This presentation shows how technology evolution has allowed syndicate criminals to become organised criminal “corporations”. How the evolution of hacking and the cyber world is putting our society at risk.

1. Delivering the best in z services, software, hardware and training.Delivering the best in z services, software, hardware and training.
Delivering the best in z services, skills, security and software.
Cybercrime, Inc.

2. Agenda
• Introductions
• Criminals and criminal organisations
• Cyber Crime
• Cybercrime, Inc.
• Hacking for Profit
• Being a Hacker
• Mainframe – The Crown Jewel
• What Can We Do?
• Before We Go
• Questions and Answers… maybe…

3. Who am I? A quick introduction…
RUI MIGUEL FEIO
• Senior Technical Lead at RSM Partners
• Based in the UK but travels all over the world
• 18 years experience working with mainframes
• Started with IBM as an MVS Sys Programmer
• Specialist in mainframe security
• Experience in other platforms

4. Introducing RSM Partners
• Sole Focus is IBM Mainframe Services
• IBM Business Partner
• World Leading, 1,000+ Man Years Experience
• Run 3 mainframes in-house
• Working with large financial, retail & utility companies
• One area of specialism is mainframe security:
– Whole range of services, Audits, pen tests, migrations and
security remediation programs
• We have a reputation for deliver:
– On time, On budget, Every Time

5. Criminals and Criminal
Organisations

6. Criminals from the past
Al Capone Pablo Escobar

7. • Some of the most well known criminal
organisations, the “Old Boys”:
– Cosa Nostra (Italian Mafia)
– Japanese Yakuza
– Chinese Triads
– Russian Mafia
– Nigerian mobs
– Latin American cartels
Criminal organisations

8. Why Crime?

9. In the modern world
* https://www.emarketer.com/Article/Worldwide-Retail-Ecommerce-Sales-Will-Reach-1915-Trillion-This-Year/1014369

10. New type of criminals
https://www.fbi.gov/investigate/cyber/most-wanted

11. New type of criminals
https://www.fbi.gov/investigate/cyber/most-wanted

12. New type of criminals

13. Cyber Crime

14. • Highly profitable (it’s always about the money)
• Low risk (anonymity and geographical location)
• More efficient due to technology
• Globally dispersed, with special concentration in:
Why Cyber Crime?
• Ukraine • China • Brazil
• Russia • Indonesia • USA
• Romania • Taiwan • Turkey
• Bulgaria • India • Nigeria

15. • They have adapted!
• Criminals and criminal organisations have adapted to the “new
modern world”.
• In fact, a 2014 study from the Rand Corporation says that:
“80% of hackers work with or are part of an organised crime group”
• The “Old Boys” have employed old strategies and traditional
business models and created the “Cybercrime, Inc.”.
What happened to the “Old Boys”?

16. Cybercrime, Inc.

17. • Cybercrime, Inc. is highly organised
• Deeply sophisticated:
– Business approach
– Towards the ‘client’
• Uses typical corporate strategies:
– Creative financing
– Global logistics
– Supply chain and workforce management
– Business and market analysis
– Focused on the client’s needs
Business Model

18. • Some of the new ‘business’ opportunities:
• Identity theft
• Intellectual property theft
• Trade secrets
• Industrial espionage
• Sensitive data theft
• Online extortion
• Financial crime
• Data manipulation
Business Opportunities

19. • Some of the tactics and methods used by Cybercrime, Inc.:
– Phishing and spear phishing
– Man-in-the-middle
– Vulnerabilities
– Spam
– Botnets
– Scareware, Malware and Ransomware
– DoS and DDoS
– …
Tactics Employed

20. Typical Business Organisation
CEO
CFO
Management
Sales People
CIO
Management
Researchers Developers Engineers QA Testers Tech Support
HR Director CMO
Management
Distributors Affiliates

21. Cybercrime, Inc.
CEO
(Boss)
CFO
(Underboss)
Management
(Lieutenant)
Money Mules
(Soldiers &
Associates)
CIO
(Underboss)
Management
(Lieutenant)
Researchers
(Soldiers)
Developers
(Soldiers)
Engineers
(Soldiers)
QA Testers
(Soldiers)
Tech Support
(Soldiers)
HR Director
(Underboss)
CMO
(Underboss)
Management
(Lieutenant)
Distributors
(Soldiers)
Affiliates
(Associates)

22. • Traditional desktops and servers
• Mobile devices
• Internet of Things (IoT) devices
• “Cloud” systems
• Supervisory Control And Data Acquisition (SCADA) devices
• GPS Systems
• Tracking Systems
• Implanted medical devices (IMDs)
• …
• Targeting data and the ability to control resources
Technological Targets

23. Hacking for Profit

24. • Founded by Sam Jain and Daniel Sundin
• Developed scareware rogue security SW
• Offices in 4 continents and HQ in Ukraine
• Support centres in US, Argentina and India
• Marketed products under more than 1,000
different brands and in 9 languages
• From 2002 to 2008 IMI generated hundreds
of millions of dollars in profit.
IMI – Innovative Marketing Inc.

