Cyber Threats in the 21st Century

                            Cyber Threats in
                            the 21st Century

                              SSA Donald R. Codling
                                  Cyber Division
                                  202-651-3252
                             Donald.codling@ic.fbi.gov



Tuesday, January 26, 2010                                1
                                     Agenda
                            Current Issues/Trends
                            Botnets
                            Malware
                            Questions




                            Threat Trends
             Criminal Use of Cyber Space
             Botnets
             Attacks on Financial Institutions (ACH transfers)
             Proliferation of Multi-Purpose Malcode
             Increased Use of Encrypted Peer-to-Peer Communication
             State Sponsored Cyber Activity
             Hacking for Profit




                            The Threat Actors

                            Advanced Cyber States
                            Industrial States
                            Criminal Enterprises
                            Terrorist Networks
                            Developing States
                            Hacker Groups
                            Individuals



                            Impact of Illicit Use of
                                Cyberspace

          Economic

            •   Financial losses in the Billions?
            •   Lost confidence in Internet commerce
            •   Increased security costs
            •   Job Security




                            Impact of Illicit Use of
                                Cyberspace
          National Security Implications
          Compromise of:
            •   Critical Government/Military/Commercial
                Networks
            •   Weapons Systems Under Development
            •   National Critical Infrastructure
                     Financial System Networks
                     Air Traffic Control
                     Power Grid


                        Today’s Cyber Crimes

          Internet Fraud
            •   “Nigerian” Scams
            •   Stock Fraud (Pump and Dump)
            •   Auction Fraud (eBay, AutoTrader.com)
            •   Identity Theft/ Theft of Personal Identifying Information (PII)


          Child Pornography

          Intellectual Property Rights Violations/Theft of Trade
          Secrets




                            Botnets Defined

          Robot Network or “Botnet”

          Created by the introduction of malware (the bot) onto a
          victim computer.

          Bot on infected PC (zombie) logs into a particular
          Command and Control (C&C) Server based on the
          instructions in the Bot code.

          The C&C Server issues instructions to the Bots for
          whatever nefarious purpose the operator wishes.



                            Botnet Uses

          Spam
          Anonymous Remote Access
          Malware Delivery
          Website Emulation (Phishing)
          Click Fraud
          DDoS (Distributed Denial of Service) Attacks




                            Malware




                            Malware: What is it?

             Malware (Malicious Software)
            – Software or firmware intended to perform an
              unauthorized process that will have an adverse
              effect on the confidentiality, integrity, or availability of
              an information system. (FBI)
            – A generic term increasingly being used to describe
              any form of malicious software such as viruses,
              Trojan Horses, malicious active content, etc.
                  www.visiontm.com/Spy/Glossary.htm




                            Malware: Why use it?

          Purpose
            – Increased revenue
            – Tracking of data
            – Theft of data
            – Disruption
            – Total system failure




                            Malware Types
             Common Malware
            – Trojan Horses
            – Viruses
            – Worms
            – Rootkits
            – Zombies
            – Spyware
            – Adware
            – Toolbars




                                       Malware
             Trojan Horse
            – A destructive program that masquerades as
              a benign application. Unlike viruses, Trojan
              horses do not replicate themselves but they
              can be just as destructive.
                  www.saol.com/glossary.asp

            – Can be known as a remote administration
              tool, or RAT




                            Malware
          Trojan Horse
            – Modern day Trojans no longer need a user to
              launch the Trojan code.
            – “EG Trojan Horse” (first discovered in Russia)
              lures victims to a website and automatically
              launches to exploit victim machine and install
              malicious code.




                            Malware
          Trojan Horse Examples
            – BackOrifice
            – SubSeven
            – PGPcoder*




                                   Malware
             Virus
            – A self-replicating program that spreads by inserting
              copies of itself into other executable code or
              documents. Thus, a computer virus behaves in a
              way similar to a biological virus, which spreads by
              inserting itself into living cells.
                  en.wikipedia.org/wiki/Virus_(computer)




                             Malware
          Virus Examples
            –   Melissa
            –   Bugbear
            –   Blaster
            –   Trojan.Satiloler.C
            –   W32.Beagle.DR@mm




                                        Malware
             Worm
            – is a self-replicating computer program, similar to a
              computer virus. A virus attaches itself to, and
              becomes part of, another executable program;
              however, a worm is self-contained and does not
              need to be part of another program to propagate
              itself. They are often designed to exploit the file
              transmission capabilities found on many
              computers.
                  en.wikipedia.org/wiki/Worm_(computing)




                            Malware
          Worm Examples
            – Love Bug
            – Code Red




                                         Malware
                        Trap Door/Back Door
                       – is a deliberate hole built into a computer program,
                            which can be used to gain unauthorized access to
                            a computer or network.
                            www.tecc.com.au/tecc/guide/glossary.asp

                        Zombie Computer
                       –    a computer attached to a network that has had its
                            security compromised and is remotely controlled
                            for another purpose. This purpose may be to use it
                            as a launching point for another attack, or the
                            distribution of SPAM.
                            www.parliament.vic.gov.au/sarc/E-Democracy/Final_Report/Glossary.htm




                            Malware
          Spyware
            – Programs that send information about you
              and your computer to somebody else.
          Adware
            – programs that place advertisements on your
              screen




                            Malware Summary
          Ranges from annoying to illegal to
          threatening
          Impact on Computer Security
            – Training and policies
            – Equipment and software
            – Personnel and expertise
            – $$$$




                            Crimeware: What is it?
             Crimeware
            – any computer program or set of programs
              designed expressly to facilitate illegal activity
              online.
            – Used almost exclusively to collect financial
              data to commit identity theft or steal funds.




                            Crimeware
             Types
            – Phishing Kits
            – Keystroke Loggers
            – Browser Hijackers




                            Crimeware
             Phishing Kits
            – a collection of tools assembled to make it
              easy to launch a phishing exploit
            – Kit usually includes website development
              software and spamming software




                            Crimeware
          Keystroke Loggers
            – Records every keystroke entered on a
              keyboard. A Trojan horse program installed on
              your computer will periodically send the
              collected information to the crimeware
              originator.




                            Crimeware
          Keystroke Loggers
            – Can be hardware or software




                            Crimeware
          Keystroke Loggers
            – Require a new defense




                             Crimeware
          Browser Hijackers
            – Programs that take control of various parts of your
              web browser, including your home page, search
              pages, and search bar.
            – These programs can redirect a browser to a
              counterfeit website even if the user types in the
              proper domain name in the address bar.




                            Crimeware Summary
          By definition is used to further some illegal act
            – Identity theft
            – Wire fraud
            – Unauthorized access
          Impact on Computer Security
            – Training and policies
            – Equipment and software
            – Personnel and expertise
            – $$$$



                            Hacking: What is it?
          Hacking
            – (in a cybercrime context) is the development and
              modification of computer software and computer
              hardware, usually by someone who is skilled in
              computer programming, administration and security.
            – This is done to reach a goal by employing a series of
              modifications to exploit or extend existing code or
              resources for criminal purposes.




                            Hacking: Why do it?
          State sponsored attacks/intrusions
            – Terrorism: Attempt to influence or disrupt U.S.
              policy
            – National intelligence: Attempts by foreign
              governments to steal economic, political, or
              military secrets
            – Infowarfare: Cyber attacks on the nation's
              infrastructure to disrupt critical operations




                            Hacking: Why do it?
          Money
            – Industrial espionage: the theft of proprietary
              information or trade secrets
            – Extortion
            – Identity theft, theft of financial data or funds




                            Hacking: Why do it?
          Fame/Notoriety
            – Hack into a very secure system to show off
              skills
          Practicality
            – Obtain resources for further hacking
          Revenge
            – Disgruntled employees
            – Love (jilted love, unrequited love, no love, love
              triangle, too much love)



                      Hacking: How is it done?
                     Open Doors
                       – Scanning systems for existing
                         vulnerabilities
                       – No need to hack if the door is left
                         unlocked
                            War driving, open systems
                     Social Engineering
                       – Posing as an insider and getting people
                         to give out passwords or sensitive
                         information
                            Phone calls, phishing schemes, tech forums

                      Hacking: How is it done?
          Brute Force
            – identifying targets and openly attacking them
                    Password crackers
                    Denial of service
                    Distributed denial of service
                    Buffer overflow exploits




                      Hacking: How is it done?
          Technical Intrusions
            – Exploiting deficiencies in system design,
              configuration, or management, such as:
                    inherent security defects
                    misuse of legitimate tools
                    improper maintenance
                    ineffective security
                    inadequate detection systems




                                Hacking Targets
          Systems to disrupt for terrorism
            – Government, military, infrastructure
          Systems with key information
            – Financial data, intellectual property
          Potential zombie victims
            – For spamming, virus infections,
              botnets, extra computing resources




                  Hacking Tools and Methods
          Denial of Service (DoS) / Distributed Denial of Service (DDoS) Attacks
            – Send the victim more data than it can
              process, denying the ability to communicate
            – Intent is to prevent or impair the legitimate use
              of computer or network resources
            – Technology of DoS and DDoS attacks
              evolves, but the circumstances enabling
              attacks have not changed in years




                  Hacking Tools and Methods
          DDoS Attacks
            – Compromises a network of slave computers
                    Slaves often called “zombies” by hackers
                    Hackers controlling several computers operate
                    “slave networks”
            – Loads attack software tools on zombies
            – Hacker orders attack on victim




           Hacking Tools and Methods - DDoS
           [Diagram slides: Hacker/Master at the top, unsuspecting computers (later labelled “Slaves”) below]
             – 2. Servers (now referred to as “Slaves”) await command from central client (“Master”)
             – 3. Master instructs servers to send as much traffic as possible to one target (“Attack!”)
             – 4. The work of flooding a target is distributed between the servers
                            Hacking Tools and Methods

                    Distributed Denial of Service attack
                      – Difficult to defend against
                      – Difficult to investigate
                            Spoofed/faked source
                            IRC command and control
                      – Disruptive to websites
                            Attacks on e-commerce companies have
                            cost millions
                      – DNS top-level domain attack
                            Infrastructure Threat



                  Hacking Tools and Methods
          Buffer Overflow Exploit
            – A process (running computer program) may need
              unlimited privileges to check passwords or write to
              certain areas of the file system
            – Buffer overflow exploits trick a program into running
              code with its unlimited privileges
            – The “Buffer Overflow” code, running with unlimited
              privilege, contains commands that hack the computer
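The defect the slide describes, as an added example that is not from the presentation: a fixed-size stack buffer filled with no length check (the vulnerable form), next to a bounded copy that refuses input that does not fit. `NAME_LEN`, `unchecked_copy`, `checked_copy` and `try_copy` are this example's own names, and the "privileged service" framing is assumed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer a (hypothetical) privileged service copies a
   request field into. Name and size are this example's own. */
#define NAME_LEN 16

/* Vulnerable form: the defect the slide describes. strcpy() stops only at
   the NUL byte of src, so any src of NAME_LEN bytes or more writes past
   the end of dst into whatever the compiler placed after it on the stack
   (other locals, saved registers, the return address). Nothing here
   checks the length, and the service's privileges apply to whatever that
   overwrite makes the program do next. Kept for comparison only; it is
   never called with oversized input in this example. */
void unchecked_copy(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: look for the terminator inside the first NAME_LEN bytes
   only, reject src if it is not there, and copy exactly the bytes that
   fit. Returns true on success; on rejection dst is left as an empty
   string so a caller that ignores the result still sees a valid,
   terminated buffer. */
bool checked_copy(char dst[NAME_LEN], const char *src) {
    const char *nul = memchr(src, '\0', NAME_LEN);
    if (nul == NULL) {          /* no terminator within bounds: too long */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* includes the NUL */
    return true;
}

/* Helper for the tests and for main(): copies src through checked_copy
   into a local buffer and returns 1 if it was accepted and arrived
   intact, 0 if it was rejected as too long. */
int try_copy(const char *src) {
    char buf[NAME_LEN];
    if (!checked_copy(buf, src)) {
        return 0;
    }
    return strcmp(buf, src) == 0;
}

int main(void) {
    /* Constructed sample inputs: one that fits (15 chars + NUL) and one
       that is a single byte too long (16 chars + NUL). */
    const char *fits = "exactly15chars!";
    const char *too_long = "sixteen-bytes-xx";
    printf("%-18s -> %s\n", fits, try_copy(fits) ? "copied" : "rejected");
    printf("%-18s -> %s\n", too_long, try_copy(too_long) ? "copied" : "rejected");
    return 0;
}
```

The unchecked version is the one that lets attacker-controlled length decide what gets overwritten; the checked version turns the same input into an ordinary error return.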




                  Hacking Tools and Methods
          Rootkit
            – a set of software tools used by a hacker to
              gain access to a computer system.
            – These tools are intended to conceal running
              malicious processes, files or system data,
              which help an intruder maintain access to a
              system without the user's knowledge.




                            Hacking Summary
          Ranges from annoying to illegal to
          threatening to deadly
          Impact on Computer Security
            – Constant vigilance
            – New answers to new threats
            – Needs a combination of security, legislation,
              and international cooperation to combat cyber
              crime



                            Questions?