From creeper to stuxnet

Important (I hope...) milestones in the history of information security
  1. From Creeper to Stuxnet. Shahar Geiger Maor, VP & Senior Analyst. “Tell me and I’ll forget; show me and I may remember; involve me and I’ll understand.”
  2. A Story With A Beginning And No End. Shahar Geiger Maor’s work, Copyright 2012 @STKI. Do not remove source or attribution from any graphic or portion of graphic.
  3. The Beginning – Basic Terminology: Phreaking, Cracking and Hacking…
  4. I’m A Creep(er)! The very first viruses: Creeper and Wabbit (1971)
  5. Captain Zap: first person ever arrested for a computer crime (1981)
  6. Machine Of The Year (1982)
  7. War Games (1983)
  8. Introducing: MOD & LOD (1987)
  9. When Ideology meets Ego (1991)
  10. Professional conferences (1993)
  11. Celebrity (1995)
  12. The Rise of Malwares: The Concept Virus (1995)
  13. The Rise of Malwares: The Melissa and Nimda Viruses (1999). http://scforum.info/index.php?topic=2528.msg4935;topicseen
  14. The Rise of Malwares: The ILOVEYOU Worm (2000)
  15. The Rise of Malwares: Conficker (2008)
  16. The Increasingly Difficult Security Challenge. [Chart: number of AV Signatures, monthly from Jan-00 to Dec-09, y-axis 0 to 16,000,000.] 100s of millions of viruses: signature-based scanning won’t keep up… Source: Symantec
  17. No Existing Protection Addresses the “Long Tail”. Today, both good and bad software obey a long-tail distribution. [Chart: prevalence of Good Files and Bad Files.] Blacklisting works well at the high-prevalence end of the bad files; whitelisting works well at the high-prevalence end of the good files. Unfortunately neither technique works well for the tens of millions of files with low prevalence (but this is precisely where the majority of today’s malware falls). For this long tail a new technique is needed. Source: Symantec
  18. Growing Amount of Malware – Lower Rate of Detection. Time to detect two malware submissions (src: AV-Test.org), Submission-ID 2009-12-10_22-01_0002 and Submission-ID 2010-01-15_22-14_0001:

     AV Engine      Time To Detect (2009-12-10_22-01_0002)   Time To Detect (2010-01-15_22-14_0001)
     Authentium     Zero-hour                                No detection
     Avast          24.28 hrs.                               2.10 hrs.
     AVG            10.18 hrs.                               3.52 hrs.
     CA-AV          No detection                             Zero-hour
     ClamAV         40.82 hrs.                               No detection
     Dr.Web         3.68 hrs.                                13.17 hrs.
     Eset Nod32     2.35 hrs.                                Zero-hour
     F-Secure       Zero-hour                                20.03 hrs.
     Ikarus         2.55 hrs.                                1.90 hrs.
     ISS VPS        No detection                             No detection
     Kaspersky      6.70 hrs.                                14.52 hrs.
     McAfee         28.83 hrs.                               No detection
     Microsoft      11.62 hrs.                               No detection
     Norman         Zero-hour                                No detection
     Panda          76.48 hrs.                               No detection
     Rising         71.27 hrs.                               No detection
     Spybot S&D     No detection                             No detection
     Sunbelt        No detection                             Zero-hour
     VirusBuster    4.05 hrs.                                Zero-hour
  19. Secured Mediation Kiosks. Source: OPSWAT, STKI’s modifications
  20. Nor(malware) distribution: Choose any AV software… What about the long tail?
  21. Nor(malware) distribution: Choose many AV software… The long tail problem remains
  22. Organized Cybercrime (2009)
  23. M&As in the Cyber Underground… SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself. http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/
  24. Common “Positions” in the cyber-crime business: Leaders, Programmers, Hosted systems providers, Cashiers, Distributors, Fraudsters, Money mules, Tech experts, Crackers, Tellers. http://www.fbi.gov/news/speeches/the-cyber-threat-whos-doing-what-to-whom
  25. Underground Economy. Source: http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf

     Products                                      Price
     Credit card details                           From $2-$90
     Physical credit cards                         From $190 + cost of details
     Card cloners                                  From $200-$1000
     Fake ATMs                                     Up to $35,000
     Bank credentials                              From $80 to $700 (with guaranteed balance)
     Bank transfers and cashing checks             From 10 to 40% of the total; $10 for simple account without guaranteed balance
     Online stores and pay platforms               From $80-$1500 with guaranteed balance
     Design and publishing of fake online stores   According to the project (not specified)
     Purchase and forwarding of products           From $30-$300 (depending on the project)
     Spam rental                                   From $15
     SMTP rental                                   From $20 to $40 for three months
  26. Cyber Wars (1990’s-2000’s-2010’s)
  27. Growing Number of Incidents - US: Incidents of Malicious Cyber Activity Against Department of Defense Information Systems, 2000–2009. http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf
  28. Sources of Attacks on gov.il. Source: CERT.gov.il
  29. Cyber-Warfare is Becoming A Giants’ Playground. http://www.bbc.co.uk/news/technology-11773146
  30. Operation Aurora. http://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf
  31. Advanced Persistent Threat (APT) – RSA Case Study. “Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA”. Art Coviello, Executive Chairman, RSA. http://www.rsa.com/node.aspx?id=3872 http://www.nytimes.com/2011/03/18/technology/18secure.html
  32. Stuxnet: (THE NEW YORK TIMES, 15/1/11) http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=2&hp
  33. Stuxnet Timeline
     • Early 2008: Siemens cooperated with Idaho National Laboratory to identify the vulnerabilities of the computer controllers that the company sells
     • 2008-2009: Suspected exploits have been created for Siemens SCADA systems
     • July 2009: Stuxnet began circulating around the world
     • July 2010: Stuxnet is first discovered by VirusBlokAda
  34. Rootkit.Win32.Stuxnet Geography. Source: http://ebiquity.umbc.edu/blogger/wp-content/uploads/2010/09/stuxnet.gif
  35. Stuxnet in Action: “A Game Changer”. 10-30 developers (!!!). Stuxnet has some 4,000 functions (software that runs an average email server has about 2,000 functions). Exploits a total of four unpatched Microsoft vulnerabilities and compromises two digital certificates.
     • Self-replicates through removable drives
     • Spreads in a LAN through a vulnerability in the Windows Print Spooler
     • Copies and executes itself on remote computers through network shares
     • Updates itself through a peer-to-peer mechanism within a LAN
     • Contacts a remote command and control server
     • Modifies code on the Siemens PLCs
     • Hides modified code on PLCs
  36. Vulnerability Timeline. Source: Burton Group
  37. …Let’s talk about Patch Management (PM)
     • Mostly Microsoft, security-related patches
     • “It’s not the deployment, but the whole process evolving” AKA Pizza Night.
     • 20%-50% FTE is dedicated to PM
     • Common SLAs: 3…6…or sometimes 12 months!!
     • VIP patches: up to a week
     • Non-security patches’ SLA: hardware upgrades / where vendor support is needed
  39. Generic Cyber Attacks
     1. Individuals / Groups
     2. Criminal / Nationalistic background
     3. Lots of intervals
     4. Lots of targets
     5. Common tools
  40. Distributed Denial Of Service (DDOS)
     1. Targets websites, internet lines etc.
     2. Legitimate traffic
     3. Many different sources
     4. From all over the world
     5. Perfect timing
  41. Advanced Persistent Threat (APT)
     1. Group / Org. / State
     2. Ideological / Nationalistic background
     3. Multi-layered attack
     4. Targeted
     5. Variety of tools
     6. Impossible to detect in real time (???)
  42. Security “Threatscape”
  43. Thank You! Scan Me To Your Contacts:
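An added example (not from the deck or from STKI) of the triage logic that slides 16-21 argue for: signature blacklists and whitelists settle the popular ends of the prevalence curve, and only the low-prevalence unknowns, the long tail where most malware sits, are sent for deeper analysis instead of yet another signature lookup. The hash prefixes, prevalence counts and the threshold are constructed sample values.

```python
"""Prevalence-based triage of files, illustrating the "long tail" argument:
known-bad and known-good lists cover high-prevalence files, rare unknowns
need behavioural/sandbox analysis. All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample reputation data; short strings stand in for file hashes.
BLACKLIST: Set[str] = {"aa11", "bb22"}   # known-bad (signature hits)
WHITELIST: Set[str] = {"cc33", "dd44"}   # known-good (vendor-signed, catalogued)
PREVALENCE: Dict[str, int] = {           # number of machines that reported this hash
    "aa11": 120000, "bb22": 8000, "cc33": 500000, "dd44": 900,
    "ee55": 3, "ff66": 1, "gg77": 250, "hh88": 2,
}
LONG_TAIL_THRESHOLD = 50  # assumed cut-off: fewer installs than this is "low prevalence"


@dataclass
class Verdict:
    sha: str
    action: str   # "block", "allow" or "analyze"
    reason: str


def triage(sha: str, prevalence: int) -> Verdict:
    """Blacklist first, then whitelist; what remains is unknown. A popular
    unknown can be allowed and monitored, a rare unknown is the long tail."""
    if sha in BLACKLIST:
        return Verdict(sha, "block", "blacklisted (known-bad signature)")
    if sha in WHITELIST:
        return Verdict(sha, "allow", "whitelisted (known-good)")
    if prevalence >= LONG_TAIL_THRESHOLD:
        return Verdict(sha, "allow", f"unknown but prevalent ({prevalence} installs); monitor")
    return Verdict(sha, "analyze", f"long tail ({prevalence} installs); sandbox/behavioural analysis")


def run_triage(prevalence: Dict[str, int]) -> List[Verdict]:
    """Apply triage to every observed hash."""
    return [triage(h, n) for h, n in prevalence.items()]


def long_tail_share(prevalence: Dict[str, int]) -> float:
    """Fraction of the unknown (neither listed) files that fall in the long tail,
    i.e. the part of the population that lists cannot settle."""
    unknown = [h for h in prevalence if h not in BLACKLIST and h not in WHITELIST]
    tail = [h for h in unknown if prevalence[h] < LONG_TAIL_THRESHOLD]
    return len(tail) / len(unknown) if unknown else 0.0


if __name__ == "__main__":
    for v in run_triage(PREVALENCE):
        print(f"{v.sha}: {v.action:8s} {v.reason}")
    print(f"long-tail share of unknown files: {long_tail_share(PREVALENCE):.0%}")
```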