25. IMI – Innovative Marketing Inc.

26. Carbanak Group (aka Anunak)
• First identified in early in 2015 by Kaspersky Lab
• Used an Advanced Persistent Threat (APT)
campaign targeting financial institutions
• Estimated $1 Billion US dollars have been stolen
in an attack against 100 banks and private
customers
• Targeted primarily Russia, United States,
Germany, China and Ukraine

27. Cybercrime, Inc. is Very Profitable
https://www.scmagazine.com/loss-from-cybercrime-exceeded-13b-in-2016-fbi-report/article/671047/

28. Being a Hacker

29. • Hackers are not born hackers, they are trained
• Enormous amount of free educational material in the internet and
in the underworld (dark web)
• PC games:
– Uplink
– Hacker Experience
– Torn City
– Hacknet
– Hackers (for iOS and Android)
Looking for a Hacker

30. Anyone who feels attracted or enjoys:
– Technology
– Challenge
– The thrill
– Adventure
– Danger
– Money
– Respect
– Fame
Who wants to be a Hacker?

31. Mainframe – The Crown
Jewel

32. • The mainframe processes and stores larges volumes of data
• It’s considered the most secure platform in the world that cannot
be hacked
• As such, it does not require big investments in security…
• Unfortunately, it’s not quite so. The truth is:
• The mainframe is a platform that is highly securable but not
secured by default. Investment and resources are required to
secure it
The Mainframe

33. Hacking the Mainframe

34. • Last month, did a mainframe security audit on a financial institution
who has had mainframe security issues in the past.
• 4 Production mainframe systems were in scope.
One should learn from one’s mistakes
Classification SYS1 SYS2 SYS3 SYS4
High 42 33 40 36
Medium 28 21 24 27
Low 12 11 12 11
Total out of
89 found
82 65 76 74

35. The SWIFT Hackings

36. • One of the banks targeted by the SWIFT attacks contacted RSM
Partners to help them securing the mainframe.
• Their mainframe had been compromised… almost a year ago!!!
• First phase was to do a mainframe security audit on 2 of their
production systems.
A Wake Up Call
Classification Score
High 34
Medium 41
Low 18
Total: 93

37. On a Pen Test at one of the top 5 US banks:
• Client was convinced they had a top of the art
network security system.
• I decided to unplug Ethernet cable from one of
the terminals and connect it to my laptop
• This went without detection
• I was able to run a port scan on the mainframe
without detection
• This was just the beginning!!...
They Could Have Been Next

38. On a Pen Test at one of the top 5 US banks:
• Client was convinced they had a top of the art
network security system.
• I decided to unplug Ethernet cable from one of
the terminals and connect it to my laptop
• This went without detection
• I was able to run a port scan on the mainframe
without detection
• This was just the beginning!!...
They Could Have Been Next
Vulnerabilities
24 high risk
25 medium risk
2 low risk

39. 1. RACF Database is not adequately protected
2. RACF profiles in WARNING mode
3. Excessive access to APF Libraries
4. Inappropriate usage of z/OS UNIX Superuser Privilege, UID = 0
5. Dataset profiles with UACC of READ
6. MVS and JES2 commands not properly protected
7. SERVAUTH class not active or without proper profiles in place
8. Cryptographic keys and services not properly protected
9. Excessive number of personal userids with system wide privileges
10. Unix System Services security being neglected
What we keep seeing

40. What Can We Do?

41. • Security must be taken seriously by everyone!
– Governments, companies, and individuals need to be security
conscious and security oriented
• Usual security recommendations apply:
– Keep security systems updated and up-to-date
– Question the origin of everything
– Be mindful of:
• The information you share and make ’publicly’ available
• Free Wifi hotspots (free can be become very expensive)
What can we do?

42. • Invest in security!
• Consider (as in doing!) regular:
– Security audits
– Penetration tests
– Vulnerability analysis
• Seek help for experts in the field to help to improve security
• Keep informed (training, conferences, articles, books, …)
• Don’t facilitate (weak passwords, use of same password, …)
What can we do?

43. • There must be no at home and at the office attitude. Security
awareness must always be present.
• Read before you ‘click’.
• Search, ask.
• Security must be seen as a whole! The mainframe is part of an
ecosystem of other systems and platforms.
• Ultimately, if this is too much. Just switch off every electronical
device and go back to pen and paper.
What can we do?

44. Before We Go

45. Before we go – Remember!!
• Be mindful • Be aware

46. Questions?

47. Rui Miguel Feio
RSM Partners
ruif@rsmpartners.com
mobile: +44 (0) 7570 911459
www.rsmpartners.com
Contact