An overview of cyber-crime in 2001
Acts of malicious intent: A few examples


CLUSIF, 15/01/2002 – www.clusif.asso.fr – contact : [email protected]


Overview objectives
– To assess the emergence of new risks and determine current trends within existing risks.
– To put into perspective those incidents which have gained a degree of notoriety or entered the realms of urban legend.
– To view high-tech crime in the same light as more conventional felonies.
Initial overview… by a mixed workgroup (consultants, journalists, Information Security Officers).


Choice of media events
– Illustration:
  • of an emergence,
  • of a trend,
  • of a volume of incidents.
– Individual case:
  • impact or stakes,
  • textbook example.
All companies are cited out of concern for accuracy and because their names have already appeared in the media. All images are copyrighted.
All information used has come from open sources.


Contents
– Yescard and fraudulent payments
– CodeRed and Internet viruses
– Attacks against e-books and digital works
– Picking through the garbage, a lucrative trade
– Victim of hacker or in-house malevolence?
– Fake sites and domain-name cyber-squatting
– Financial rumors on the Internet
– BadTrans and breaches of confidentiality


Yescard and fraudulent payments
– Yescard is a programmable smart card which enables the processing of purchasing transactions on certain types of automated electronic payment systems. The media focus on the “theoretical” nuts and bolts of the system resulted in an organized, highly localized fraud in a few regions of France that ultimately cost several million francs.

Timeline
– Spring 2001: creation of a “yescarder” group.
– Summer 2001: press and TV coverage with reports on individual usage.
– Fall 2001: establishment of organized networks, most notably in areas close to gas stations with automated payment systems.


Yescard

[Screenshot: G0lee program for Yescarding]


Yescard: A few details
– Below a purchasing transaction threshold, the authentication of the card and its bearer is performed locally, at the terminal.
– Only automatic payment terminals (gasoline, mass transit tickets, video rentals, etc.) were affected.
  • ATMs request authorization on line.
  • The electronic payment terminals used by retailers require the visible counterfeiting of the card or a scam involving insider collusion.
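The offline floor-limit behaviour described above is what made unattended terminals the target. As an added illustration (not CLUSIF's code), the following Python models that authorization policy and runs a detection pass over a constructed authorization log, flagging a terminal that receives a burst of sub-threshold offline approvals from several different cards; the terminal types, floor limit, thresholds and log lines are all constructed assumptions.

```python
"""Floor-limit authorization policy and a detector for bursts of offline,
sub-threshold approvals at unattended terminals. Added example, not CLUSIF's
code: terminal types, floor limit, thresholds and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FLOOR_LIMIT = 30.0       # constructed floor limit, in currency units
ALWAYS_ONLINE = {"atm"}  # terminal types that always ask the issuer
UNATTENDED = {"fuel_pump", "ticket_machine", "video_kiosk"}  # may approve locally


def authorization_mode(terminal_type, amount):
    """'offline' when the terminal may approve locally, otherwise 'online'."""
    if terminal_type in ALWAYS_ONLINE or amount >= FLOOR_LIMIT:
        return "online"
    return "offline"


def parse_log(lines):
    """Parse constructed 'ISO-time terminal_id terminal_type card_ref amount' lines."""
    records = []
    for line in lines:
        ts, term, ttype, card, amount = line.split()
        records.append((datetime.fromisoformat(ts), term, ttype, card, float(amount)))
    return records


def flag_terminals(records, window=timedelta(hours=2), min_offline=5, min_cards=3):
    """Map terminal_id -> (offline approvals, distinct cards) for unattended
    terminals that approved many sub-threshold transactions locally, from
    several different cards, inside one time window."""
    by_term = defaultdict(list)
    for ts, term, ttype, card, amount in sorted(records):
        if ttype in UNATTENDED and authorization_mode(ttype, amount) == "offline":
            by_term[term].append((ts, card))
    flagged = {}
    for term, events in by_term.items():
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            win = events[start:end + 1]
            cards = {c for _, c in win}
            if len(win) >= min_offline and len(cards) >= min_cards:
                if best is None or len(win) > best[0]:
                    best = (len(win), len(cards))
        if best is not None:
            flagged[term] = best
    return flagged


# Constructed log: PUMP-17 gets six offline approvals from four cards in half an
# hour; PUMP-03 sees ordinary traffic over a day; ATM-9 always goes online.
SAMPLE_LOG = """\
2001-10-05T22:01:00 PUMP-17 fuel_pump c001 28.50
2001-10-05T22:04:00 PUMP-17 fuel_pump c002 29.90
2001-10-05T22:09:00 PUMP-17 fuel_pump c001 27.00
2001-10-05T22:15:00 PUMP-17 fuel_pump c003 29.50
2001-10-05T22:21:00 PUMP-17 fuel_pump c004 28.00
2001-10-05T22:30:00 PUMP-17 fuel_pump c002 29.00
2001-10-05T08:10:00 PUMP-03 fuel_pump c010 22.00
2001-10-05T13:45:00 PUMP-03 fuel_pump c011 45.00
2001-10-05T19:20:00 PUMP-03 fuel_pump c012 18.50
2001-10-05T22:05:00 ATM-9 atm c020 20.00
""".splitlines()

if __name__ == "__main__":
    print(flag_terminals(parse_log(SAMPLE_LOG)))  # {'PUMP-17': (6, 4)}
```

The ATM record is ignored because that terminal type never approves locally, and the 45.00 transaction at PUMP-03 is excluded because it reaches the floor limit and goes online.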


Yescard: Context
– Awareness of the principle among professionals.
– The lawsuit between GIE-CB and Serge Humpich.
– Dissemination of the keys on Usenet.
– The current switchover to EMV 5.1 and 5.2.

From January 2002, the VA key was abandoned and replaced by a VS key. This was accompanied by a strengthening of the authentication and non-repudiation process (certificate of purchase).


[Screenshot: newsgroup discussions about research and use of yescards]


Yescard: Stakes and consequences
– The problem of an overly popularized media focus on “card cloning”:
  • Technical risk, threat to the brand image.
– A problem pertaining to the dissemination of knowledge and know-how:
  • Intellectual challenge vs. the users’ need for confidentiality and protection.
  • Internet debate over full disclosure.
– Consequences of such dissemination:
  • Hijacking of the know-how, followed by its exploitation for fraudulent purposes.


CodeRed and Internet viruses
– On July 17th, 2001, the CodeRed virus began to spread over the Internet at an alarming rate (250,000 systems were infected in less than 9 hours). It targeted IIS servers (Windows NT and Windows 2000) over TCP/IP on port 80. The virus used an IP address scan engine and then automatically installed itself on systems identified as vulnerable.
– Nimda broke out on September 18th of that same year.
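The scan engine described above leaves a simple trace in network logs: one host opening connections to many distinct addresses on port 80 in a short time. The following Python detector, an added example rather than anything from the CLUSIF overview, runs a sliding-window count of distinct destinations per source over a constructed connection log; the log format, window length and threshold are assumptions.

```python
"""Sliding-window detector for the IP-scanning propagation behaviour described
for CodeRed: one source opening connections to many distinct hosts on TCP/80.
Added example, not from the CLUSIF overview; log format, window and threshold
are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse a constructed 'ISO-time src=A dst=B dport=N' connection record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])


def find_scanners(lines, window=timedelta(seconds=60), min_targets=20, port=80):
    """Map source -> largest number of distinct destinations it contacted on
    `port` within any single window; only sources reaching min_targets."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in sorted(parse_line(line) for line in lines):
        if dport == port:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # drop old events
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def constructed_log():
    """Build sample traffic: one host sweeping 25 consecutive addresses on
    port 80 in 50 seconds, and one host browsing three sites over five minutes."""
    base = datetime(2001, 7, 19, 10, 0, 0)
    lines = []
    for k in range(1, 26):
        t = (base + timedelta(seconds=2 * k)).isoformat()
        lines.append(f"{t} src=10.1.2.3 dst=10.9.0.{k} dport=80")
    for k, secs in ((1, 5), (2, 70), (3, 300)):
        t = (base + timedelta(seconds=secs)).isoformat()
        lines.append(f"{t} src=10.1.5.5 dst=10.9.1.{k} dport=80")
    lines.append(f"{base.isoformat()} src=10.1.5.5 dst=10.9.1.9 dport=443")
    return lines


if __name__ == "__main__":
    print(find_scanners(constructed_log()))  # {'10.1.2.3': 25}
```

The browsing host never exceeds one distinct destination per minute, so only the sweeping host is reported.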


CodeRed: Context
– Viruses can no longer count on a slow and discreet propagation, due to the rapid reaction of the anti-virus community.
– The individuals who create viruses are clearly seeking to exploit the functionality of the Internet.
– We are thus talking about a new category of viruses which rely less and less on external resources for their propagation.


– Consequently, several modes of transmission are favored (e-mail, Web, shared networks, etc.).

– The installation of a back-door or a Trojan Horse is also possible.

– The demarcation line between virus writers and hackers is becoming increasingly blurred.

– Virus scripts are on the wane, while viruses which infect executables are becoming more prevalent.


CodeRed

[Chart: Trends in virus infection mode, 1998 to 2001, by virus family (W97M/X97M, W32/W95, JS/VBS); vertical axis 0 to 180]


CodeRed: Stakes and consequences
– This quest for massive transmission in a short period of time requires a rapid reaction from everyone (anti-virus vendors, businesses, Web surfers) and the necessary structures to enable such a reaction. The involvement of Internet access providers is also under discussion.
– The virus’s systematic search for vulnerabilities must be countered by an effective and proven security system. Viruses also cause denial of service (consuming network bandwidth and the capacity to transmit data).


E-Books and the protection of works
– A young Russian hacker explains how to circumvent the Adobe anti-copy protection system for e-Books.

Timeline
– July: public conference at DefCon 9 (Las Vegas), followed by police questioning (DMCA copyright act).
– Taken into custody, then placed under house arrest.
– Returned to Russia at the end of December; trial underway.


eBooks

[Screenshot: AEBPR, Elcomsoft software]


eBooks: Context
– The world market for the distribution of digital works.
– The significant economic implications.
– This attack took a two-pronged approach:
  • Cryptanalysis of the protection resources.
  • Full disclosure of the information found.
– Other cases: DeCSS being used to counter DVD anti-copy protection.


eBooks: Stakes and consequences
– Don’t touch the e-Dollars!..
– Strength of the cryptographic system:
  • Authenticity and imprinting (watermarking) of digital works stored or reproduced on websites.
  • Anti-copy protection of the media (e.g. e-Books).
  • Real-time cryptanalysis of the PPV (pay per view) systems used for the digital transmission of pay TV channels.
– Criminal prosecution for making the resources available (cf. cyber-crime treaty).


Picking through the garbage
– Unilever vs. Procter & Gamble. Objective: the theft of strategic data outside of the information technology systems; $3 million invested in the operation.
– Foraging through the trashcans of a Unilever subsidiary (Sunsilk) in Chicago:
  • 80 documents recovered by a company specializing in economic intelligence,
  • plans for new product launches, HR policy, business strategy.
– Use of a stratagem (fake financial analysts) among Unilever managers.


Picking through the garbage: Context
– A highly competitive market for beauty products (shampoo).
– A situation in which product innovation brings real competitive advantages.
Result: damage to the brand image, $10 million paid out in compensation.
– Other cases:
  • Oracle vs. Microsoft: theft of two trash bags. Objective: to compromise Microsoft in the media by proving the financing of pressure groups.
  • Transmeta: attempted theft of trash cans a few weeks prior to the launch of a new microchip.


Picking through the garbage: Stakes and consequences
– Risks beyond a company’s (physical) boundaries.
– Few practical measures taken to prevent entry.
– Little awareness of such a low-tech risk.
– Similar use in the underground world (dumpster diving) to gather information on the architecture of information systems.
– Little in the way of technical solutions.


Victim of hacker or in-house malevolence?
– In late November, an article in the French daily “Libération”, entitled “Off-track betting group PMU thrown by hackers”, cited the creation of an unauthorized parallel website: “It’s possible to make 35 billion francs at the PMU.” The article also evoked a “large-scale attack” (250 PCs and 40 servers). Furthermore, the article talked of hacking, a term that usually implies an outside attack and not an act of vengeance orchestrated by a disgruntled employee.


Victim of hacker or in-house malevolence? Context
– The source of the articles in the mass media was found to be an “underground news” website which presented the unauthorized website as well as an interview with a former PMU employee.
– The malicious act cited originally occurred a year earlier (23/11/00) and was followed by a more recent disclosure with the help of some in-house complicity.
– Discussions in newsgroups specializing in worker activism.


Victim of hacker or in-house malevolence? Context (cont.)
– These articles only rarely mentioned the in-house nature of the act (an employee hired on a contractual basis) and lumped it together with other, unrelated incidents (bugs) in a way that helped to build a mass of evidence. The resulting impact was disproportionate: “a criminal act that enabled the perpetrators to tamper with bets, make fraudulent electronic transfers (…) and to create fictitious jobs”.


Victim of hacker or in-house malevolence? Stakes and consequences
– A problem of managing workers who are not directly employed by the company, and more generally the problem of in-house acts of malicious intent.
– A media communication “scoop” a year after the actual act and several weeks after the disclosure of the facts.
– The need to monitor the media and counter misinformation.
– A policy of modified security (a change of IPs, passwords, configurations) and a strengthening of the relevant architecture.


Fake sites and domain-name cyber-squatting
– On October 30th 2001, the WTO issued a press communiqué advising the public that the existence of the website www.gatt.org could lead to confusion with the WTO’s official site, www.wto.org. The site in question was portrayed by Reuters as an example of “cyber-hijacking”. In the event, it was not a case of hacking, but rather a parody of the official site that had borrowed the WTO’s logo, its layout and graphics, and embellished it with photographs of WTO representatives to present rewritten interviews. The tone was decidedly anti-WTO.


Fake sites and domain-name cyber-squatting: Details
– The domain name www.gatt.org was originally registered in 1997. It was one of numerous sites created by ®TMark, a specialist in the creation of unofficial sites. At the time, GATT had yet to be renamed the WTO.
– In March 2000, ®TMark entrusted the Gatt.org site to the Yes Men, an association of self-declared “impostors”. Their aim: “To draw attention to the fact that the WTO’s laissez-faire economic program was disastrous for people”.
– Officials from the University of Tampere in Finland sent an e-mail to the www.gatt.org website believing that they had contacted Mike Moore, president of the WTO. They then proceeded to invite the latter to a seminar. In his place, Andy, one of the Yes Men, duly appeared at the conference…


Fake sites and domain-name cyber-squatting: Context
– Conflicts over domain names are becoming more prevalent.
– Also on the rise:
  • Pirating, interference, and misappropriation of official sites, as well as the creation of parody sites.
  • Websites with similar names that automatically redirect the visitor to a site sponsored by an opponent/competitor.
– Similarly, an increase in the number of sites linked to politics:
  • In the UK, the misappropriation of the names of political parties.
  • In Belgium, the third-party registering of domain names that would otherwise have been used by political figures.
  • In France, domain names linked to political figures that have been preempted by adversaries.


Fake sites and domain-name cyber-squatting: Stakes and consequences
– Numerous negative consequences: infringement of intellectual property, trademark violation.
– Damage to reputation, interference.
– Difficulties in pursuing and settling lawsuits.
  • WIPO report in September 2001.
– Problems for ICANN.


Financial rumors and the Internet
– Stock investment fraud on the Internet. A 17-year-old college student was able to mastermind an on-line stock investment scam, which earned him over a million euros. In the space of a month and a half (between November 1st and December 15th, 2001), the young man created a web-based investment brokerage complete with its own investor mailing list ("Invest Better 2001"). Incentive: the offer of “guaranteed, risk-free” investments with the promise of a return of between 125% and 2,500%. Over 1,000 people fell victim to the fraud. The perpetrator was finally caught by the SEC (Securities and Exchange Commission).


Financial rumors and the Internet: Context
– Web-based fraud is a major problem and it takes on numerous forms:
  • Rumors to inflate or deflate stock prices.
  • Consultancies demanding fees for fictitious stock investments.
  • Pseudo-independent consultancies.
  • Pyramid schemes (William Caudell affair).
  • Websites acting as a window for fake companies.
  • Websites purposely designed to impersonate real financial institutions (cf. the scandal involving the issuing of fake bank guarantees, with 29 websites made to look like Bloomberg sites).
  • On-line purchases without delivery of the advertised goods.
  • Etc.


Financial rumors and the Internet: A context facilitated by
– The appeal of making a quick and easy profit.
– The popularity of on-line stock sites.
– The naivety of Web surfers.
– The speed with which news and rumors can spread.
  • The use of information boards and discussion groups.
– The ease with which it can be done, requiring little in terms of computer skills.


Financial rumors and the Internet: Stakes and consequences
– Financial losses.
– Pirating of websites.
– Forgery and use of forged documents.
– Organized crime.
– Flight of capital to tax shelters.


BadTrans and confidentiality
– On November 24th, a new variant of the BadTrans virus began to spread. Once installed, the virus monitors for the entry of certain key letter strings ("log", "pass", "rem", "con", "ter", "net"). The connection data is then intercepted and sent out via the Internet.


BadTrans: Context
– A virus is no longer a single act of vandalism (destruction of data or operational malfunctions on the computer of an unknown victim).
– The virus communicates:
  • To update its code… However, the process has so far proved to be inefficient due to the rapid shutdown of sites (cf. Babylonia).
  • To pass on what it harvests to websites, discussion groups and e-mail addresses.


BadTrans: Variety and trends in virus writing
• APStrojan.qa
• BadTrans.b
• Babylonia
• Caligula
• Getit (under Netware)
• LoveLetter.bd
• Marker
• VBS/FunnyStory
• VBS/Monopoly@MM


BadTrans: Stakes
– The risk that sensitive information may be compromised.
– The risk that confidentiality may be breached and regulatory obligations compromised.
– The FBI wished to gather the fruits of the virus’s work from an Internet access provider. Response: the creation of an on-line database…


BadTrans: Stakes and consequences
– If a virus can find a point of entry (e.g. CodeRed), that weakness can also be exploited by a human.
– If a virus can contaminate a classified document (cf. articles on the contamination of .doc files at the US Defense Dept.), the potential is there for the document to be disclosed.
– A little carelessness can have huge consequences!


BadTrans

[Hex dump of the compromised document: a personal letter in French, anonymized]

Private document compromised and transmitted by the virus… (the text is anonymized and otherwise unchanged, including its mis-rendered accented characters).


In conclusion
We would also like to mention…
– Attacks against telephone technology: acts of malicious intent, fraud.
– Attacks on wireless networks (WLAN): arrogation, denial of service.
– Rumors and denigrations via e-mails and discussion groups.
– Data theft (source programs, bank cards, etc.).
– …