Technological Crime

Slide 2: Who Are We?
The Royal Canadian Mounted Police is the Canadian national police service. We are an agency of the Ministry of Public Safety Canada. The RCMP is a national, federal, provincial and municipal policing body. We provide federal policing services to all Canadians and policing services under contract to the three territories, eight provinces (all except Ontario and Quebec) and more than 200 municipalities and 600 Aboriginal communities.

Slide 3: Technological Crime mandate
Investigate Pure Computer Crimes
• Criminal offences detailed in OM.IV.1
• Primarily unauthorized access and mischief to data
• CIP mandate
Computer Investigative Support to Technologically Facilitated Crimes
• Any traditional crime assisted by information technologies
• Search, seizure and analysis of digital evidence

Slide 4: Service Delivery Structure (organization chart; units as listed on the slide)
RCMP Technological Crime Program
• Technological Crime Branch
• Program Management Support Services
• Policy and Program Support
• Operations Support
• Integrated Cyber Analysis Team
• Operations Coordination and Liaison
• Technical Support Services
• Technical Analysis Team
• Forensic Utilities Research Team
• Senior Technical Advisor
• Network and Information Operations Team
• Integrated Technological Crime Units

Slide 5: The Cyber Crime Threat
• Why is it a problem?
• What is the nature of it?
• How is it evolving?
• What are our most successful techniques in combating this threat?

Slide 6: Cost and Means of Attack (chart; image not recoverable)
Axes: Cost of Capability; Availability of Capability. Timeline labels: 1945 invasion; 1955–1960 strategic nuclear weapons; 1970 ICBM / SLBM; 1975 cruise missiles; 1985 precision guided munitions; today computers. Source: SA Robert Flaim, FBI.

Slide 7: Why is it a problem?
• Transnational nature of the Internet = vulnerability
• Anonymous access to infrastructures via the Internet and SCADA
• Interdependencies of systems make attack consequences harder to predict and more severe
• Malicious software is widely available and does not require a high degree of technical skill to use
• More individuals with malicious intent on the Internet
• New cyber threats outpace defensive measures

Slide 8: Why is it a problem?
• The threat lies not merely in the value of the data compromised, stolen or altered, but in the nature of an attack. Example: the damage from a cyber attack is usually much greater than the resources needed to carry it out.
• Attacks are aided by the anonymity, openness, connectivity and speed of the Internet.
• Ramifications include loss of confidence in the systems that form our national core.

Slide 9: Cyberthreats
• Due to the nature of globally interconnected networks, cyber attacks can be launched from anywhere in the world, with rapid cascading effects in multiple jurisdictions.
• The extent of the cyber threat ranges from individuals and organizations to national security.
• Estimates show that as few as 5% of cybercriminals are caught and convicted.*
*Source: McAfee North America Criminology Report: Organized Crime and the Internet, 2007

Slide 10: Cyberthreats
• Attacks against individuals often fall into two categories: malicious software and social engineering.
• Malicious software attacks compromise home and small business computers. Once infected, the malicious code harvests personal data while the user is online.
• Social engineering attacks are aimed at home users and try to trick them into revealing sensitive personal information, such as bank logins and credit card details.

Slide 11: Cyberthreats
• Criminals are also targeting corporate networks to steal information, usually financial data, held in customer databases.
• Successful hacking attacks on businesses can yield huge amounts of personal information, which can then be easily exploited.
• Since the possibility of attack is great and the number of attackers is essentially limitless, without a defensive strategy all users are potentially vulnerable over the Internet to criminals worldwide.

Slide 12: Sophistication of Cybercrime
• Simple Unstructured: individuals or groups working with little structure, forethought or preparation
• Advanced Structured: groups working with some structure, but little forethought or preparation
• Complex Coordinated: groups working with advance preparation and with specific targets and objectives

Slide 13: Attack Sophistication vs Intruder Knowledge (chart; image not recoverable)
Axes: attack sophistication (low to high) against intruder knowledge (high to low), plotted over a timeline of 1980, 1985, 1990, 1995, 2000 and beyond. Attack types labelled on the chart: password cracking, burglaries, vulnerability exploitation, computer virus, session hijacking, sniffers, audit blocking, GUI attacks, back door exploitation, denial of service, scanners, packet spoofing, cross site scripting, automated probes/scanners, WWW attacks, stealth / advanced scanners, auto coordinated, staged distributed attack tools, zero-day. Source: Carnegie Mellon University.

