The Changing threat

landscape of Cybercrime

Gerhard Engelbrecht
Nedbank Business Banking
 Agenda
Introduction
Perspectives on a changing world
Some recent global events
Cyber warfare
Observations from local investigations
Where to start?
Questions
 We are all at risk
All credit card PIN numbers in the World leaked
The body of the message simply said 0000 0001 0002 0003 0004
 We are not security
conscious
Rank PIN Frequency
1 1234 10.71%
2 1111 6.02%
3 0000 1.88%
4 1212 1.20%
5 7777 0.75%
6 1004 0.62%
7 2000 0.61%
8 4444 0.53%
9 2222 0.52%
10 6969 0.51%
11 9999 0.45%
12 3333 0.42%
13 5555 0.40%
14 6666 0.39%
15 1122 0.37%
16 1313 0.30%
17 8888 0.30%
18 4321 0.29%
19 2001 0.29%
20 1010 0.29%
 Agenda
Introduction
Perspectives on a changing world
Some recent global events
Cyber warfare
Observations from local investigations
Where to start?
Questions
Perspectives on a changing world
You can't defend. You can't prevent. The only thing you can do is detect
and respond.

There are two types of encryption: one that will prevent your sister from
reading your diary and one that will prevent your government.

Bruce Schneier
 Perspectives on a changing world
Advanced Persistent Threat (APT):
Organised
Long-term
Attack

Who are the targets?

Government
Financial Institutions
Mobile Operators
Engineering
Construction
Mining Sector
Perspectives on a changing world
Previously, Apple had all but disabled tracking of iPhone users by
advertisers when it stopped app developers from utilising Apple mobile
device data
In iOS 6, however, tracking is most definitely back on, and it's more
effective than ever
Source: Business Insider

( but you can opt out)

Bruce Schneier
 Perspectives on a changing world
What we do is like little kids playing soccer we follow the ball. We focus
on the things that are visible instead of the things that are important...
Source: Irish Times

You don't want to have a police state where people can access anything
they want at any time, but hacking groups typically have no such concerns
and essentially break the law to have access to this information
themselves..
Source: CBC News
 Perspectives on a changing world
If we take as given that critical infrastructures are vulnerable to a cyber
terrorist attack, then the question becomes whether there are actors with
the capability and motivation to carry out such an operation.

While the vast majority of hackers may be disinclined towards violence, it

would only take a few to turn cyber terrorism into reality.

Dorothy Denning
 Agenda
Introduction
Perspectives our changing world
Some recent global events
Cyber warfare
Observations from local investigations
Where to start?
Questions
 Some recent global events
Ethical hacking schools proliferating but what about informal,
unethical schools?
New attacks actively exploit and reverse the technologies designed to
protect you:
Intelligent phishing techniques
Exploitation of browsers
Remote access
$13bn invested in VC in first half 2012 ($14.7bn 2011H1) PwC,
National Venture Capital Association
$4bn for software ($2.9bn 2011H1
New strategies post anti-virus
 Some recent global events
A few very recent items in the news
In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back
How millions of DSL modems were hacked in Brazil, to pay for Rio prostitutes
Shamoon' Virus Most Destructive Ever To Hit A Business, Leon Panetta Warns
World Of Warcraft Hack: Attack Kills Thousands Of Players, Destroys Several Major Cities
House Intelligence Committee Says China Tech Giants Pose National Security Threat To U.S.
Samuel Cox, U.S. Cyber Command Officier, Says China Is Targeting Pentagon Computers
Hack attack on energy giant highlights threat to critical infrastructure
DesignerWare Settlement: Companies Agree To Stop Snooping On People's Home
Computers
Twitter Hacking Victims Find Stolen Accounts Sold On Black Market
Middle East Cyber Attacks On U.S. Banks Were Highly Sophisticated
Barnes & Noble Discloses Credit Card Security Breach In 63 Stores
Suspect Named In Devastating Cyberattack On World's Most Valuable Oil Company
 Some recent global events
China

Caveat: China's economic data are a bit like sausages: If you're a fan, it's
best not to scrutinize how they're made. (Wall Street Journal)

