This document is an agenda for a presentation on cyberwarfare and cybercrime. It discusses perceptions of cyberwar versus cybercrime and focuses on current players in cyberwar like the USA and Russia. Various US government cyberwarfare agencies and capabilities are mentioned, as well as Russian intelligence agencies involved in cyber operations. The document explores different views on what constitutes cyberwar.
The document discusses cyberwarfare capabilities of various countries including the USA, Russia, China, Iran, and Israel. It notes government and military agencies in each country involved in offensive and defensive cyber operations. Examples given include the US Cyber Command, Russian GRU and FSB, China's PLA, Iran's military and telecom monopoly, and Israel's IDF and Mossad. Cyberwar attacks are described as potentially involving highly selective targeting of military resources alongside kinetic attacks, or large-scale distributed denial of service attacks.
This document discusses cyberwarfare and cybercrime. It begins with a disclaimer from the author stating this is his personal opinion. The agenda covers cyberwar attack and defense, cybercrime attack and defense, and connecting history to the future. Countries seen as developing advanced cyber capabilities are discussed, including the US, Russia, China, Iran, and Israel. Cyberwar attack is described as highly selective targeting of military and critical resources, often in conjunction with kinetic attacks.
The document discusses sources of data on security breaches and where to find qualified security personnel. It analyzes breach data trends from vendors, incident response firms, and mandatory disclosure databases. The analysis finds that while common problems still exist, attacks are becoming more advanced, and good security experts can be found in a variety of companies and roles, not just large firms or traditional security jobs. Hiring should focus on technical skills rather than titles or certifications.
This document discusses bridging gaps in information security and preparing for the future. It notes that the CIO and CISO roles are similar, as both require an understanding of technology and business, branding, and leadership. It emphasizes that information security and IT do not own risk, and that a "just say yes" approach works better than fear, uncertainty, and doubt messaging. It also stresses the importance of measurement, education, and leveraging existing frameworks to improve security and reduce risks like data loss.
Jeremy Allen - Rajendra Umadas - Network Stream Hacking With Mallory (Source Conference)
Mallory is a man-in-the-middle proxy tool that was created to simplify common tasks in mobile application assessments such as setting up proxies and dealing with multiple protocols. It can intercept both HTTP and HTTPS traffic as well as other protocols like SSH and DNS. The tool has both a graphical user interface and programmatic APIs to modify intercepted traffic streams for tasks like fuzzing. It was demonstrated intercepting and modifying traffic for protocols like VNC and SSL.
The document summarizes recent developments in computer crime law, specifically regarding interpretations of the federal Computer Fraud and Abuse Act. It discusses how courts have broadly interpreted what constitutes unauthorized access, including violating an employer's computer use policies. It also notes problems with prosecutors trying to double-count penalties for unauthorized access by charging it as a felony in furtherance of another crime when it is essentially the same conduct. The future could see legislative changes enhancing penalties for computer crimes.
This document discusses how files can contain data in multiple formats by piggybacking one file type into another. It provides examples of how files like JPEGs, PDFs, and GIFs can sometimes contain additional hidden data like archives, scripts, or documents. This technique could allow for covert channels, bypass of security tools like antivirus, and denial of service attacks if file size limits are not properly enforced. The document recommends defenses like validating the full file contents and allowed extensions for file uploads to prevent abuse of this flexibility in file formats.
This document summarizes key issues to consider when establishing security regulations for cloud computing and outsourcing arrangements. It outlines topics such as: defining security breaches and responsibilities; establishing enforceable contract terms around security policies, third party access, data transmission and disposition; understanding applicable laws; and ensuring security obligations survive termination. The document provides sample contract language addressing notification of policy changes, rights to terminate for security impacts, data deletion obligations, and prior notice of governmental data access requests.
Brian Honan, IRISSCERT
Social media networks provide individuals and businesses with exciting opportunities to communicate and collaborate with others throughout the world. But with these opportunities come a number of security challenges and risks. This talk will outline how social media networks can pose various threats to businesses, from information leakage, reputational damage, to social engineering profiling, and vectors for enabling compromise of corporate systems. Social media networks also enable the rapid dissemination of news which, in the event of an information security breach, could either save or destroy an organisation's reputation. Understanding and dealing with these challenges will enable companies to like and favourite social media networks in a secure way.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3) and an adjunct lecturer on Information Security in University College Dublin. He is the author of the book "ISO 27001 in a Windows Environment" and co-author of "The Cloud Security Rules", and regularly speaks at major industry conferences. In 2013 Brian was awarded SC Magazine's Information Security Person of the Year for his contribution to the computer security industry.
The document discusses challenges for incorporating security practices into agile development and proposes a "Security Toolbox" to help development teams identify and mitigate security risks through the use of accepted security knowledge bases and guidance mapped to specific architectural elements. The toolbox is intended to minimize "Security Debt" by predicting security issues upfront and providing acceptance tests and estimates to integrate security into sprint planning and product backlogs. An example is provided of how the toolbox could be applied to help three development teams implement a secure online comment system.
Wim Remes SOURCE Boston 2011 Prezo
Among the blind, the squinter rules.
Security visualization in the field.
@wimremes on twitter
wremes-at-gmail-dot-com
The document discusses analyzing and exploiting unknown radio protocols. It begins by outlining the methodology, which includes dissecting devices to identify chipsets, determining modulation schemes and frequencies, and building custom transceivers. Examples are provided of exploiting protocols from remote controls, fitness trackers, and keyboards. Specific chips like the Nordic nRF24L01 and techniques like sniffing without promiscuous mode support are examined. The document concludes by demonstrating how to sniff Microsoft keyboard traffic using the GoodFET device and custom firmware.
Reputation Digital Vaccine: Reinventing Internet Blacklists (Source Conference)
The document discusses HP TippingPoint's Reputation Digital Vaccine (Reputation DV) service, which aims to rapidly counteract advanced Internet attacks by classifying hosts along a reputable-disreputable continuum. It does this through novel methods to identify and track Internet hosts, providing intelligence feeds that enable customers to actively enforce reputation-based security policies. The service implements a multi-step approach including gathering intelligence from various sources, analyzing hosts through active and passive techniques, applying machine learning algorithms to classify hosts and assign reputation scores, and distributing the intelligence to customers. Observations made in developing the system and ideas for further improving reputation-based security are also discussed.
This document discusses obfuscation techniques used in malware to conceal code and communications. It begins with an introduction and disclaimer, then covers various obfuscation methods including string obfuscation using ciphers, code obfuscation to make analysis difficult, and obfuscating command and control communications. While obfuscation aims to prolong undetected operation, the document notes that obfuscated malware can ultimately be deobfuscated through memory analysis and other techniques.
1) The document discusses the trends of post-PC devices taking over the market and consumer brands crowding out traditional IT favorites. It also outlines how mobile operating systems differ from PCs in being more closed and focused on security.
2) It recommends that enterprises do not need mobile antivirus except for Android devices. They also do not need mobile data leak prevention or enforcing the same device brands.
3) The document outlines five things enterprises must do which include configuring devices to protect data, picking a sensible mobile password policy, supporting multiple devices, merging mobile IT and security teams, and creating a mobile access security covenant.
This document discusses several techniques for validating user input and preventing cross-site scripting (XSS) attacks in JavaServer Faces (JSF) applications. It covers built-in JSF validators, custom validators, output encoding tags, and using OWASP ESAPI to properly encode output. The document also discusses using an AccessController for authorization and injecting anti-CSRF tokens to defend against cross-site request forgery attacks.
Everything you should already know about MS-SQL post-exploitation (Source Conference)
Rob Beck, Director of Assessment at Attack Research, gave a presentation on MS-SQL post exploitation. He explained that SQL post exploitation involves the steps an attacker takes after gaining SQL access or command execution on a database. He outlined several techniques attackers use, including utilizing stored procedures to attack the host system, harvesting credentials from the database that may be valid elsewhere, and using the database as an attack framework by loading compiled code or scripts. He emphasized that many SQL instances remain vulnerable because they are run as privileged accounts like SYSTEM and have advanced options enabled without additional security configurations.
This document discusses the creation of a common standard and methodology for penetration testing called the Penetration Testing Execution Standard (PTES). It aims to eliminate poorly performed "scanner monkey" tests and provide clear guidelines. The standard was created by a group of experienced penetration testers and is available online. They are seeking feedback and contributors to help complete the guidelines. The organizers hope to present the standard at Blackhat 2011 and improve the quality of penetration testing industry-wide.
WFUZZ is a web application brute forcing and fuzzing tool that allows penetration testers to perform complex brute force attacks on various parts of web applications like parameters, authentication, forms, directories, files, and headers. It has features like multiple injection points, advanced payload management, multi-threading, encodings, result filtering, and proxy support. New features include HEAD method scanning, fuzzing HTTP methods, following redirects, a plugin framework, and result filtering. It uses a modular architecture with payloads, encoders, iterators, plugins, and printers to perform brute force tests quickly and efficiently.
social media - the cyber reality [screen notes] (jody wissing)
Social media is a reality and necessary for business and churches alike, but one size does not fit all. In this breakout session you will learn:
How to get started
Your strategy
Maintaining your conversations
Tips & resources
Case studies
Tracking what works
If you have questions you would like answered or social media topics you would like to discuss, please tweet to @embracechaos. #smreality
This document summarizes a presentation given to the USSTRATCOM Space and Cyber Symposium on the future of space and cyber. It outlines key trends in both domains, including systems becoming larger in scale but more distributed and complex, as well as an increasing number of threats. The document also lists priority technology areas and recommendations for the Air Force to maintain advantages in space, cyber, and energy technologies. Overall, the presentation argues that rapid technological change, growing complexity, connectivity, and foreign threats are converging to create serious challenges to US advantages in these critical domains.
CSO Magazine Confab 2013 Atlanta - Cyber Security (Phil Agcaoili)
The document discusses cybersecurity trends and the US government's efforts to define and secure critical infrastructure. It begins by defining critical infrastructure sectors and noting the increase in cyber attacks over the last decade. It then discusses an executive order and presidential policy directive that aim to improve information sharing, develop a cybersecurity framework, and define roles for securing critical infrastructure. The document provides summaries of cybersecurity reports and trends to support taking a risk-based, evidence-driven approach to cybersecurity.
The document discusses cyber security and homeland security. It covers:
1) The growth of cyber space from the first email in 1971 to billions of connected devices today and how cyber warfare is a reality.
2) The need for robust counter-terrorism mechanisms after 9/11 and how mega cities are critical to economic growth and the fight against terrorism.
3) Various technological frameworks and solutions proposed for homeland security, including command and control centers, interception systems, video surveillance, radio networks, geospatial technologies, and integrated databases.
Lessons 5, 18, 21 OFD, Air And Space Power Functions, AEF Doherty 27 Oct 09 (runningman825)
This document discusses air/space/cyber power and maneuver warfare. It covers the culture of "airmindedness", tenets of air/space/cyber power, distinctive capabilities, and power functions. It then discusses how air/space/cyber power can be applied across different dimensions of warfare and at the strategic, tactical, and operational levels through maneuver and fires. The briefing concludes by discussing officer force development and the next class topics on international studies and military law.
1) The document discusses how increasing reliance on cyber systems by governments, militaries, and societies could lead to cyber wars, which are cheaper and easier to conduct than traditional wars.
2) A cyber war could potentially be the first step to an actual World War III if critical infrastructure systems like power, transportation, and emergency services are compromised through cyber attacks.
3) The document proposes making military and government systems independent of the internet and creating specialized cyber armies to secure important national systems from cyber attacks in order to prevent cyber wars and their potential escalation into a global conflict.
Industrial Control Systems have cyber vulnerabilities. With critical infrastructure industries depending on control systems for their operations, they have become easy targets for cyber criminals. No industry or country can ignore these threats. The following advice from the US Department of Homeland Security to CEOs says it all: "Incorporate cyber risks into existing risk management and governance processes. Cyber Security is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization's governance, risk management, and business continuity frameworks provides the strategic framework for managing cyber security risk throughout the enterprise."
This document discusses cyber crime and cyber war. It begins with introductions from the speaker, Uday, who works in penetration testing and data analysis. Several topics are then brought up for discussion, including how cyber war is defined, how it differs from cyber crime and espionage, and whether real data exists to argue that cyber war is occurring. Business models for cyber crime, like pay-per-install malware distribution, are presented. The document aims to have an academic debate on these issues and determine what constitutes an actual cyber war.
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - its capabilities and the reasons for targeting mobile devices.
Brian Honan, IRISSCERT
Social media networks provide individuals and businesses with exciting opportunities to communicate and collaborate with others throughout the world. But with these opportunities come a number of security challenges and risks. This talk will outline how social media networks can pose various threats to businesses, from information leakage, reputational damage, to social engineering profiling, and vectors for enabling compromise of corporate systems. Social media networks also enable the rapid dissemination of news which in the event of an information security breach could either save or destroy an organisations reputation. Understanding and dealing with these challenges will enable companies to like and favourite social media networks in a secure way.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3), an adjunct lecturer on Information Security in University College Dublin. He is the author of the book "ISO 27001 in a Windows Environment" and co-author of "The Cloud Security Rules", and regularly speaks at major industry conferences. In 2013 Brian was awarded SC Magazine's Information Security Person of the year for his contribution to the computer security industry.
The document discusses challenges for incorporating security practices into agile development and proposes a "Security Toolbox" to help development teams identify and mitigate security risks through the use of accepted security knowledge bases and guidance mapped to specific architectural elements. The toolbox is intended to minimize "Security Debt" by predicting security issues upfront and providing acceptance tests and estimates to integrate security into sprint planning and product backlogs. An example is provided of how the toolbox could be applied to help three development teams implement a secure online comment system.
Wim Remes SOURCE Boston 2011 Prezo
Among the blind, the squinter rules.
Security visualization in the field.
@wimremes on twitter
wremes-at-gmail-dot-com
The document discusses analyzing and exploiting unknown radio protocols. It begins by outlining the methodology, which includes dissecting devices to identify chipsets, determining modulation schemes and frequencies, and building custom transceivers. Examples are provided of exploiting protocols from remote controls, fitness trackers, and keyboards. Specific chips like the Nordic nRF24L01 and techniques like sniffing without promiscuous mode support are examined. The document concludes by demonstrating how to sniff Microsoft keyboard traffic using the GoodFET device and custom firmware.
Reputation Digital Vaccine: Reinventing Internet BlacklistsSource Conference
The document discusses HP TippingPoint's Reputation Digital Vaccine (Reputation DV) service, which aims to rapidly counteract advanced Internet attacks by classifying hosts along a reputable-disreputable continuum. It does this through novel methods to identify and track Internet hosts, providing intelligence feeds that enable customers to actively enforce reputation-based security policies. The service implements a multi-step approach including gathering intelligence from various sources, analyzing hosts through active and passive techniques, applying machine learning algorithms to classify hosts and assign reputation scores, and distributing the intelligence to customers. Observations made in developing the system and ideas for further improving reputation-based security are also discussed.
This document discusses obfuscation techniques used in malware to conceal code and communications. It begins with an introduction and disclaimer, then covers various obfuscation methods including string obfuscation using ciphers, code obfuscation to make analysis difficult, and obfuscating command and control communications. While obfuscation aims to prolong undetected operation, the document notes that obfuscated malware can ultimately be deobfuscated through memory analysis and other techniques.
1) The document discusses the trends of post-PC devices taking over the market and consumer brands crowding out traditional IT favorites. It also outlines how mobile operating systems differ from PCs in being more closed and focused on security.
2) It recommends that enterprises do not need mobile antivirus except for Android devices. They also do not need mobile data leak prevention or enforcing the same device brands.
3) The document outlines five things enterprises must do which include configuring devices to protect data, picking a sensible mobile password policy, supporting multiple devices, merging mobile IT and security teams, and creating a mobile access security covenant.
This document discusses several techniques for validating user input and preventing cross-site scripting (XSS) attacks in JavaServer Faces (JSF) applications. It covers built-in JSF validators, custom validators, output encoding tags, and using OWASP ESAPI to properly encode output. The document also discusses using an AccessController for authorization and injecting anti-CSRF tokens to defend against cross-site request forgery attacks.
Everything you should already know about MS-SQL post-exploitationSource Conference
Rob Beck, Director of Assessment at Attack Research, gave a presentation on MS-SQL post exploitation. He explained that SQL post exploitation involves the steps an attacker takes after gaining SQL access or command execution on a database. He outlined several techniques attackers use, including utilizing stored procedures to attack the host system, harvesting credentials from the database that may be valid elsewhere, and using the database as an attack framework by loading compiled code or scripts. He emphasized that many SQL instances remain vulnerable because they are run as privileged accounts like SYSTEM and have advanced options enabled without additional security configurations.
This document discusses the creation of a common standard and methodology for penetration testing called the Penetration Testing Execution Standard (PTES). It aims to eliminate poorly performed "scanner monkey" tests and provide clear guidelines. The standard was created by a group of experienced penetration testers and is available online. They are seeking feedback and contributors to help complete the guidelines. The organizers hope to present the standard at Blackhat 2011 and improve the quality of penetration testing industry-wide.
WFUZZ is a web application brute forcing and fuzzing tool that allows penetration testers to perform complex brute force attacks on various parts of web applications like parameters, authentication, forms, directories, files, and headers. It has features like multiple injection points, advanced payload management, multi-threading, encodings, result filtering, and proxy support. New features include HEAD method scanning, fuzzing HTTP methods, following redirects, a plugin framework, and result filtering. It uses a modular architecture with payloads, encoders, iterators, plugins, and printers to perform brute force tests quickly and efficiently.
social media - the cyber reality [screen notes]jody wissing
Social media is a reality and necessary for business and churches alike, but one size does not fit all. In this breakout session you will learn:
How to get started
Your strategy
Maintaining your conversations
Tips & resources
Case studies
Tracking what works
If you have questions you would like answered or social media topics you would like to discuss, please tweet to @embracechaos. #smreality
This document summarizes a presentation given to the USSTRATCOM Space and Cyber Symposium on the future of space and cyber. It outlines key trends in both domains, including systems becoming larger in scale but more distributed and complex, as well as an increasing number of threats. The document also lists priority technology areas and recommendations for the Air Force to maintain advantages in space, cyber, and energy technologies. Overall, the presentation argues that rapid technological change, growing complexity, connectivity, and foreign threats are converging to create serious challenges to US advantages in these critical domains.
CSO Magazine Confab 2013 Atlanta - Cyber SecurityPhil Agcaoili
The document discusses cybersecurity trends and the US government's efforts to define and secure critical infrastructure. It begins by defining critical infrastructure sectors and noting the increase in cyber attacks over the last decade. It then discusses an executive order and presidential policy directive that aim to improve information sharing, develop a cybersecurity framework, and define roles for securing critical infrastructure. The document provides summaries of cybersecurity reports and trends to support taking a risk-based, evidence-driven approach to cybersecurity.
The document discusses cyber security and homeland security. It covers:
1) The growth of cyber space from the first email in 1971 to billions of connected devices today and how cyber warfare is a reality.
2) The need for robust counter-terrorism mechanisms after 9/11 and how mega cities are critical to economic growth and the fight against terrorism.
3) Various technological frameworks and solutions proposed for homeland security, including command and control centers, interception systems, video surveillance, radio networks, geospatial technologies, and integrated databases.
Lessons 5, 18, 21: OFD, Air and Space Power Functions, AEF - Doherty, 27 Oct 09 (runningman825)
This document discusses air/space/cyber power and maneuver warfare. It covers the culture of "airmindedness", tenets of air/space/cyber power, distinctive capabilities, and power functions. It then discusses how air/space/cyber power can be applied across different dimensions of warfare and at the strategic, tactical, and operational levels through maneuver and fires. The briefing concludes by discussing officer force development and the next class topics on international studies and military law.
1) The document discusses how increasing reliance on cyber systems by governments, militaries, and societies could lead to cyber wars, which are cheaper and easier to conduct than traditional wars.
2) A cyber war could potentially be the first step to an actual World War III if critical infrastructure systems like power, transportation, and emergency services are compromised through cyber attacks.
3) The document proposes making military and government systems independent of the internet and creating specialized cyber armies to secure important national systems from cyber attacks in order to prevent cyber wars and their potential escalation into a global conflict.
Industrial Control Systems have cyber vulnerabilities. With critical infrastructure industries depending on control systems for their operations, they have become easy targets for interested cyber criminals. No industry or country can ignore these threats. The following advice from the US Department of Homeland Security to CEOs says it all: “Incorporate cyber risks into existing risk management and governance processes. Cyber Security is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cyber security risk throughout the enterprise.”
This document discusses cyber crime and cyber war. It begins with introductions from the speaker, Uday, who works in penetration testing and data analysis. Several topics are then brought up for discussion, including how cyber war is defined, how it differs from cyber crime and espionage, and whether real data exists to argue that cyber war is occurring. Business models for cyber crime, like pay-per-install malware distribution, are presented. The document aims to have an academic debate on these issues and determine what constitutes an actual cyber war.
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k and $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking, its capabilities and the reasons for targeting mobile devices.
The document discusses the SPDY and QUIC protocols which aim to improve upon HTTP. SPDY focuses on multiplexing, prioritization, header compression, and server push/hints. QUIC aims to eliminate head-of-line blocking, support 0RTT connections, recover lost packets, and survive network changes. Both protocols aim to improve web performance but also face security challenges around things like certificate revocation and content inspection. The future may see both protocols widely adopted in web clients, servers, and network infrastructure.
Mathieu Letourneau, Andrei Saygo, Eoin Ward, Microsoft
This talk will present our research project on .Net file clustering based on their respective basic blocks and the parallel that can be made with DNA sequence variation analysis. We implemented a system that extracts the basic blocks on each file and creates clusters based on them. We also developed an IDA plugin to make use of that data and speed up our analysis of .Net files.
Andrei Saygo, Eoin Ward and Mathieu Letourneau all work as Anti-Malware Security Engineers in the AM Scan team of Microsoft’s Product Release & Security Services group in Dublin, Ireland.
Extracting Forensic Information From Zeus Derivatives (Source Conference)
The document discusses extracting forensic information from Zeus and its derivatives. It outlines goals like determining what data was stolen, where it was sent, and who the attackers were. It then describes how to achieve these goals by extracting information like command and control addresses, stolen data, and configuration files from variants like Zeus 2.0.8.9, IceIX, Citadel, Gameover, and KINS through analyzing their encryption routines, configuration retrieval methods, and automated analysis.
This document provides an overview and introduction to Ruby on Rails. It begins with an agenda and introduction to the speaker. It then provides a brief introduction to Rails, including what industries use it, examples of popular websites built with Rails, and an explanation of its model-view-controller architecture and RESTful design philosophy. The document continues with sections on auditing Rails applications, identifying common vulnerabilities like mass assignment and cross-site scripting, and recommendations for removing vulnerabilities.
This document discusses security testing for RESTful applications. It begins with an introduction to RESTful web services and how they differ from SOAP web services in using HTTP methods to indicate actions and embedding parameters in requests. It notes challenges in testing RESTful applications including that documentation may not reveal the full attack surface and requests can be dynamically generated. It recommends using documentation, proxies, and fuzzing to determine parameters and potential vulnerabilities. The document concludes by discussing how automated pen testing works by crawling to determine the attack surface through both links and emulated JavaScript to find dynamic requests.
This document provides an introduction to steganography, the technique of hiding information inside other content such as images, documents or other files. It explains that steganography has been used since ancient Greece and Rome, and that throughout history different methods have been employed, such as wax tablets, tattoos, invisible ink and paper watermarks. It also briefly describes some more recent techniques such as microdots and bit-based digital methods
The document discusses techniques for detecting "man in the browser" (MitB) attacks, where malware running in a user's browser is able to intercept and modify traffic between the browser and web applications. It describes shape-based tests that examine requests for unusual changes typical of malware, and content-based tests where the server embeds a random value in content and the browser verifies it was not altered to detect tampering by malware. The overall goal is to identify infected client sessions to protect businesses from the risks posed by consumers being attacked.
Advanced Data Exfiltration The Way Q Would Have Done It (Source Conference)
The document appears to be a presentation by Iftach Ian Amit from November 2011 about advanced data exfiltration techniques. It includes sections on using emails, web links and phishing to extract data, as well as utilizing social engineering techniques to manipulate targets. Automating parts of the process with tools like SET is also mentioned. The presentation suggests using both aggressive and ingratiating social behaviors when interacting with targets. It diagrams extracting data by routing it through third parties and the internet.
Joshua Corman gave a presentation about adapting to Anonymous in the age of chaotic actors. He began by providing background on himself and his research interests. He then discussed understanding Anonymous by deconstructing it and looking at its rise, different sects, and levels of involvement. Corman addressed adapting to Anonymous by looking at escalation risks and the need for improved security strategies. He concluded by discussing the possibility of building a better version of Anonymous that is focused on positive goals.
Are Agile And Secure Development Mutually Exclusive? (Source Conference)
The document discusses agile and secure software development. It provides an overview of traditional waterfall and agile project methods. Agile practices like working in short cycles, customer collaboration, and responding to change are highlighted. The roles of project managers, quality assurance teams, and security practices within agile development are also examined. Finally, the document questions whether agile and secure development can be mutually exclusive.
This document discusses binary planting techniques such as DLL hijacking. It provides examples of binary planting issues found in Real Player and Opera on Windows XP, where they load unexpected DLLs and EXEs during execution. It warns that downloading files can leave computers vulnerable if installers load DLLs from the Downloads folder, allowing for "persistent mines" to be planted months later when applications are launched. It provides guidelines for researchers and developers to prevent binary planting issues in their own software.
Legal/technical strategies addressing data risks as perimeter shifts to Cloud (Source Conference)
This document discusses legal and technical strategies for addressing data security risks when controls shift to the cloud. It outlines various legislative and regulatory targets relating to data breaches, both malicious and benign. It provides guidance on security, data transfer, disposition of data upon termination, and access to data when using cloud services.
This document provides guidance on how to determine the right amount to spend on security. It recommends first formalizing mandatory, discretionary, and risk-based security spending. Prioritize assets and risks using a structured process involving business owners. Consider likelihood and impact ranges to evaluate risks. Prioritize risks based on business value and cost. Define security services and align spending with maturity targets. Start with quick wins and metrics to gain support for an ongoing process.
Eric Cowperthwaite became the CSO of Providence Health & Services in May 2006 after they had experienced several data security incidents including stolen laptops containing patient data. As the new CSO, he had to establish an information security program from the ground up amid middle management resistance and a decentralized IT environment. Over several years, he implemented new security controls, became transparent with regulators investigating HIPAA violations, and signed a resolution agreement to establish specific requirements. More recently, he has focused on building sustainability through an enterprise risk management program with governance separated from operations and independent oversight of the chief risk officer.
This document provides best practices and guidance for threat modeling. It discusses key concepts like taxonomy, timing of threat modeling, contributors, audience, and tools. Common pitfalls discussed include not making it a collaborative effort, poor presentation of results, deleting threats, failing to identify assets properly, making unreasonable threats, digging too deep initially, and not versioning threat modeling results. The overall aim is to help people understand how to effectively incorporate threat modeling into their projects and security development lifecycle.
Forensic Memory Analysis of Android's Dalvik Virtual Machine (Source Conference)
This document summarizes a presentation on analyzing the memory of the Dalvik virtual machine used in Android. It discusses acquiring Android phone memory, locating key data structures in Dalvik like loaded classes and instance fields, and analyzing specific Android applications to recover data like call histories, text messages, browser sessions, and wireless network information. The goal is to extract runtime information and data from Android apps through memory forensics.
This document discusses banking fraud techniques used by malware. It describes banking trojans like Zeus and SpyEye that steal credentials through man-in-the-browser attacks. A new trojan called Tatanga is profiled that records videos and has many modules. Anatomy of a fraud incident is explained involving infecting a system, stealing credentials, and laundering money. Real examples of Zeus conducting man-in-the-mobile attacks via SMS are provided to steal one-time passwords. The document concludes that successful attacks rely more on social engineering than specific malware and stresses the importance of monitoring for and sharing information about injection attacks.
Geer - Hutton - Shannon - A Pilot Project On The Use Of Prediction Markets I... (Source Conference)
The document discusses a pilot project to use prediction markets to collect informed opinions from security professionals on future security events. Prediction markets aggregate anonymous predictions from a crowd to forecast outcomes. The pilot will test various security-related contracts over 60 days with 20-30 participants to see if the consensus opinions are useful for participants, organizations, and the security industry. The goal is to accelerate sharing of actionable security information from diverse sources using prediction markets.
Ocean Lotus Threat Actors project by John Sitima 2024 (SitimaJohn)
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Ian Iftach Amit - Cyber[Crime|War] - Connecting The Dots
1. Iftach Ian Amit | April 2011
Cyber[Crime|War]
Connecting the Dots
Iftach Ian Amit
VP Consulting, Security Art
Board Member - CSA Israel
IL-CERT Dreamer
DC9723
All rights reserved to Security Art ltd. 2002-2010 www.security-art.com
2. The Disclaimer
This is “hacker” me, and my own personal opinion only. This has got nothing to do with work stuff. The “work” me is often suited and talks in acronyms and industry best practices stuff.
3. Agenda
• Who am I?
• CyberWar [Attack | Defense]
• CyberCrime [Attack | Defense]
• History revisited
• Connecting the dots...
• Future
4. Who Am I
5. This is NOT going to be
7. Picking up where we left off
At least as far as last year’s research is concerned...
9. (Image with speech bubbles)
“Boss, is this supposed to be on the internet?”
“I think this is from my powerpoint!”
“We probably need to call someone...”
12. (Image, annotated)
Finally de-classified... (on public domain)
The initial “trace” or lo-jack used to track down the thief...
16. Hungry yet?
That was just the appetizer...
17. Question 1: What is this?
18. Question 1: What is this?
19. Perceptions may be deceiving...
War / Crime
20. War vs. Crime
War:
• Government / state
• Official backing
• Official resources
• Financing
• Expertise?
• Exploits/Vulns?
Crime:
• Private
• Semi-official backing (org. crime)
• Official resources
• Self financing?
• Established expertise (in-house + outsourced)
• Market for exploits
21. CyberWar
“Cyberwarfare (also known as cyberwar and Cyber Warfare) is the use of computers and the Internet in conducting warfare in cyberspace.” - Wikipedia
22. It did not happen yet
Estonia being an exception?
“There is no Cyberwar”
23. It did not happen yet
RSA being an exception?
“There is no Cyberwar”
25. This is not the only way! Neither is this...
But civilians are always at stake!
26. Many faces of how CyberWar is perceived...
From McAfee’s “Virtual Criminology Report”
Image caption: “countries developing advanced offensive cyber capabilities”
27. We’ll focus on current players:
And no, here size does NOT matter...
28. USA
• Thoroughly documented activity around cyberwar preparedness, as well as military/government agencies with readily available offensive capabilities
• Massive recruiting of professionals in attack/defense for different departments:
  • USCC (United States Cyber Command - includes Air Force, Marines, Navy and Army service components)
  • NSA
  • Other TLAs...
29. Russia
• GRU (Main Intelligence Directorate of the Russian Armed Forces)
• SVR (Foreign Intelligence Service)
• FSB (Federal Security Service)
• Center for Research of Military Strength of Foreign Countries
• Several “National Youth Associations” (Nashi)
30. China
• PLA (People’s Liberation Army)
• Homework: read the Northrop Grumman report...
• General Staff Department 4th Department - Electronic Countermeasures == Offense
• GSD 3rd Department - Signals Intelligence == Defense
• Yes... Titan Rain...
31. Iran
• Telecommunications Infrastructure Co.
• Government telecom monopoly
• Iranian Armed Forces
32. Israel
• This is going to be very boring... Google data only :-(
• IDF (Israel Defense Forces) adds cyber-attack capabilities.
• C4I (Command, Control, Communications, Computers and Intelligence) branches in Intelligence and Air-Force commands
• Staffing is mostly homegrown - trained in the army and other government agencies.
• Mossad? (check out the jobs section on mossad.gov.il...)
35. CyberWar - Attack
Highly selective targeting of military (and critical) resources, in conjunction with a kinetic attack
OR
Massive DDoS in order to “black-out” a region, disrupt services, and/or push a political agenda (propaganda)
38. CyberWar - Defense
• Never just military
• Targets will be civilian
• Physical and logical protections = last survival act
• Availability and Integrity of services
• Can manifest in the cost of making services unavailable for most civilians
39. Iftach Ian Amit | April 2011
CyberCrime
40. Iftach Ian Amit | April 2011
Figure 2: Organizational chart of a Cybercrime organization
Roles shown, top to bottom: Criminal Boss; Under Boss (Trojan Provider and Manager); Trojan Command and Control; Attackers; Crimeware Toolkit Owners; Trojan distribution in legitimate website; Campaign Manager (×3); Affiliation Network (×3); Stolen Data Reseller (×3)
Caption bubble: “You want money, you gotta play like the big boys do...”
41. Iftach Ian Amit | April 2011
CyberCrime - Attack
• Channels: web, mail, open services
• Targeted attacks on premium resources
• Commissioned, or for extortion purposes
• Carpet bombing for most attacks
• Segmenting geographical regions and market segments
• Secondary infections through controlled outposts
• Bots, infected sites
42. Iftach Ian Amit | April 2011
CyberCrime - target locations
43. Iftach Ian Amit | April 2011
CyberCrime - Locations
Major Cybercrime group locations
46. Iftach Ian Amit | April 2011
CyberCrime - Ammunition
=≈ APT
56. Iftach Ian Amit | April 2011
CyberCrime - Defense
• Anti [ Virus | Malware | Spyware | Rootkit | Trojan ]
• Seriously?
• Firewalls / IDS / IPS
• Seriously?
• Brought to you by the numbers 80, 443, 53...
• SSL...
57. Iftach Ian Amit | April 2011
How do these connect?
Claim: CyberCrime is being used to conduct CyberWar
Proof: Let’s start with some history...
58. Iftach Ian Amit | April 2011
History - Revisited...
Estonia
You read all about it.
Bottom line: civilian infrastructure was targeted
Attacks originated mostly from civilian networks
59. Iftach Ian Amit | April 2011
History - Revisited...
Israel
Operation Orchard
September 6th, 2007 (Source: Der Spiegel)
Source: http://en.wikipedia.org/wiki/Operation_Orchard
61. Iftach Ian Amit | April 2011
Mid-east crime-war links
ARHack
Hacker forum by day
Cybercrime operations by night
65. Iftach Ian Amit | April 2011
Political post
Buying/Selling cards for 1/2 their balance
Selling 1600 visa cards
66. Iftach Ian Amit | April 2011
History - Revisited...
Georgia
More interesting...
Highly synchronized Kinetic and Cyber attacks
Targets still mostly civilian
Launched from civilian networks
67. Iftach Ian Amit | April 2011
Russian Crime/State Dilemma
Micronnet
McColo
Atrivo
Eexhost
ESTDomains
RBN
RealHost
72. Iftach Ian Amit | April 2011
Russian Crime / Government (figure: relationship graph)
Nodes: ESTDomains, ESTDom, RBN, Atrivo, McColo, UkrTeleGroup, HostFresh
Edge types: Hosted by, Customer, Network provider
73. Iftach Ian Amit | April 2011
Remember Georgia?
• Started by picking on the president...
flood http www.president.gov.ge
flood tcp www.president.gov.ge
flood icmp www.president.gov.ge
• Then the C&C used to control the botnet was shut down as:
• Troops cross the border towards Georgia
• A few days of silence...
78. Iftach Ian Amit | April 2011
Georgia - cont.
• Six (6) new C&C servers came up and drove attacks at additional Georgian sites:
www.president.gov.ge, os-inform.com, www.parliament.ge, www.kasparov.ru, apsny.ge, hacking.ge,
mk.ru, news.ge, newstula.info, tbilisiweb.info, skandaly.ru, newsgeorgia.ru
• BUT - the same C&C’s were also used for attacks on commercial sites in order to extort them (botnet-for-hire). Additional sites attacked:
• Porn sites • Carder forums
• Adult escort services • Gambling sites
• Nazi/Racist sites • Webmoney/Webgold/etc…
BTW - Guess who were the owners of all the Georgian ISPs? (Russia)
85. Iftach Ian Amit | April 2011
Georgia - cont.
• Final nail in the coffin:
• The city of Gori
• DDoS hits all municipal sites August 7th 2008 at 22:00
• Complete network disconnect of the district August 8th 06:00
• First strike on city August 8th 07:30
86. Iftach Ian Amit | April 2011
History - Revisited...
Iran
2009 Twitter DNS hack attributed to Iranian activity.
Political connections are too obvious to ignore (elections)
Timing was right on:
• Protests by opposition
• UN Council decisions
• Leadership in Tehran
89. Iftach Ian Amit | April 2011
Iran-Twitter connecting dots
• Twitter taken down December 18th 2009
• Attack attributed eventually to cyber-crime/vigilante group named “Iranian Cyber Army”
• Until December 2009 there was no group known as “Iranian Cyber Army”...
• BUT - “Ashiyane” (Shiite group) is from the same place as the “Iranian Cyber Army”
92. Iftach Ian Amit | April 2011
Iran-Twitter - Ashiyane
• Ashiyane was using the same pro-Hezbollah messages that were used on the Twitter attack with their own attacks for some time...
• AND the “Iranian Cyber Army” seems to be a pretty active group on the Ashiyane forums www.ashiyane.com/forum
Let’s take a look at how Ashiyane operates...
93. Iftach Ian Amit | April 2011
On [Crime|War] training
Ashiyane forums
WarGames
96. Iftach Ian Amit | April 2011
Wargames targets include:
101. Iftach Ian Amit | April 2011
Back to [Crime|War] Links:
What else happened on the 18th?
Later on - Baidu takedown with the same MO (credentials)
109. Iftach Ian Amit | April 2011
Mapping Iran’s [Crime|War] (figure: relationship map)
Ashiyane, linked to: Site Defacement, DDoS, Botnet Herding, Credit Card Theft ($$)
Regions: Iran, US, Iraq, UK
Iranian Strategic Cyber Attacks: US, CN
Legend: Crime / War
112. Iftach Ian Amit | April 2011
Iran - the unspoken
• Stuxnet
• There, I’ve said it
113. Iftach Ian Amit | April 2011
History - Revisited...
China
• Great Chinese Firewall doing an OK job in keeping information out.
• Proving grounds for many cyber-attackers
• Bulletproof hosting (after RBN temporary closure in 2008 China provided an alternative that stayed...)
114. Iftach Ian Amit | April 2011
China ...connecting the dots
January 12th - Google announces it was hacked by China
Not as in the “we lost a few minutes of DNS” hacked...
“In mid-December we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google” (David Drummond, SVP @Google)
115. Iftach Ian Amit | April 2011
China ...connecting the dots.
January 12th - Adobe gets hacked. By China.
“Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated coordinated attack against corporate network systems managed by Adobe and other companies” (Adobe official blog)
Same MO: 0-day in Internet Explorer to get into Google, Adobe and more than 40 additional companies
116. Iftach Ian Amit | April 2011
China ...connecting the dots...
Problem: Attacks all carry the signs of Cybercrime...
Criminal groups attack companies in order to get to their data so they can sell it (whether it was commercial or government data!)
US Response: “We look to the Chinese government for an explanation. The ability to operate with confidence in cyberspace is critical in a modern society and economy.” (Hillary Clinton, Secretary of State)
123. Iftach Ian Amit | April 2011
China ...connecting the dots....
Anecdote - a professor in one of the universities linked to the attack admitted that the school network is often used to anonymously relay attacks
The China move:
Use of criminal groups to carry out the attacks provides the perfect deniability on espionage connections (just like in the past, and a perfect response to Clinton).
Targets are major US companies with strategic poise to enable state interest espionage
Information sharing at its best:
State - Crime
Win - Win
124. Iftach Ian Amit | April 2011
History - Revisited...
Spain
• You are on the map as well! - MARIPOSA
• Highly respected 12M bots run by Spanish
ringleaders
• Slovenian source (developer)
• Global distribution
• Surprise... very painful to some governments...
125. Iftach Ian Amit | April 2011
Spain ...connecting the dots
3 People arrested by the Spanish Civil Guard in February 2010
Florencio Carro Ruiz (netkairo), Jonathan Pazos Rivera (jonylolente), and Juan Jose Bellido Rios (ostiator) == DDP (Dias de Pesadilla)
126. Iftach Ian Amit | April 2011
Spain ...connecting the dots
In July 2010, Slovenian police arrested their “source” (iserdo) who sold the kit to hundreds of additional individuals and governments
The FBI called the Slovenian operation “excellent” and “unparalleled” ?!?!
129. Iftach Ian Amit | April 2011
Spain ...connecting the dots....?
Closure is still far on this one :-(
Several more governments are involved, and additional “clients” of Iserdo (the savior in Slovenian when spelled backwards) are part of open intelligence cases.
130. Iftach Ian Amit | April 2011
How does APT fit here?
RSA
• Infection vector: Flash vulnerability exploited through Excel file
• Persistence: Using Poison Ivy as the trojan
• Exfiltration: Pack data in password protected RAR files and upload to FTP
131. Iftach Ian Amit | April 2011
APT ...connecting the dots
Compared to what we just reviewed, that was a SIMPLE attack...
Trojan is not even a “commercial” product (free download at http://www.poisonivy-rat.com/)
136. Iftach Ian Amit | April 2011
APT ...connecting the dots....?
         Infiltration       Persistence, C&C                    Exfiltration
APT      Social/physical    Advanced C&C (p2p, lateral move)    Advanced exfil (dns, VoIP)
APT?!    Phishing           Simple C&C (HTTP)                   Simple exfil (FTP)
Bottom line: Not a direct state attack - Criminals again...
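As an added example (not from the slides), a small Python triage script that sorts log lines into the two exfiltration rows of the matrix above: the simple FTP upload of packed archives described on the RSA slide, and the DNS-tunnel pattern named in the "advanced" row. The log format, hosts, file names and thresholds are constructed assumptions, not data from the talk.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Format per line:
# "<time> <src ip> <FTP|DNS> <verb> <destination> [<object>]".
SAMPLE_LOGS = """\
2011-03-01T09:14:02 10.1.2.15 FTP STOR 198.51.100.7 part1.rar
2011-03-01T09:15:40 10.1.2.15 FTP STOR 198.51.100.7 part2.rar
2011-03-01T09:15:41 10.1.2.15 FTP STOR 198.51.100.7 part3.rar
2011-03-01T09:20:00 10.1.2.99 FTP STOR 192.0.2.10 report.pdf
2011-03-01T10:00:01 10.1.2.15 DNS QUERY www.example.com
2011-03-01T10:00:02 10.1.2.15 DNS QUERY mail.example.com
2011-03-01T10:01:00 10.1.2.30 DNS QUERY ajsd7f8a9s8df7a9s8df7.tunnel.example.net
2011-03-01T10:01:01 10.1.2.30 DNS QUERY q9w8e7r6t5y4u3i2o1p0a.tunnel.example.net
2011-03-01T10:01:02 10.1.2.30 DNS QUERY zx9cv8bn7m6l5k4j3h2g1.tunnel.example.net
2011-03-01T10:01:03 10.1.2.30 DNS QUERY www.tunnel.example.net
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+) (?P<proto>FTP|DNS) (?P<verb>\S+) "
    r"(?P<dst>\S+)(?: (?P<obj>\S+))?$"
)
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")
MIN_ARCHIVE_UPLOADS = 2   # assumption: two archives to one FTP host is worth a look
MIN_LABEL_LENGTH = 16     # assumption: encoded-data labels are unusually long
MIN_DISTINCT_LABELS = 3   # assumption: a tunnel produces many unique subdomains


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def parent_domain(name):
    """Drop the leftmost label: x.tunnel.example.net -> tunnel.example.net."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else name.lower()


def find_simple_exfil(records):
    """Matrix row 'Simple exfil (FTP)': repeated STOR of archive files to one host."""
    uploads = defaultdict(int)
    for rec in records:
        obj = (rec.get("obj") or "").lower()
        if rec["proto"] == "FTP" and rec["verb"] == "STOR" and obj.endswith(ARCHIVE_EXTENSIONS):
            uploads[(rec["src"], rec["dst"])] += 1
    return sorted((src, dst, n) for (src, dst), n in uploads.items() if n >= MIN_ARCHIVE_UPLOADS)


def find_advanced_exfil(records):
    """Matrix row 'Advanced exfil (dns)': many long, unique labels under one parent domain."""
    labels = defaultdict(set)
    for rec in records:
        if rec["proto"] != "DNS" or rec["verb"] != "QUERY":
            continue
        first = rec["dst"].split(".")[0]
        if len(first) >= MIN_LABEL_LENGTH:
            labels[(rec["src"], parent_domain(rec["dst"]))].add(first)
    return sorted((src, dom, len(s)) for (src, dom), s in labels.items() if len(s) >= MIN_DISTINCT_LABELS)


def triage(log_text):
    """Sort the log into the two exfiltration rows of the slide's matrix."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    return {
        "simple_exfil_ftp": find_simple_exfil(records),
        "advanced_exfil_dns": find_advanced_exfil(records),
    }


if __name__ == "__main__":
    for row, hits in triage(SAMPLE_LOGS).items():
        print(row, hits)
```

Each hit is a (source, destination-or-parent-domain, count) tuple; the thresholds are deliberately low for the tiny sample and would be tuned against a real baseline.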
144. Iftach Ian Amit | April 2011
The Future (Illustrated)
CLOUDS
146. Iftach Ian Amit | April 2011
Summary
Good: Formal training on cybersecurity by nations
Bad: Commercial development of malware still reigns
Ugly: Good meet Bad: money changes hands, less tracks to cover, criminal ops already creating the weapons...
147. Iftach Ian Amit | April 2011
Summary
The Future
Lack of legislation and cooperation on multi-national level is creating de-facto “safe haven” for cybercrime. <- Fix this!
Treaties and anti-crime activities may prove to be beneficial. <- Translate to politics/law!
148. Iftach Ian Amit | April 2011
Thanks!
Q&A
iamit@iamit.org
pro: iamit@security-art.com
twitter: twitter.com/iiamit
blog: iamit.org/blog