Transcript PPT

Why Cyber Security is the Right Career Choice, NOW
NSF Information Assurance / Information Security / Digital Forensics Conference
May 7, 2009
Paul M. Joyal
Managing Director, Public Safety and Homeland Security Practice
Cyber and Information Warfare
“The growing role of information-technology is rapidly lowering the
barrier between war and peace.”
Mary C. FitzGerald
www.nationalstrategies.com
Cyber Security: Network Threats and
Policy Changes, Hearing, May 1, 2009
“Previous attempts to deal with cyber security
in isolation have failed,” Melissa Hathaway,
acting senior director for cyberspace for the
National Security Council and Homeland
Security Council.
“We are now at the point where we must realize that economy and cyber security are opposite sides of the same coin,” added Larry Clinton, President of the Internet Security Alliance. “We cannot address one issue without the other.”
Subcommittee on Communications, Technology, and the Internet, testimony
“Attacks are cheap and relatively easy to
conduct,” he explained. “Profits are
enormous. The defensive perimeter is
virtually endless and defensive measures
are expensive.” Altering these economics
is the challenge.
Today’s Cyber Warfare Reality
McAfee stated in their 2007 annual report that
approximately 120 countries have been developing
ways to use the Internet as a weapon and target
financial markets, government computer systems and
utilities.
In activity reminiscent of the Cold War, when countries engaged in clandestine operations against one another, intelligence agencies now routinely probe networks looking for weaknesses. The techniques for probing weaknesses in the Internet and global networks grow more sophisticated every year. [3]
Cyber Warfare Today
Jeff Green, senior vice president of McAfee Avert Labs, states: "Cybercrime is now a global issue. It has evolved significantly and is no longer just a threat to industry and individuals but increasingly to national security." McAfee predicted that future attacks will be even more sophisticated: "Attacks have progressed from initial curiosity probes to well-funded and well-organized operations for political, military, economic and technical espionage."
Cyber Counterintelligence
Cyber counterintelligence comprises measures to identify, penetrate, or neutralize foreign operations that use cyber means as the primary tradecraft methodology, as well as foreign intelligence service collection efforts that use traditional methods to gauge cyber capabilities and intentions.
What the US is doing in
Cyber Defense
On April 7, 2009, the Pentagon announced that more than $100 million had been spent in the previous six months responding to and repairing damage from cyber attacks and other computer network problems.
On April 1, 2009, U.S. lawmakers pushed for the
appointment of a White House cyber security "czar" to
dramatically escalate U.S. defenses against cyber
attacks, crafting proposals that would empower the
government to set and enforce security standards for
private industry for the first time.
New DHS Secretary calls for a
review of Cyber Security
On February 9, 2009, the White House announced that it will conduct a review of the nation's cyber security to ensure that the United States federal government's cyber security initiatives are appropriately integrated, resourced and coordinated with the United States Congress and the private sector.
How did we get here
“Ancient History” Internet-style
• 2004 – the “Russian Spam Gang” identified
as one of the top spam producers. Headed
by MIT- and UMass-educated Leo Kuvayev.
• Tom Reilly, Massachusetts Attorney
General, sued Kuvayev for $37 Million.
Leo fled back to St. Petersburg.
“Rock Phish” – 2005 to 2007
• From 2005 until 2007, unknown phishers
operating from St. Petersburg and
Moscow stole more than $400 Million from
more than 50 financial institutions.
Russian Business Network
• In November of 2006, the Rock Phish
“mothership”, the hub of a distributed
network of botnet data collection points,
was operating on IP addresses owned by:
Russian Business Network
12 Levashovskiy pr.
197110 Saint-Petersburg
Russia
RBN Prime Time Locations
RBN 2006
• At the time, the same Network was
hosting a malware distribution network
called “iframemoney.biz”, which infected
computers by showing them banner ads
from legitimate websites.
• They also hosted hundreds of child porn
domains, and had strong ties to Intercage,
Atrivo, and EST Domains
Stock Manipulation 2006
• In December 2006, the SEC froze the assets of
one Evgeny Gashichev for manipulating the value
of various stocks through “Stock Pump and
Dump” scams.
• At the time 41 year old Gashichev was running
his Estonian based business from his home in St.
Petersburg, Russia.
• Gashichev had run the scams since at least 1998, earning millions of dollars by manipulating the US stock exchange.
Russian Government on RBN
• Queries to the Russian government were
greeted by the news that the Russian
Business Network was based in Panama.
As evidence, copies of the “WHOIS” data
were provided.
• Strangely, the only “upstream” provider of
RBN at the time was St. Petersburg
Telecom.
RBN Reports
• David Bizeul and Verisign iDefense have produced analyst reports on RBN, suggesting ties to banking trojans such as Torpig and password-stealing schemes such as Gozi, which have infected millions of computers around the world.
• blog.wired.com/defense/files/iDefense_RBNUpdated_20080303.doc
• www.bizeul.org/files/RBN_study.pdf
ShadowServer on RBN
ShadowServer, a security research organization, prepared this diagram showing how 2,664 different malware programs made connections back to 94 hosts (the big dots) controlled by the Russian Business Network.
A closer look at AS40989
Each malicious program was found to connect to either a “Command & Control” server or a data drop on one of the RBN computers, such as 81.95.146.204.
RBN Goes Dark
• The ShadowServer Foundation report showed that the RBN network, known as “AS40989”, ranked #10 out of the 1,447 networks known to host malware worldwide.
• On November 6, 2007, in direct response to public pressure created by Brian Krebs’ articles in the Washington Post, the Russian Business Network disappeared.
RBN Franchises
• Those of us who monitor such things began
to see “RBN-like” activity on networks
around the world, most notably, InterCage,
SoftLayer, Layered Technologies,
UKRTelegroup, Turkey Abdallah Internet
Hizmetleri, and HostFresh.
• Despite their new locations, it was clear
that the RBN team was still in control.
Rampant Credential Theft
Credential Stealing
• Since May 30th, a long series of password-stealing scams have been sent to Americans via email. The stolen credentials are all sent back to one of the RBN franchises (in Ukraine).
• This sample was sent the morning after the election. Others have used “Classmates.com” or “Bank of America” or other lures to trick users into infecting themselves.
• In each case, five .cn (Chinese-registered) domains were used.
• In reality, the domains are registered by a “reseller” of BizCN.com who lives in St. Petersburg, Russia.
Anti-Virus is No
Defense
This week’s version of the “Snifula / Gozi” password-stealing malware was unknown to 33 of the 39 antivirus products we tested it against.
We received 810 emails on March 10th which pretended to be an invitation to “ClassMates.com”.
Stealing Information
Yesterday’s ClassMates
Malware
• Today’s version of the ClassMates.com malware steals email passwords, website passwords, FTP passwords, and more . . .
• It’s using these five newly created domain names: Installserverversion10.com, Clieckfordownload.com, Unionmeetflash.com, Videoplayer11version.com, Updtadeyouwinplayer.com
• The stolen passwords are being sent to 58.65.232.17, which is on HostFresh, one of the RBN affiliate networks
• The same botnet that hosts these domains is also hosting:
  • Sparkasse phishing sites
  • Alliance & Leicester phishing sites
  • Fifth Third Bank phishing sites
Fifth Third Example
On March 10th, this phishing site was hosted on: ifiili.li, jjf1.com, j1ffj.com, j1ffj.net, idsrtd04.eu, idsrt-d05.eu, idsrt-d09.eu, dk1ili.eu, biili.eu, bllli.eu, dkllli.eu, billl.eu
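The indicators on the ClassMates and Fifth Third slides (the five malware domains, the 58.65.232.17 drop host, the 81.95.146.204 RBN host, and the Fifth Third phishing domains) are exactly what a network defender turns into a detection rule. The Python script below is an added example written for this page; it is not code from the presentation or from any organization it names. It parses a constructed proxy log (the log format and the internal workstation names are made up for illustration), matches each destination against the indicator list taken from the slides, and reports which internal hosts contacted which indicator. Treating any subdomain of an indicator domain as a hit is an assumption about how the attackers use their domains, not something the slides state.

```python
"""Match outbound proxy log entries against the indicators listed on the
preceding slides and summarise which internal hosts talked to them.

Added example, not code from the original presentation. The log format and
the internal host names are constructed for illustration. The domains and
IP addresses come from the slide text (the ClassMates malware domains, the
Fifth Third phishing hosts, and the HostFresh / RBN drop points).
"""
from collections import defaultdict
import re

# Indicators quoted on the slides, lower-cased for comparison.
IOC_DOMAINS = {d.lower() for d in (
    "Installserverversion10.com", "Clieckfordownload.com", "Unionmeetflash.com",
    "Videoplayer11version.com", "Updtadeyouwinplayer.com",
    "ifiili.li", "jjf1.com", "j1ffj.com", "j1ffj.net", "idsrtd04.eu",
    "idsrt-d05.eu", "idsrt-d09.eu", "dk1ili.eu", "biili.eu", "bllli.eu",
    "dkllli.eu", "billl.eu",
)}
IOC_IPS = {"58.65.232.17", "81.95.146.204"}

# Constructed proxy log: "<time> <src_host> <dst_host_or_ip> <url_path>".
SAMPLE_LOG = """\
2009-03-10T08:02:11 ws-finance-07 videoplayer11version.com /load.php
2009-03-10T08:02:15 ws-finance-07 58.65.232.17 /gate.php?id=7
2009-03-10T08:05:40 ws-hr-02 www.classmates.com /
2009-03-10T08:07:03 ws-hr-02 mail.google.com /mail/
2009-03-10T08:09:27 ws-legal-11 update.unionmeetflash.com /setup.exe
2009-03-10T08:09:31 ws-legal-11 58.65.232.17 /gate.php?id=9
2009-03-10T08:12:58 ws-sales-04 j1ffj.net /53/login.aspx
2009-03-10T08:15:02 ws-sales-04 www.53.com /
"""

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<path>\S*)$")


def parse_line(line):
    """Split one log line into its fields; None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matched_ioc(dst):
    """Return the indicator that `dst` matches, or None.

    IP addresses must match exactly. Host names match if they equal an
    indicator domain or sit below it (assumption: the attacker can put any
    host label in front of a domain he controls, so parent-domain matching
    is deliberate; unrelated names such as www.53.com do not match).
    """
    dst = dst.lower().rstrip(".")
    if dst in IOC_IPS:
        return dst
    for domain in IOC_DOMAINS:
        if dst == domain or dst.endswith("." + domain):
            return domain
    return None


def scan(log_text):
    """Return {indicator: sorted list of internal hosts that contacted it}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ioc = matched_ioc(rec["dst"])
        if ioc:
            hits[ioc].add(rec["src"])
    return {ioc: sorted(srcs) for ioc, srcs in hits.items()}


def infected_hosts(log_text):
    """Internal hosts that contacted at least one indicator."""
    hosts = set()
    for srcs in scan(log_text).values():
        hosts.update(srcs)
    return sorted(hosts)


if __name__ == "__main__":
    for ioc, srcs in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ioc:28s} contacted by {', '.join(srcs)}")
    print("hosts to isolate:", ", ".join(infected_hosts(SAMPLE_LOG)))
```

Run on the sample log, two different workstations report to the same drop host, the same many-to-few pattern the ShadowServer diagram of AS40989 shows at Internet scale, and the hosts returned by infected_hosts() are the ones to pull off the network and re-image. Network-side matching like this is the complement to antivirus, which the preceding slide shows missed this family on most engines.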
$8 for 1000 userids and passwords!
The password stealing is so successful, the Russians are now selling passwords for email accounts at a rate of $8 per 1000.
How many Government employees use Hotmail, Yahoo, and Gmail accounts to avoid email problems at work?
Microsoft: Infections increasing
In the first half of 2008, Microsoft says 11.2% of American computers had been infected with some form of malware, an increase of 38% from the previous half year.
Some malware families tied to RBN had increased by as much as 163% from the previous reporting period.
Microsoft Security Intelligence Report
Botnets used to anonymize
criminal traffic . . .
ДДос сервис (DDOS Service)
• Russian sites use these networks of captured computers (botnets) to sell DDoS services.
• XAKEPY.RU, the “Portal of Russian Hackers”, has hundreds of hackers selling DDoS services delivered via botnets, many of which are controlled from the RBN “franchises”.
Typical RBN Attack Profile
From Georgia to Georgia
• After the “.gov.ge” domains failed, they were relocated to the United States, to Atlanta, Georgia (Tulip Systems), which gave us much greater visibility into the botnets being used for the attacks.
• One of the main attacking bots was the “MachBot”, a signature of the RBN DDoSers.
Fingers on the Trigger?
• The Spam that went out in the middle of July
accused the President of Georgia of being
homosexual.
• It was traced to the same spam botnets that
have been used to send the Canadian
Pharmacy spam hosted on the RBN networks.
• Alexandr A Boykov, of 13 Sedova St in St.
Petersburg registered the domains used by
that botnet.
The Brave New World of the 5 Day War
Where Cyber and Military Might Combined for War
Fighting Advantage.
Paul M. Joyal, Managing Director
Public Safety and Homeland Security
Russian analysts Yevgeniy Korotchenko and Nikolay Plotnikov concluded in 1993:
“We are now seeing a tendency toward a
shift in the center of gravity away from
traditional methods of force and the means
of combat toward non-traditional methods,
including information. Their impact is
imperceptible and appears gradually…
Thus today information and information
technologies are becoming a real weapon.
A weapon not just in a metaphoric sense
but in a direct sense as well.”
Two Aspects of Parity and Defense
Sufficiency (1993)
Russian Admiral V.S. Pirumov
"... that a war's main objective, shifting
away from seizure of the opponent's
territory and moving towards
neutralizing his political or military-economic potential - eliminating a
competitor - and ensuring the victor's
supremacy in the political arena or in
raw materials and sales markets.”
General Viktor Samsonov, Chief of the Russian General Staff, stated on 23 Dec 1996:
“The high effectiveness of ‘information warfare’
systems, in combination with highly accurate
weapons and ‘non-military means of influence’
makes it possible to disorganize the system of
state administration, hit strategically important
installations and groupings of forces, and affect
the mentality and moral spirit of the population.
In other words, the effect of using these means
is comparable with the damage resulting from
the effect of weapons of mass destruction.”
Developments to this doctrinal understanding have evolved in the 90’s with the dynamism of the information era
I. Today, information warfare doctrine has expanded to include the target country's information systems, communications networks and economic infrastructure. The role of intelligence services accelerated these developments. Lessons that US and coalition forces learned about information warfare operations during the first Gulf War also contributed to these developments.
II. Cyberspace has clearly emerged as a dimension to attack
an enemy and break his "will" to resist. This is an extension
of the traditional Soviet intelligence “Active Measure”
doctrine. Active Measures are an array of overt and covert
techniques for influencing events and behavior, and the
actions of targeted foreign countries.
Information age technologies have created a
new cyberspace environment in which to
conduct warfare.
Russia's response to the information age highlights the
potential for challenges to the existing military balance and
global security. This was brought vividly home during the 5
Day Russian Georgian War.
Countries around the globe are increasingly vulnerable to information warfare as dependence on cyberspace and social networking expands. The gap between the emerging information age environment and the doctrine, capabilities and strategies for defending against and prosecuting information warfare is now being confronted globally.
Tectonic shift in military affairs:
6th Generation warfare will change the laws of
combat and the principles of military science
1. The Russians foresee an impending sixth generation of information warfare technology as giving cyber warfare the potential to inflict decisive military and political defeat on an enemy at low cost and without occupying enemy territory.
2. Thinking of the enemy as a system is the basis for understanding how cyberspace could be exploited in warfare.
Psychological Operations and
Information Warfare
1. According to Russian military scientists, new weapons will exert a deep influence on the methods, ultimate objectives and definitions of victory in future wars.
2. The use of new information and cyber weapons will be directed primarily at achieving the most important political and economic objectives without direct contact of the opposing forces and without armed combat.
3. These weapons and techniques are designed to destroy the state and societal institutions, create mass disorder, degrade the functioning of society, and ultimately cause the collapse of the state.
CYBERWAR
The New “Active Measure”
1. Intelligence subunits of the new cyber military are involved in preparing and conducting psychological operations that reinforce the actions of sabotage and reconnaissance units, military intelligence and public information services during combat operations.
2. The organization of such operations is regulated by special directives and manuals developed by military and intelligence services.
3. These CYBER PSYOPS support combat operations both in the preparatory period and during combat.
Russian Cyber Warfare Doctrine also
addresses the optimum time to strike.
Prior to an “information strike”, all targets
should be identified (including enemy
information systems), enemy access to
external information should be denied,
credit and monetary circulation should be
disrupted, and the populace should be
subjected to a massive psychological
operation--including disinformation and
propaganda.
The New Age of Cyber
Warfare
• A criminal network runs unchecked,
controlling HUNDREDS OF THOUSANDS
of computers, and running servers in
Russia, China, Turkey, Hong Kong,
Malaysia, Ukraine, Netherlands, and even
the United States
• This network is a loaded gun, which can be
pointed and fired at any network resource
to please the politics and ideologies of its
masters.
The future is Now---Cyber Defense and Security
• Careers in cyber security and defense offer
a stable growth track with tremendous job
prospects, especially in the Washington
area.
• Billions will be spent to defend our new Web 2.0 government
• Cyber security positions in both the civilian and government sectors will increase