2012-02-27 - sabbatini - presentazionesala/events2012/bank2012_sabbatini.pdf · symantec...
TRANSCRIPT
R. Sabbatini
Overview of attacks. The numbers to date.
Renato Sabbatini
MINI-COURSES 2012. E-commerce and online banking: effective cryptographic security
Università degli Studi di Trento, Industrial Mathematics and Cryptography Laboratory
27 February 2012
Overview of attacks
Agenda: Attack channels - Attacks, numbers and cases - Who defends the defenders?
ATTACK CHANNELS
Attack channels
The channels are laid out on two axes: physical vs. logical, and distributed vs. centralized.
Logical channels: Malware; Malware; MitB (man-in-the-browser) attack; Data breach; *ishing (phishing, vishing, smishing); Credentials misuse
Physical channels: Equipment tampering; Skimmers; Lost and stolen devices; Physical intrusion; Archives theft
ATTACKS, NUMBERS AND CASES
Attacks, the numbers
Verizon - 2011 Data Breach Investigations Report: what (chart)
Verizon - 2011 Data Breach Investigations Report: how much (chart)
Attacks, the numbers: how much (ATM)
European ATM Security Team (EAST) has just published an ATM crime report covering the full year 2010. There has been a 14% drop in ATM related fraud losses in 2010, with total losses of €268 million reported (down €44 million from €312 million in 2009). This is the second successive annual drop, following on from the 36% fall reported for 2009.
This fall is driven by a reduction in losses due to card skimming attacks, which have fallen for the past six half-yearly reporting periods, from a peak of €315 million in December 2007 to the current level of €123 million in December 2010. ATM related fraud attacks fell by 7%, with a total of 12,383 incidents reported (down from 13,269 incidents in 2009).
The majority (82%) of ATM related card skimming losses are now international, with most now occurring in countries outside of Europe. The risk of counterfeit EMV cards being used to withdraw cash fraudulently from ATMs in parts of the world that are not EMV compliant remains high and is leading some European card issuers to implement additional security measures.
Physical attacks on European ATMs have fallen by 16% when compared with 2009 (down from 2,468 to 2,062 incidents). Within this total the number of reported explosive and gas attacks (278) has gone up for the second year in succession, an 88% increase when compared to 2009. Overall losses rose 18% to €33 million (up from €28 million in 2008).
Attacks, the numbers
Verizon - 2011 Data Breach Investigations Report: how (chart)
Verizon - 2011 Data Breach Investigations Report: who (chart)
Symantec - Report on Attack Kits and Malicious Websites: from where (chart)
Verizon - 2011 Data Breach Investigations Report: where (two charts)
Symantec - 2010 Annual Study - U.S. Cost of a Data Breach: costs (four charts)
Attacks, the numbers
Last minute: Report highlights
Symantec Intelligence Report: January 2012
• Spam – 69.0 percent (an increase of 1.3 percentage points since December 2011)
• Phishing – One in 370.0 emails identified as phishing (an increase of 0.06 percentage points since December 2011)
• Malware – One in 295.0 emails contained malware (a decrease of 0.02 percentage points since December 2011)
• Malicious Web sites – 2,102 Web sites blocked per day (a decrease of 77.4 percent since December 2011)
• Spammers continue to take advantage of holidays and events
Attacks, the numbers
Last minute: Symantec Intelligence Report, January 2012 (charts): spam; phishing; virus; phishing; web-based malware; web policy risks from inappropriate use
Attacks, the cases
Millions hit in South Korean hack
… South Korea has blamed Chinese hackers for stealing data from 35 million accounts on a popular social network. The attacks were directed at the Cyworld website as well as the Nate web portal, both run by SK Communications. Hackers are believed to have stolen phone numbers, email addresses, names and encrypted information about the sites' many millions of members. It follows a series of recent cyber attacks directed at South Korea's government and financial firms. … The Nate portal gives people access to web services such as email while the Cyworld social site lets people share images and updates with friends and allows them to create an avatar that inhabits a small virtual apartment. …
Population of South Korea: 48,860,500 (July 2012 estimate) (CIA data)
… an entire nation cloned. At least inside the social network, the attacker could take on anyone's identity!!
Attacks, the cases
China-Based Hacking of 760 Companies Shows Cyber Cold War
(Dec. 9, Bloomberg) Google Inc. (GOOG) and Intel Corp. (INTC) were logical targets for China-based hackers, given the solid-gold intellectual property data stored in their computers. An attack by cyber spies on iBahn, a provider of Internet services to hotels, takes some explaining. iBahn provides broadband business and entertainment access to guests of Marriott International Inc. and other hotel chains, including multinational companies that hold meetings on site. Breaking into iBahn's networks, according to a senior U.S. intelligence official familiar with the matter, may have let hackers see millions of confidential e-mails, even encrypted ones, as executives from Dubai to New York reported back on everything from new product development to merger negotiations. More worrisome, hackers might have used iBahn's system as a launching pad into corporate networks that are connected to it, using traveling employees to create a backdoor to company secrets, said Nick Percoco, head of Trustwave Corp.'s SpiderLabs, a security firm. …
China has made industrial espionage an integral part of its economic policy, stealing company secrets to help it leapfrog over U.S. and other foreign competitors to further its goal of becoming the world's largest economy, U.S. intelligence officials have concluded in a report released last month. … In one instance, a ranking officer in China's People's Liberation Army, or PLA, employed the same server used in cyber-spying operations to communicate with his mistress … For now, administration officials have correctly assessed that they lack the leverage to compel China to change its alleged criminal behavior, he said. "The Cold War is a pretty good analogy," Falkenrath said. "There was never any serious effort to change the internal character of Soviet state." At a minimum, the November intelligence agency report does throw down a marker in that conflict, said Estonian Defense Minister Mart Laar. Estonia, which suffered a massive cyber attack in 2007 it said originated from Russia, is pushing for a NATO cyber defense alliance.
Attacks, the cases
Saudi hackers claim release of Israeli credit card info
(CNN) A group claiming to be Saudi Arabian hackers is posting the credit card information and other identifying data of thousands of Israelis online, prompting an international investigation. The group first posted a message Tuesday, which included claims that 400,000 credit card numbers had been published. "Hi, it's OxOmar from group-xp, largest Wahhabi hacker group of Saudi Arabia," read a statement posted on an Israeli sports website the group hacked into. "We are anonymous Saudi Arabian hackers. We decided to release first part of our data about Israel." The Bank of Israel released a statement Tuesday saying that based on information from credit card companies, only about 15,000 credit card numbers were exposed, and those cards were blocked for use in Internet and telephone purchases. Thursday, the group claimed to have released another 11,000 credit card numbers and threatened to publish many more. Yoram Hacohen, the head of the Israeli Law, Information and Technology Authority at the Israeli Ministry of Justice, told CNN in a phone interview Friday he's more concerned about the private information that was released, not the credit card numbers.
Saudi hackers attack Israel's stock exchange and national airline
The websites of the Tel Aviv stock exchange and the Israeli national airline have been attacked by hackers identified with a known Saudi group. There have been attacks in the past two weeks on Israeli businesses with details of credit cards posted online. …. According to OxOmar, "I want to harm Israel in any way possible. I can harm them in Cyber world so I would do anything for this world. I'll let Israeli authorities cry and suffer." …. "OxOmar" also demanded apology from the Deputy Foreign Minister Danny Ayalon, who said that the hackers' activities were acts of terror. …. BBC reports that after the hacker attack that affected at least 20,000 active credit cards, an Israeli hacker retaliated, publishing details of hundreds of Saudi credit cards online, portending a possible escalation of cyber-war in the Middle East.
Attacks, the trends
RSA - 2012 cyber-crime trends report
Cybercrime Trend 1. Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware
Cybercrime Trend 2. Cybercriminals will Find New Ways to Monetize Non-Financial Data
Cybercrime Trend 3. Fraud-as-a-Service Vendors Will Bring New Innovations
Cybercrime Trend 4. Out-of-Band Methods Will Force Cybercriminals to Innovate
Cybercrime Trend 5. The Rise of Hacktivism
Cybercrime Trend 6. Better Information Sharing will Lead to More Crackdowns on Cyber Gangs and Botnet Operators
Attacks, the trends
IBM - X-Force - 2010 Trend and Risk Report: Mobile! (two charts)
Malicious Mobile Threats - Report 2010/2011 - Juniper Networks Global Threat Center Research: Mobile!
Smartphones and other mobile devices serve the same functions as laptop computers, with comparable computing power, but with little or no endpoint security.
WHO DEFENDS THE DEFENDERS? (and whom do we trust?)
Who defends the defenders?
The "defenders" attacked:
• The "Black Tulip Affair" (source: ENISA, "Certificate authorities lose authority")
  • DigiNotar, a digital certificate authority (CA), recently suffered a cyber-attack which led to its bankruptcy
  • No immediate incident reporting: DigiNotar did not immediately report the cyber-attack to customers or government authorities, which put the security and privacy of millions of citizens at risk.
  • Fundamental weaknesses in the design of HTTPS: in the current setup, browsers and operating systems (e.g. Microsoft's certificate store) place trust by default in a large number of CAs (hundreds), so a failure with one of them creates a risk for all users and all websites.
  • Failure to implement basic security measures: the Fox-IT report shows that basic security measures were not taken: no anti-virus in place, weak administrator passwords and insufficient logging (DigiNotar was audited yearly by an independent auditor against the ETSI standard (TS101456) for certificate authorities)
• The "Comodo Affair"
  • Generation of a series of "bogus" certificates that would have allowed the attacker to impersonate some of the most famous sites supporting the SSL protocol (the famous padlock!)
  • It does not seem to have caused damage, but it certainly undermined users' confidence in a security mechanism that had been universally accepted (until today)
  • In this case too, the attack has a geopolitical angle
• The "RSA Affair"
  • A "very sophisticated" attack carried out against the infrastructure of one of the most important providers of security solutions and "cyber-crime" monitoring
  • In reality, the "corridor rumours" speak of the most trivial of errors: opening an attachment in an e-mail
  • Theft of information relating to the SecurID two-factor authentication system
  • Communication about the attack was very patchy, and it triggered every kind of conspiracy theory
• The “Symantec Affair”
… (Reuters) - Symantec Corp, the top maker of security software, said hackers had exposed a chunk of its source code, which is essentially the blueprint for its products, potentially giving rivals some insight into the company's technology. The developer of the popular Norton antivirus software said the hackers stole the code from a third party and that the company's own network had not been breached, nor had any customer information been affected. The software maker would not confirm the claim of a group called the Lords of Dharmaraja, who said that they had obtained Symantec's source code by hacking the Indian military. Some governments ask their security vendors to provide their source code to ensure there is nothing in the code that could act as spyware, said Rob Rachwald, director of security strategy at data security firm Imperva.
….
(CNET News) Backtracking on earlier statements blaming a third party, the security software maker acknowledges that hackers infiltrated its own networks. Symantec said today that a 2006 security breach led to the theft of source code for some of its flagship products, backtracking on earlier statements that its network had not been hacked. The security software maker, which had previously blamed the theft on a third party, acknowledged that hackers had infiltrated its own networks. The hackers obtained 2006-era source code for Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and PCAnywhere, the company said in a statement. "Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006," a Symantec representative said in a statement. The software maker said that due to the age of the exposed source code, most Symantec customers are not in any increased danger of cyber-attacks as a result of the code's theft. However, the company said users of its remote-access suite PCAnywhere may face a "slightly increased security risk," and that the company is in the process of notifying those users of the situation and providing them a remedy to protect their data.
Conclusions
… We live in a tough world full of liars and deceivers. Competition is fierce and unforgiving. People lie. …
Pete Herzog, co-founder of ISECOM (Institute for Security and Open Methodologies), in the e-mail presenting the event "TROOPERS 12 – Make the world a safer place", to be held in Heidelberg in March
Regional Card Blocking (Geo-blocking)
Regional Card Blocking, or geo-blocking, is becoming more common in Europe. This is when card issuers block their cards from being used in specified countries or regions. Typically customers then have to 'opt in' to have their cards approved for use outside of Europe. EAST first provided information on geo-blocking with an update from Norway in the December 2010 Monthly Update.
Why is geo-blocking becoming popular with EMV card issuers? Most EMV (Chip and PIN) cards also have a magnetic stripe and this stripe is still vulnerable to being copied or skimmed by criminals. Cloned cards made from copied EMV data cannot typically be used at EMV compliant ATMs or payment terminals, because there is no Chip. However they can be used in countries where there are no EMV terminals, or where signature-based transactions are still common.
The implementation of geo-blocking means that skimming related card losses can fall significantly. In January 2011 the Belgian Banks introduced geo-blocking for debit card usage outside of Europe. The results were spectacular, with dramatic falls in the number of card skimming incidents and also in skimming related losses. Several banks in Germany have also started to implement geo-blocking and banks in other European countries are starting to follow suit.
What do cardholders think? EAST carried out a research poll on Smart Card Security in January and February 2010. The result showed that 60% of the respondents were in favor of action being taken, as follows:
1. 28% indicated that they would be happy to contact their bank to have the stripe on their card activated before travelling outside Europe;
2. 12% indicated that they would be happy to carry a chip-only card, and to apply for a separate stripe card should they need to travel outside Europe;
3. 20% agreed with both approaches.
And geo-blocking is not just happening in Europe. By June of this year all Singaporean banks will block ATM and ATM-linked debit cards from being used overseas, unless individual customers request otherwise. It seems that, as long as some countries do not adopt the EMV standard, geo-blocking is here to stay!
European ATM Security Team (EAST) February 2012 Update
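The geo-blocking policy described in the EAST update, as an added example that is not EAST's or the presentation's own code: a Python authorisation check that declines a card outside its home region unless the cardholder has opted in for that country and travel window, and that treats a magnetic-stripe read on a chip-only card as a counterfeit stripe. The region list, country codes, card profiles and transactions are constructed sample data; the time-bound opt-in (poll option 1) and the chip-only rule (poll option 2) are assumptions about how an issuer might implement them.

```python
"""Issuer-side geo-blocking check for card authorisations.

Added example (not EAST's or the presentation's code). Everything below
is constructed: the "Europe" region list, the card profiles and the
transactions. The two rule variants (time-bound opt-in, chip-only card)
are assumptions modelled on the cardholder options in the EAST poll.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Entry(Enum):
    CHIP = "chip"            # EMV chip read at an EMV-capable terminal
    MAGSTRIPE = "magstripe"  # stripe read: fallback, or a non-EMV terminal


# Constructed stand-in for "Europe": a handful of ISO 3166-1 alpha-2 codes.
EUROPE = frozenset({"IT", "DE", "BE", "FR", "NL", "ES", "NO", "GB", "CH"})


@dataclass
class OptIn:
    """Cardholder request to enable the card abroad for a travel window."""
    countries: frozenset
    valid_from: date
    valid_to: date

    def covers(self, country: str, when: date) -> bool:
        return country in self.countries and self.valid_from <= when <= self.valid_to


@dataclass
class CardProfile:
    pan_token: str                        # a token, never the real card number
    home_region: frozenset = EUROPE       # where the card works without opt-in
    chip_only: bool = False               # card issued without a magnetic stripe
    opt_ins: list = field(default_factory=list)


@dataclass
class Transaction:
    card: CardProfile
    country: str      # country of the ATM / terminal
    entry: Entry
    when: date


def authorise(tx: Transaction) -> tuple[bool, str]:
    """Return (approved, reason).

    The geography rule runs before PIN or balance checks; the reason string
    is what a fraud analyst would want to see in the authorisation log.
    """
    card = tx.card
    # A chip-only card can never legitimately produce a stripe read, so one
    # means a counterfeit stripe built from copied data: decline outright.
    if card.chip_only and tx.entry is Entry.MAGSTRIPE:
        return False, "stripe read on chip-only card"
    # Inside the home region geography does not block anything.
    if tx.country in card.home_region:
        return True, "home region"
    # Outside it, an opt-in must cover both the country and the date.
    if any(o.covers(tx.country, tx.when) for o in card.opt_ins):
        return True, "opt-in"
    return False, "geo-blocked: outside home region, no opt-in"


def run_sample() -> dict:
    """Constructed transactions that exercise every branch of authorise()."""
    trip = OptIn(frozenset({"US"}), date(2012, 3, 1), date(2012, 3, 14))
    card = CardProfile("tok_0001", opt_ins=[trip])
    chip_card = CardProfile("tok_0002", chip_only=True)
    txs = [
        Transaction(card, "IT", Entry.CHIP, date(2012, 2, 27)),          # domestic
        Transaction(card, "US", Entry.MAGSTRIPE, date(2012, 3, 5)),      # during trip
        Transaction(card, "US", Entry.MAGSTRIPE, date(2012, 4, 5)),      # after the trip
        Transaction(card, "BR", Entry.MAGSTRIPE, date(2012, 3, 5)),      # country not opted in
        Transaction(chip_card, "DE", Entry.MAGSTRIPE, date(2012, 3, 5)),  # impossible read
    ]
    results = [authorise(t) for t in txs]
    return {
        "approved": sum(1 for ok, _ in results if ok),
        "declined": sum(1 for ok, _ in results if not ok),
        "reasons": [reason for _, reason in results],
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The third transaction is the case the EAST text is about: the cardholder's stripe was read in the US during the trip and a copy of it surfaces weeks later, which the expired opt-in turns into a decline without any need to detect the cloning itself.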
Perhaps, in addition to everything we are doing in the DLP (Data loss prevention) area, we also need actions oriented towards:
- DBDP (Data breach disaster recovery)
- DVR (Data value reduction)
Thanks! [email protected]