TRANSCRIPT
Cybercrime: The Gathering Storm!
Andy Malone MVP, MCT
www.divedeeperevents.com
[email protected]
SESSION CODE: SIA330
The Disclaimer!
In attending this session you agree that any software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk. Microsoft Corporation, Quality Training (Scotland) Ltd, Dive Deeper Technology Events EMEA & the other 3rd party vendors whose software is demonstrated as part of this session are not responsible for any subsequent loss or damage whatsoever... You have been warned!
Contents
• Introduction
• Cybercrime – Latest Trends & Developments
• Cyber Gangs: Behind the Scenes
• Real World – The Boa Factory
• Physical Trends: The Growing Inside Man Threat
• Cybercrime to Cyber Terrorism
• Defense Tactics
• Demos & Conclusions
Q: What have all these things got in common?
It’s not Revolution, It’s Evolution!
Cybercrime: It’s not Revolution, It’s Evolution!
Cybercrime: Latest Trends
The Changing Business Environment: Enterprise 1.0 vs Enterprise 2.0
Enterprise 1.0                                      | Enterprise 2.0
Hierarchy                                           | Flat Organization
Friction                                            | Ease of Organization Flow
Bureaucracy                                         | Agility
Inflexibility                                       | Flexibility
IT-driven technology / Lack of user control         | User-driven technology
Top down                                            | Bottom up
Centralized                                         | Distributed
Teams are in one building / one time zone           | Teams are global
Silos and boundaries                                | Fuzzy boundaries, open borders
Need to know                                        | Transparency
Information systems are structured and dictated     | Information systems are emergent
Taxonomies                                          | Folksonomies
Overly complex                                      | Simple
Closed / proprietary standards                      | Open
Scheduled                                           | On Demand
Long time-to-market cycles                          | Short time-to-market cycles
Cybercrime: Vulnerability Exploit Cycle
1. Advanced intruders discover a new vulnerability
2. Crude exploit tools are distributed
3. Novice intruders use the crude exploit tools
4. Automated scanning/exploit tools are developed
5. Widespread use of automated scanning/exploit tools
6. Intruders begin using new types of exploits
Source: CERT
Cybercrime Trends: 2010 Top Phishing Targets
The financial services sector continues to be the most targeted industry sector (APWG)
• Financial: 54%
• Payment Services: 26%
• Auction: 8%
• Retail: 3%
• Other: 9%
Cybercrime: Latest Trends – Applications are King!
http://www.sans.org/top-cyber-security-risks/
Current Cybercrime Trends!
1. Client-side software that remains un-patched.
2. Internet-facing web sites that are vulnerable.
3. Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
4. Windows: Conficker/Downadup
5. Large increase in Insider Threats
6. Application Vulnerabilities Exceed OS Vulnerabilities
7. Web Application Attacks
8. Apple: QuickTime and Six More
9. Application Patching is Much Slower than Operating System Patching
10. Rising numbers of zero-day vulnerabilities
Cybercrime Latest Trends
Social Engineering: Public Enemy No 1
Social Networking Sites & other major targets!
• Twitter, Facebook, MySpace etc.
• File Sharing Sites, e.g. Piratebay
• Adobe PDF and Flash files, normally considered safe, are being used to infect victims with malware.
• "Cybercriminals are exploiting the global recession by luring in susceptible victims through the promise of easy money," blogged David DeWalt, CEO of McAfee.
• Cybercrime to Evolve to Cloud.
Social Networking: The New Boom Town!
Social Networking Systems: Operational Threats
• CSRF (Cross-site Request Forgery) worm (Latest Attack)
• Increased Network Intrusions
• Cyber Stalking / ID Theft
Facebook facts:
• 400 Million users (100 Million on Mobile)
• If Facebook was a country it would be the world’s 4th largest.
• Average of 130 friends per user
• More than 45 Million status updates per day
• More than Two Billion photos and 16 Million videos uploaded per month. That’s twice the amount of YouTube.
• People spend over 500 billion minutes per month on Facebook
• 44% of Facebook Users don’t vet Friends!
• http://www.facebook.com/press/info.php?statistics
Cybercrime: Behind the Scenes
Tempted?: What’s Your Price?
Cybercrime: An Evolving Landscape
It’s not just Hackers Anymore...
• Companies seeking competitors’ trade secrets
• Partnerka 3 (Russian business partnerships)
• Government / Military Interest
• Con-artists
• Pedophiles
• Disgruntled employees
• “Accidental” criminals
• Copyright Violations
Cyber Criminals come in 8 Basic Models
Motivation axis: Curiosity, Personal Fame, Personal Gain, National Interest
Skill axis: Script-Kiddy, Undergraduate, Expert, Specialist
Models shown: Author, Vandal, Thief, Spy, Trespasser
SOURCE: Microsoft and Accenture
Largest Growth Sector
The Top 10 Dodgy Careers!
1. Coders/programmers: They write malware code used by the criminal enterprise.
2. Distributors: They trade and sell stolen data and act as vouchers for the goods provided by other specialists.
3. Tech experts: They maintain the hack organisation's IT infrastructure, including servers, encryption technologies, databases, and the like.
4. Hackers: They search for and exploit applications, systems and network vulnerabilities.
5. Fraudsters: They create and deploy various social engineering schemes (for example phishing and spam) to dupe computer users.
6. Hosted systems providers: They offer safe hosting of illicit content servers and sites.
7. Cashiers: They control drop accounts and provide names and accounts to other criminals for a fee.
8. Money mules: These money mules complete wire transfers between bank accounts. The money mules in many cases use student and work visas to travel to the US to open bank accounts.
9. Tellers: They transfer and launder the illicitly gained proceeds through digital currency services and different world currencies.
10. Organization Leaders: They are often "people persons" without technical skills. Their job is to select the team and choose targets.
Cybercrime: The Traditional Gang Structure
Cybercrime Tactics: Hacker Intrusion Activity Model Chart
Cybercrime: Current Tools & Tactics?
Low Risk – High Return – Work Your Own Hours
Hacker Tools Easily Available:
• Identity Theft
• Remote Access Tools – known as RATs
• Key logger Tools
• Video And Audio Systems – Remote Webcam Activation
• Computer Memory Storage
• Spamming Tools
• Create Your Own Virus Tools for FREE!
• Drive-By Spyware – Bad guys will pay you!
• Computer Scrambling Devices – Ransomware!
From Russia With Love
DEMO
Cybercrime: Real World Example: The BOA Factory!
With special thanks to:
The JCC Fraud Prevention Tool
Safeguard Fraud Monitoring System
• Rule Based (Acquiring and Issuing module)
• On-line & Batch Mode (Off-line transactions)
• Accommodates Visa and MasterCard minimum monitoring requirements and many rules from hands-on experience (local customizations)
• Easily updatable for any new ‘modus operandi’
• Alerts can be transmitted to users via SMS messages
Meet Roman & Igor...
BOA, ROMAN VEGA, ROMEO ANTONIO VEGA, MIKE OLDFIELD, JERRY DEEWOOD
IGOR ANATOLY TERESCHENKO
It Begins...
Case Analysis – Background!
• Two “Eastern Europeans” arrested (Owner of ‘BOA FACTORY’ – The Leader of a Worldwide credit card trafficking ring)
• 166 White Plastics found – Most of them encoded
• 3 Lap Tops recovered
• Encoding machine
• Counterfeited passports & visas recovered
Case Analysis - Photos
Case Analysis – Data & Computer Forensics
154,000 Credit Card Numbers – Numbers Coming From the Following Computer Hacks:
• Rich Solutions
• DPISLM Soft
• Marriott Hotels
• Global Card Services (also Eckenbach case)**
• Isabel Bloom
• IMAX, Tempe AZ
• Innobeta ATM network
Lap Top Findings - Photo Visuals
Floppy Disk – Evidence #4
Unerased file: zakarty-tr1.txt
Contents:
Wait
App: zakaz.txt - Блокнот
App: zakaz.txt - Блокнот |Pos:44x44-772x365|
Delay:0:00:01
Mouse: x:308 y:60 butt:Left
Delay:0:00:05
Mouse: x:51 y:96 butt:Left
Delay:0:00:01
Key:|250||241||251||252|C|253|
Wait
App: RenCode 2000 (M) - Database: L:\WORK\zakaz.wok
App: Action mode: Magnetic Stripe - Database: zakaz.wok |Pos:193x165-832x604|
Delay:0:00:02
Mouse: x:798 y:184 butt:Left
Delay:0:00:02
Mouse: x:778 y:503 butt:Left
Delay:0:00:01
Key:|252|V|253||9|
Wait
App: zakaz.txt - Блокнот
Boa Factory Services
Expansion of assortment and change of the prices will be published soon. Do not miss special short-term actions!
- The process of ordering is explained on every single page down here.
- Any corrections, more precise on every order we settle along the way. We give unique order number for every client. You can always see your order status here.
- Read Policy of Boa Factory before making the order.
- There are few services that we recommend to use from other vendors. We recommend you buying cards data (standard and CVV) from Script and different services from trusted sellers.
Policy of Boa Factory
- We do NOT responsible for amount of money available on dumps we sold, we sell valid dumps, meaning they all checked for decline. So if you do not find 1k on this card we won’t accept any claims.
Lap Top Findings
This is basically usual card with cvv2 code, the only difference between any other cards is that you have the ability to go to the web site of the bank where the card has been issued and by entering the login and password information you'll be able to know the current balance on the card, daily charge limits, available credit amount, date of last purchase, but that's not all. You'll also be able to change the cardholder's billing address and the phone number on the card (ex. to the address and telephone # of your drop). The Name and Surname cannot be changed.
Why would you need such kind of service? 1. This card is irreplaceable for people who do the shopping, when you have the ability to change the address on the address you need. Which means when shop is sending the stuff you've ordered it can see that the address on the card is exactly the same as the address you're dropping this to. 2. This will also be a great service for those who work with Western Union! This kind of card goes with extra features like SSN and Date of Birth of the owner. You'll also be able to see the daily limits, and current balance. 3. Once again this card maybe a great get-out for those who does the PayPal verification. Because you have online access to the card, you'll be able to see those cents that PayPal will send you for verification. However there is a flip-side of the coin, the card may never enter the PayPal system, this only depends on person professionalism and luck.
Here is the current price list: 1. The price of the card with available balance from $1,000 to $3,000 will be $100. This card goes with online access, which means I'm opening and giving you the card out, and you'll be able to change the Address and Phone # on it. 2. The price of the card with available balance from $4,001 to $6,000 will be $150. 3. The price of the card with available balance from $7,001 to $15,000 will be $250. 4. The price of the card with available balance from $16,001 to $30,000 will be $350.
Guarantees: Unfortunately there is no guarantees for this kind of service. You change the billing address yourself, I'm giving you the working card, just after that you go to the web site of the bank with the login\password information provided by me, and make yourself sure that the amount of money that we've previously discussed is available on the card. Just after moment you are the only one whos responsible for the card. I can only replace you the card if it has been closed within an hour after you've received it. My recommendation is to only use the card if you have
Case Analysis - Results
• Possible Link to a $200.000.000 money laundering scheme
• Related to some Offshore Companies in Cyprus (under police investigation)
• Vega was extradited to US and Cyprus Police Authorities
Data Breaches - Conclusions
Year 2009 / 10 – Many Breaches reported with new twists and trends…
• Attacks with inside help, sources usually from Eastern Europe.
• Organized Crime behind the large breaches – ‘The US Heartland case’: 130.000.000 cards compromised.
• The Organized Criminal Groups are driving the evolution of cybercrime.
• Attackers are exploiting system errors and weaknesses in system monitoring, mainly where the PCI DSS (Payment Card Industry Data Security Standard) rules and applications are not in place.
• Hackers’ primary target: Organizations that process and/or store large volumes of ‘desirable data’ that can turn into money – payment card data…
• Hackers’ main goal: Hack into systems & install ‘customized intelligent’ malware
Data Breaches - Conclusions
To Cut to the Chase…:
• Organized crime has discovered that its interests can be assisted through the recruitment or placement of bank insiders….
• The nature of staff employed is changing – not dedicated. Many do not see their current employment as a long-term career; pressure from personal debts, thirst for quick wealth.
The Spy Who Loved Me
DEMO
Covert Monitoring Software.
Cybercrime Vs Cyber Terrorism. Think of the Potential
• Armies may cease to march
• Governments may fall
• Stocks may lose a hundred points
• Businesses may be bankrupted
• Individuals may lose their social identity
• Threats not from novice teenagers, but purposeful military, political, and criminal organizations
Cyber Terrorism: Botnet Example: Georgian cyber attacks launched by Russian crime gangs
• 2008 cyber attacks that brought internet traffic to a standstill in Georgia were carried out by civilians and Russian crime gangs.
• US Cyber Consequences Unit (US-CCU) said the cyber attacks coincided with the Russian military's invasion of Georgia in August 2008!
• It was almost impossible for citizens and officials to communicate about what was happening on the ground during the military operation.
Cyber Terrorism Botnet Example: Georgian cyber attacks launched by Russian crime gangs
• Wave 1 - The first group involved used botnets, command and control channels, and other resources operated by Russian crime gangs.
• 11 government websites were felled by the botnets, which directed a torrent of traffic at their targets.
• A separate source of the cyber attacks came in the form of civilians who willingly installed improvised software that targeted an additional 43 websites operated by Georgia-based news agencies.
Social Engineering Defense: Public Enemy Number 1
Basically Employees Come in 3 Flavours!
Engaged
Not Engaged
Actively Disengaged
Number 1: Engaged
Engaged
• Work with Passion
• Feel a Profound Connection with Employer
• Drive Innovation & move the company forward
Number 2: Not Engaged
Not Engaged
• Employees are Essentially Checked Out!
• Sleepwalking through their Working Day.
• Putting in Time, but not Energy or Passion.
Number 3: Actively Disengaged
Actively Disengaged
• Employees aren't just unhappy, they are busy acting out their unhappiness.
• Every day these people undermine what their Engaged co-workers accomplish.
Why Employees Turn Bad!
• Low Pay!
• Poor Job Motivation
• Low Self Esteem
• Opportunism
• Too Many Network Permissions
• Assumed Trust
• Access to Sensitive Materials
• Easy Target: Can easily be recruited by bad guys
Hacker Recruitment Process
• Get Noticed
• Hacking Contest
• Tracked at Conferences
• Advertise via IRC Channels & Websites
• Apply for Job in Target Company
Industrial Espionage!
• Low cost of entry.
• High rate of return.
• Low probability of detection.
• Lower probability of prosecution.
• Even lower probability of meaningful punishment.
Possible Solution: Adopt Employee monitoring Methods
• CCTV
• Wiretapping
• Email Monitoring
• Smart Card Logging
• Timesheets / Clock!!!
• Gadgets
• Monitoring Software
• Auditing
Do you Suspect Someone?
• Collect Evidence
• Ensure that ALL Policies & Procedures have been Followed
• Determine on What Grounds the Employee can be Suspended
• Seek Legal Advice
• Lock User’s Account / Computer
• Suspend / Terminate Employment if Necessary
• Call Law Enforcement if Necessary & Perform Forensic Analysis
Basic Forensic Skills Every Administrator Should Know!
• Wireshark (See Laura’s Session)
• Understand File Signatures
• Understand How Firewalls Actually Work
• Understand where Deleted Files Actually Go
• Monitor Employee Emails
• Use Forensic Tools to Uncover Basic Secrets
• Block Hardware-based Bugs & Devices
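The "Understand File Signatures" skill above comes down to reading a file's first bytes rather than trusting its name. The following is an added example, not code from the session or its speaker: it carries a small constructed table of well-known magic numbers and flags files whose extension disagrees with the signature actually found (the classic renamed-executable case). The sample headers are constructed byte strings, not real files.

```python
"""Identify a file's real type from its leading bytes (its "magic number")
and flag files whose extension disagrees with that signature."""
import os

# Constructed signature table: (magic bytes at offset 0, short type, description).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png", "PNG image"),
    (b"\xff\xd8\xff", "jpg", "JPEG image"),
    (b"GIF87a", "gif", "GIF image"),
    (b"GIF89a", "gif", "GIF image"),
    (b"%PDF-", "pdf", "PDF document"),
    (b"PK\x03\x04", "zip", "ZIP container (also docx/xlsx/pptx/jar)"),
    (b"MZ", "exe", "Windows PE executable (DOS MZ header)"),
    (b"\x7fELF", "elf", "ELF executable"),
    (b"Rar!\x1a\x07", "rar", "RAR archive"),
]

# Extensions that legitimately share one container signature.
ZIP_FAMILY = {"zip", "docx", "xlsx", "pptx", "jar", "apk"}
JPEG_FAMILY = {"jpg", "jpeg"}

def identify(header: bytes):
    """Return (short_type, description) for the first matching signature, else None."""
    for magic, short, desc in SIGNATURES:
        if header.startswith(magic):
            return short, desc
    return None

def check_file(name: str, header: bytes) -> dict:
    """Compare the extension of `name` with the type found in `header`."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    found = identify(header)
    if found is None:                       # unknown signature: nothing to compare
        return {"name": name, "detected": None, "mismatch": False}
    short, desc = found
    ok = (ext == short
          or (short == "zip" and ext in ZIP_FAMILY)
          or (short == "jpg" and ext in JPEG_FAMILY))
    return {"name": name, "detected": desc, "mismatch": not ok}

# Constructed sample headers (first bytes only), not real files.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",   # executable renamed to .pdf
    "notes.txt":   b"Meeting at 10am",
}

def scan(samples=SAMPLES):
    """Check every sample; a real tool would read the first 16 bytes of each file."""
    return [check_file(n, h) for n, h in samples.items()]

if __name__ == "__main__":
    for r in scan():
        print(f"{r['name']:14} {str(r['detected']):42} {'MISMATCH' if r['mismatch'] else 'ok'}")
```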
The Man with the Golden Gun!
DEMO
Forensic Tools For Network Administrators
Top Tip: Now It’s the Ultimate Defense Tool!
Top Tip: Protect & Survive
Top Tip: Generate a Secure Appearance!
Review
• Introduction
• Cybercrime – Latest Trends & Developments
• Cyber Gangs: Behind the Scenes
• Real World – The Boa Factory
• Physical Trends: The Growing Inside Man Threat
• Cybercrime to Cyber Terrorism
• Defense Tactics
• Demos & Conclusions
Thanks for Attending!
Andy Malone MVP, MCT
www.divedeeperevents.com
[email protected]
SESSION CODE: SIA330
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
JUNE 7-10, 2010 | NEW ORLEANS, LA