Slide 14: Threats and Capabilities (chart; image not recoverable)
Actors plotted against THREAT and CAPABILITY axes: Cyberwar, Foreign Intelligence, Terrorists, Organized Crime, Competitors (Foreign & Domestic), Organized Hacker Groups, "Hacktivists", Real Hackers, Script Kiddies.

Slide 15: Vulnerability Exploit Cycle (cycle diagram)
• Intruder discovers new vulnerability
• Crude exploit tools developed
• Novice intruders use the crude exploit tools
• Automated scanning / exploit tools developed
• Widespread use of automated scanning / exploit tools
• Intruders begin using new types of exploits (and the cycle repeats)
Source: Carnegie Mellon University

Slide 16: What is the nature of the threat?
Technical Threats
• How IT systems are configured and deployed (speed and convenience vs. security)
• Some systems are highly vulnerable until the worst bugs in the software have been reported and corrected, which creates a window of opportunity for criminals to exploit them.
• Blended threats: botnets, malware, viruses, etc.

Slide 17: How is the threat evolving?
• The race between criminals to exploit data and systems before security measures protect them or law enforcement catches them.
• Blended threats are expected to increase, especially within the following areas:
  - Exploitation frameworks and rootkits
  - Botnets, Trojan-horse malicious code
  - Increasingly sophisticated attacks
  - Wireless devices
  - Zero-day exploits
  - ID theft (phishing)
  - "High-yield" investment offers

Slide 18: How is the threat evolving?
• Blended threats, continued:
  - Online "419" schemes
  - Electronic billing fraud
  - Online auctions / non-delivery of goods
  - Targeted attacks
  - Hackers
  - Child exploitation
  - SCADA (Supervisory Control and Data Acquisition)
  - Exploiting process/software vulnerabilities for cash

Slide 19: How is the threat evolving?
Financially Motivated Cyber Crime
• Digital currency (theft / layering stage of the money laundering process)
• Legislation
• Anonymous
• Borders
• Internet payment systems
• Online banking
• Online casinos
• Pre-paid credit cards

Slide 20: Internal & External Drivers
• Emerging third generation of convergent communications device technologies
• Increased criminal use of the Internet
• Increased public use of technology = increased demand for analysis
• Enhanced use of security products and services
• Capacity/proliferation of devices with increasing storage capabilities and continually shrinking electronic footprints (encryption and compression)
• Development of new technologies (VHS vs. DVR)

Slide 21: Internal & External Drivers
• Complex tracking of identification and transactions
• Jurisdiction: nonexistent or differing laws
• Speed of cooperation and information sharing
• Private sector concerns regarding privacy, shareholders and solutions
• Large-scale investigations with multiple sites and suspects, which can also cross international borders

Slide 22: Most Successful Techniques
Sharing information between government agencies, the private sector and the public
• Canadian Cyber Incident Response Centre (CCIRC)
• Cybertip.ca portal
• Phonebusters
• Strong networking / relationship building with our partners
• Leveraging partnerships: maximizing potential, minimizing duplication
• NRCan, Bell Security Solutions, ARIN
• Combining efforts to combat cyber crime
• Cyber Crime Council
• Locally, provincially, nationally and internationally
• G8 HTC Sub-Committee, CACP E-Crimes, etc.

Slide 23: Most Successful Techniques
• Focused enforcement strategies
• Integrated policing
• Sharing of tools, techniques and/or best practices
• Enhancing our communications strategy, internal and external
• Continuous development: employees, tools and techniques
• Continuously looking to the future to identify trends and technology
• Prevention and public education

Slide 24: How can you help?
• Observe
• Identify
• Notify
• Partner
= positive impact

Slide 25
In ever-increasing numbers, Canadians are embracing the Internet. Only by working in partnership can we achieve the goal of making the Internet a safe community for Canadians.

Slide 26: Contact
Insp. Carole Bird
OIC Program Management Support Services
Technological Crime Branch
Royal Canadian Mounted Police
(613) 990-1353
Carole.Bird@rcmp-grc.gc.ca