Don zaal a 11.15 11.45 fccu

  1. How to survive in an era of hacktivists, cyber espionage and internet fraudsters? The need for an integrated approach to undermine the criminal cyber architecture
     Brussels, 21 March 2013, e-Shop Expo
     © 2013 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime
     Presentation by @LucBeirens, Chief Commissioner, Head of the Federal Computer Crime Unit, Belgian Federal Judicial Police, Direction Economical and Financial Crime; Chairman of the EU Cybercrime task force, representing the organization of heads of national high-tech crime units of the EU
  2. Topics - overview
     - An analysis of the eSociety situation
     - Who is threatening eSociety and how? Inside threat / outside threats
     - Possible damage to eGov and eSociety
     - Which response to give to this?
     What is there to protect?
     - Your company / public image
     - Your market share (even as public service)
     - Your business activity / products
     - Your existence as such
     Cybercrime threats © Belgian Federal Computer Crime Unit
  3. What is there to protect?
     - Data (stored or in transmission)
       - Our personal data: employees / citizens / customers
       - Info on the organisation (policy / functioning / financial)
       - Info on your activity, product (price list, patents, source code)
     - Our information infrastructure
       - Internal / external systems
       - Network connections
       - Storage and backup systems
     - Privacy law requires organisational and technical measures to protect personal data
     eShop
     - Be recognisable to your customers
     - Beware of imposters: use of certificates / control over domain
     - Keep your customers safe: data, transactions
     - Get paid for your services / products
     - Don't unwillingly become a criminal service platform
  4. e-Architecture (diagram labels: Externally managed infrastructure, Certification Authority, Externally hosted website, VPN, Internet, DNS, Internal network, Firewall, DMZ, own backup server, webserver, Cloud service center, SCADA, End user, Roaming user, Process control) © Luc Beirens
     General trends today
     - Evolution towards e-society: replace persons by e-applications
     - Interconnecting all systems (admin, industrial, control)
     - Mobile systems – Cloud
     - Social networks
     - IP is the common platform offered by many ISPs, integrating telephony / data / VPN & all new apps => opportunities / Achilles heel / scattered traces
     - Poor security in legacy applications and protocols (userid + pw) => identity fraud is easy
     - End user is not yet educated to act properly
  5. What do criminals want?
     - Become rich / powerful rapidly, easily, with a very big ROI, in an illegal way if needed
     - Destabilise (e-)society by causing trouble
     First conclusions?
     - Society is thus very heavily dependent on ICT
     - ICT = important vulnerability of modern society
     - End user = weakest link => biggest danger
     - Need to guarantee continuity of ICT functioning, availability and integrity of data
     - Data is more and more in the cloud: accessible from all over the world, outside the jurisdiction of your country
  6. Who is threatening us?
     - Script kiddies
     - Insider: ICT guy in your company
     - Loosely organised criminals
     - Firmly organised criminal groups
     - Terrorists / hacktivists
     - Foreign states / economic powers
     - Nation warfare troops
     What are the outside threats?
  7. Threats in messages on hacker sites
     - Wiping away the websites in your state
     - Infiltration in servers of the Public Treasury, disrupting tax collection
     - Infiltration in bank accounts
     - Attacks on media websites
     - Attacks on e-commerce websites
     - Distribution of personnel data and credit card information
     - Targeting also in the end-of-year period
     Focus
     - On individuals
     - On webservers
     - On your organisation
     - On your partner's organisation
     - On your infrastructure
     - On cyber infrastructure
  8. Hacking webservers
     Motives of the criminal:
     - Perform defacement
     - Use as storage platform for illegal content (child porn)
     - Use as intermediate platform for criminal activity
     - Get sensitive information and do extortion ("idiot tax")
     - Get financial information (credit cards)
     To do:
     - Update SW, strong admin access, no personal data on the server
     - Follow up: a hacker's drop-off
  9. E-Shop risks
     - "Forgotten" test environments: use of real data, no logging of applications with debugging procedures
     - Databases with all user data on the webserver instead of inside the LAN
     - User profiles unencrypted / unsalted?
     - Credit card information in profiles?
     - Use of stolen credit (new payment systems)
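The "user profiles unencrypted / unsalted?" risk on the slide above is easiest to see in code. The following is an added example, not code from the presentation or from the FCCU: it puts the weak scheme (a bare SHA-256 of the password) next to a hardened one (a random per-user salt with PBKDF2-HMAC-SHA256 from Python's standard library). The iteration count, the record format and the sample password are this example's own assumptions.

```python
"""Unsalted vs salted password storage for an e-shop user profile.

Added example (not from the presentation). Two customers who chose the same
password get identical unsalted hashes, so one cracked hash exposes both and
a precomputed table works against the whole dump. A per-user salt plus a slow
key derivation function removes both weaknesses.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

# Assumption for this example; tune so one derivation costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 200_000


def store_unsalted(password: str) -> str:
    """The weak scheme: same input always gives the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random 16-byte salt + PBKDF2-HMAC-SHA256.

    Record format (this example's own choice):
    "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>"
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never authenticate on it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_collides(scheme: Callable[[str], str], password: str) -> bool:
    """True when two users with the same password receive identical stored values."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    # Constructed sample: two customers who picked the same password.
    pw = "Summer2013!"
    print("unsalted collides:", same_password_collides(store_unsalted, pw))  # True
    print("salted collides:  ", same_password_collides(store_salted, pw))    # False
    rec = store_salted(pw)
    print("verify ok:", verify_salted(pw, rec), "| verify wrong:", verify_salted("wrong", rec))
```

The collision check is the point a data-breach investigator looks at first: with the unsalted scheme, every row that shares a hash shares a password, and the whole table can be attacked with one precomputed list. With the salted scheme each record has to be attacked separately, and the iteration count makes each attempt deliberately slow.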
  10. Security: encrypted data!
      - Infection of workstations and servers in the company LAN
        - Using targeted e-mails / social media messages
        - Malicious encryption of all user data files
        - Ransom to get the decryption key
      - Of those that paid: some got the key, some didn't
      - Others had a recent off-line backup!
      Dossier Cybercrime - NVP PNS 2012-2015
  11. Intrusions in your LAN
      - Intrusion in your system to intercept data that allows products to be taken away from your stock
        - WIFI interception from the parking lot
        - Infection by trojan (e-mail)
        - (Unreported) burglary in the company to place hardware keyloggers or a complete small computer system (WIFI intercept, 3G transmit)
      - With a valid ticket, go fetch the cargo
      To do:
      - Encrypt WIFI transmissions
      - Patch only active workstation connections
      Intrusion in your trading account
      - Carbon dioxide certificates trade
      - Open data: contact persons of companies
      - Spear phishing mail + phishing website
      - Access to the trading account
      - Millions of € sold in a few hours all over the EU, sold far under price & immediately resold
      To do: awareness
  12. Intrusion in your partner's LAN
      - Intrusion in the LAN of a foreign (Chinese) partner to get information on your business and the invoices you have to pay
      - You get mail with
        - Slightly different e-mail addresses
        - A change of the bank account number to pay ("due to audit ...")
      - To do: verify thoroughly any changes before paying
      Attacking infrastructure
      - Remotely managed infrastructures in your buildings: central heating, elevator
      - Creating disruption of this infrastructure => leads to high cost
      - To do: verify whether this applies to you and your infrastructure managing company
  13. Hacking into cloud accounts
      - SMEs that have all their information in cloud accounts
      - Hacking into these accounts
        - Taking over access control
        - Sending of SOS e-mails ("robbed, money needed")
        - Deleting all contact information in the account => preventing warning e-mails after getting back access to the account
      To do:
      - Enforce strong authentication and second ways to access the account
      - Have backups of these systems
  14. Cybercrime against cyber infrastructure
      - Payment systems: 2010 Wikileaks case: "Anonymous" attack on VISA, PayPal, Mastercard, ...
      - DNS system: create fraudulent routing or use for DDOS
      - Certification authorities (DigiNotar)
      - Data centers (blocks all servers in it)
  15. Cybercrime focusing on individuals
      - Individuals are also working in companies / government
        - Use social networks / webmail
        - Often used to exchange business-related info, containing access code information
      - Hacking of these profiles / webmails
        - Abuse to infect people you know
        - Get personal information on you and your contacts
        - Commit fraud
      - Internet fraud of all kinds
      - Webcam sex interception to do extortion
      Luc Beirens - FCCU - 2012
      What are the criminals' tech tools to hack and attack?
      - Malware attacks (viruses, worms, trojans, ...): fast-spreading day-zero infections => no immediate cure => lots of victims (especially home PCs, available 24 / 365)
      - Abuse of infected computers to create botnets (large "armies" of PCs under the control of 1 master) => used to make massive attacks on webservers or network nodes => high risk for your critical ICT infrastructure
  16. Diagram: Botnet attack on a webserver / node (labels: Hacker, Command & Control Server, Knowledge server, Malware update server, Webserver / node, Internet, Computer, Crash, Info, Access line, Cmd blocked, "My IP is x.y.z.z", trigger event, MW update, very frequent MW update request, Malware update / knowledge transfer)
  17. Why? Making money!
      - Sometimes still for fun (script kiddies)
      - Spam distribution via zombie
      - Click generation on banner publicity
      - Dialer installation on zombie to make premium rate calls
      - Spyware installation
      - Espionage => banking details / passwords / keylogging
      - Ransom bot => encrypts files => money for password
      - Capacity for distributed denial of service attacks (DDOS) => disturb functioning of internet device (server / router)
      How big is the problem?
      - Already criminal cases in several countries
      - Botnets detected
        - Several hundreds of botnets worldwide
        - Several thousands of C&C worldwide
        - Thousands up to millions of zombie computers online
        - Generated huge data traffic, up to 40 Gbps
      - Dismantling / crippling botnets
  18. e-Crime underground business
      - Underground fora and chatrooms: restricted access, on invitation, secured by encryption
      - Botnets for hire
        - Control over bot for spam: 0,04 $ / bot / day
        - Small scale attack 20 Mbps: 50 – 100 $ / day
        - Large scale attack 10 Gbps: 1000 $ / day
      - Malware development on demand
      Important DDOS cases
      - UK 2004: gambling website down (+ hoster + ISP)
      - NL 2005: 2 botnets: millions of zombies
      - BE 2005: DDOS on chat network of media firms
      - BE 2005: DDOS on firm (social conflict)
      - US 2006: Blue Security firm stops activity
      - SE 2006: website of government and police down due to DDOS after police raid on P2P
      - EE 2007: widespread DDOS attack on Estonia after incidents over the moving of a soldier statue
      - Georgia 2008: cyber war during military conflict
      - World 2010: Wikileaks case: Visa, Mastercard, PayPal
      - World 2012: CIA, FBI, US DOJ, EU, Arcelor Mittal, ...
  19. Latest malware developments
      - Stuxnet: very complex and elaborate trojan
        - Several replication vectors: networks, USB keys
        - Connects to C&C botnet server
        - Focused on industrial control systems: searches for systems with this control system
        - Collects information on Siemens PLC systems
        - Changes process logic on infected machines
      - Duqu, based upon Stuxnet: spying purposes
      Biggest threat? The criminal's knowledge database
      - SQL (Structured Query Language) databases
      - Several backup servers
      - Content: keylogging (everything, also userids, passwords), screenshots (of all opened windows, websites, ...), URLs, IP addresses
      - Base for reverse R&D to counter new security
  20. Cases?
      - e-Banking fraud
      - Hacking of large institutions / firms
        - Long time unaware of hacking
        - Keylogging
        - Encrypted files on PC
        - Internal botnet
        - Intermediate step to other networks
        - Often no complaint
      Diagram: Large firm hacking using an internal botnet (labels: Internet, Hacker, Company network)
  21. And the victims?
      Who?
      - Transactional websites
      - Communication networks
      - ISPs and all other clients
      Reaction
      - Unaware of incidents going on
      - ISPs try to solve it themselves
      - Nearly no complaints made, even if asked ...
      Result? The hackers go on developing botnets
      Combined threat
      - What if abused by terrorists ... simultaneously with a real-world attack?
      - How will you handle the crisis? Your telephone system is not working!
  22. Risks
      - Economic disaster
        - Large scale: critical infrastructure
        - Small scale: enterprise
      - Individual data
      - Loss of trust in e-society
      Who investigates ICT crime?
      - Prosecutors / examining judges
      - Specialised police forces (national & international)
      - Legal expert witnesses
      - Specialised forensic units of consulting firms
      - Associations defending commercial interests
      - Security firms => vulnerabilities
      - Activist groups => publish info on the "truth"
  23. E-Police organisation and tasks (integrated police)
      - Federal level, Federal Police: 1 Federal Computer Crime Unit (FCCU), 33 persons
        - 24 / 7 (inter)national contact
        - Policy
        - Operations: intelligence, internet & e-payment fraud, cybercrime combating hotline, international internet ID requests
        - Training
        - Forensic ICT analysis, equipment
        - ICT crime network
      - Regional level, Federal Police: 25 Regional Computer Crime Units (1 – 2 judicial districts each), 180 persons
        - Assistance for house searches, forensic analysis of ICT, taking statements, internet investigations
        - Investigations of ICT crime cases (assisted by FCCU)
      - Local level, Local Police: first line police
        - "Freezing" the situation until the arrival of the CCU or FCCU
        - Selecting and safeguarding of digital evidence
      © 2013 - Luc Beirens - FCCU - Belgian Federal Police
      Our services
      - Help to take a complaint
      - Descend on the scene of crime
      - Make a drawing of the architecture of the hacked system
      - Image backup of the hacked system (if possible)
      - Internet investigations (identification, location)
      - House searches
      - Taking statements of concerned parties
      - Forensic analysis of seized machines
      - Compile conclusive police report
  24. Investigative problems - tracking
      - Victims: unfamiliar and fearful for the "corporate image" => belated complaints, traces trashed / no more traces
      - Rather "unknown" world for police & justice => delay before involvement of specialised units
      - Limited ICT investigation capacity (technical & police skills)
      - Multiplication and integration of services / providers / protocols / devices
      - Lack of harmonised international legislation & instruments
      - Anonymous / hacked connections, subscriptions, WIFI
      - Intermediate systems often cut the track to the perpetrator
      Investigative problems - evidence gathering
      - Delocalisation of evidence: the cloud?
      - Exponential growth of storage capacity => time consuming: backups & verification processes, analysis
      - New legislation / jurisprudence imposes more rigorous procedures for evidence gathering in cyber space
      - Bad ICT security: give proof of the source and the integrity of evidence
  25. Brussels, we have a problem ...
      Complainant: Hello, can you help?
      Police: OK. A few questions to start: who, where, what, when
      Complainant: We are a Belgian hosting firm, our file … We have a problem … Our webservers are hacked & several websites of our Belgian customers have been defaced
      Who is where?
  26. Who / where / what
      - In Belgium: defaced website
      - In the USA: hacked webserver; hosting firm: nothing in Belgium
      - In the Netherlands: hacked server; customer: nothing in Belgium
      - In the UK: hacker?; hacked firm: nothing in Belgium
      - In Luxembourg: hacker?
      Conclusions ...
      - Competence of the Belgian justice authorities? Discussion:
        - viewpoint Public Prosecutor General: not competent
        - viewpoint lawyer of the victim: competent
        - viewpoint suspect's defence: ????
      - If the choice was made for storage in a foreign country: why? cost? evade regulations & obligations?
        - No (?) protection of Belgian law
        - No (?) intervention of law enforcement in Belgium
        - Protection by law & LE in the country where the server is
  27. Preventive recommendations
      - Draw up a general ICT usage directive (normal usage)
      - Awareness program for management & users
      - ICT security policy is part of the global security policy
      - Appoint an ICT security responsible => control on application of the ICT usage & security policy
      - Keep critical systems separate from the Internet if possible!
      - Use software from a trusted source
      - Install recent anti-virus and firewall programs (laptops)
      - Synchronize the system clocks regularly
      - Activate and monitor log files on firewall, proxy, access
      - Make & test backups & keep them safe (generations)!
      Recommendations for victims of ICT crime
      - Disconnect from the outside world
      - Take note of the last internet activities & the exact date and time
      - Evaluate: is the damage more important than the restart?
        - Restart most important: make a full backup before restore
        - Damage more important: don't touch anything
      - Safeguard all messages and log files in their original state
      - Inform ASAP the Federal Judicial Police and ask for the assistance of the Federal or Regional CCU
      - Force a change of all passwords
      - Re-establish the connection only if ALL failures are patched
  28. Where to make a complaint?
      Within a police force ...
      - Local police service => not specialised => not the right place for ICT crime (hacking / sabotage / espionage) => the place to make complaints on internet fraud
      - Federal judicial police (FGP) => better but ...
      - Regional CCU => the right place to be for ICT crime
      - Federal Computer Crime Unit => 24/7 contact
        - Risks on vital or crucial ICT systems => call urgently
        - Illegal content (child porn, …) => …
      ... or immediately report to a magistrate?
      - Local prosecutor (Procureur) => will send it to the police => can decide not to prosecute
      - Examining judge => complaint with deposit of a bail => obligation to investigate the case
      For the sys admin
      - Several layers of protection
      - Internal firewalls
      - Encrypted communications
      - Encrypted databases
      - Check active sys admin profiles on servers
      - Log and follow up FW, IDS: IP + port + time
      - Certificates should be signed by 2 CAs
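Two of the recommendations above, "activate and monitor log files on firewall, proxy, access" (slide 27) and "log and follow up FW, IDS: IP + port + time" (slide 28), come down to the same routine: read the drop records, key them by source IP, destination port and time, and raise what needs follow-up. The block below is an added example, not code from the presentation or the FCCU. Its log line format, the sample lines (RFC 5737 documentation addresses) and the thresholds are this example's own assumptions; adapt the regular expression to your firewall's actual log format.

```python
"""Follow-up of firewall DROP records by IP + port + time.

Added example (not from the presentation). Parses constructed firewall log
lines and raises two findings a sysadmin would follow up:
  - port_sweep:     one source touching many distinct ports in a short window
  - repeated_drops: one source hammering a single blocked port
Both depend on accurate timestamps, which is why the slide also asks for
synchronized system clocks.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Line format chosen for this example (assumption), loosely modelled on a
# stateful firewall's packet log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

SWEEP_WINDOW = timedelta(seconds=60)  # assumption
SWEEP_MIN_PORTS = 5                   # assumption
HAMMER_MIN_HITS = 4                   # assumption

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2013-03-21 10:15:01 ACCEPT src=198.51.100.20 dst=192.0.2.10 dport=443 proto=tcp
2013-03-21 10:15:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2013-03-21 10:15:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2013-03-21 10:15:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2013-03-21 10:15:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2013-03-21 10:15:05 DROP src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2013-03-21 10:16:10 DROP src=203.0.113.9 dst=192.0.2.11 dport=22 proto=tcp
2013-03-21 10:16:12 DROP src=203.0.113.9 dst=192.0.2.11 dport=22 proto=tcp
2013-03-21 10:16:15 DROP src=203.0.113.9 dst=192.0.2.11 dport=22 proto=tcp
2013-03-21 10:16:19 DROP src=203.0.113.9 dst=192.0.2.11 dport=22 proto=tcp
2013-03-21 10:20:00 ACCEPT src=198.51.100.21 dst=192.0.2.10 dport=80 proto=tcp
this line is garbage and must be skipped rather than crash the parser
"""


def parse(log: str) -> List[dict]:
    """Turn matching lines into events; silently skip lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_sweeps(events: List[dict]) -> List[dict]:
    """One source hitting >= SWEEP_MIN_PORTS distinct ports within SWEEP_WINDOW."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["action"] == "DROP":
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            ports = set()
            for e in evs[i:]:  # sliding window starting at event i
                if e["ts"] - evs[i]["ts"] > SWEEP_WINDOW:
                    break
                ports.add(e["dport"])
            if len(ports) >= SWEEP_MIN_PORTS:
                findings.append({"kind": "port_sweep", "src": src,
                                 "first": evs[i]["ts"], "ports": sorted(ports)})
                break  # one finding per source is enough for follow-up
    return findings


def find_hammering(events: List[dict]) -> List[dict]:
    """One source repeatedly dropped on the same port (e.g. guessing at an exposed service)."""
    counts: Dict[tuple, int] = defaultdict(int)
    for e in events:
        if e["action"] == "DROP":
            counts[(e["src"], e["dport"])] += 1
    return [{"kind": "repeated_drops", "src": s, "dport": p, "hits": n}
            for (s, p), n in sorted(counts.items()) if n >= HAMMER_MIN_HITS]


def analyze(log: str) -> List[dict]:
    events = parse(log)
    return find_sweeps(events) + find_hammering(events)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against the sample, the first source is reported once as a sweep across five ports within three seconds, and the second as four drops on one port; the accepted connections and the malformed line produce nothing. The per-source "break" keeps a noisy scanner from flooding the report, which matters when the follow-up is done by a person rather than a SIEM.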
  29. Contact information
      Federal Judicial Police, Direction for Economical and Financial Crime, Federal Computer Crime Unit
      Notelaarstraat 211 - 1000 Brussels – Belgium
      Tel office: +32 2 743 74 74
      Fax: +32 2 743 74 19
      E-mail: luc.beirens@fccu.be
      Twitter: @LucBeirens