2012-02-27 - Sabbatini - Presentazione sala/events2012/BANK2012_SABBATINI.pdf

Page 1

R. Sabbatini

Overview of attacks. The numbers to date.

Renato Sabbatini

MINICORSI 2012. E-commerce and on-line banking: effective cryptographic security

Università degli Studi di Trento, Lab. di Matematica Industriale e Crittografia

27 February 2012

Overview of attacks

Agenda: Attack channels; Attacks, numbers and cases; Who defends the defenders?

Page 2

ATTACK CHANNELS

Page 3

Attack channels

The slide arranges the channels on two axes: physical vs. logical, and distributed vs. centralized. The items placed in that grid:

• Malware (appears twice on the slide)
• MitB attack (man-in-the-browser)
• Data breach
• *ishing (phishing and its variants)
• Credentials misuse
• Equipment tampering
• Skimmers
• Lost and stolen
• Physical intrusion
• Archive theft

Page 4

ATTACKS, NUMBERS AND CASES

Page 5

Attacks, the numbers: What

[chart: Verizon, 2011 Data Breach Investigations Report]

Page 6

Attacks, the numbers: How much

[chart: Verizon, 2011 Data Breach Investigations Report]

Page 7

Attacks, the numbers: How much

ATM: the European ATM Security Team (EAST) has just published an ATM crime report covering the full year 2010. There has been a 14% drop in ATM related fraud losses in 2010, with total losses of €268 million reported (down €44 million from €312 million in 2009). This is the second successive annual drop, following on from the 36% fall reported for 2009.

This fall is driven by a reduction in losses due to card skimming attacks, which have fallen for the past six half-yearly reporting periods, from a peak of €315 million in December 2007 to the current level of €123 million in December 2010. ATM related fraud attacks fell by 7%, with a total of 12,383 incidents reported (down from 13,269 incidents in 2009).

The majority (82%) of ATM related card skimming losses are now international, with most now occurring in countries outside of Europe. The risk of counterfeit EMV cards being used to withdraw cash fraudulently from ATMs in parts of the world that are not EMV compliant remains high and is leading some European card issuers to implement additional security measures.

Physical attacks on European ATMs have fallen by 16% when compared with 2009 (down from 2,468 to 2,062 incidents). Within this total the number of reported explosive and gas attacks (278) has gone up for the second year in succession, an 88% increase when compared to 2009. Overall losses rose 18% to €33 million (up from €28 million in 2008).

Page 8

Attacks, the numbers: How

[chart: Verizon, 2011 Data Breach Investigations Report]

Page 9

Attacks, the numbers: Who

[chart: Verizon, 2011 Data Breach Investigations Report]

Page 10

Attacks, the numbers: From where

[chart: Symantec, Report on Attack Kits and Malicious Websites]

Page 11

Attacks, the numbers: Where

[chart: Verizon, 2011 Data Breach Investigations Report]

Page 12

Attacks, the numbers: Where

[chart: Verizon, 2011 Data Breach Investigations Report]

Page 13

Attacks, the numbers: Costs

[chart: Symantec, 2010 Annual Study: U.S. Cost of a Data Breach]

Page 14

Attacks, the numbers: Costs

[chart: Symantec, 2010 Annual Study: U.S. Cost of a Data Breach]

Page 15

Attacks, the numbers: Costs

[chart: Symantec, 2010 Annual Study: U.S. Cost of a Data Breach]

Page 16

Attacks, the numbers: Costs

[chart: Symantec, 2010 Annual Study: U.S. Cost of a Data Breach]

Page 17

Attacks, the numbers

Last minute: report highlights

Symantec Intelligence Report: January 2012

• Spam – 69.0 percent (an increase of 1.3 percentage points since December 2011)

• Phishing – One in 370.0 emails identified as phishing (an increase of 0.06 percentage points since December 2011)

• Malware – One in 295.0 emails contained malware (a decrease of 0.02 percentage points since December 2011)

• Malicious Web sites – 2,102 Web sites blocked per day (a decrease of 77.4 percent since December 2011)

• Spammers continue to take advantage of holidays and events

Page 18

Attacks, the numbers. Last minute: Spam

[chart: Symantec Intelligence Report, January 2012]

Page 19

Attacks, the numbers. Last minute: Phishing

[chart: Symantec Intelligence Report, January 2012]

Page 20

Attacks, the numbers. Last minute: Virus

[chart: Symantec Intelligence Report, January 2012]

Page 21

Attacks, the numbers. Last minute: Phishing

[chart: Symantec Intelligence Report, January 2012]

Page 22

Attacks, the numbers. Last minute: Web-based malware

[chart: Symantec Intelligence Report, January 2012]

Page 23

Attacks, the numbers. Last minute: Web Policy Risks from Inappropriate Use

[chart: Symantec Intelligence Report, January 2012]

Page 24

Attacks, the cases

Millions hit in South Korean hack

… South Korea has blamed Chinese hackers for stealing data from 35 million accounts on a popular social network. The attacks were directed at the Cyworld website as well as the Nate web portal, both run by SK Communications. Hackers are believed to have stolen phone numbers, email addresses, names and encrypted information about the sites' many millions of members. It follows a series of recent cyber attacks directed at South Korea's government and financial firms. … The Nate portal gives people access to web services such as email while the Cyworld social site lets people share images and updates with friends and allows them to create an avatar that inhabits a small virtual apartment. …

Population of South Korea: 48,860,500 (July 2012 estimate) (CIA data)

… an entire nation cloned. At least within the social network, the attacker could assume the identity of anyone!!

Page 25

Attacks, the cases

China-Based Hacking of 760 Companies Shows Cyber Cold War

(Dec. 9, Bloomberg) Google Inc. (GOOG) and Intel Corp. (INTC) were logical targets for China-based hackers, given the solid-gold intellectual property data stored in their computers. An attack by cyber spies on iBahn, a provider of Internet services to hotels, takes some explaining. iBahn provides broadband business and entertainment access to guests of Marriott International Inc. and other hotel chains, including multinational companies that hold meetings on site. Breaking into iBahn's networks, according to a senior U.S. intelligence official familiar with the matter, may have let hackers see millions of confidential e-mails, even encrypted ones, as executives from Dubai to New York reported back on everything from new product development to merger negotiations. More worrisome, hackers might have used iBahn's system as a launching pad into corporate networks that are connected to it, using traveling employees to create a backdoor to company secrets, said Nick Percoco, head of Trustwave Corp.'s SpiderLabs, a security firm. …

China has made industrial espionage an integral part of its economic policy, stealing company secrets to help it leapfrog over U.S. and other foreign competitors to further its goal of becoming the world's largest economy, U.S. intelligence officials have concluded in a report released last month. … In one instance, a ranking officer in China's People's Liberation Army, or PLA, employed the same server used in cyber-spying operations to communicate with his mistress. … For now, administration officials have correctly assessed that they lack the leverage to compel China to change its alleged criminal behavior, he said. "The Cold War is a pretty good analogy," Falkenrath said. "There was never any serious effort to change the internal character of the Soviet state." At a minimum, the November intelligence agency report does throw down a marker in that conflict, said Estonian Defense Minister Mart Laar. Estonia, which suffered a massive cyber attack in 2007 it said originated from Russia, is pushing for a NATO cyber defense alliance.

Page 26

Attacks, the cases

Saudi hackers claim release of Israeli credit card info

(CNN) A group claiming to be Saudi Arabian hackers is posting the credit card information and other identifying data of thousands of Israelis online, prompting an international investigation. The group first posted a message Tuesday, which included claims that 400,000 credit card numbers had been published. "Hi, it's OxOmar from group-xp, largest Wahhabi hacker group of Saudi Arabia," read a statement posted on an Israeli sports website the group hacked into. "We are anonymous Saudi Arabian hackers. We decided to release first part of our data about Israel." The Bank of Israel released a statement Tuesday saying that based on information from credit card companies, only about 15,000 credit card numbers were exposed, and those cards were blocked for use in Internet and telephone purchases. Thursday, the group claimed to have released another 11,000 credit card numbers and threatened to publish many more. Yoram Hacohen, the head of the Israeli Law, Information and Technology Authority at the Israeli Ministry of Justice, told CNN in a phone interview Friday he's more concerned about the private information that was released, not the credit card numbers.

Saudi hackers attack Israel's stock exchange and national airline

The websites of the Tel Aviv stock exchange and the Israeli national airline have been attacked by hackers identified with a known Saudi group. There have been attacks in the past two weeks on Israeli businesses with details of credit cards posted online. … According to OxOmar, "I want to harm Israel in any way possible. I can harm them in Cyber world so I would do anything for this world. I'll let Israeli authorities cry and suffer." … "OxOmar" also demanded an apology from the Deputy Foreign Minister Danny Ayalon, who said that the hackers' activities were acts of terror. … BBC reports that after the hacker attack that affected at least 20,000 active credit cards, an Israeli hacker retaliated, publishing details of hundreds of Saudi credit cards online, portending a possible escalation of cyber-war in the Middle East.

Page 27

Attacks, the trends

RSA - 2012 cyber-crime trends report

Cybercrime Trend 1. Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware

Cybercrime Trend 2. Cybercriminals will Find New Ways to Monetize Non-Financial Data

Cybercrime Trend 3. Fraud-as-a-service Vendors Will Bring New Innovations

Cybercrime Trend 4. Out-of-band Methods Will Force Cybercriminals to Innovate

Cybercrime Trend 4. The Rise of Hacktivism

Cybercrime Trend 4. Better Information Sharing will Lead to More Crackdowns on Cyber Gangs and Botnet Operators

Page 28

Attacks, the trends: Mobile!

[chart: IBM X-Force, 2010 Trend and Risk Report]

Page 29

Attacks, the trends: Mobile!

[chart: IBM X-Force, 2010 Trend and Risk Report]

Page 30

Attacks, the trends: Mobile!

Malicious Mobile Threats - Report 2010/2011 - Juniper Networks Global Threat Center Research

Smartphones and other mobile devices serve the same functions as laptop computers, with comparable computing power, but with little or no endpoint security.

Page 31

Attacks, the trends: Mobile!

[chart: Malicious Mobile Threats - Report 2010/2011 - Juniper Networks Global Threat Center Research]

Page 32

WHO DEFENDS THE DEFENDERS? (and whom do we trust?)

Page 33

Who defends the defenders?

The "defenders" under attack:

• The "Black Tulip Affair" (source: ENISA, "Certificate authorities lose authority")
  • DigiNotar, a digital certificate authority (CA), recently suffered a cyber-attack which led to its bankruptcy
  • No immediate incident reporting: DigiNotar did not immediately report the cyber-attack to customers or government authorities, which put the security and privacy of millions of citizens at risk.
  • Fundamental weaknesses in the design of HTTPS: in the current setup, browsers and operating systems (e.g. Microsoft's certificate store) place trust by default in a large number of CAs (hundreds), so a failure with one of them creates a risk for all users and all websites.
  • Failure to implement basic security measures: the Fox-IT report shows that basic security measures were not taken: no anti-virus in place, weak administrator passwords and insufficient logging (DigiNotar was audited yearly by an independent auditor against the ETSI standard (TS101456) for certificate authorities)

• The "Comodo Affair"
  • Generation of a series of "bogus" certificates that would have allowed the attacker to impersonate some of the most famous sites supporting the SSL protocol (the famous padlock!)
  • It does not seem to have caused damage, but it certainly undermined users' confidence in a security mechanism that was universally accepted (until today)
  • In this case too, the attack has a geopolitical side

• The "RSA Affair"
  • A "very sophisticated" attack carried out against the infrastructure of one of the most important providers of security solutions and "cyber-crime" monitoring
  • In reality, "corridor rumours" speak of the most banal of errors: opening an attachment in an e-mail
  • Theft of information relating to the SecurID two-factor authentication system
  • Communication about the attack was very patchy, and triggered every kind of conspiracy theory
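The HTTPS weakness named in the Black Tulip bullets (hundreds of CAs trusted equally, so one compromised CA can issue a certificate for any site) invites one well-known mitigation: public-key pinning, where a site declares which public keys may appear in its chain and the client rejects a chain that validates to a trusted root but carries none of them. The code below is an added illustration written for this page, not material from the slide, ENISA, Fox-IT or any browser. The pin format follows RFC 7469 (Public-Key-Pins header, SHA-256 over the DER SubjectPublicKeyInfo); the SPKI byte strings, the bank's header and both chains are constructed placeholders, not real keys.

```python
"""Public-key pinning check for a TLS certificate chain (added example).

Not code from DigiNotar, Fox-IT, ENISA or any browser vendor. The pin
format follows RFC 7469; the "SPKI" byte strings below are constructed
placeholders standing in for DER SubjectPublicKeyInfo blobs.
"""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin value as carried in the header: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into its pins, max-age and flag."""
    pins, max_age, include_sub = [], None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        key = name.strip().lower()
        if key == "pin-sha256":
            pins.append(arg.strip().strip('"'))
        elif key == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif key == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def chain_matches_pins(chain_spki: list, pins: list) -> bool:
    """RFC 7469 acceptance rule.

    At least one pin must match a key somewhere in the presented chain (leaf
    or CA), and at least one pin must be a backup NOT in the chain, so the
    operator can recover from key loss without locking users out. A chain
    that validates to a trusted root but carries none of the pinned keys is
    rejected: that is the mis-issued-certificate scenario on this slide.
    """
    present = {spki_pin(s) for s in chain_spki}
    pinset = set(pins)
    if len(pinset) < 2:
        return False
    return bool(present & pinset) and bool(pinset - present)


# Constructed key material (placeholders, not real DER SubjectPublicKeyInfo).
BANK_LEAF_SPKI = b"constructed-spki:bank-leaf-2012"
BANK_ISSUER_SPKI = b"constructed-spki:bank-chosen-intermediate-ca"
BANK_BACKUP_SPKI = b"constructed-spki:bank-offline-backup-key"
OTHER_CA_SPKI = b"constructed-spki:some-other-trusted-ca"
ROGUE_LEAF_SPKI = b"constructed-spki:mis-issued-leaf-for-bank-domain"


def pkp_header_for_bank() -> str:
    """Header the (hypothetical) bank publishes: its chosen CA key plus an offline backup."""
    return (f'pin-sha256="{spki_pin(BANK_ISSUER_SPKI)}"; '
            f'pin-sha256="{spki_pin(BANK_BACKUP_SPKI)}"; '
            'max-age=5184000; includeSubDomains')


def demo() -> dict:
    """Evaluate a genuine chain and a mis-issued one against the bank's pins."""
    policy = parse_pkp_header(pkp_header_for_bank())
    genuine_chain = [BANK_LEAF_SPKI, BANK_ISSUER_SPKI]
    # Chains to a different, still-trusted CA: accepted by plain path validation,
    # rejected by the pin check.
    rogue_chain = [ROGUE_LEAF_SPKI, OTHER_CA_SPKI]
    return {
        "genuine chain accepted": chain_matches_pins(genuine_chain, policy["pins"]),
        "mis-issued chain rejected": not chain_matches_pins(rogue_chain, policy["pins"]),
        "single pin refused": not chain_matches_pins(genuine_chain, policy["pins"][:1]),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'ok ' if ok else 'BAD'} {check}")
```

Pinning moves the trust decision from "any of hundreds of CAs" to "the keys this site chose", which is exactly the gap the ENISA text points at; the price is operational (a lost key with no backup pin locks every returning client out), which is why the rule above refuses a policy with a single pin.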

Page 34

Who defends the defenders?

The "defenders" under attack:

• The "Symantec Affair"

… (Reuters) - Symantec Corp, the top maker of security software, said hackers had exposed a chunk of its source code, which is essentially the blueprint for its products, potentially giving rivals some insight into the company's technology. The developer of the popular Norton antivirus software said the hackers stole the code from a third party and that the company's own network had not been breached, nor had any customer information been affected. The software maker would not confirm the claim of a group called the Lords of Dharmaraja, who said that they had obtained Symantec's source code by hacking the Indian military. Some governments ask their security vendors to provide their source code to ensure there is nothing in the code that could act as spyware, said Rob Rachwald, director of security strategy at data security firm Imperva.

…

(CNET News) Backtracking on earlier statements blaming a third party, the security software maker acknowledges that hackers infiltrated its own networks. Symantec said today that a 2006 security breach led to the theft of source code for some of its flagship products, backtracking on earlier statements that its network had not been hacked. The security software maker, which had previously blamed the theft on a third party, acknowledged that hackers had infiltrated its own networks. The hackers obtained 2006-era source code for Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and PCAnywhere, the company said in a statement. "Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006," a Symantec representative said in a statement. The software maker said that due to the age of the exposed source code, most Symantec customers are not in any increased danger of cyber-attacks as a result of the code's theft. However, the company said users of its remote-access suite PCAnywhere may face a "slightly increased security risk," and that the company is in the process of notifying those users of the situation and providing them a remedy to protect their data.

Page 35

Who defends the defenders?

Page 36

Conclusions

Page 37

Conclusions

… We live in a tough world full of liars and deceivers. Competition is fierce and unforgiving. People lie. …

Pete Herzog, co-founder of ISECOM (Institute for Security and Open Methodologies), in the announcement e-mail for the event "TROOPERS 12 – Make the world a safer place", to be held in Heidelberg in March

Page 38

Conclusions

Regional Card Blocking (Geo-blocking)

Regional Card Blocking, or geo-blocking, is becoming more common in Europe. This is when card issuers block their cards from being used in specified countries or regions. Typically customers then have to 'opt-in' to have their cards approved for use outside of Europe. EAST first provided information on geo-blocking with an update from Norway in the December 2010 Monthly Update.

Why is geo-blocking becoming popular with EMV card issuers? Most EMV (Chip and PIN) cards also have a magnetic stripe, and this stripe is still vulnerable to being copied or skimmed by criminals. Cloned cards made from copied EMV data cannot typically be used at EMV compliant ATMs or payment terminals, because there is no Chip. However, they can be used in countries where there are no EMV terminals, or where signature-based transactions are still common.

The implementation of geo-blocking means that skimming related card losses can fall significantly. In January 2011 the Belgian Banks introduced geo-blocking for debit card usage outside of Europe. The results were spectacular, with dramatic falls in the number of card skimming incidents and also in skimming related losses. Several banks in Germany have also started to implement geo-blocking, and banks in other European countries are starting to follow suit.

What do cardholders think? EAST carried out a research poll on Smart Card Security in January and February 2010. The result showed that 60% of the respondents were in favor of action being taken, as follows: 1. 28% indicated that they would be happy to contact their bank to have the stripe on their card activated before travelling outside Europe; 2. 12% indicated that they would be happy to carry a chip only card, and to apply for a separate stripe card should they need to travel outside Europe; 3. 20% agreed with both approaches. And geo-blocking is not just happening in Europe. By June of this year all Singaporean banks will block ATM and ATM-linked debit cards from being used overseas, unless individual customers request otherwise. It seems that, as long as some countries do not adopt the EMV standard, geo-blocking is here to stay!

European ATM Security Team (EAST) February 2012 Update
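The EAST text describes geo-blocking as a rule, not as code: chip transactions are fine anywhere, because a clone built from skimmed stripe data has no chip, while magnetic-stripe transactions outside the home region are declined unless the cardholder has opted in. The block below is an added example written for this page, not EAST's or any issuer's or scheme's authorization logic, and it generalizes the rule slightly by letting the opt-in carry a date window and an optional country list. The Europe country table, the record layouts, the `OptIn` window and all transactions are constructed assumptions.

```python
"""Regional card blocking (geo-blocking) as an authorization rule (added example).

Not EAST's, any issuer's or any scheme's code. Country codes, the Europe
list, the record layouts and the opt-in window are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed "home region" for a European issuer (ISO 3166-1 alpha-2 codes).
# A real issuer keeps a much longer, regularly updated country table.
EUROPE = frozenset({"IT", "DE", "FR", "BE", "NL", "ES", "NO", "SE", "AT", "CH", "GB"})


@dataclass(frozen=True)
class OptIn:
    """Cardholder request to enable the magnetic stripe outside the home region."""
    start: date
    end: date
    countries: frozenset = frozenset()  # empty = any country outside the home region


@dataclass(frozen=True)
class CardProfile:
    pan_last4: str
    home_region: frozenset = EUROPE
    opt_in: Optional[OptIn] = None


@dataclass(frozen=True)
class Transaction:
    country: str       # where the ATM or terminal is located
    entry_mode: str    # "chip" (EMV) or "magstripe" (non-EMV terminal or fallback)
    when: date
    amount_cents: int


def authorize(txn: Transaction, card: CardProfile) -> tuple[bool, str]:
    """Decide a transaction under geo-blocking; returns (approved, reason).

    The rule follows the EAST observation: a clone built from skimmed stripe
    data has no chip, so it only works where the chip is not checked. Chip
    transactions are therefore never geo-blocked; stripe transactions are
    allowed at home and, abroad, only inside a cardholder opt-in.
    """
    if txn.entry_mode == "chip":
        return True, "chip transaction: stripe-clone risk does not apply"
    if txn.entry_mode != "magstripe":
        return False, f"unknown entry mode {txn.entry_mode!r}"
    if txn.country in card.home_region:
        return True, "magstripe inside home region"
    opt = card.opt_in
    if opt is None:
        return False, "geo-blocked: magstripe abroad without opt-in"
    if not (opt.start <= txn.when <= opt.end):
        return False, "geo-blocked: opt-in window does not cover transaction date"
    if opt.countries and txn.country not in opt.countries:
        return False, f"geo-blocked: {txn.country} not in opt-in country list"
    return True, "magstripe abroad covered by cardholder opt-in"


def demo() -> dict[str, bool]:
    """Run the policy over constructed transactions; keys describe each case."""
    travel = OptIn(date(2012, 3, 1), date(2012, 3, 15), frozenset({"US"}))
    plain = CardProfile("1234")                  # never opted in
    traveller = CardProfile("5678", opt_in=travel)
    day, later = date(2012, 3, 5), date(2012, 4, 5)
    cases = {
        "chip in US, no opt-in": (Transaction("US", "chip", day, 10000), plain),
        "stripe in IT, no opt-in": (Transaction("IT", "magstripe", day, 10000), plain),
        "stripe in US, no opt-in": (Transaction("US", "magstripe", day, 10000), plain),
        "stripe in US, inside opt-in": (Transaction("US", "magstripe", day, 10000), traveller),
        "stripe in US, opt-in expired": (Transaction("US", "magstripe", later, 10000), traveller),
        "stripe in BR, US-only opt-in": (Transaction("BR", "magstripe", day, 10000), traveller),
    }
    return {name: authorize(txn, card)[0] for name, (txn, card) in cases.items()}


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{'APPROVE' if approved else 'DECLINE'}  {name}")
```

The reason string returned alongside the decision is what a fraud team would want in the authorization log: it separates a genuine geo-block from an expired opt-in or an unknown entry mode, which matters when a travelling cardholder calls to complain.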

Page 39

Conclusions

Perhaps, besides everything we are already doing in DLP (Data loss prevention), we also need actions oriented to:

- DBDP (Data breach disaster recovery)

- DVR (Data value reduction)

Thanks! [email protected]