EMERGING CYBER CRIME TRENDS
Cyber Crime
Security Threats & Cases
How Severe is the Threat?
• Professional Cyber Criminals & Terrorists (hard to detect)
• Disgruntled Employees
• Competitors
• Hacktivists
• Script Kiddies (advertise their actions)
Identity Theft
• Growing sophistication of phishing emails
• Exploitation of Banking System
• Keystroke Loggers deployed by worms
• Exploding International Market for Stolen Credit Card Databases and Identity Data
• FTC: $50B lost to identity theft in 2003
• 300M man-hours devoted to repairing the damage caused by this theft
Phishing Examples
Banking and Brokerage Account Compromise
• Internet worms propagate a keystroke logger in their payload to steal account usernames & passwords
• U.S. citizens recruited to wire the proceeds of cashed counterfeit checks for a 30% fee
• Internet purchase funds first transmitted to other U.S. accounts, then to the Eastern bloc.
Remailer Schemes
World’s Largest Computer Equipment Supplier
REMOTE ACCESS TROJANS (RATs)
• HACKER versions – SubSeven, Back Orifice, NetBus
• Sometimes contained in email or program downloads, e.g., P2P programs like Kazaa
• COMMERCIAL PROGRAMS – GoToMyPC, pcAnywhere, LapLink
• OPERATING SYSTEM PROGRAMS – Telnet, FTP, Secure Shell (SSH), rlogin
Trojans and RATs
When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven).
Then it unpacks a single DLL file to the Windows System directory - WATCHING.DLL (some versions don't do this).
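A defender-side check for the SubSeven drop behaviour just described, added here as an example (it is not code from the original slides or from any AV vendor). It works on a constructed file inventory (path to SHA-256 of content) so it runs offline; in practice the inventory would come from a file-integrity tool walking the Windows and Windows System directories. The name list alone cannot catch the case where the backdoor keeps the name of the file it was launched from, so the example also diffs the inventory against an earlier clean baseline.

```python
"""Detect the SubSeven drop artefacts described in the slide text.

Added example, not from the original slides. Two checks:
  1. file names quoted in the text (case-insensitive), and
  2. executables that are new or changed relative to a clean baseline,
     which is what catches a copy that kept the launcher's own name.
"""
import hashlib

# File names quoted in the slide text; variants differ, so treat a hit as a lead, not proof.
SUBSEVEN_NAMES = {
    "server.exe", "kernel16.dl", "rundll16.com", "systemtrayicon!.exe",
    "window.exe",      # dropped into the Windows directory
    "watching.dll",    # dropped into the Windows System directory
}
EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".dl", ".scr")


def inventory(files):
    """Map each path to the SHA-256 of its content. `files` is {path: bytes} (constructed here)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def known_artifacts(paths):
    """Paths whose file name matches a known SubSeven drop name."""
    return sorted(p for p in paths if basename(p).lower() in SUBSEVEN_NAMES)


def changed_executables(baseline, current):
    """Executables that are absent from the baseline or whose content hash changed."""
    return sorted(
        p for p, digest in current.items()
        if p.lower().endswith(EXECUTABLE_SUFFIXES) and baseline.get(p) != digest
    )


def triage(baseline, current):
    """Combine both checks; a path may appear in both lists."""
    return {
        "known_names": known_artifacts(current),
        "changed_executables": changed_executables(baseline, current),
    }


# Constructed demo data: a clean snapshot and one taken after a suspected infection.
CLEAN = inventory({
    "C:/WINDOWS/notepad.exe": b"notepad v1",
    "C:/WINDOWS/System/kernel32.dll": b"kernel32 v1",
    "C:/WINDOWS/win.ini": b"[fonts]",
})
INFECTED = inventory({
    "C:/WINDOWS/notepad.exe": b"notepad v1",
    "C:/WINDOWS/System/kernel32.dll": b"kernel32 v1",
    "C:/WINDOWS/win.ini": b"[fonts]",
    "C:/WINDOWS/SERVER.EXE": b"backdoor body",             # known drop name
    "C:/WINDOWS/System/WATCHING.DLL": b"backdoor helper",  # known drop name
    "C:/WINDOWS/setup_update.exe": b"backdoor body",       # kept the launcher's name
})

if __name__ == "__main__":
    for kind, paths in triage(CLEAN, INFECTED).items():
        print(kind, paths)
```

The baseline diff is the part worth keeping: a name list ages quickly as variants are renamed, whereas "a new executable appeared in the Windows directory" stays a useful signal.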
Walter Wiggs
Former USMC Scout Sniper Instructor
Violent Criminal History
Georgia Resident
Software Engineer for a Manhattan Beach Telecommunications Company
Walter Wiggs
Employment Terminated
Disabled telecommunication systems across the country
Caused a disruption in the Los Angeles County Child Protective Service Hotline over July 4, 2003
Arrested in August 2003
Extortion By DDOS
• Hiring hackers to create distributed denial of service (DDOS) attacks
• Look for use of P2P instead of IRC daemons (IRCds)
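A triage heuristic for the "P2P instead of IRCds" hint, added as an example that is not part of the original slides. It runs over constructed flow records of the form (timestamp, source, destination, destination port, bytes) and labels an internal host as IRC-like when it talks to common IRC daemon ports, or P2P-like when it fans out to many distinct external peers on high ports. The port list, the private-range test and the fan-out threshold are assumptions for the demo.

```python
"""Flag internal hosts whose outbound traffic looks like IRC- or P2P-style bot control.

Added example, not from the original slides. Input is a list of constructed
flow tuples: (timestamp, src_ip, dst_ip, dst_port, bytes).
"""
from collections import defaultdict

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}   # common IRC daemon ports (assumed list)
HIGH_PORT = 1024
PEER_FANOUT_THRESHOLD = 8   # assumed cutoff; tune it against your own baseline


def is_internal(ip):
    """Constructed notion of 'inside': the two private ranges used in the demo data."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def summarize(flows):
    """Per internal source host: number of IRC-port flows and count of distinct high-port peers."""
    irc = defaultdict(int)
    peers = defaultdict(set)
    for _ts, src, dst, dport, _nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue   # only outbound traffic from the LAN is of interest
        if dport in IRC_PORTS:
            irc[src] += 1
        elif dport >= HIGH_PORT:
            peers[src].add(dst)
    return {h: {"irc_flows": irc[h], "high_port_peers": len(peers[h])}
            for h in set(irc) | set(peers)}


def classify(flows, fanout=PEER_FANOUT_THRESHOLD):
    """'irc-c2' for hosts on IRC ports, 'p2p-fanout' for hosts with many peers, else None."""
    labels = {}
    for host, stats in summarize(flows).items():
        if stats["irc_flows"]:
            labels[host] = "irc-c2"
        elif stats["high_port_peers"] >= fanout:
            labels[host] = "p2p-fanout"
        else:
            labels[host] = None
    return labels


# Constructed flows: one IRC talker, one host fanning out to nine peers, one ordinary host.
FLOWS = [
    ("2006-03-01T10:00:00", "10.0.0.5", "203.0.113.7", 6667, 2300),
    ("2006-03-01T10:05:00", "10.0.0.5", "203.0.113.7", 6667, 1800),
    ("2006-03-01T10:01:00", "10.0.0.12", "198.51.100.3", 443, 50000),
    ("2006-03-01T10:02:00", "10.0.0.12", "198.51.100.4", 8443, 4000),
    ("2006-03-01T10:03:00", "10.0.0.12", "10.0.0.1", 4500, 900),   # internal destination, ignored
] + [
    ("2006-03-01T10:00:%02d" % i, "10.0.0.9", "203.0.113.%d" % (20 + i), 4000 + i, 120)
    for i in range(9)
]

if __name__ == "__main__":
    for host, label in sorted(classify(FLOWS).items()):
        print(host, label)
```

Both labels are leads, not verdicts: legitimate file-sharing clients also fan out, and an IRC client is not a bot. The value of the check is that it turns the slide's one-line hint into something that can be run against a day of flow logs and reviewed by a person.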
Jeanson James Ancheta, aka ResiLi3nt
Hacker pleads guilty to building, renting attack network
FBI report estimates viruses, worms & Trojan programs cost U.S. organizations $11.9 billion each year.
20-year-old hacker living with his mother in Downey
Previous criminal larceny conviction
Jeanson James Ancheta, aka ResiLi3nt
Sold botnets of 100 to 500 computers for $150 to $500
Infected >400,000 computers, installing toolbars for click fees; made $61,000 as an affiliate of Loudcash and Gammacash
Hacked China Lake Naval Weapons Center computer – Not Classified
Pled guilty on 1/23/06 to 4 of 17 counts of the 11/05 indictment
Sentencing May 1, 2006
Brian Tinney
Professional Burglar
Created fictitious computer company in Las Vegas
Created fictitious escrow company in San Francisco
Ordered $600,000 in high-end computer equipment from suppliers around the U.S.
Steven-William:Sutcliffe
Global Crossing Employee
Sovereign Citizen Adherent
killercop.com
Web Terror Campaign
Posted all employee SSNs
Home addresses, telephone numbers, residence maps
Death Threats
Arrested in New Hampshire
Countermeasures
Practice good computer security
Invest in a personal shredder
Examine your credit report annually
Scrutinize credit card statements
1-888-5-OPTOUT (1-888-567-8688)
Use caution supplying wire transfer info
Be alert to anomalous personal info requests
http://consumer.gov/idtheft/
Wireless Security Concerns
Wireless Security Measures
Preventing Disgruntled Employee Problems
Terminating System Access BEFORE TERMINATED EMPLOYEES ARE WALKING OUT THE DOOR
Well-Documented and Widely Distributed Non-Disclosure and Authorized-Activity Agreements/Notifications
Review Adequate Logging/Tracking
Enforce Your Rules
PRACTICE EXERCISE – “RED TEAMING”
BANNER during Log-in of company computers
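An offboarding audit for the "terminate system access before terminated employees are walking out the door" and "review adequate logging/tracking" points, added as an example that is not from the original slides. It cross-checks three constructed inputs: an HR roster with termination dates, the account directory's enabled flags, and authentication log lines in an assumed one-line-per-event shape. It reports accounts still enabled after termination and any successful or failed logins by a terminated user after the termination date.

```python
"""Cross-check HR terminations against account state and authentication logs.

Added example, not from the original slides. All data below is constructed;
the log line shape is an assumption (real Windows, syslog or RADIUS logs differ).
"""
import re
from datetime import date, datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(lines):
    """Parse recognised lines; unrecognised lines are skipped so one bad line does not abort an audit."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        records.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                        "result": m["result"], "src": m["src"]})
    return records


def still_enabled_after_termination(roster, accounts, as_of):
    """Users terminated on or before `as_of` whose account is still enabled."""
    return sorted(
        user for user, info in roster.items()
        if info.get("terminated") and info["terminated"] <= as_of
        and accounts.get(user, {}).get("enabled")
    )


def post_termination_activity(roster, records):
    """Logins (successful and failed) by a user after that user's termination date.

    A login on the termination day itself is not flagged, since it may be the
    employee's last normal working day; compare against a timestamp if HR has one.
    """
    out = {"success": [], "failure": []}
    for r in records:
        term = roster.get(r["user"], {}).get("terminated")
        if term and r["ts"].date() > term:
            out[r["result"]].append((r["user"], r["ts"].isoformat(), r["src"]))
    return out


def audit(roster, accounts, log_lines, as_of):
    return {
        "enabled_after_termination": still_enabled_after_termination(roster, accounts, as_of),
        "activity_after_termination": post_termination_activity(roster, parse_auth_log(log_lines)),
    }


# Constructed inputs.
ROSTER = {
    "jdoe": {"terminated": date(2006, 7, 1)},
    "asmith": {"terminated": None},
    "bkim": {"terminated": date(2006, 6, 15)},
}
ACCOUNTS = {"jdoe": {"enabled": True}, "asmith": {"enabled": True}, "bkim": {"enabled": False}}
AUTH_LOG = [
    "2006-07-03T22:14:05 auth user=jdoe result=success src=vpn-pool-17",
    "2006-07-03T09:02:11 auth user=asmith result=success src=ws-112",
    "2006-06-20T01:15:00 auth user=bkim result=failure src=vpn-pool-3",
    "this line is not an auth event",
]
AS_OF = date(2006, 7, 5)


def demo():
    return audit(ROSTER, ACCOUNTS, AUTH_LOG, AS_OF)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run daily, the first list is the control failure (access not removed) and the second is the evidence that it was used; both belong in the written chronology if an incident follows.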
CYBER CRIME
INCIDENT HANDLING
1. Continuing Operations v. Preservation of Evidence
2. Identify the Incident Manager and Team – usually department heads or officers
3. Assess Systems Impaired and Damages
4. Review Adequate Logging/Tracking
5. Note Unusual Activities By Employees or on Computer Network
WORKING WITH LAW ENFORCEMENT
Identify your LOSS, HARM, or DAMAGE – lost asset, revenues, expenses, repair cost
Identify, Capture or Quarantine Electronic or Computerized Equipment, Logs and Files
Maintain a “Chain of Custody” for Evidence
Begin a written chronology of events
Who may have to testify
Identify one or two individuals to be your main point of contact with LEOs
Alert Your General Counsel or Attorney
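A minimal chain-of-custody record for the "maintain a chain of custody" and "begin a written chronology of events" points, added as an example that is not from the original slides. Each entry records who handled an evidence item, what they did, when, and the SHA-256 of the item at that moment, so a later check can show the item was unchanged between handoffs. The evidence file, the case identifier and the handler names are constructed.

```python
"""Chain-of-custody log with per-handoff hashing.

Added example, not from the original slides. `demo()` builds a constructed
evidence file in a temporary directory, records an acquisition and a
transfer, then simulates a modification to show the verification failing.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, item, action, handler, note="", when=None):
        """Append a custody entry; the hash is taken at the moment the entry is made."""
        entry = {
            "case": self.case_id,
            "item": os.path.basename(item),
            "action": action,          # e.g. acquired, transferred, analysed
            "handler": handler,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "sha256": sha256_file(item),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self, item):
        """True if the item's current hash equals the hash recorded at its first entry."""
        name = os.path.basename(item)
        first = next((e for e in self.entries if e["item"] == name), None)
        return first is not None and first["sha256"] == sha256_file(item)

    def chronology(self):
        """Time-ordered, human-readable chronology of events."""
        return ['%s %s: %s %s sha256=%s...' % (e["when"], e["handler"], e["action"], e["item"], e["sha256"][:12])
                for e in sorted(self.entries, key=lambda e: e["when"])]

    def to_jsonl(self):
        """One JSON object per line, suitable for handing over alongside the evidence."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo():
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "relay-auth-2006-07-04.log")
        with open(evidence, "wb") as f:   # constructed sample log content
            f.write(b"Jul 4 02:10:01 relay sshd[412]: Accepted password for admin from 10.0.0.9\n")
        log = CustodyLog("CASE-0001")     # constructed case identifier
        log.record(evidence, "acquired", "analyst-1", "copied from the server image")
        intact = log.verify(evidence)
        log.record(evidence, "transferred", "leo-liaison", "handed to investigator")
        with open(evidence, "ab") as f:   # simulate a change after acquisition
            f.write(b"Jul 4 02:11:00 relay sshd[412]: session closed\n")
        return {"intact": intact, "after_change": log.verify(evidence),
                "entries": len(log.entries), "chronology": log.chronology()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that the hash is recorded at every handoff, not only once: if verification fails later, the chronology shows the last entry at which the item still matched, which narrows who had custody when it changed.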
WORKING WITH LAW ENFORCEMENT
CRIMINAL LAWS THAT APPLY:
ECPA (Electronic Communications Privacy Act)
4th Amendment – Search & Seizure
Interception of Communications (Wiretapping)
Court Orders – FGJ (Federal Grand Jury) Subpoenas, Search Warrants, Pen Registers, Trap & Trace Orders, 2703(d) Orders, Title III Orders
Prepare for Incident Response
Have A Disaster Plan for Human-made and Natural Disasters
Need some ideas? Try risk management organizations: NIST.GOV, SANS.ORG
Practice The Plan!
Review The Plan Annually!
Include contacts with law enforcement or disaster officials
SANS Top 7 Management Errors
#7 Pretend the problem will go away if they ignore it.
#6 Authorize reactive, short-term fixes so problems re-emerge rapidly.
#5 Fail to realize how much money their information and organizational reputations are worth.
#4 Rely primarily on a firewall.
#3 Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
#2 Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
#1 Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
INFRAGARD PROGRAM
Contact