NATO Advanced Training Seminar
CYBER TERRORISM PREVENTION &
COUNTERACTION
Kiev, Ukraine September 27-29, 2010
About
Cristian Driga - Attorney at Law, Executive director at Computer Crime Research Centre (NGO), Romania
Main practice areas: Computer Crime & Electronic Evidence
Special interests: public policy, raising public & legal professionals awareness in the fields of computer security, computer crime and electronic evidence.
http://en.criminalitate.info http://www.driga.ro
contact@criminalitate.info
CAPABILITIES OF CYBER-TERRORISTS
IT infrastructure and associated risks
Hypothetical situations and actual incidents
NATO Advanced Training Seminar – Kiev, Ukraine 2010
A world depending on computers
Computers and networks span all the critical sectors of our lives
State and government, military, business and banking, health, transportation, etc.
Communications, life support systems and energy systems
The Internet as an invaluable source of information and as a global collaboration tool
Education and Research, Business, etc.
New roles for computers everyday
Technical advancement and miniaturization bring new roles for computers in our lives
Computerized cars
Electronic national ID cards
Medical devices, including pacemakers
The Internet is increasingly the primary information carrier in all areas
Phone conversations are moving to the web, and so are television and radio
...all inter-connected and communicating
Our IT Infrastructure – Our Risks
No computer system is 100% secure: intended usage vs. misuse
Technical risks: software-related security problems, hardware-related problems
External risks: network connectivity, service providers
Our IT Infrastructure – Our Risks
Internal risks: organizational policies, insider threat, complexity of technology and lack of education in operating IT in a security-aware way
The Politics
Political and legal issues
Online safe havens
Lack of uniform legislation and cooperation
Cyber-Terrorism?
Many definitions:
politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage
unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives
Cybercrime?
Also many definitions, but closer to a unified legal definition at the international level
Includes attacks against computers and networks to disrupt processing
Also includes an "espionage" part: illegally accessing computer systems and data and making unauthorized copies of private or classified data
Their Infrastructure – Our Risks
Cybercrime is continuously evolving:
New and sophisticated tools
Successful infection and control of millions of computers
Proven attack, disruptive and espionage capabilities
Improved methods of avoiding tracing and justice
Their Infrastructure – The Network
The Internet:
As an information exchange medium between cybercriminals and as a training environment
As a medium for collaboration and for procuring tools to commit cybercrimes
As a carrier for the attacks and computer virus infections
As an anonymization tool
Botnets
Armies of civilian and institutional computers infected with trojans capable of executing commands sent by the botmaster:
stealing information (e.g. passwords, credit card information, etc.)
providing remote access to the infected computer (and the sensitive information on it)
sending spam
attacking other computers and networks
How are botnets controlled?
Various methods, difficult to trace and disrupt:
Listening in an IRC chat room on the Internet
Periodically reading certain Internet addresses
Listening for messages posted by the botmaster on social media sites like Twitter, etc.
The bots are almost never contacted directly.
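The "periodically reading certain Internet addresses" method leaves a footprint a defender can look for: one client fetching the same URL at near-constant intervals. The following is an added example (not part of the original presentation) that runs a simple beaconing check over a constructed proxy log excerpt; the log lines, the client addresses and the host name c2-poll.invalid are all made up for illustration (.invalid is a reserved top-level domain).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (not real traffic): "timestamp client host path".
# The host c2-poll.invalid is a placeholder standing in for a command server.
SAMPLE_LOG = """\
2010-09-27T10:00:00 10.1.1.5 c2-poll.invalid /cmd.txt
2010-09-27T10:00:02 10.1.1.7 cdn.example.net /img/logo.png
2010-09-27T10:01:10 10.1.1.7 cdn.example.net /img/logo.png
2010-09-27T10:05:00 10.1.1.5 c2-poll.invalid /cmd.txt
2010-09-27T10:10:01 10.1.1.5 c2-poll.invalid /cmd.txt
2010-09-27T10:14:59 10.1.1.5 c2-poll.invalid /cmd.txt
2010-09-27T10:20:00 10.1.1.5 c2-poll.invalid /cmd.txt
2010-09-27T10:25:00 10.1.1.5 c2-poll.invalid /cmd.txt
2010-09-27T10:33:40 10.1.1.7 cdn.example.net /img/logo.png
2010-09-27T11:02:05 10.1.1.7 cdn.example.net /img/logo.png
2010-09-27T11:02:07 10.1.1.9 www.example.com /
"""


def parse_log(text):
    """Yield (timestamp, client, host, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def find_beacons(text, min_requests=5, max_cv=0.10):
    """Return (client, host, path, count, mean_gap_seconds) for every
    client/URL pair fetched at least min_requests times at near-constant
    spacing. Regularity is the coefficient of variation (stdev / mean) of
    the gaps between consecutive requests; max_cv tolerates the small
    jitter bots often add on purpose. Thresholds are assumptions to tune."""
    seen = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        seen[(client, host, path)].append(ts)

    findings = []
    for (client, host, path), stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            findings.append((client, host, path, len(stamps), avg))
    return sorted(findings)


if __name__ == "__main__":
    for client, host, path, n, avg in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}{path}: {n} requests, one every ~{avg:.0f}s")
```

On the sample above only 10.1.1.5 is reported (six fetches of /cmd.txt roughly every 300 seconds); the CDN requests from 10.1.1.7 are too few and too irregular. In practice such a check is a starting point for investigation, not proof: legitimate software updaters and monitoring agents poll regularly too, so the flagged hosts still need to be looked at.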
Automatic infection
Common infection techniques:
Malicious code on regular web pages that tests the visitor's browser for unpatched security holes; if one is found, the trojan installs itself silently
Opening an infected file received through email from a friend's email address
Opening infected removable storage (a USB pen drive, for instance)
After infection...
Hide themselves in the operating system
Download and install other botnet components and malicious software
Record keystrokes looking for:
email and Facebook account logins
e-banking account logins
credit card numbers and associated data
website access credentials (FTP accounts) of people who own a web page
...all automated
Automation continued...
Delivery of captured information to the botmaster on special servers for exploitation (e.g. credit card fraud)
A recently improved ZEUS trojan version is capable of detecting and hijacking the e-banking session, checking the account balance and placing automatic transfer orders.
More automation...
Automatic login to E-Mail and Facebook accounts and sending apparently legitimate emails to friends and contacts to spread the infection
Infecting the web pages owned by the victim (using the stolen FTP login to install exploit packs on the pages)
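The injection described in the last two slides (a drive-by page that tests the visitor's browser, planted on a legitimate site via stolen FTP credentials) commonly took the form of a hidden iframe pointing at the exploit pack's server. The following is an added example, not part of the original presentation, showing a first-pass check a site owner can run over a saved copy of their own pages: it reports iframes that are both off-site and invisible. The HTML and the host exploit-pack.invalid are constructed for illustration; a diff against a known-good backup remains the stronger check, since attackers also inject obfuscated script rather than iframes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page body standing in for a site owner's home page after a
# compromise (not a real capture). exploit-pack.invalid is a placeholder.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<p>Our news</p>
<iframe src="http://exploit-pack.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://exploit-pack.invalid/load" style="display:none"></iframe>
</body></html>"""

# Frame sizes small enough that nothing is visibly rendered.
HIDDEN_SIZES = {"0", "1"}


def _is_hidden(attrs):
    """True if the element is hidden by CSS or collapsed to 0/1 pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = attrs.get("width", "").lower().rstrip("px")
    height = attrs.get("height", "").lower().rstrip("px")
    return width in HIDDEN_SIZES and height in HIDDEN_SIZES


class HiddenFrameFinder(HTMLParser):
    """Collect (line, host, src) for every hidden iframe whose src host
    differs from the site's own host name."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src has no host; treat it as pointing at our own site.
        host = (urlparse(src).hostname or self.site_host).lower()
        if host != self.site_host and _is_hidden(a):
            line, _offset = self.getpos()
            self.findings.append((line, host, src))


def find_hidden_offsite_iframes(html, site_host):
    """Scan one page and return the suspicious iframes found in it."""
    finder = HiddenFrameFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for line, host, src in find_hidden_offsite_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"line {line}: hidden iframe to {host} ({src})")
```

Run against the sample with the site's own host name, the visible widget frame on line 3 is ignored and the two hidden frames on lines 5 and 6 are reported. The check is deliberately conservative: a visible off-site iframe or a hidden same-site one is not flagged, so it produces few false alarms but will miss injections that use other techniques.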
Famous botnets and exploit packs
Botnets: Rustock, Storm, Srizbi, Conficker, Kraken, Cutwail, Mega-D, Nucrypt, etc.
Exploit Packs: Crimepack, Phoenix, Eleonore, Fragus, Siberia, Icepack, El Fiesta, Yes Exploit, etc.
Powerful and successfull tools
Because of the automation of the whole process
Ease of use
Millions of infected computers capable of acting as one giant supercomputer
Millions of unprotected users visiting infected websites
Hard to trace the origins of an attack initiated by large numbers of computers all over the world
More reasons...
Lack of consistent minimal public education on using the computers and the Internet in a safe way
Lack of strong computer usage policies for employees in companies
Because of the existence of so-called server safe havens
Safe havens for cybercrime
Countries not willing to cooperate in bringing cybercriminals to justice
Insufficient national laws, unable to criminalize such computer crimes
Botnets would hardly be possible without the servers that collect the stolen data and give commands to the bots
Solving this problem requires international cooperation and unified legislation.
Politics at its best.
Money as the link...
In the recent years a new trend has developed:
botnets for hire or rent
One can find on the Internet exploit kits and all the software needed to create one's own botnet
When lacking strong technical skills, one can hire or rent a botnet instead
Back to Cyber-Terrorism...
Botnet developers are in this business for money. If terrorists pay, they have a very powerful cyber-weapon.
Organized crime has the money to create botnets but may have other needs (safe routes for drugs, weapons, training, etc.) which terrorists can provide in exchange for the use of botnets.
Terrorists usage of botnets?
A terrorist group renting a botnet of millions of computers, capable of heavily attacking critical infrastructure servers and bringing them down, is a real threat
Renting a botnet and using it to collect credit card data to commit credit card fraud is a way of financing real-life terrorist activities
Actual incidents?
More evidence of large scale cybercrime related attacks than of cyber-terrorism incidents
Difficulties in attributing cyber-attacks to terrorists
However, there is plenty of evidence that terrorist groups use the Internet to conduct their activities and are becoming proficient in using IT
How long before an actual attack?
Reports
One US Congress report mentions Romanian hackers threatening to shut down the life support systems of the National Science Foundation's Amundsen-Scott South Pole Station – but the threat lacked political motivation
A hack into a Queensland, Australia sewerage system, heavily polluting rivers and parks – proof of devastating effect, but again no political motivation
Estonia 2007 – likely to be a cyber-terrorist attack and surely an example of what could happen
Estonia 2007
Experts from the US and NATO helped in the recovery and attempted to discover the source of the DDoS attacks
Evidence pointed to more than one source (some pointed to Russia, some to other countries)
No conclusive evidence about the original source – common opinion: botnets were used
Hard to trace and almost impossible to retaliate
Hypothetical situations
The Estonia incident showed that it is possible to paralyse even the web-related activities of states
Many daily life aspects take place in cyberspace and/or depend on IT
Various possible scenarios have been suggested, in which different critical infrastructure networks are disrupted by cyber-attacks
Economy related targets
Banks and international transactions
Stock exchanges
Businesses and online commerce
May result in loss of confidence in the economic system
Transportation systems
From disruption of traffic light systems in big cities
To interference with flight and train control systems
Would result in accidents and loss of lives, and would paralyse transportation
Energy supply systems
Electricity production and distribution
Gas supply
Water supply systems
Directly affecting the population
Other systems as targets
Military command and control
Emergency systems (112 or the US 911)
Healthcare IT infrastructure
Industrial processes
Experts say these scenarios are possible.
Cybercrime examples confirm the potential.
How do we make them impossible?
Thank you!