Cyber [Crime|War] - SourceBoston 2011

The last and final presentation of the Cyber-[Crime|War] research at Source Boston 2011.

  1. Iftach Ian Amit | April 2011 - Cyber[Crime|War]: Connecting the Dots. Iftach Ian Amit: VP Consulting, Security Art; Board Member, CSA Israel; IL-CERT Dreamer; DC9723. All rights reserved to Security Art ltd. 2002-2010, www.security-art.com
  2. The Disclaimer: This is "hacker" me, and my own personal opinion only. This has got nothing to do with work stuff. The "work" me is often suited and talks in acronyms and industry best-practices stuff.
  3. Agenda
     • Who am I?
     • CyberWar [Attack | Defense]
     • CyberCrime [Attack | Defense]
     • History revisited
     • Connecting the dots...
     • Future
  4. Who Am I (image slide)
  5. This is NOT going to be... (image slide)
  6. Picking up where we left off - at least as far as last year's research is concerned...
  7. "Boss, is this supposed to be on the internet? We probably need to call someone..." / "I think this is from my PowerPoint!"
  8. Finally de-classified... (on public domain): the initial "trace" or lo-jack used to track down the thief...
  9. Hungry yet? That was just the appetizer...
  10. Question 1: What is this? (image slide)
  11. Question 1: What is this? (image slide)
  12. Perceptions may be deceiving... War / Crime
  13. War vs. Crime
     War:
     • Government / state
     • Official backing
     • Official resources: financing; expertise?; exploits/vulns?
     Crime:
     • Private
     • Semi-official backing (org. crime)
     • Official resources: self financing?; established expertise (in-house + outsourced); market for exploits
  14. CyberWar: "Cyberwarfare, (also known as cyberwar and Cyber Warfare), is the use of computers and the Internet in conducting warfare in cyberspace." (Wikipedia)
  15. It did not happen yet. Estonia being an exception? "There is no Cyberwar"
  16. This is not the only way! Neither is this... But civilians are always at stake!
  17. Many faces of how CyberWar is perceived... From McAfee's "Virtual Criminology Report". Image caption: "countries developing advanced offensive cyber capabilities"
  18. We'll focus on current players. And no, here size does NOT matter...
  19. USA
     • Thoroughly documented activity around cyberwar preparedness, as well as military/government agencies with readily available offensive capabilities
     • Massive recruiting of professionals in attack/defense for different departments:
       • USCC (United States Cyber Command - includes Air Force, Marines, Navy and Army service components)
       • NSA
       • Other TLAs...
  20. Russia
     • GRU (Main Intelligence Directorate of the Russian Armed Forces)
     • SVR (Foreign Intelligence Service)
     • FSB (Federal Security Service)
     • Center for Research of Military Strength of Foreign Countries
     • Several "National Youth Associations" (Nashi)
  21. China
     • PLA (People's Liberation Army)
     • Homework: read the Northrop Grumman report...
     • General Staff Department 4th Department - Electronic Countermeasures == Offense
     • GSD 3rd Department - Signals Intelligence == Defense
     • Yes... Titan Rain...
  22. Iran
     • Telecommunications Infrastructure Co.
     • Government telecom monopoly
     • Iranian Armed Forces
  23. Israel
     • This is going to be very boring... Google data only :-(
     • IDF (Israel Defense Forces) adds cyber-attack capabilities.
     • C4I (Command, Control, Communications, Computers and Intelligence) branches in the Intelligence and Air Force commands
     • Staffing is mostly homegrown - trained in the army and other government agencies.
     • Mossad? (check out the jobs section on mossad.gov.il...)
  24. CyberWar - Attack: Highly selective targeting of military (and critical) resources, in conjunction with a kinetic attack; OR massive DDoS in order to "black out" a region, disrupt services, and/or push a political agenda (propaganda).
  25. CyberWar - Defense
     • Never just military
     • Targets will be civilian
     • Physical and logical protections = last survival act
     • Availability and integrity of services
     • Can manifest in the cost of making services unavailable for most civilians
  26. CyberCrime
  27. "You want money, you gotta play like the big boys do..."
     Figure 2: Organizational chart of a Cybercrime organization (top down):
     • Criminal Boss
     • Under Boss: Trojan Provider and Manager (Trojan Command and Control; Attackers; Crimeware Toolkit Owners; Trojan distribution in legitimate websites)
     • Campaign Managers (several)
     • Affiliation Networks (several)
     • Stolen Data Resellers (several)
  28. CyberCrime - Attack
     • Channels: web, mail, open services
     • Targeted attacks on premium resources
       • Commissioned, or for extortion purposes
     • Carpet bombing for most attacks
       • Segmenting geographical regions and market segments
     • Secondary infections through controlled outposts
       • Bots, infected sites
  29. CyberCrime - target locations (map)
  30. CyberCrime - Locations: major Cybercrime group locations (map)
  31. CyberCrime - Ammunition =≈ APT
  32. (image slide)
  33. CyberCrime - Defense
     • Anti [ Virus | Malware | Spyware | Rootkit | Trojan ]
       • Seriously?
     • Firewalls / IDS / IPS
       • Seriously?
       • Brought to you by the numbers 80, 443, 53... (the ports every perimeter already lets through)
       • SSL... (and the IDS can't see inside it)
  34. How do these connect? Claim: CyberCrime is being used to conduct CyberWar. Proof: let's start with some history...
  35. History - Revisited... Estonia: You read all about it. Bottom line: civilian infrastructure was targeted; attacks originated mostly from civilian networks.
  36. History - Revisited... Israel: Operation Orchard, September 6th, 2007. Source: Der Spiegel. Source: http://en.wikipedia.org/wiki/Operation_Orchard
  37. Mid-east crime-war links: ARHack - hacker forum by day, cybercrime operations by night
  38. (ARHack forum screenshots) Political post; buying/selling cards for 1/2 their balance; selling 1600 Visa cards
  39. History - Revisited... Georgia: More interesting... Highly synchronized kinetic and cyber attacks. Targets still mostly civilian. Launched from civilian networks.
  40. Russian Crime/State Dilemma (diagram): Micronnet, McColo, Atrivo, Eexhost, ESTDomains, RBN, RealHost
  41. (diagram) Russian Crime / Government: ESTDomains, RBN, Atrivo, McColo, UkrTeleGroup, HostFresh. Legend: hosted by / customer / network provider
  42. Remember Georgia?
     • Started by picking on the president...
       flood http www.president.gov.ge
       flood tcp www.president.gov.ge
       flood icmp www.president.gov.ge
     • Then the C&C used to control the botnet was shut down as:
       • Troops cross the border towards Georgia
       • A few days of silence...
  43. Georgia - cont.
     • Six (6) new C&C servers came up and drove attacks at additional Georgian sites: www.president.gov.ge, os-inform.com, www.parliament.ge, www.kasparov.ru, apsny.ge, hacking.ge, mk.ru, news.ge, newstula.info, tbilisiweb.info, skandaly.ru, newsgeorgia.ru
     • BUT - the same C&Cs were also used for attacks on commercial sites in order to extort them (botnet-for-hire). Additional sites attacked: porn sites, carder forums, adult escort services, gambling sites, Nazi/racist sites, Webmoney/Webgold/etc...
     • BTW - guess who the owners of all the Georgian ISPs were? (Russia)
  44. Georgia - cont.
     • Final nail in the coffin: the city of Gori
       • DDoS hits all municipal sites: August 7th 2008 at 22:00
       • Complete network disconnect of the district: August 8th 06:00
       • First strike on the city: August 8th 07:30
  45. History - Revisited... Iran: 2009 Twitter DNS hack attributed to Iranian activity. Political connections are too obvious to ignore (elections). Timing was right on: protests by the opposition; UN Council leadership; decisions in Tehran.
  46. (image slide)
  47. Iran-Twitter connecting dots
     • Twitter taken down December 18th 2009
     • Attack attributed eventually to cyber-crime/vigilante group named "Iranian Cyber Army"
     • Until December 2009 there was no group known as "Iranian Cyber Army"...
     • BUT - "Ashiyane" (Shiite group) is from the same place as the "Iranian Cyber Army"
  48. (image slide)
  49. Iran-Twitter - Ashiyane
     • Ashiyane was using the same pro-Hezbollah messages that were used on the Twitter attack with their own attacks for some time...
     • AND the "Iranian Cyber Army" seems to be a pretty active group on the Ashiyane forums: www.ashiyane.com/forum
     Let's take a look at how Ashiyane operates...
  50. On [Crime|War] training: Ashiyane forums - WarGames
  51. Wargames targets include: (screenshot)
  52. Back to [Crime|War] Links: What else happened on the 18th? Later on - Baidu takedown with the same MO (credentials)
  53. Mapping Iran's [Crime|War] (diagram). Crime side - Ashiyane: site DDoS, defacement, botnet herding, credit card theft, $$; countries on the map: Iran, US, Iraq, UK. War side: Iranian Strategic Cyber Attacks, US CN
  54. Iran - the unspoken
     • Stuxnet
     • There, I've said it
  55. History - Revisited... China
     • Great Chinese Firewall doing an OK job in keeping information out.
     • Proving grounds for many cyber-attackers
     • Bulletproof hosting (after RBN's temporary closure in 2008, China provided an alternative that stayed...)
  56. China ...connecting the dots: January 12th (2010) - Google announces it was hacked by China. Not as in the "we lost a few minutes of DNS" hacked... "In mid-December we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google" (David Drummond, SVP @ Google)
  57. China ...connecting the dots: January 12th - Adobe gets hacked. By China. "Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated coordinated attack against corporate network systems managed by Adobe and other companies" (Adobe official blog). Same MO: 0-day in Internet Explorer to get into Google, Adobe and more than 40 additional companies.
  58. China ...connecting the dots... Problem: the attacks all carry the signs of Cybercrime... Criminal groups attack companies in order to get to their data so they can sell it (whether it was commercial or government data!). US response: "We look to the Chinese government for an explanation. The ability to operate with confidence in cyberspace is critical in a modern society and economy." (Hillary Clinton, Secretary of State)
  59. China ...connecting the dots.... The China move: use of criminal groups to carry out the attacks provides the perfect deniability on espionage connections (just like in the past, and a perfect response to Clinton). Targets are major US companies with strategic poise to enable state-interest espionage. Information sharing at its best: State - Crime, Win - Win.
     Anecdote: a professor in one of the Chinese universities linked to the attack admitted that the school network is often used to anonymously relay attacks.
  60. How does APT fit here? RSA
     • Infection vector: Flash vulnerability exploited through an Excel file
     • Persistence: using Poison Ivy as the trojan
     • Exfiltration: pack data in password-protected RAR files and upload to FTP
  61. APT ...connecting the dots: Compared to what we just reviewed, that was a SIMPLE attack... The trojan is not even a "commercial" product (free download at http://www.poisonivy-rat.com/)
  62. APT ...connecting the dots....? (matrix: Infiltration / C&C / Persistence, Exfiltration)
     • Infiltration: Phishing (APT?!) vs. Social/physical (Advanced APT)
     • C&C: Simple C&C (HTTP) vs. Advanced C&C (p2p, lateral move)
     • Exfiltration: Simple exfil (FTP) vs. Advanced exfil (DNS, VoIP)
     Bottom line: Not a direct state attack - Criminals again...
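The C&C and exfiltration channels that slides 33, 60 and 62 put side by side (HTTP beaconing over the ports every perimeter already allows, password-protected RAR archives pushed out over FTP, data tunnelled through DNS on port 53) leave traces in ordinary proxy, FTP and DNS logs. The Python below is an added example and is not part of the presentation or of any tool it names: the log line format, the three detection rules, the thresholds and the sample log entries are all constructed, and the 10.0.0.x / 203.0.113.x addresses and example.org / example.net names are placeholders.

```python
"""Toy detector for the 'simple' and 'advanced' C&C/exfil channels of the
slide-62 matrix, run over constructed proxy, FTP and DNS log lines.
Added example, not from the presentation; format, thresholds and samples are
all assumptions made for illustration."""
import math
import re
from collections import defaultdict

# Constructed log format (assumption): "<epoch> <src_ip> <proto> <dst> <detail>"
#   HTTP: detail = URL path   FTP: detail = "STOR <file> <bytes>"   DNS: detail = queried name
LINE_RE = re.compile(r"^(\d+) (\S+) (HTTP|FTP|DNS) (\S+) (.+)$")

# Toy thresholds (assumptions; tune per environment)
BEACON_MIN_HITS = 4      # polls of the same URL before we call it a beacon
BEACON_JITTER_S = 5      # max spread between inter-poll gaps, in seconds
ARCHIVE_EXT = (".rar", ".zip", ".7z")
DNS_MIN_LABEL_LEN = 30   # a leftmost label this long is unusual for real hostnames
DNS_MIN_ENTROPY = 3.5    # bits/char: encoded payloads score high, "aaaa..." scores 0


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(lines):
    """Yield (ts, src, proto, dst, detail) tuples, silently skipping malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, proto, dst, detail = m.groups()
            yield int(ts), src, proto, dst, detail


def detect(lines):
    """Return a sorted list of (rule, src_ip, indicator) findings."""
    findings = set()
    http_hits = defaultdict(list)          # (src, dst, path) -> [timestamps]
    for ts, src, proto, dst, detail in parse(lines):
        if proto == "HTTP":
            http_hits[(src, dst, detail)].append(ts)
        elif proto == "FTP":
            # Simple exfil: an archive pushed to an outside FTP server (RSA-style RAR over FTP).
            m = re.match(r"STOR (\S+) (\d+)$", detail)
            if m and m.group(1).lower().endswith(ARCHIVE_EXT):
                findings.add(("simple_exfil_ftp_archive", src, dst))
        elif proto == "DNS":
            # Advanced exfil: data smuggled in long, high-entropy labels of port-53 queries.
            label, _, parent = detail.partition(".")
            if len(label) >= DNS_MIN_LABEL_LEN and shannon_entropy(label) >= DNS_MIN_ENTROPY:
                findings.add(("advanced_exfil_dns_tunnel", src, parent))
    # Simple C&C: one client polling one URL at a near-constant interval (beaconing on 80/443).
    for (src, dst, path), times in http_hits.items():
        if len(times) < BEACON_MIN_HITS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER_S:
            findings.add(("simple_c2_http_beacon", src, dst + path))
    return sorted(findings)


# Constructed sample: one infected host (10.0.0.5) doing all three, plus benign noise.
SAMPLE_LOG = [
    "1300000000 10.0.0.5 HTTP 203.0.113.7 /update.php",
    "1300000060 10.0.0.5 HTTP 203.0.113.7 /update.php",
    "1300000120 10.0.0.5 HTTP 203.0.113.7 /update.php",
    "1300000180 10.0.0.5 HTTP 203.0.113.7 /update.php",
    "1300000010 10.0.0.5 HTTP 93.184.216.34 /index.html",   # irregular browsing, not a beacon
    "1300000300 10.0.0.5 HTTP 93.184.216.34 /index.html",
    "1300000311 10.0.0.5 HTTP 93.184.216.34 /index.html",
    "1300000900 10.0.0.5 HTTP 93.184.216.34 /index.html",
    "1300000250 10.0.0.5 FTP 203.0.113.9 STOR financials_q1.rar 5242880",
    "1300000400 10.0.0.8 FTP 203.0.113.9 STOR report.pdf 12345",   # non-archive upload, ignored
    "1300000500 10.0.0.5 DNS 10.0.0.2 4b7a9f2e1c8d3a6f5b0e9d2c7a1f8e3b4c6d.upd.example.org",
    "1300000501 10.0.0.8 DNS 10.0.0.2 www.example.com",
    "1300000502 10.0.0.8 DNS 10.0.0.2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn.example.net",  # long but zero entropy
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for rule, src, indicator in detect(SAMPLE_LOG):
        print(f"{rule:28s} {src:10s} {indicator}")
```

Run stand-alone it reports three findings for 10.0.0.5 (DNS tunnel to upd.example.org, HTTP beacon to 203.0.113.7/update.php, RAR upload to 203.0.113.9) and nothing for the other lines. The two negative cases are the point of the slide: the long all-"a" label shows why label length alone is a poor rule, and the irregular index.html visits show why hit count alone is, too. Port 80/443/53 being "allowed" says nothing about what is inside the traffic, which is exactly the gap slide 33 is mocking.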
  63. The Future (Illustrated): CLOUDS
  64. Summary
     • Good: formal training on cybersecurity by nations
     • Bad: commercial development of malware still reigns
     • Ugly: Good meet Bad: money changes hands, fewer tracks to cover, criminal ops already creating the weapons...
  65. Summary - The Future
     • Lack of legislation and cooperation on a multi-national level is creating a de-facto "safe haven" for cybercrime. <- Fix this!
     • Treaties and anti-crime activities may prove to be beneficial. <- Translate to politics/law!
  66. Thanks! Q&A. iamit@iamit.org; pro: iamit@security-art.com; twitter: twitter.com/iiamit; blog: iamit.org/blog
