
20120329 Cybercrime threats on e-world


DESCRIPTION

General description of cybercrime threats, victims and criminals. How to act and who to contact. The Belgian approach.


Page 1: 20120329 Cybercrime threats on e-world

Cybercrime threats on

e-world

Belgian Federal Judicial Police

Federal Computer Crime Unit

© Luc Beirens

« What is the cybercriminal up to and how to survive cybercrime ?»

Page 2

AGENDA

General trends

Victims and their problems

Who should you be afraid of ?

Investigators and their problems

Recommendations for potential ICT crime victims

Contact data


Page 3

e-Architecture (network diagram; only the labels survived extraction): end user; roaming user; internal network; DMZ with own webserver; backup server; externally hosted website; cloud service center; SCADA / process control; firewall; Internet VPN.

Page 4

General trends today

Evolution towards e-society

Replace persons by e-applications

Social networks (for private / professional – commercial use)

Very high mobility (Notebooks, smartphones, tablets, ...)

Interconnecting all systems (admin, industrial, control)

IP is the common platform offered by many ISPs, integrating telephony / data / VPN & all new apps

=> opportunities / Achilles heel / scattered traces

Poor security in legacy applications and protocols (userid + password) => identity fraud is easy

End users are not yet educated to act properly

Page 5

What do “criminals” want ?

Become rich / powerful rapidly and easily, with a very big ROI, in an illegal way if needed

Destabilize (e-)society by causing trouble

For both goals they can / will focus on:

Your data

Your system

Page 6

AGENDA

General trends

Victims and their problems

Who should you be afraid of ?

Investigators and their problems

Recommendations for potential ICT crime victims

Contact data


Page 7

Why would they choose you as their victim ?

They don’t especially target you …but

you’re connected to and visible on the Internet or the telephone network or with your WIFI

they want to use any ICT system :

to store and exchange illegal stuff … (child porn, warez,…)

as an intermediary system for illegal activity (spamming, hacking, phishing, ...)

to obtain international connections … for which you pay

they just want a new computer and you have one


Page 8

Why would they choose you as their victim ?

They target you because :

of their interest in the data you store on your system

Personal identity information

Financial information (income, credit cards, …)

Business information (Customer/prospect DB, R&D info, …)

they don't like you and want to cause damage or take you out of business:

Social / economical / civil / political organisations

Terrorist organisations

Page 9

The internal risk

Fired system administrator in courier company

Hard working IT in financial institution

Dancing cursor in security firm

Theft of PCs in R&D department of company

Social conflict: DDOS attacks on e-commerce

Page 10

Page 11

Recent cyber crime targeting firms

Spyware / trojan horses / remote admin

Botnet attacks

Espionage

Identity fraud (phishing – spear phishing): getting your customers' identity information: CO2

Fraudulent business proposals via Internet

Buying your goods with forged cheques

False escrow payment services (trusted third parties)

Nigerian waste recycling => your old PCs & hard disks

Page 12

Notification by e-mail

Page 13

Page 15

Webserver

Normal functioning of a webserver

Capacity of a server is limited by:
- bandwidth of the connection line from the Internet to the server
- transaction capacity of the server: number of requests per minute

Page 16

Botnet attack on a webserver / node (diagram; only the labels survived extraction): hacker => command and control server ("Cmd"); zombies report "My IP is x.y.z.z" ("Info") and flood the webserver / node over the Internet; access line blocked; computer crash.

Page 17

How do I get infected ?

The hacker sends a Trojan horse (= container program) to the victim PC via:

E-mail (spam, ...)

Peer-to-peer (Kazaa, BitTorrent, ...)

Chat (IRC, MSN, ...)

Auto infection of the victim PC by visiting websites containing infecting scripts that abuse OS vulnerabilities

Auto propagation of the malware from zombies towards neighbouring PCs in the network, abusing OS vulnerabilities

The infection procedure often connects to an update server to download new versions to the zombie

Page 18

Botnets attack capacity

Botnets that control from 2,000 to more than 100,000 zombies

Each zombie sends several requests per second

Attack capacity in known cases:

Sustained dataflow: 10 Gbps during days

Peak dataflow: about 40 Gbps during hours

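The two observations above (each zombie sends several requests per second; a server is bounded by the number of requests per minute it can handle) translate directly into a check a defender can run over an access log. The following is an added example, not code from the presentation or from the Belgian Federal Police: it parses Common Log Format lines, counts requests per source IP in one-second windows, flags sources that reach a per-IP threshold, and compares the busiest window with the server's capacity. The log lines, the threshold of five requests per second and the capacity of 600 requests per minute are all constructed for the demonstration.

```python
"""Spot request floods in a web server access log.

Added example; not code from the presentation or from the Belgian Federal
Police. The sample log lines, the per-IP threshold and the capacity figure
are constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident user [date] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) or None for a line that is not well-formed CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip, never crash: log content is attacker-influenced
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def requests_per_window(lines, window_s=1):
    """Map each window start (epoch seconds) to a Counter of requests per source IP."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_s * window_s
        windows[bucket][ip] += 1
    return windows


def flag_flood_sources(lines, per_ip_threshold=5, window_s=1):
    """Source IPs that reach per_ip_threshold requests inside any single window."""
    flagged = set()
    for counter in requests_per_window(lines, window_s).values():
        flagged.update(ip for ip, n in counter.items() if n >= per_ip_threshold)
    return sorted(flagged)


def peak_rate_per_minute(lines, window_s=1):
    """Busiest window, extrapolated to requests per minute for comparison with capacity."""
    windows = requests_per_window(lines, window_s)
    if not windows:
        return 0
    return max(sum(c.values()) for c in windows.values()) * (60 // window_s)


def over_capacity(lines, capacity_req_per_min, window_s=1):
    """True when the peak request rate exceeds the server's stated capacity."""
    return peak_rate_per_minute(lines, window_s) > capacity_req_per_min


def _requests(ip, second, n):
    # Constructed log lines: n GET requests from ip within the same second.
    return [
        f'{ip} - - [29/Mar/2012:10:00:0{second} +0100] "GET / HTTP/1.1" 200 512'
        for _ in range(n)
    ]


# Constructed sample: two ordinary visitors, two flooding sources, one junk line.
SAMPLE_LOG = (
    _requests("203.0.113.10", 0, 1)
    + _requests("203.0.113.11", 1, 1)
    + _requests("198.51.100.7", 1, 6)
    + _requests("198.51.100.8", 1, 5)
    + ["not a log line"]
)

if __name__ == "__main__":
    print("flood sources:", flag_flood_sources(SAMPLE_LOG))
    print("peak rate (req/min):", peak_rate_per_minute(SAMPLE_LOG))
    print("over an assumed 600 req/min capacity:", over_capacity(SAMPLE_LOG, 600))
```

On the constructed sample the busiest second carries 12 requests, which extrapolates to 720 requests per minute and exceeds the assumed capacity of 600; the two sources reaching five or more requests in that second are the ones a zombie pattern would produce. In a real deployment the threshold must be tuned against normal traffic (proxies and NAT gateways legitimately send many requests from one address), and the per-IP check alone does not catch a botnet whose members each stay under the threshold, which is why the aggregate rate is compared with capacity as well.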

Page 19

Why ? Making money !

Sometimes still for fun (scriptkiddies)

Spam distribution via Zombie

Click generation on banner publicity

Dialer installation on zombie to make premium rate calls

Spyware installation

Espionage => banking details / passwords / keylogging

Ransom bot => encrypts files => money for password

Capacity for distributed denial of service attacks (DDOS) => disturb the functioning of Internet devices (server/router)

Page 20

Large firm hacking using internal botnet (diagram; only the labels survived extraction): hacker => Internet => company network.

Page 21

Threats

Attacks on e-commerce (e-gov) websites

=> website out of order

Attacks on network nodes

=> ALL USERS (firms) out of order

Increased risk in combination with zero-day virus infections

=> NO security against infections

=> bigger armies of Zombies


Page 22

Latest malware developments

Stuxnet: very complex and elaborate trojan

Several replication vectors : networks / USB keys

Connects to C&C botnet server

Focused on industrial process control system

Searches for systems with this control system

Collects information on Siemens PLC systems

Changes process logic on infected machines

Duqu : spying


Page 23

You should take extra care if …

Your business / production processes depend completely or to a great extent on your ICT system => growing vulnerability => bigger impact of ICT crime => more and more services over the Internet ...

Your business activity provides vital or crucial services :

Energy / Water / Telecommunications / Transportation

Financial institutions / Health institutions

If your industrial process control systems are directly or indirectly connected to the internet

Your employees / suppliers have external access to your internal network (0800 lines/Internet)


Page 24

Damage to consider ...

A house search at your home or company (early in the morning)

Your firm cut off from Internet by your ISP (because of spam distribution by a hacker using your server)

Your telecom invoice next month 200.000 € higher

Result of 5 years of high-tech R&D code and documentation in the hands of your competitor

Your firm out of action for some days – cost of diagnosis & restarting – economical losses

Your system administrator arrested for using your server to distribute child porn

Your personal documents / pictures / e-mails distributed to anyone on the Internet


Page 25

And perhaps - as a victim - you could be held liable for ...

the illegal activity on your ICT system

the damage caused to other ICT systems / your customers

not complying with the Privacy act: obligation to secure personal data efficiently

not being able to provide authorities with traffic data as a telecom service provider

Page 26

Victims of ICT crime

From multinationals through MSE to individuals

No assessment of the value of data on the ICT system => no backups

No or bad ICT security (role of management)

Bad control of the employees in key functions

Absolute lack of awareness of individual users

ICT crime mostly at night or at the weekend

No or late discovery: often complaints from outside

Installation of adapted versions of operating systems on hacked computers

Page 27

AGENDA

General trends

Victims and their problems

Who should you be afraid of ?

Investigators and their problems

Recommendations for potential ICT crime victims

Contact data


Page 28

Who is threatening us?

Script kiddies

Insider ICT guy in your company

Loosely organized criminals

Firmly organized criminal groups

Terrorists / hacktivists

Nation warfare troops

Underground economy platform for selling & buying criminal services and products

Page 29

Firmly organized criminals

We see more and more organization in the criminal activity on the internet

Focused on financial intent

Cooperation with money launderers

Different specialisations: recruiting persons – ICT development – handling money

Infiltration in or taking over legal businesses (development firms, operators, ...)

Page 30

Terrorist / hacktivists

No financial intent

Political / social objectives

Attack and create chaos and disaster

Destabilize economy and society

Might take their time to prepare ...

Or set up actions very quickly (social networks)

Page 31

AGENDA

General trends

Victims and their problems

Who should you be afraid of ?

Investigators and their problems

Recommendations for potential ICT crime victims

Contact data


Page 32

Who investigates ICT crime ?

Prosecutors / Examining Judges

Specialised police forces (nat’l & Internat’l)

Legal expert witnesses

Specialised forensic units of consulting firms

Associations defending commercial interests

Security firms => vulnerabilities

Activist groups => publish info on « truth »


Page 33

E-Police organisation and tasks (integrated police)

Federal Police, national level (35 persons):

1 Federal Computer Crime Unit: 24/7 (inter)national contact

Policy, training, equipment, FCCU network

Operations: forensic ICT analysis; ICT crime combating; intelligence: Internet & e-payment fraud, cybercrime; www.ecops.be hotline; international internet ID requests

Federal Police, regional level (170 persons):

25 Regional Computer Crime Units (1 – 2 judicial districts each)

Assistance for house searches, forensic analysis of ICT, taking statements, internet investigations

Investigations of ICT crime cases (assisted by FCCU)

Local level (Federal Police / Local Police): first line police

"Freezing" the situation until the arrival of CCU or FCCU

Selecting and safeguarding of digital evidence

© 2012 - Luc Beirens - FCCU - Belgian Federal Police

Page 34

Our services

Help to take a complaint

Go to the scene of the crime

Make a drawing of the architecture of the hacked system

Image backup of hacked system (if possible)

Internet investigations (Identification, location)

House searches

Taking statements of concerned parties

Forensic analysis of seized machines

Compile conclusive police report


Page 35

Investigative problems - tracking

Victims: unfamiliar with it and afraid for their "corporate image" => belated complaints – trashed / no more traces

Rather "unknown" world for police & justice => delay before involvement of specialised units

Limited ICT investigation capacity (technical & police skills)

Multiplication and integration of services / providers / protocols / devices

Lack of harmonised international legislation & instruments

Anonymous / hacked connections – subscriptions – WIFI

Intermediate systems often cut the track to the perpetrator

Page 36

Investigative problems – evidence gathering

Delocalisation of evidence: the cloud?

Exponential growth of storage capacity => time consuming: backups & verification processes; analysis

New legislation / jurisprudence imposes more rigorous procedures for evidence gathering in cyberspace

Bad ICT security: proving the source and the integrity of the evidence

Page 37

Brussels, we have a problem ...

Complainant: Hello, can you help? We are a Belgian hosting firm. We have a problem. Our webservers are hacked & several websites of our Belgian customers have been defaced.

Police: OK. A few questions to start our file ... Who, where, what, when ...

Page 38

Who is where?

Page 39

Who / where / what (map; only the labels survived extraction):

In Belgium: hosting firm – nothing in Belgium; customer – nothing in Belgium; hacked firm – nothing in Belgium

In the UK: hacker?

In Luxembourg: hacker?

In the USA: hacked webserver; defaced website

In the Netherlands: hacked server

Page 40

Conclusions ...

Competence of the Belgian Justice authorities? Discussion:

viewpoint Public Prosecutor General : not competent

viewpoint lawyer victim : competent

viewpoint suspect’s defence : ????

If choice was made for storage in foreign country

Why ? Cost ? Evade regulations & obligations ?

No (?) protection of Belgian Law

No (?) intervention of Law Enforcement in Belgium

Protection by law & LE in country where server is


Page 41

AGENDA

General trends

Victims and their problems

Who should you be afraid of ?

Investigators and their problems

Recommendations for potential ICT crime victims

Contact data


Page 42

Preventive Recommendations

Draw up a general ICT usage directive (normal usage)

Awareness program for management & users

ICT security policy is part of the global security policy

Appoint a person responsible for ICT security => control of the application of the ICT usage & security policy

Keep critical systems separate from the Internet if possible!

Use software from a trusted source

Install recent anti-virus and firewall programs (laptops)

Synchronize the system clocks regularly

Activate and monitor log files on firewall, proxy, access

Make & test backups & keep them safe (generations)!

Page 43

Recommendations for victims of ICT crime

Disconnect from the outside world

Take note of last internet activities & exact date and time

Evaluate: is the damage more important than the restart?
Restart most important: make a full backup before restoring
Damage more important: don't touch anything

Safeguard all messages and log files in their original state

Inform the Federal District Police Service ASAP and ask for assistance from the Federal or Regional CCU

Change all passwords and change all usernames

Reestablish the connection only if ALL failures found and patched
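Safeguarding log files in their original state is what later lets the investigators (page 36) prove the source and integrity of the evidence. The following is an added example, not code from the presentation or from the Belgian Federal Police, of one way to do that: each file is copied with its metadata into an evidence directory, a manifest records the SHA-256 hash, size and modification time of every copy, and the copies can be re-verified against the manifest at any time. File names, paths and log content are constructed for the demonstration.

```python
"""Preserve log files as evidence with a hash manifest.

Added example; not code from the presentation or from the Belgian Federal
Police. File names, paths and log content are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(sources, evidence_dir):
    """Copy each source file into evidence_dir and write manifest.json describing the copies."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        st = dst.stat()
        entries.append({
            "name": src.name,
            "original_path": str(src.resolve()),
            "sha256": sha256_file(dst),
            "size": st.st_size,
            "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
        })
    manifest = {
        "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "entries": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir):
    """Names of preserved files whose size or SHA-256 no longer matches the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    tampered = []
    for e in manifest["entries"]:
        p = evidence_dir / e["name"]
        if not p.exists() or p.stat().st_size != e["size"] or sha256_file(p) != e["sha256"]:
            tampered.append(e["name"])
    return tampered


def demo():
    """Constructed scenario: two logs preserved, then one copy altered afterwards."""
    work = Path(tempfile.mkdtemp())
    try:
        fw = work / "firewall.log"
        fw.write_text("2012-03-29 02:13:07 DROP src=198.51.100.7 dst=203.0.113.5 dpt=445\n")
        px = work / "proxy.log"
        px.write_text("2012-03-29 02:14:31 GET http://example.invalid/update client=10.0.0.12\n")
        manifest = preserve([fw, px], work / "evidence")
        clean = verify(work / "evidence")                    # nothing touched yet
        (work / "evidence" / "proxy.log").write_text("\n")   # simulate a 'cleaned' log
        altered = verify(work / "evidence")
        return len(manifest["entries"]), clean, altered
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())  # (2, [], ['proxy.log'])
```

The manifest only proves something if it cannot itself be altered unnoticed: record its own SHA-256 (or sign it) and keep that value off the affected system, for instance on write-once media or in the message you send to the CCU when asking for assistance. Copying to a separate evidence directory, rather than hashing the logs in place, also means the originals stay untouched while the system is being diagnosed.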


Page 44

Where to make a complaint? Within a police force ...

Local Police service => not specialised => not the right place for ICT crime (hacking/sabotage/espionage) => the place to make complaints on Internet fraud

Federal District Police Service (FGP) => better but ...

Regional CCU => the right place to be for ICT crime

Federal Computer Crime Unit => 24/7 contact; risks on vital or crucial ICT systems => call urgently

Illegal content (child porn, racism, ...) => www.ecops.be

... or immediately report to a magistrate?

Local prosecutor (Procureur) => will send it to police => can decide not to prosecute

Examining Judge => complaint with deposit of a bail => obligation to investigate the case

Page 45

Contact information

Belgian Federal Judicial Police

Directorate for economic and financial crime

Federal Computer Crime Unit Notelaarstraat 211 - 1000 Brussels – Belgium

Tel office : +32 2 743 74 74

Fax : +32 2 743 74 19

Head of Unit : [email protected]

Central Internet Contact Point : www.ecops.be