Capabilities of Cyber-Terrorists - IT infrastructure and associated risks, Hypothetical situations...

NATO Advanced Training Seminar CYBER TERRORISM PREVENTION & COUNTERACTION Kiev, Ukraine September 27-29, 2010


NATO Advanced Training Seminar

CYBER TERRORISM PREVENTION & COUNTERACTION

Kiev, Ukraine September 27-29, 2010

About

Cristian Driga - Attorney at Law, Executive director at Computer Crime Research Centre (NGO), Romania

Main practice areas: Computer Crime & Electronic Evidence

Special interests: public policy, raising public & legal professionals awareness in the fields of computer security, computer crime and electronic evidence.

http://en.criminalitate.info http://www.driga.ro

[email protected]

CAPABILITIES OF CYBER-TERRORISTS

IT infrastructure and associated risks. Hypothetical situations and actual incidents

NATO Advanced Training Seminar – Kiev, Ukraine 2010

A world depending on computers

Computers and networks span all the critical sectors of our lives:

State and government, military, business and banking, health, transportation, etc.

Communications, life support systems and energy systems

The Internet as an invaluable source of information and as a global collaboration tool

Education and Research, Business, etc.

New roles for computers everyday

Technical advancement and miniaturization bring new roles for computers in our lives:

Computerized cars

Electronic national ID cards

Medical devices, including pacemakers

The Internet is becoming more and more the primary information carrier in all areas:

Phone conversations are moving to the web

The same goes for television and radio

...all inter-connected and communicating

IT infrastructure & Security

Confidentiality

Integrity

Availability

Authenticity

Our IT Infrastructure – Our Risks

No computer system is 100% secure

Intended usage vs. misuse

Technical risks:

Software related security problems

Hardware related problems

External risks:

Network connectivity

Service providers

Our IT Infrastructure – Our Risks

Internal risks:

Organizational policies

Insider threat

Complexity of technology and lack of education in operating IT in a security aware way

The politics: political and legal issues

Online safe-havens

Lack of uniform legislation and cooperation

Cyber-Terrorism?

Many definitions:

Politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage

Unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives

Cybercrime?

Also many definitions, but closer to a unified legal definition at the international level

Includes attacks against computers and networks to disrupt processing

Also includes an "espionage" part: illegally accessing computer systems and data and making unauthorized copies of private or classified data

Cybercrime or Cyber-Terrorism?

The only difference:

the intent of the attacker!

Their Infrastructure – Our Risks

Cybercrime is continuously evolving:

New and sophisticated tools

Successful infection and control of millions of computers

Proven attack, disruptive and espionage capabilities

Improved methods of avoiding tracing and justice

Their Infrastructure – The Network

The Internet:

As an information exchange medium between cybercriminals and as a training environment

As a medium for collaboration and for procuring tools to commit cybercrimes

As a carrier for the attacks and computer virus infections

As an anonymization tool

Botnets

Armies of civilian and institutional computers infected with trojan viruses capable of executing commands sent by the botmaster:

Stealing information (e.g. passwords, credit card information, etc.)

Providing remote access to the infected computer (and sensitive information)

Sending SPAM

Attacking other computers and networks

How are botnets controlled?

Various methods, difficult to trace and disrupt:

Listening to an IRC chat room on the Internet

Periodically reading certain Internet addresses

Listening to messages sent by the botmaster on social media sites like Twitter, etc.

Almost never contacted directly.
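The second control method above, a bot periodically reading a fixed Internet address for commands, leaves a recognisable trace on the defender's side: outbound requests to the same host at near-constant intervals. The following script is an added example, not material from the seminar; it parses a few constructed proxy log lines (the hosts example-c2.invalid and news.example are placeholders), groups requests by client and destination, and flags pairs whose request spacing is frequent and unusually regular. The thresholds min_requests and max_cv are assumptions chosen for the sample and would be tuned per network.

```python
"""Periodic-beacon detection over web proxy log lines (added example, not from the seminar).

Bots that poll a command address produce very regular outbound requests
to one destination. This script parses constructed proxy log lines,
groups them by (client IP, destination host) and flags pairs whose
inter-request intervals are both frequent and nearly constant.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample, one "timestamp client method url" line per request.
# 10.0.0.5 polls the same host about every 300 s (bot-like);
# 10.0.0.9 browses a news site at irregular, human-looking intervals.
SAMPLE_LOG = """\
2010-09-27T08:00:00 10.0.0.5 GET http://example-c2.invalid/cmd.php
2010-09-27T08:05:00 10.0.0.5 GET http://example-c2.invalid/cmd.php
2010-09-27T08:10:01 10.0.0.5 GET http://example-c2.invalid/cmd.php
2010-09-27T08:15:00 10.0.0.5 GET http://example-c2.invalid/cmd.php
2010-09-27T08:19:59 10.0.0.5 GET http://example-c2.invalid/cmd.php
2010-09-27T08:25:00 10.0.0.5 GET http://example-c2.invalid/cmd.php
2010-09-27T08:01:12 10.0.0.9 GET http://news.example/index.html
2010-09-27T08:01:40 10.0.0.9 GET http://news.example/story/1
2010-09-27T08:13:05 10.0.0.9 GET http://news.example/story/2
2010-09-27T08:47:51 10.0.0.9 GET http://news.example/story/3
2010-09-27T09:30:02 10.0.0.9 GET http://news.example/index.html
2010-09-27T09:30:30 10.0.0.9 GET http://news.example/story/4
"""


def parse_log(text):
    """Group request timestamps by (client IP, destination host), sorted in time."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        host = urlsplit(url).hostname
        groups[(client, host)].append(datetime.fromisoformat(ts))
    for times in groups.values():
        times.sort()
    return groups


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation) of consecutive requests."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    # Duplicate timestamps would give avg == 0; treat that as "not periodic".
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Flag (client, host) pairs contacted often and at near-constant intervals.

    Thresholds are assumptions for the constructed sample; tune them per environment.
    Returns a list of (client, host, mean_interval_seconds, cv).
    """
    hits = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append((client, host, avg, cv))
    return hits


if __name__ == "__main__":
    for client, host, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: every {avg:.0f}s (cv={cv:.3f}); review as possible command polling")
```

On the sample only the 10.0.0.5 to example-c2.invalid pair is flagged (mean gap 300 s, coefficient of variation well under 0.01), while the browsing client is not. Legitimate software also polls on fixed schedules (update checks, mail clients, monitoring agents), so a hit is a lead for an analyst to review against known-good destinations, not a verdict; the value of the check is that it works without any signature for the specific bot.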

Key asset for cybercriminals

AUTOMATION

Automatic infection

Common infection techniques:

Malicious code on regular web pages testing the visitor's browser for unpatched security holes; if a security problem is found, the trojan virus installs itself silently

Opening an infected file received through email from a friend's email address

Opening infected removable storage (a USB pen drive, for instance)

After infection...

Hide themselves in the operating system

Download and install other botnet components and malicious software

Record keystrokes, looking for:

Email account and Facebook account logins

E-banking account logins

Credit card numbers and associated data

Website access login information (FTP accounts) of people who own a web page

...all automated

Automation continued...

Delivery of captured information to the botmaster on special servers for exploitation (e.g. credit card fraud)

A recently improved ZEUS trojan version is capable of detecting and hijacking the e-banking session, checking the account balance and placing automatic transfer orders.

More automation...

Automatic login to E-Mail and Facebook accounts and sending apparently legitimate emails to friends and contacts to spread the infection

Infecting the web pages of the computer owner (using FTP account login to install exploit packs on the pages)

Famous botnets and exploit packs

Botnets: Rustock, Storm, Srizbi botnet, Conficker, Kraken, Cutwail, Mega-D, Nucrypt, etc.

Exploit Packs: Crimepack, Phoenix, Eleonore, Fragus, Siberia, Icepack, El Fiesta, Yes Exploit, etc.

Powerful and successful tools

Because of the automation of the whole process:

Ease of use

Millions of infected computers capable of acting as one giant super-computer

Millions of unprotected users visiting infected websites

Hard to trace the origins of an attack initiated by large numbers of computers all over the world

More reasons...

Lack of consistent minimal public education on using the computers and the Internet in a safe way

Lack of strong computer usage policies for employees in companies

Because of the existence of the so-called server safe-havens

Safe havens for cybercrime

Countries not willing to cooperate in bringing cybercriminals to justice

Insufficient national laws not able to criminalize such computer crimes

Botnets would hardly be possible without the servers that collect the data stolen and give commands to the bots

To solve this problem means international cooperation and unified legislation.

Politics at its best.

Money as the link...

In recent years a new trend has developed:

botnets for hire or rent

One can find on the Internet exploit kits and all the software needed to create one's own botnet

When lacking strong technical skills, one can hire or rent a botnet

Back to Cyber-Terrorism...

Botnet developers are in this business for money. If terrorists were to pay, they would have themselves a very powerful cyber-weapon.

Organized crime has the money for creating botnets but they might have other needs (safe routes for drugs, weapons, training, etc.) which terrorists are able to provide in exchange for hiring botnets.

Terrorists usage of botnets?

A terrorist group renting a botnet of millions of computers capable of heavily attacking critical infrastructure servers and bringing them down is a real threat

Renting a botnet and using it to collect credit card data to commit credit card fraud is a way of financing real-life terrorist activities

Actual incidents?

More evidence of large scale cybercrime related attacks than of cyber-terrorism incidents

Difficulties in attributing cyber-attacks to terrorists

However, there is plenty of evidence that terrorist groups are using the Internet to conduct their activities and become proficient in using IT

How long before an actual attack?

Reports

One US Congress report mentions Romanian hackers threatening to shut down the life support systems of the National Science Foundation's Amundsen-Scott South Pole Station – but the attack lacked political motivation

A hack into a Queensland, Australia sewerage system, heavily polluting rivers and parks – proof of devastating effect, but no political motivation

Estonia 2007 – likely to be a cyber-terrorist attack and surely an example of what could happen

Estonia 2007

Experts from the US and NATO helped in recovery and attempted to discover the source of the DDoS attacks

Evidence pointed to more than one source (some pointed to Russia and some to other countries)

No conclusive evidence about the original source – common opinion: botnets were used

Hard to trace and almost impossible to retaliate

Hypothetical situations

The Estonia incident showed that it is possible to paralyse even the web-related activities of states

Many daily life aspects take place in cyberspace and/or depend on IT

Various possible scenarios have been suggested, in which different critical infrastructure networks are disrupted by cyber-attacks

Economy related targets

Banks and international transactions

Stock exchange

Businesses and online commerce

May result in loss of confidence in the economic system

Transportation systems

From disruption of traffic lights systems in big cities

To interference with flight and train control systems

Would result in accidents and loss of lives, and would paralyse transportation

Energy supply systems

Electricity production and distribution

Gas supply

Water supply systems

Directly affecting the population

Other systems as targets

Military command and control

Emergency systems (112 or the US 911)

Healthcare IT infrastructure

Industrial processes

Experts say these scenarios are possible.

Cybercrime examples confirm the potential.

How do we make them impossible?

Thank you!

Cristian Driga - Attorney at Law, Executive director at Computer Crime Research Centre (NGO), Romania

Main practice areas: Computer Crime & Electronic Evidence

Special interests: public policy, raising public & legal professionals awareness in the fields of computer security, computer crime and electronic evidence.

http://en.criminalitate.info http://www.driga.ro

[email protected]