Cyber Threats in the 21st Century

					Tuesday, January 26, 2010   1
                            Cyber Threats in
                            the 21st Century

                              SSA Donald R. Codling
                                  Cyber Division

                            Current Issues/Trends

                            Threat Trends
             Criminal Use of Cyber Space
             Attacks on Financial Institutions (ACH transfers)
             Proliferation of Multi-Purpose Malcode
             Increased Use of Encrypted Peer-to-Peer
             State Sponsored Cyber Activity
             Hacking for Profit

                            The Threat Actors

                            Advanced Cyber States
                            Industrial States
                            Criminal Enterprises
                            Terrorist Networks
                            Developing States
                            Hacker Groups

                            Impact of Illicit Use of


            •   Financial losses in the Billions?
            •   Lost confidence in Internet commerce
            •   Increased security costs
            •   Job Security

                            Impact of Illicit Use of
          National Security Implications
          Compromise of:
            •   Critical Government/Military/Commercial
            •   Weapons Systems Under Development
            •   National Critical Infrastructure
                     Financial System Networks
                     Air Traffic Control
                     Power Grid

                        Today’s Cyber Crimes

          Internet Fraud
            •   “Nigerian” Scams
            •   Stock Fraud (Pump and Dump)
            •   Auction Fraud (Ebay,
            •   Identity Theft/ Theft of Personal Identifying Information (PII)

          Child Pornography

          Intellectual Property Rights Violations/Theft of Trade

                            Botnets Defined

          Robot Network or “Botnet”

          Created by the introduction of malware (the bot) onto a
          victim computer.

          Bot on infected PC (zombie) logs into a particular
          Command and Control (C&C) Server based on the
          instructions in the Bot code.

          The C&C Server issues instructions to the Bots for
          whatever nefarious purpose they wish

                            Botnet Uses

          Anonymous Remote Access
          Malware Delivery
          Website Emulation (Phishing)
          Click Fraud
          DDoS (Distributed Denial of Service) Attacks

                            Malware: What is it?

             Malware (Malicious Software)
            – Software or firmware intended to perform an
              unauthorized process that will have an adverse
              effect on the confidentiality, integrity, or availability of
              an information system. (FBI)
            – A generic term increasingly being used to describe
              any form of malicious software such as viruses,
              Trojan Horses, malicious active content, etc.

                            Malware: Why use it?

            – Increased revenue
            – Tracking of data
            – Theft of data
            – Disruption
            – Total system failure

                            Malware Types
             Common Malware
            – Trojan Horses
            – Viruses
            – Worms
            – Rootkits
            – Zombies
            – Spyware
            – Adware
            – Toolbars

             Trojan Horse
            – A destructive program that masquerades as
              a benign application. Unlike viruses, Trojan
              horses do not replicate themselves but they
              can be just as destructive.

            – Can be known as a remote administration
              tool, or RAT

          Trojan Horse
            – Modern day Trojans no longer need a user to
              launch the Trojan code.
            – “EG Trojan Horse” (first discovered in Russia)
              lures victims to a website and automatically
              launches to exploit victim machine and install
              malicious code.

          Trojan Horse Examples
            – BackOrifice
            – SubSeven
            – PGPcoder*

          Virus
            – A self-replicating program that spreads by inserting
              copies of itself into other executable code or
              documents. Thus, a computer virus behaves in a
              way similar to a biological virus, which spreads by
              inserting itself into living cells.

          Virus Examples
            –   Melissa
            –   Bugbear
            –   Blaster
            –   Trojan.Satiloler.C
            –   W32.Beagle.DR@mm

          Worm
            – is a self-replicating computer program, similar to a
              computer virus. A virus attaches itself to, and
              becomes part of, another executable program;
              however, a worm is self-contained and does not
              need to be part of another program to propagate
              itself. They are often designed to exploit the file
              transmission capabilities found on many

          Worm Examples
            – Love Bug
            – Code Red

                        Trap Door/Back Door
                       –    is a deliberate hole built into a computer program,
                            which can be used to gain unauthorized access to
                            a computer or network.

                        Zombie Computer
                       –    a computer attached to a network that has had its
                            security compromised and is remotely controlled
                            for another purpose. This purpose may be to use it
                            as a launching point for another attack, or the
                            distribution of SPAM.

          Spyware
            – Programs that send information about you
              and your computer to somebody else.

          Adware
            – programs that place advertisements on your

                            Malware Summary
          Ranges from annoying to illegal to
          Impact on Computer Security
            – Training and policies
            – Equipment and software
            – Personnel and expertise
            – $$$$

                            Crimeware: What is it?
            – any computer program or set of programs
              designed expressly to facilitate illegal activity
            – Used almost exclusively to collect financial
              data to commit identity theft or steal funds.

            – Phishing Kits
            – Keystroke Loggers
            – Browser Hijackers

             Phishing Kits
            – a collection of tools assembled to make it
              easy to launch a phishing exploit
            – Kit usually includes website development
              software and spamming software

          Keystroke Loggers
            – Records every keystroke entered on a
              keyboard. A Trojan horse program installed on
              your computer will periodically send the
              collected information to the crimeware

          Keystroke Loggers
            – Can be hardware or software

          Keystroke Loggers
            – Require a new defense

          Browser Hijackers
            – Programs that take control of various parts of your
              web browser, including your home page, search
              pages, and search bar.
            – These programs can redirect a browser to a
              counterfeit website even if the user types in the
              proper domain name in the address bar.

                            Crimeware Summary
          By definition is used to further some illegal act
            – Identity theft
            – Wire fraud
            – Unauthorized access
          Impact on Computer Security
            –   Training and policies
            –   Equipment and software
            –   Personnel and expertise
            –   $$$$

                            Hacking: What is it?
            – (in a cybercrime context) is the development and
              modification of computer software and computer
              hardware, usually by someone who is skilled in
              computer programming, administration and security.
            – This is done to reach a goal by employing a series of
              modifications to exploit or extend existing code or
              resources for criminal purposes.

                            Hacking: Why do it?
          State sponsored attacks/intrusions
            – Terrorism: Attempt to influence or disrupt U.S.
            – National intelligence: Attempts by foreign
              governments to steal economic, political, or
              military secrets
            – Infowarfare: Cyber attacks on the nation's
              infrastructure to disrupt critical operations

                            Hacking: Why do it?
            – Industrial espionage: the theft of proprietary
              information or trade secrets
            – Extortion
            – Identity theft, theft of financial data or funds

                            Hacking: Why do it?
            – Hack into very secure system to show off
            – Obtain resources for further hacking
            – Disgruntled employees
            – Love (jilted love, unrequited love, no love, love
              triangle, too much love)

                      Hacking: How is it done?
                     Open Doors
                       – Scanning systems for existing
                       – No need to hack if the door is left
                            War driving, open systems
                     Social Engineering
                       – Posing as an insider and getting people
                         to give out passwords or sensitive
                            Phone calls, phishing schemes, tech forums

                      Hacking: How is it done?
          Brute Force
            – identifying targets and openly attacking them
                    Password crackers
                    Denial of service
                    Distributed denial of service
                    Buffer overflow exploits

                      Hacking: How is it done?
          Technical Intrusions
            – Exploiting deficiencies in system design,
              configuration, or management, such as:
                    inherent security defects
                    misuse of legitimate tools
                    improper maintenance
                    ineffective security
                    inadequate detection systems

                                Hacking Targets
                            Systems to disrupt for terrorism
                       –      Government, military, infrastructure
                            Systems with key information
                       –      Financial data, intellectual property
                            Potential zombie victims
                       –      For spamming, virus infections,
                              botnets, extra computing resources

                  Hacking Tools and Methods
          Distributed/Denial of Service Attacks
            – Send the victim more data than they can
              process, denying the ability to communicate
            – Intent is to prevent or impair the legitimate use
              of computer or network resources
            – The technology of DoS and DDoS attacks
              evolves, but the circumstances enabling
              attacks have not changed in years

                  Hacking Tools and Methods
          DDoS Attacks
            – Compromises a network of slave computers
                    Slaves often called “zombies” by hackers
                    Hackers controlling several computers operate
                    “slave networks”
            – Loads attack software tools on zombies
            – Hacker orders attack on victim

           Hacking Tools and Methods - DDoS
                             2. Servers (Now Referred To As “Slaves”) Await Command From Central Client
                             3. Master Instructs Servers to Send As Much Traffic as Possible to One Target
                             4. The Work of Flooding a Target is Distributed Between the Servers

                            Hacking Tools and Methods

                    Distributed Denial of Service attack
                      – Difficult to defend against
                      – Difficult to investigate
                            Spoofed/faked source
                            IRC command and control
                      – Disruptive to websites
                            Attacks on e-commerce companies have
                            cost millions
                      – DNS top-level domain attack
                            Infrastructure Threat

                  Hacking Tools and Methods
          Buffer Overflow Exploit
            – A process (running computer program) may need
              unlimited privileges to check passwords or write to
              certain areas of the file system
            – Buffer overflow exploits trick a program into running
              code with its unlimited privileges
            – The “Buffer Overflow” code, running with unlimited
              privilege, contains commands that hack the computer

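As an added illustration that is not part of the original slides, the C program below models the mechanism just described: a privileged password check whose input buffer is copied without a length check, beside a hardened version of the same check. The frame layout (a 16-byte buffer immediately followed by the flag the caller trusts), the sample password and the over-long input are all constructed for this example; it shows the simplest consequence, an adjacent flag being overwritten, rather than the redirected execution the slide refers to.

```c
#include <stdio.h>
#include <string.h>

/* One stack frame of a privileged password check, modelled explicitly as
 * bytes so the result is deterministic under any compiler flags: a 16-byte
 * input buffer is immediately followed by the 4-byte "authenticated" flag. */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(int))
static const char EXPECTED[] = "s3cret";   /* constructed sample password */

static void set_flag(unsigned char *frame, int value)
{
    memcpy(frame + BUF_SIZE, &value, sizeof value);
}

static int get_flag(const unsigned char *frame)
{
    int value;
    memcpy(&value, frame + BUF_SIZE, sizeof value);
    return value;
}

/* Vulnerable: the input is copied with no length check, so anything beyond
 * 15 characters runs past the buffer into the flag. Inputs are kept under
 * FRAME_SIZE so the demonstration itself stays inside the modelled frame. */
int check_password_vulnerable(const char *input)
{
    unsigned char frame[FRAME_SIZE] = {0};       /* buffer = "", flag = 0 */
    strcpy((char *)frame, input);                 /* the bug: unbounded copy */
    if (strcmp((char *)frame, EXPECTED) == 0)
        set_flag(frame, 1);
    return get_flag(frame) != 0;                  /* flag may now be garbage */
}

/* Hardened: over-long input is rejected before anything is copied and the
 * copy is bounded to the buffer, so only the comparison can set the flag. */
int check_password_hardened(const char *input)
{
    unsigned char frame[FRAME_SIZE] = {0};
    size_t len = strlen(input);
    if (len >= BUF_SIZE)                          /* no room for the NUL */
        return 0;
    memcpy(frame, input, len + 1);
    if (strcmp((char *)frame, EXPECTED) == 0)
        set_flag(frame, 1);
    return get_flag(frame) != 0;
}

int main(void)
{
    /* Constructed input: 19 bytes, longer than the buffer, inside the frame. */
    const char *overlong = "AAAAA" "AAAAA" "AAAAA" "AAAA";
    printf("vulnerable: %d\n", check_password_vulnerable(overlong));  /* 1 */
    printf("hardened:   %d\n", check_password_hardened(overlong));    /* 0 */
    return 0;
}
```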
                  Hacking Tools and Methods
          Rootkit
            – a set of software tools used by a hacker to
              gain access to a computer system.
            – These tools are intended to conceal running
              malicious processes, files or system data,
              which help an intruder maintain access to a
              system without the user's knowledge.

                            Hacking Summary
          Ranges from annoying to illegal to
          threatening to deadly
          Impact on Computer Security
            – Constant vigilance
            – New answers to new threats
            – Needs a combination of security, legislation,
              and international cooperation to combat cyber

                            Questions?