Over 1 billion mobile phone users

Third highest number of PC users in the world
China piracy cost software industry $20bn in 2010 (source: Sydney
Morning Herald)
In 2009, Chinas internet users outnumbered the total population in the
USA
 Some recent global events
China
Expected to add most of the new PC users in the next 3 years globally
From 0 to 1 billion PCs: 27 years
From 1 to 2 billion PCs: 7 years (2015)
China: will be 500m new users of the 2nd billion
China piracy cost software industry $20bn in 2010 (Sydney Morning
Herald)
Chinas internet users already outnumbered the total population in the
USA in 2009
 Agenda
Introduction
Perspectives our changing world
Some recent global events
Cyber warfare
Lessons learnt from local investigations
Where to start proactive response
Questions
 Cyber warfare
Politically motivated hacking to conduct sabotage and espionage.

Actions by a nation-state to penetrate another nation's computers or

networks for the purposes of causing damage or disruption.

Wikipedia
 Cyber warfare
North Koreas government has a significant cyber warfare capability that
it continues to improve. (October 2012)

North Korea employs sophisticated computer hackers trained to launch

cyber infiltration and cyber attacks (March 2012)
Army General James Thurman,
U.S. commander, Korean peninsula

Russia and China have advanced cyber capabilities, and Iran is

undertaking a concerted effort to use cyberspace to its advantage. (Oct
2012)
US Defense Secretary Leon Panetta
 Cyber warfare
Pres. Obamas order accelerated a wave of cyber attacks against Iran
From his first months in office, President Obama secretly ordered
increasingly sophisticated attacks
Target: computer systems that run in Irans main nuclear enrichment
facilities
USAs first sustained use of cyber weapons
Stuxnet (code name Olympic Games) Did it end there?
W32.Duqu, Flame
US government only recently acknowledged developing cyber weapons
but has never admitted using them
The US stand to lose even more if its infrastructure is attacked Jack
Bauer, CTU
 Cyber warfare

The Department of Defense is looking to develop new technologies,

including hardened operating systems and other platforms, for managing
cyber warfare in real time on a large scale.
InformationWeek
 Agenda
Introduction
Perspectives our changing world
Some recent global events
Cyber warfare
Observations from local investigations
Where to start proactive response
Questions
 Observations from local
investigations
Hammerhead investigation
Discovery of stolen artifacts by SAPS when they arrested someone on
suspicion of other crimes
Underscores links beween organised crime in its various formats
human trafficking, narcotics, cybercrime, etc.
Did not even realise the extent of the compromise
Settled a claim from a business partner regarding compromised
information
Suspected system problems, isolated incident
Discovered key logging software
They were compromised, invaded
Properly hacked
 Observations from local
investigations
Hammerhead
Lost millions, huge reputational damage risk
Exposed over a significant period of time (years)
Root access on Domain Controllers (undetected)
Admin accounts created (and used) (undetected)
Full extent of compromise not known
Check mate:
Massive server farm (1000+ servers)
Exposed open over an extended period of time
Who knows how many backdoors were installed
Not feasible to rebuild entire farm at once
 Observations from local
investigations
Hammerhead
Identity management very weak
No two-factor authentication, even sensitive areas
No physical segregation of critical data networks
Inadequate and insecure logging
Unclear ownership of risk
Is your organisation taking the threat seriously enough?
Are you?
How much is your data worth?
E.g. gift cards/vouchers, credit card details, prepaid electricity/airtime?
And the data of your customers?
 Agenda
Introduction
Perspectives our changing world
Some recent global events
Cyber warfare
Observations from local investigations
Where to start?
Questions
 Where to start?
Computer forensics is not enough
Prosecution remains a challenge
But: you can be proactive:
Perimeter not properly secured?
Network not properly reviewed because it is not properly understood?
Lack of internal expertise to randomly perform assessments to detect APTs?
Identity management must be world-class
Two-factor authentication, minimum for sensitive areas
Physical segregation of critical data networks
Enable logging, make sure you segregate log store and server (manipulation)
Establish proper clear ownership of risk at the highest level
 Where to start?
Change the perspective to protecting data throughout the lifecycle
across the enterprise and the entire supply chain
This is NOT an IT function
Assume that your organisation may already be compromised
Upon discovery:
Escalate
If needed, get help!
 Agenda
Introduction
Perspectives our changing world
Some recent global events
Cyber warfare
Observations from local investigations
Where to start?
Questions