up to millions of zombie computers online; generated huge data traffic up to 40 Gbps
     - Dismantling / crippling botnets
  43. e-Crime underground business
     - Underground fora and chatrooms: restricted access – on invitation; secured by encryption
     - Botnets for hire: control over a bot for spam: 0.04 $ / bot / day; small-scale attack 20 Mbps: 50 – 100 $ / day; large-scale attack 10 Gbps: 1000 $ / day
     - Malware development on demand
  44. Important DDoS cases
     - UK 2004: gambling website down (+ hoster + ISP)
     - NL 2005: 2 botnets: millions of zombies
     - BE 2005: DDoS on chat network of media firms
     - BE 2005: DDoS on firm (social conflict)
     - US 2006: Blue Security firm stops activity
     - SE 2006: website of Gov and Police down due to DDoS after police raid on P2P
     - EE 2007: widespread DDoS attack on Estonia after incidents on moving a soldier statue
     - Georgia 2008: cyber war during military conflict
     - World 2010: Wikileaks case: Visa, Mastercard, PayPal
     - World 2012: CIA, FBI, USDOJ, EU, Arcelor Mittal ...
  45. Latest malware developments
     - Stuxnet: very complex and elaborate trojan; several replication vectors: networks, USB keys; connects to C&C botnet server; focused on industrial control systems: searches for systems with this control system, collects information on Siemens PLC systems, changes process logic on infected machines
     - Duqu, based upon Stuxnet: spying purposes
  46. Biggest threat? The criminal's knowledge database
     - SQL (Structured Query Language) databases
     - Several backup servers
     - Content: keylogging (everything, also userids, passwords); screenshots (of all opened windows, websites, ...); URLs; IP addresses
     - Base for reverse R&D to counter new security
  47. Cases?
     - e-Banking fraud
     - Hacking of large institutions / firms: long time unaware of the hacking; keylogging; encrypted files on PC; internal botnet; intermediate step to other networks; often no complaint
  48. Large firm hacking using an internal botnet (diagram: Internet, hacker, company network)
  49. Cybercrime focusing on individuals
     - Individuals are also working in companies / gov; they use social networks / webmail, often used to exchange business-related info, containing access code information
     - Hacking of these profiles / webmails: abuse to infect people you know; get personal information of you and your contacts; commit fraud
     - Internet fraud of all kinds
     - Webcam sex interception to do extortion
     Luc Beirens - FCCU - 2012
  50. And the victims?
     - Who? Transactional websites; communication networks; ISPs and all other clients
     - Reaction: unaware of incidents going on; ISPs try to solve it themselves; nearly no complaints made – even if asked ...
     - Result? The hackers go on developing botnets
  51. Combined threat
     - What if abused by terrorists ... simultaneously with a real-world attack?
     - How will you handle the crisis? Your telephone system is not working!
  52. Risks
     - Economic disaster: large scale: critical infrastructure; small scale: enterprise
     - Individual data
     - Loss of trust in e-society
  53. Who investigates ICT crime?
     - Prosecutors / examining judges
     - Specialised police forces (national & international)
     - Legal expert witnesses
     - Specialised forensic units of consulting firms
     - Associations defending commercial interests
     - Security firms => vulnerabilities
     - Activist groups => publish info on « truth »
  54. E-Police organisation and tasks (integrated police)
     - National level (Federal Police): Federal Computer Crime Unit, 35 persons. Tasks: 24 / 7 (inter)national contact; policy; operations: intelligence, Internet & ePayment fraud, forensic ICT analysis, cybercrime combating, internet ID requests; training; equipment; www.ecops.be hotline; FCCU network; international contacts
     - Regional level (Federal Police): 25 Regional Computer Crime Units (1 – 2 judicial districts each), 170 persons. Tasks: assistance for house searches, forensic analysis of ICT, taking statements, internet investigations; investigations of ICT crime cases (assisted by FCCU)
     - Local level (Local Police): first-line police. Tasks: "freezing" the situation until the arrival of CCU or FCCU; selecting and safeguarding of digital evidence
     © 2012 - Luc Beirens - FCCU - Belgian Federal Police
  55. Our services
     - Help to take a complaint
     - Descend on the scene of the crime: make a drawing of the architecture of the hacked system; image backup of the hacked system (if possible)
     - Internet investigations (identification, location)
     - House searches
     - Taking statements of the concerned parties
     - Forensic analysis of seized machines
     - Compile a conclusive police report
  56. Investigative problems – tracking
     - Victims: unfamiliar, and fear for the "corporate image" => belated complaints – trashed / no more traces
     - Rather "unknown" world for police & justice => delay before involvement of specialised units
     - Limited ICT investigation capacity (technical & police skills)
     - Multiplication and integration of services / providers / protocols / devices
     - Lack of harmonised international legislation & instruments
     - Anonymous / hacked connections – subscriptions – WIFI
     - Intermediate systems often cut the track to the perpetrator
  57. Investigative problems – evidence gathering
     - Delocalisation of evidence: the cloud?
     - Exponential growth of storage capacity => time consuming: backups & verification processes; analysis
     - New legislation / jurisprudence imposes more rigorous procedures for evidence gathering in cyberspace
     - Bad ICT security: give proof of the source and the integrity of evidence
  58. Brussels, we have a problem ... (dialogue between complainant and police)
     - Complainant: Hello, can you help?
     - Police: OK. A few questions to start.
     - Complainant: We are a Belgian hosting firm, our file …
     - Police: Who, where, what, when?
     - Complainant: We have a problem … Our webservers are hacked & several websites of our Belgian customers have been defaced
  59. Who is where? (diagram only)
  60. Who / where / what
     - In Belgium: defaced website; hosting firm: nothing in Belgium; customer: nothing in Belgium; hacked firm: nothing in Belgium
     - In the USA: hacked webserver
     - In the Netherlands: hacked server
     - In the UK: hacker?
     - In Luxembourg: hacker?
  61. Conclusions ...
     - Competence of the Belgian justice authorities? Discussion: viewpoint of the Public Prosecutor General: not competent; viewpoint of the victim's lawyer: competent; viewpoint of the suspect's defence: ????
     - If the choice was made for storage in a foreign country: why? Cost? Evade regulations & obligations?
     - No (?) protection of Belgian law; no (?) intervention of law enforcement in Belgium; protection by law & LE in the country where the server is
  62. Preventive recommendations
     - Draw up a general ICT usage directive (normal usage)
     - Awareness program for management & users
     - ICT security policy is part of the global security policy
     - Appoint an ICT security responsible => control on the application of the ICT usage & security policy
     - Keep critical systems separate from the Internet if possible!
     - Use software from a trusted source
     - Install recent anti-virus and firewall programs (laptops)
     - Synchronize the system clocks regularly
     - Activate and monitor log files on firewall, proxy, access
     - Make & test backups & keep them safe (generations)!
  63. Recommendations for victims of ICT crime
     - Disconnect from the outside world
     - Take note of the last internet activities & the exact date and time
     - Evaluate: is the damage more important than the restart? Restart most important: make a full backup before restoring; damage more important: don't touch anything
     - Safeguard all messages and log files in their original state
     - Inform ASAP the Federal Judicial Police and ask for assistance of the Federal or Regional CCU
     - Force a change of all passwords
     - Re-establish the connection only if ALL failures are patched
  64. Where to make a complaint?
     - Within a police force …: Local police service => not specialised => not the right place for ICT crime (hacking / sabotage / espionage) => the place to make complaints on internet fraud; Federal judicial police (FGP) => better but …; Regional CCU => the right place to be for ICT crime; Federal Computer Crime Unit => 24/7 contact; risks on vital or crucial ICT systems => call urgently; illegal content (child porn, …) => www.ecops.be
     - … or immediately report to a magistrate? Local prosecutor (Procureur) => will send it to the police => can decide not to prosecute; Examining judge => complaint with deposit of a bail => obligation to investigate the case
  65. For the sys admin
     - Several layers of protection: internal firewalls; encrypted communications; encrypted databases
     - Check active sysadmin profiles on servers
     - Log and follow up FW, IDS
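Slides 18, 62 and 65 all point to the same control: activate the logs, keep the clocks synchronised, and follow them up with alarms for sysadmin activity at night or during weekends. The script below is an added example, not the presentation's own code. It reads constructed access-log lines (the format, ISO timestamp / event / user / source IP, is an assumption) and raises alerts for admin logins outside office hours, three or more failed logins from one user and source, a success immediately following such failures, and admin logins from outside the company LAN.

```python
"""Alerting over access-log lines: admin activity outside office hours,
repeated login failures, success after failures, admin logins from outside
the LAN.

Added example, not from the presentation. The log lines are constructed and
the line format (ISO timestamp, event, user, source IP) is an assumption.
Ordering events from several systems by timestamp only works if their clocks
are synchronised, which is why the deck lists clock synchronisation next to
log monitoring.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample log. 26 Oct 2012 (the seminar date) was a Friday, so
# the 22nd is a Monday and the 27th a Saturday.
SAMPLE_LOG = """\
2012-10-22T09:12:03 LOGIN_OK admin 10.0.0.12
2012-10-22T23:41:10 LOGIN_OK sysadmin 10.0.0.50
2012-10-23T10:00:00 LOGIN_OK alice 10.0.0.21
2012-10-27T02:15:44 LOGIN_FAIL backup 203.0.113.7
2012-10-27T02:15:49 LOGIN_FAIL backup 203.0.113.7
2012-10-27T02:15:55 LOGIN_FAIL backup 203.0.113.7
2012-10-27T02:16:02 LOGIN_OK backup 203.0.113.7
"""

ADMIN_ACCOUNTS = {"admin", "sysadmin", "backup"}   # assumed privileged accounts
INTERNAL_NETS = [ip_network("10.0.0.0/8")]         # assumed company LAN
OFFICE_HOURS = range(8, 19)                        # 08:00-18:59, Monday-Friday
FAIL_THRESHOLD = 3

Alert = Tuple[str, datetime, str, str]             # (kind, when, user, source ip)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, event, user, ip)."""
    ts, event, user, ip = line.split()
    return datetime.fromisoformat(ts), event, user, ip


def is_off_hours(ts: datetime) -> bool:
    """Night or weekend: the moments slide 18 says thefts most often happen."""
    return ts.weekday() >= 5 or ts.hour not in OFFICE_HOURS


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(log_text: str) -> List[Alert]:
    """Walk the log in time order and return the alerts an alarm system would raise."""
    records = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[Alert] = []
    for ts, event, user, ip in records:
        key = (user, ip)
        if event == "LOGIN_FAIL":
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:
                alerts.append(("REPEATED_FAILURES", ts, user, ip))
        elif event == "LOGIN_OK":
            if failures[key] >= FAIL_THRESHOLD:
                alerts.append(("SUCCESS_AFTER_FAILURES", ts, user, ip))
            failures[key] = 0
            if user in ADMIN_ACCOUNTS:
                if is_off_hours(ts):
                    alerts.append(("ADMIN_OFF_HOURS", ts, user, ip))
                if not is_internal(ip):
                    alerts.append(("ADMIN_EXTERNAL_SOURCE", ts, user, ip))
    return alerts


if __name__ == "__main__":
    for kind, ts, user, ip in analyse(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {kind:<22} {user}@{ip}")
```

On the sample data the Saturday-night sequence for the `backup` account from an external address produces three alerts in a row (repeated failures, success after failures, external source) plus the off-hours one; that is the kind of event that deserves a phone call rather than a line in a weekly report. The same walk over real firewall or IDS exports only needs `parse_line` adapted to their field layout.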
  66. Contact information: Federal Judicial Police, Direction for Economical and Financial crime, Federal Computer Crime Unit, Notelaarstraat 211 - 1000 Brussels – Belgium. Tel office: +32 2 743 74 74. Fax: +32 2 743 74 19. E-mail: luc.beirens@fccu.be. Twitter: @LucBeirens