Cyber Crime
EMERGING CYBER CRIME TRENDS
March 17, 2006
by Kenneth G. McGuire
Supv. Special Agent, FBI
Topic Overview
1. Current Security Threats & Cases
2. Cyber Crime Incident Handling
3. Working With Law Enforcement
Security Threats & Cases
1. TYPES OF PERPETRATORS
2. INTERNET FRAUD – Identity Theft, Phishing Schemes, Remailer Schemes
3. COMPUTER INTRUSIONS & DISRUPTIONS –
   1. RATs (Remote Access Trojans),
   2. Extortion by DDoS (distributed denial of service),
   3. “Hacker for Hire” Investigation,
   4. Wireless Networks Concerns
4. INTELLECTUAL PROPERTY RIGHTS CRIMES – Warez/Movie Servers, P2P
How Severe is the Threat?
(Slide graphic: perpetrator types ranked along a vertical “THREAT” scale, highest first)
•Professional Cyber Criminals & Terrorists (hard to detect)
•Disgruntled Employees
•Competitors
•Hacktivists
•Script Kiddies (Advertises Actions)
Identity Theft
•Growing sophistication of phishing emails
•Exploitation of Banking System
•Keystroke Loggers deployed by worms
•Exploding International Market for Stolen Credit Card Databases and Identity Data
•FTC - $50B lost in Identity Theft in 2003
•300M man-hours devoted to repairing damage caused by this theft
Phishing Examples
(Four slides of phishing screenshots; two are labelled “MIRRORED WEB SITE”)
Growing Trends
•Overall increase in sophistication by a geographically diverse criminal element
•Virus/Worm Payloads Used to Facilitate Intrusion/Fraud Schemes
•Mercenary Distributed Denial Of Service Attacks
•Extortion Schemes Fueled by DDOS and Intrusion
•Spamming used to spread malicious payloads, phish, and pay using adware/malware, spyware
•Identity Theft Underpins Most Computer Crime
Example of a Carder Site
Banking and Brokerage Account Compromise
•Internet Worms propagate keystroke logger in payload to steal account usernames & passwords
•U.S. citizens recruited to wire proceeds of cashed counterfeit checks for 30% fee
•Internet purchase funds first transmitted to other U.S. accounts, then to the Eastern bloc.
Remailer Schemes
World’s Largest Computer Equipment Supplier
•A union of computer intrusion and wire fraud
•Subjects have placed at least $10M in fraudulent orders
•Subjects use work-from-home web sites to recruit unwitting U.S. participants
•11 convictions to date in the U.S., at least a dozen to follow
REMOTE ACCESS TROJANS (RATs)
•HACKER versions – Subseven, Backorifice, Netbus
•Sometimes contained in email or program downloads, e.g. P2P programs like Kazaa
•COMMERCIAL PROGRAMS – GotomyPC, PC Anywhere, Laplink
•OPERATING SYSTEMS PROGRAMS – Telnet, ftp, Secure Shell (SSH), rlogin
Trojans and RAT’s
Sub-Seven Screen Capture (1999 version)
Trojans and RAT’s
Sub-7 v2.2 Gold
Below is a partial list of what Sub7 can do.
•Monitor ALL of your online activity (purchases, chat, mail)
•Open Web Browser to specified location
•Restart Windows
•Reverse Mouse buttons
•Delete ANY of your files
•Put ANY file on your computer
•Record your passwords
•Record your Keystrokes (on and off-line)
•Open/Close your CD-ROM drive
•Print Documents
•Change screen resolution
•Change Windows colors
•Change Volume
•Change Desktop wallpaper
•Play sound files
•Play voice (using a Text to Speech engine)
•Turn off the speakers
•Change time/date
•Update itself with a newer version
Trojans and RAT’s
Sub-Seven Screen Capture
When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven). Then it unpacks a single DLL file to the Windows System directory - WATCHING.DLL (some versions don't do this).
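The slide's description of where SubSeven drops its files gives a defender two handles: the fixed file names it lists, and the fact that a copy made "with the original name of the file it was run from" will not match any name list at all. The following is an added example (not from the presentation and not FBI tooling) of a check that uses both: it matches the listed names and, separately, flags any executable in the Windows directories that is absent from a known-good baseline. The baseline, the directory snapshot and the executable-suffix list are constructed assumptions for the demonstration.

```python
"""Detection check for the SubSeven drop files described on the slide.

Added example; the directory snapshot and baseline below are constructed, not
taken from a real host. Two findings are produced:
  - a file whose name is one of the SubSeven names quoted on the slide;
  - an executable in the Windows directories that is not in the baseline, which
    is how a copy dropped under an arbitrary name can still be noticed.
"""
from typing import Iterable, List, Set, Tuple

# File names quoted on the slide (they vary between SubSeven versions).
SUBSEVEN_NAMES = {
    "server.exe", "kernel16.dl", "rundll16.com",
    "systemtrayicon!.exe", "window.exe", "watching.dll",
}

# Hypothetical known-good baseline for the monitored directories (assumption).
BASELINE: Set[str] = {
    r"c:\windows\explorer.exe",
    r"c:\windows\notepad.exe",
    r"c:\windows\system\user.exe",
}

# Suffixes treated as executable content (assumption; ".dl" covers KERNEL16.DL).
EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".dl", ".scr")


def normalize(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.strip().lower().replace("/", "\\")


def basename(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[-1]


def check_snapshot(paths: Iterable[str], baseline: Set[str] = BASELINE) -> List[Tuple[str, str]]:
    """Return (normalized_path, reason) for every suspicious entry, in input order."""
    findings = []
    for raw in paths:
        path = normalize(raw)
        name = basename(path)
        if name in SUBSEVEN_NAMES:
            findings.append((path, "known SubSeven file name"))
        elif name.endswith(EXECUTABLE_SUFFIXES) and path not in baseline:
            findings.append((path, "executable not in baseline"))
    return findings


# Constructed directory snapshot used for the demonstration.
SAMPLE_SNAPSHOT = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\KERNEL16.DL",          # name from the slide
    r"C:\WINDOWS\SYSTEM\WATCHING.DLL",  # DLL unpacked to the System directory
    r"C:\WINDOWS\funnypic.exe",         # copy under its original name: caught by baseline diff
    r"C:\WINDOWS\win.ini",              # not executable, ignored
]

if __name__ == "__main__":
    for path, reason in check_snapshot(SAMPLE_SNAPSHOT):
        print(f"{reason:28s} {path}")
```

The baseline comparison is the part that matters in practice: a name list only catches the variants that happen to use those names, while an unexplained executable in a system directory is worth a look regardless of what it is called.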
Walter Wiggs
• Former USMC Scout Sniper Instructor
• Violent Criminal History
• Georgia Resident
• Software Engineer for a Manhattan Beach Telecommunications Company
Walter Wiggs
• Employment Terminated
• Disabled telecommunication systems across the country
• Caused a disruption in the Los Angeles County Child Protective Service Hotline over July 4, 2003
• Arrested in August 2003
Extortion By DDOS
• Hiring hackers to create distributed denial of service (DDOS) attacks
• Look for use of P2P instead of IRCds
(Slide diagram: ECHOUAFNI – CYBERSLAM – WALKER – Victims)
Jeanson James Ancheta, aka ResiLi3nt
Using a botnet to send spam.
1. A botnet operator sends out viruses or worms, infecting ordinary users' Windows PCs.
2. The PCs log into an IRC server or other communications medium.
3. A spammer purchases access to the botnet from the operator.
4. The spammer sends instructions via the IRC server to the infected PCs....
5. ... causing them to send out spam messages to mail servers.
• Hacker pleads guilty to building, renting attack network
• FBI report estimates viruses, worms & Trojan programs cost U.S. organizations $11.9 billion each year.
• 20-year-old hacker living w/ mother in Downey
• Prev. Criminal larceny conviction
Jeanson James Ancheta, aka ResiLi3nt
• Sold botnets of 100 to 500 computers for $150 to $500
• Infected >400,000 computers installing toolbars for click fees, made $61,000 as affiliates of Loudcash and Gammacash
• Hacked China Lake Naval Weapons Center computer – Not Classified
• 1/23/06 Pled Guilty to 4 of 17 counts in 11/05 indictment
• Sentencing May 1, 2006
Brian Tinney
• Professional Burglar
• Created fictitious computer company in Las Vegas
• Created fictitious escrow company in San Francisco
• Ordered $600,000 in high end computer equipment from suppliers around the U.S.
Steven-William:Sutcliffe
• Global Crossing Employee
• Sovereign Citizen Adherent
• www.killercop.com
• Web Terror Campaign
• Posted all employee SSN’s, home addresses, telephone numbers, residence maps
• Death Threats
• Arrested in New Hampshire
“UCC-207” “All Rights Reserved”
Countermeasures
• Practice good computer security
• Invest in a personal shredder
• Examine your credit report annually
• Scrutinize credit card statements
• 1-888-5-OPTOUT (1-888-567-8688)
• Use caution supplying wire transfer info
• Be alert to anomalous personal info requests
• http://www.consumer.gov/idtheft/
Wireless Security Concerns
1) Availability of free WAP detection and logging tools like Netstumbler and Kismet
2) War Driving – where individuals drive (or walk) around to find unprotected and accessible WAPs
3) Consumers and even system administrators fail to configure their systems adequately
Wireless Security Measures
1. Uses 128-bit encryption – Wireless Encryption Protocol or Wireless Equivalency Protection (WEP)
2. WEP’s poor implementation of the algorithm caused it to be broken, and the break is available to hackers.
3. Replacement for WEP called WiFi Protected Access (WPA) not widely implemented.
4. WEP is not configured out of the box and therefore is not protecting the system.
5. When WEP is configured by the owner, the default password is used – ADMIN
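The two wireless slides amount to a short audit checklist: is encryption on at all, is it still WEP rather than WPA, and has the access point's administrative password been changed from the default. The following is an added example (not from the presentation) that applies that checklist to a list of access-point records. The record fields (`ssid`, `encryption`, `admin_password`) and the inventory itself are constructed assumptions; the only default password taken from the slide is "ADMIN", the other entries in the default list are assumed.

```python
"""Audit access-point settings against the wireless slides' checklist.

Added example. Each access point is a dict with the assumed fields
'ssid', 'encryption' ('none', 'WEP' or 'WPA') and 'admin_password'.
The sample inventory below is constructed for the demonstration.
"""
from typing import Dict, List

# "ADMIN" is the default named on the slide; the other entries are assumed.
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", ""}


def audit_access_point(ap: Dict[str, str]) -> List[str]:
    """Return the checklist items this access point fails (empty list = passes)."""
    findings = []
    encryption = ap.get("encryption", "none").strip().lower()
    if encryption == "none":
        findings.append("no encryption configured; the link is open (slide item 4)")
    elif encryption == "wep":
        findings.append("WEP in use; WEP is broken, move to WPA (slide items 2-3)")
    if ap.get("admin_password", "").strip().lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("administrative password is a default (slide item 5)")
    return findings


def audit_all(aps: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each SSID to its findings so the report can be sorted or filtered."""
    return {ap["ssid"]: audit_access_point(ap) for ap in aps}


# Constructed inventory: an unconfigured AP, a WEP AP, and a correctly set up one.
SAMPLE_APS = [
    {"ssid": "shop-floor",   "encryption": "none", "admin_password": "ADMIN"},
    {"ssid": "front-office", "encryption": "WEP",  "admin_password": "long-unique-passphrase"},
    {"ssid": "lab",          "encryption": "WPA",  "admin_password": "another-unique-passphrase"},
]

if __name__ == "__main__":
    for ssid, findings in audit_all(SAMPLE_APS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ssid:14s} {status}")
```

The "lab" record is the corrected configuration the slide is asking for: WPA on, default credential replaced. An inventory like this is cheap to keep and removes the guesswork the war-driving slide describes attackers relying on.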
Preventing Disgruntled Employee Problems
• Terminating System Access BEFORE TERMINATED EMPLOYEES ARE WALKING OUT THE DOOR
• Well Documented and Proliferated Non-Disclosure and Authorized Activity Agreements/Notifications
• Review Adequate Logging/Tracking
• Enforce Your Rules
• PRACTICE EXERCISE – “RED TEAMING”
• BANNER during Log-in of company computers
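The Wiggs case and the first and third bullets above describe a concrete control: the account of a terminated employee must be disabled no later than the termination itself, and the logs should be checked for any access after that moment. The following is an added example (not from the presentation) that reconciles an HR termination list against the set of still-active accounts and then scans authentication log lines for logins after each termination time. The termination list, account list and the log format ("date time user action") are constructed assumptions.

```python
"""Off-boarding reconciliation: who is still active, and who logged in after termination?

Added example with constructed data. Two checks:
  - accounts_still_active(): terminated users whose accounts were never disabled;
  - logins_after_termination(): authentication events time-stamped after the
    termination, which the slide's "review adequate logging" bullet is about.
"""
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed HR feed: user -> time employment ended.
TERMINATIONS: Dict[str, datetime] = {
    "jdoe":   datetime(2006, 3, 10, 17, 0),
    "wsmith": datetime(2006, 3, 12, 9, 0),
}

# Constructed directory export of enabled accounts; wsmith should not be here.
ACTIVE_ACCOUNTS: Set[str] = {"aalvarez", "wsmith"}

# Constructed authentication log, assumed format: "YYYY-MM-DD HH:MM:SS user action".
LOG = """\
2006-03-10 16:45:00 jdoe login
2006-03-10 18:02:00 jdoe login
2006-03-12 08:30:00 wsmith login
2006-03-13 07:15:00 wsmith vpn-login
2006-03-13 09:00:00 aalvarez login
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, user, action); blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, action = line.split(" ", 3)
        events.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), user, action))
    return events


def accounts_still_active(terminations: Dict[str, datetime], active: Set[str]) -> List[str]:
    """Terminated users whose accounts are still enabled, sorted for stable output."""
    return sorted(user for user in terminations if user in active)


def logins_after_termination(terminations: Dict[str, datetime],
                             events: List[Tuple[datetime, str, str]]) -> List[Tuple[str, datetime, str]]:
    """Events by a terminated user that occurred after that user's termination time."""
    return [
        (user, ts, action)
        for ts, user, action in events
        if user in terminations and ts > terminations[user]
    ]


if __name__ == "__main__":
    print("still active:", accounts_still_active(TERMINATIONS, ACTIVE_ACCOUNTS))
    for user, ts, action in logins_after_termination(TERMINATIONS, parse_log(LOG)):
        print(f"post-termination {action} by {user} at {ts}")
```

Both checks are worth running on a schedule rather than once: the first catches the off-boarding step that was skipped, the second shows whether anything actually happened in the gap, which is exactly the evidence needed later if the case goes to law enforcement.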
CYBER CRIME INCIDENT HANDLING
1. Continuing Operations v. Preservation of Evidence
2. Identify the Incident Manager and Team – usually department heads or officers
3. Assess Systems Impaired and Damages
4. Review Adequate Logging/Tracking
5. Note Unusual Activities By Employees or on Computer Network
WORKING WITH LAW ENFORCEMENT
• Identify your LOSS, HARM, or DAMAGE – lost asset, revenues, expenses, repair cost
• Identify, Capture or Quarantine Electronic or Computerized Equipment, Logs and Files
• Maintain a “Chain of Custody” for Evidence
• Begin a written chronology of events
• Who may have to testify
• Identify one or two individuals to be your main point of contact with LEOs
• Alert Your General Counsel or Attorney
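"Preservation of evidence" on the incident-handling slide and "chain of custody" plus "a written chronology of events" on this one are the same discipline seen from the technical side: every item handed over is hashed at collection, every hand-off is recorded, and the record itself must be tamper-evident. The following is an added example (not from the presentation, and not a substitute for your counsel's or the agency's own evidence procedures) of a minimal custody log that does this: each entry carries the item's SHA-256, the actor, the action and the time, and is chained to the previous entry by hash so that later editing of an entry is detectable. The item names, actors and the "disk image" bytes are constructed.

```python
"""Tamper-evident chain-of-custody log with a chronology view.

Added example with constructed data. record() hashes the evidence bytes and
links the new entry to the previous one; verify_chain() recomputes every link;
verify_item() checks a later copy of the evidence against the hash taken at
collection; chronology() renders the written timeline the slide asks for.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def record(self, item_id: str, data: bytes, actor: str, action: str,
               note: str = "", when: Optional[datetime] = None) -> Dict[str, str]:
        """Append an entry; 'prev' links it to the previous entry's hash."""
        entry = {
            "item": item_id,
            "sha256": sha256_hex(data),
            "actor": actor,
            "action": action,
            "note": note,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["entry_hash"] if self.entries else "",
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash and link; False if anything was altered."""
        prev = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def verify_item(self, item_id: str, data: bytes) -> bool:
        """True if data still matches the hash recorded when the item was first logged."""
        first = next((e for e in self.entries if e["item"] == item_id), None)
        return first is not None and first["sha256"] == sha256_hex(data)

    def chronology(self) -> List[str]:
        """Written timeline, oldest first (ISO-8601 strings sort chronologically)."""
        ordered = sorted(self.entries, key=lambda e: e["time"])
        return [f'{e["time"]} {e["item"]}: {e["action"]} by {e["actor"]}' for e in ordered]


# Constructed evidence and hand-offs used for the demonstration.
SAMPLE_IMAGE = b"constructed disk image bytes, not a real image"


def build_sample_log() -> CustodyLog:
    log = CustodyLog()
    log.record("HDD-01", SAMPLE_IMAGE, "analyst A", "collected from workstation 12",
               when=datetime(2006, 3, 17, 9, 0, tzinfo=timezone.utc))
    log.record("HDD-01", SAMPLE_IMAGE, "analyst B", "received into evidence locker",
               when=datetime(2006, 3, 17, 11, 30, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log.chronology()))
    print("chain intact:", log.verify_chain())
```

The hash taken at collection is what lets everyone downstream, including whoever "may have to testify", show that the copy examined is the copy seized; the entry chaining is what makes a quietly edited note visible rather than silent.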
WORKING WITH LAW ENFORCEMENT
• CRIMINAL LAWS THAT APPLY:
– ECPA (Electronic Communications and Privacy Act)
– 4th Amendment – Search & Seizure
– Interception of Communications (Wiretapping)
– Court Orders – FGJ Subpoenas, Search Warrants, Pen Registers, Trap & Trace Orders, 2703(d) Orders, Title 3 Orders
Prepare for Incident Response
• Have A Disaster Plan for Human-made and Natural Disasters
– Need some ideas? Try Risk Management Organizations - NIST.GOV, SANS.ORG
• Practice The Plan!
• Review The Plan Annually!
– Include contacts with law enforcement or disaster officials
SANS Top 7 Management Errors
• #7 Pretend the problem will go away if they ignore it.
• #6 Authorize reactive, short-term fixes so problems re-emerge rapidly.
• #5 Fail to realize how much money their information and organizational reputations are worth.
• #4 Rely primarily on a firewall.
• #3 Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed.
• #2 Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
• #1 Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
INFRAGARD PROGRAM
Contact
INFRAGARD COORDINATOR
Regina Miles-Canales
310-477-6565
Contact
Cyber Crime Supervisor
Ken McGuire
310.996.3854
kenneth.mcguire@ic.fbi.gov