Title: Cyberterrorism
Slide 1: FEDERAL BUREAU OF INVESTIGATION, Cyber Division
Cyber Criminals: The Next Threat
Presented by SSA Terence B. Fisher, Atlanta FBI Squad C9
Slide 3: Presidential Decision Directive 62
- Identifies the FBI as the Lead Federal Agency in investigating terrorism in the United States and acts of terrorism against U.S. citizens and interests around the world (including intelligence and CT operations).
Slide 5: Terrorist Groups
Slide 6: Cost / Means of Attack (timeline chart with tick marks for 1945, 1955, 1960, 1970, 1975, 1985 and Today; the chart itself is not reproduced here)
Slide 8: Outage probe looks to single power line in Ohio
Slide 9: Cyber Attack Could Cripple Power
Slide 10: CERT Coordination Center
- In 2002, 82,094 incidents were reported
- In 2003, 137,529 incidents were reported
- Total incidents reported (1988-2003): 319,992
Slide 11: Atlanta Cyber Squad
- How does the FBI address computer crime and cyber terrorism matters?
- - Field offices and resident agencies
- - Legal attaché offices
- - Regional computer crime and infrastructure protection squads
- Primary mission of the Cyber Squad
- - Identify and warn of threats to critical computer systems
- - - Threats from terrorists
- - - Threats from criminals
- - Conduct criminal investigations
Slide 12: Other FBI Investigative Areas Related to Computers
- Computers used as tools in traditional crimes
- - Internet fraud
- - Identity theft
- - Child exploitation (Innocent Images)
- - Threats communicated via the Internet
- - Computer-based extortion schemes
- Focus today: insider threats in cyber crime
Slide 13: Terrorism Threats, Trends, Targets
- Terrorists are using our own systems against us
- - Aircraft: Pentagon/Twin Towers
- - Mail distribution network: Anthrax
- - Computers, e-mail: next step?
Slide 14: Trends in Cyber Crime
- Intrusions by insiders
- Economic espionage
- Juveniles involved in network intrusions
- Sophistication and complexity of crimes
- Activity by organized crime groups
Slide 15: New Vulnerabilities
- Computer attackers are opportunistic.
- They take the easiest and most convenient route and exploit the best-known flaws with the most effective and widely available attack tools.
- They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems.
- The vast majority of worms and other successful cyber attacks are made possible by vulnerabilities in a small number of common operating system services.
Slide 18: Computer Based Vulnerabilities
- Computer based
- - Poor passwords
- - Lack of appropriate protection, or improperly configured protection
- - Lack of comprehensive network security policies
- Network based
- - Unprotected or unnecessarily open entry points
- Email based
- - Lack of attachment filtering
- - Poor policy enforcement
- - Lack of adequate protection on WebMail applications for mobile employees
Slide 20: W32.Vote.B@mm
Slide 21: Wireless Networks
- Vulnerable to interception.
- 80% of corporate networks surveyed are accessible from outside their buildings
- Among those broadcasting confidential and sensitive information:
- - 66% of banks
- - 60% of financial services institutions
- - 100% of education institutions
- - 79% of IT companies
Source: Red-M Survey, June 2004
Slide 22: Data Breaches Hit 8.3 Million Records in First Quarter
- The Identity Theft Resource Center in San Diego said it tracked public reports of 167 data breaches in the first three months of this year.
Slide 23: How They Attack
- Threats today have become more complicated. They tend to use multiple vectors to spread, thus increasing their chances of infection. Once on the system, these threats tend to show little to no symptoms so they can survive undetected.
Slide 24: Shift in Virus Strategy
- Virus strategy is shifting to stealthy commandeering of PCs for money
- Last year 33 viruses caused massive amounts of damage; this year, 3
- Increase in Trojans: more in the first half of 2005 than in 2004
- It's really about being stealthy and silent, and stealing data, spamming, hosting malicious Web sites and phishing.
Slide 25: Banking in Silence
- Targeting over 400 banks and having the ability to circumvent two-factor authentication are just two of the features that push Trojan.Silentbanker into the limelight. The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis.
Slide 26: Screenshot of the bank login form as viewed on a clean machine (image not reproduced)
Slide 27: Screenshot of the same form as presented to an infected user; the input box added by the Trojan is marked in red (image not reproduced)
Slide 28: Other Features of the Trojan
- If a transaction can occur at the targeted bank using just a username and password, the Trojan will take that information. If a certificate is also required, the Trojan can steal that too; if cookies are required, the Trojan will steal those. In fact, even if the attacker is missing a piece of information needed to conduct a transaction, extra HTML can be added to the page to ask the user for that extra information.
Slide 29: Silent Banker (cont.)
- When instructed, the Trojan can also redirect users to an attacker-controlled server instead of the real bank in order to perform a classic man-in-the-middle attack. Currently only one bank is targeted in this way; however, recent updates to the Trojan change the user's DNS settings to point to an attacker-controlled server. Using this technique the Trojan can start redirecting any site to an attacker site at any time. This feature could also mean that if the Trojan is removed but the DNS settings are left unchanged, the user may still be at risk.
Slide 31: All veterans at risk of ID theft after data heist
A long-time analyst at the massive federal agency was blamed for the theft of 26.5 million Social Security numbers after he took home sensitive data and his home was burglarized.
Slide 32: Who is Responsible?
- Businesses: 36 percent of the breaches
- Schools and universities: 25 percent
- Government and military: 18 percent
- Medical and health: 14 percent
- Financial institutions: 7 percent
Slide 33: RIM BlackBerry Vulnerabilities
- The vulnerabilities could allow an attacker to execute arbitrary code on, or cause a denial of service to, the BlackBerry Attachment Service. An attacker could also cause a denial of service to the BlackBerry Router or the web browser on BlackBerry Handheld devices.
Slide 34: First 4 Internet XCP (Sony DRM) Vulnerabilities
- The XCP copy protection software uses "rootkit" technology to hide certain files from the user.
Slide 35: 13 Percent of Data Breaches Were the Result of Hacker Break-Ins
- Most of the data breaches this year appear to have resulted from lost or stolen laptops, hard drives, or thumb drives.
Slide 36: EXE2HTML HTA Exploit Generator
Slide 37: Warning Signs
Over the last two months, I have noticed irregular scanning patterns and activity coming from the People's Republic of China. 24/7.
- Time, Event, Intruder, Count, Origin
- 8/11/2003 9:54:20 PM, TCP_Probe_MSRPC, 218.1.220.194, 1, China
- 8/11/2003 9:49:40 PM, UDP_Probe_Other, 218.87.86.104, 4, China
- 8/11/2003 9:48:23 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
- 8/11/2003 9:46:40 PM, TCP_Probe_MSRPC, FRONTEND2BDC, 2
- 8/11/2003 7:54:13 PM, UDP_Probe_MSRPC, 218.15.192.64, 1, China
- 8/11/2003 7:16:09 PM, Application Terminated, 0.0.0.0, 1
- 8/11/2003 7:15:40 PM, Application Terminated, 0.0.0.0, 1
- 8/11/2003 6:54:51 PM, TCP_Probe_MSRPC, JASON-AJO1YLXZG, 1
- 8/11/2003 6:46:20 PM, TCP_Probe_MSRPC, WSPINOTBLANC, 1
- 8/11/2003 6:44:19 PM, TCP_Probe_MSRPC, SCANNER, 1
- 8/11/2003 6:19:12 PM, UDP_Probe_Other, 218.87.86.104, 5, China
- 8/11/2003 6:17:53 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
- 8/11/2003 6:14:56 PM, UDP_Probe_Other, 218.15.192.64, 1, China
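As an added example (not part of the original presentation), the Python script below parses rows in the layout of the slide's event table and totals probe hits per external source, so that a repeat scanner such as 218.87.86.104 stands out from one-off probes, internal hostnames and local "Application Terminated" events; the comma-separated row format and the alert threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Sample IDS rows in the layout of the "Warning Signs" slide
# (time, event, intruder, count, origin); the values are the slide's own,
# the comma-separated line format is reconstructed for this example.
EVENTS = """\
8/11/2003 9:54:20 PM, TCP_Probe_MSRPC, 218.1.220.194, 1, China
8/11/2003 9:49:40 PM, UDP_Probe_Other, 218.87.86.104, 4, China
8/11/2003 9:48:23 PM, UDP_Probe_MSRPC, 218.87.86.104, 1, China
8/11/2003 9:46:40 PM, TCP_Probe_MSRPC, FRONTEND2BDC, 2,
8/11/2003 7:54:13 PM, UDP_Probe_MSRPC, 218.15.192.64, 1, China
8/11/2003 7:16:09 PM, Application Terminated, 0.0.0.0, 1,
8/11/2003 6:19:12 PM, UDP_Probe_Other, 218.87.86.104, 5, China
8/11/2003 6:14:56 PM, UDP_Probe_Other, 218.15.192.64, 1, China
"""
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_events(text):
    """Split each row into a dict; a missing trailing origin becomes ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        fields += [""] * (5 - len(fields))
        time, event, intruder, count, origin = fields[:5]
        rows.append({"time": time, "event": event, "intruder": intruder,
                     "count": int(count), "origin": origin})
    return rows

def summarize_probes(rows):
    """Total probe hits per external IPv4 source and the probe types seen.
    Local events (Application Terminated, 0.0.0.0) and internal hostnames
    such as FRONTEND2BDC are skipped so they do not inflate the counts."""
    totals, kinds = Counter(), defaultdict(set)
    for r in rows:
        if "_Probe_" not in r["event"]:
            continue
        if not IPV4.match(r["intruder"]) or r["intruder"] == "0.0.0.0":
            continue
        totals[r["intruder"]] += r["count"]
        kinds[r["intruder"]].add(r["event"])
    return totals, kinds

def repeat_scanners(rows, threshold=3):
    """External sources whose summed probe count reaches the threshold."""
    totals, _ = summarize_probes(rows)
    return sorted(ip for ip, n in totals.items() if n >= threshold)
```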
Slide 38: What can be done to prevent an electronic terrorist attack?
- Public/private interaction
- Effective use of intelligence gathered from all sources
- Continued enhancement of resources
- Computer security and awareness training
- Continuing education regarding terrorist trends and methodologies
- Perpetual readiness to defend against attacks
Slide 39: Planning for Computer Intrusions
- Develop a Cyber Crisis Management Team
- Ensure preventive technologies are in place
- Ensure policies are in place for tracing and documenting intrusions
- In-depth understanding of how to leverage Federal legislation, such as the USA PATRIOT Act and the CAN-SPAM Act of 2003
Slide 40: Responding to a Computer Intrusion
- Completed crime?
- - Trace the intruder's actions
- - Preserve evidence
- Continuing crime?
- - Disconnect / stay connected
- - Trace the intruder's actions
- - Confront / ignore the intruder
- - Preserve evidence
Slide 41: Conclusion
- Our national security, databases, and economy are extremely dependent upon automation.
- Therefore, there exists a target-rich environment for those who would do harm via the Internet.
- Our critical infrastructures require joint private/public efforts to protect them.
Slide 42: What is InfraGard?
- Network of individuals interested in cyber and physical security issues
- Government / law enforcement alliance with the private sector
- System of formal and informal channels for the exchange of information about infrastructure threats and cyber vulnerabilities
Slide 43: InfraGard Membership
- Representatives from private industry, government agencies, academic institutions, and state and local law enforcement
- Membership requirements
- - Confidentiality pledge
- - Commitment to actively participate
- - Membership agreement
- No membership fee charged by the FBI
Slide 44: Cuckoo (from The Cuckoo's Egg by Cliff Stoll)
- Lays eggs in other birds' nests
- Other birds raise her young
- Survival of the cuckoo depends on the ignorance of others
- Survival of the hacker depends on our ignorance
Slide 45: QUESTIONS?
- Terence B. Fisher, Supervisory Special Agent
- FBI, Atlanta, Georgia
- (404) 679-9000
- Tfisher@fbi.gov