Profile of the World’s Top Hackers: Mafiaboy

Upload: lumension

Post on 20-Aug-2015


TRANSCRIPT

Page 1: Profile Of The Worlds Top Hackers Webinar Slides 063009

Profile of the World’s Top Hackers: Mafiaboy

Page 2

Agenda

• The New Threat Landscape

• Insider’s View of Cybercrime

• Evolution of Hacker Techniques

• Changing Motives and Targets

• Impact on Businesses and Governments

• Steps to Reducing the Threat of Attack

Page 3

Panelists

Paul Henry, Security and Forensics Analyst, Lumension

Byron Acohido, Investigative Reporter and Author of Zero Day Threat

Michael Calce, a.k.a. Mafiaboy

Page 4

The New Threat Landscape

Page 5

Pogo Plug – Backdoor in a Box

• Allows anything connected via USB to be easily shared across the Internet

» Hard drive

» Ethernet adapter

» Wireless adapter

Page 6

Pogo Plug – Backdoor in a Box

• Yes, there are a few good uses, but… Pogo Plug demonstrates the need to re-evaluate outbound access on ports 80/443

Page 7

Business Is Good For The Bad Guys

• Companies in the US, UK, Germany, Japan, Brazil, India and Dubai lost $4.6 billion in intellectual property last year

» And spent $600M on repairing the damage

• Global damage from data loss will exceed $1 trillion

» This is more than the cost to fix the global recession

• 98% of those polled in a recent survey reported a tangible loss due to cybercrime

Page 8

Annual Reported Vulnerabilities

[Bar chart: annual reported vulnerabilities, 1996–2008; y-axis 0–7,000. Bar labels in year order, with the split reconstructed from the extraction: 24, 75, 251, 243, 790, 1015, 1672, 1963, 1289, 2372, 4894, 6704, 5633. Source: National Vulnerability Database]

• It is common knowledge that you can eliminate 90% of your risk by applying patches in a timely manner

Page 9

Obfuscation Changes The Game

Page 10

Total Sample Growth

Page 11

No One’s Fault But Our Own

Page 12

Botnet Growth Continues

Page 13

Black Market

Page 14

Prices Have Fallen In 2009

Page 15

Going Inside the Mind of the Cybercriminal

Page 16

Mafiaboy’s Distributed Denial-of-Service (DDoS)

Author: Michael Calce, 15

» St. Raphael Country Club

Botnet used in denial-of-service attack

» Yale, Harvard servers botted

» CNN, Yahoo, Amazon, Dell, Excite, E-Trade attacked

Estimated $1.7 billion in damages

‘Mafiaboy’ hacker jailed – September 13, 2001

Page 17

How it All Started

Excerpt from “How I Cracked the Internet and Why It’s Still Broken”

“…Someone knocked me offline by hitting me with so much data that my connection was severed. These punters seemed to have a huge amount of power over others on AOL. I was intrigued that an individual was able to “attack” someone else, regardless of the distance between them, using the internet. It seemed like harmless fun, almost a practical joke. The people punted off could simply sign on again and rejoin the chat room. Nobody got hurt. I wanted to punt someone. Badly.

… That’s when my real hunt for AOL hacking tools started. Once I found that first application, I stumbled across more and more. They were each brilliant in their own subversive way. I came across one site that had a huge list of applications. I decided to download all of them and browse their various functions. With these tools in hand, I began to feel like I was in control of the internet, rather than the other way around. The sense of power and possibility was intoxicating.”


Page 18

Why the Internet Was Broken

Internet was relatively new and global security knowledge was lacking

» Many available tools that enabled attacks to be delivered with relative ease

» The internet was never intended to be a tool of commerce

» The fundamental protocols the internet was built on are still flawed

» The lack of regulation between governments and companies

» Security was never incorporated into the architecture of ARPANET

» The lack of fundamental knowledge of the users who try to utilize the internet

Page 19

Hacking Technique – Denial of Service

• What is a DoS?

» Causes loss of service to users, typically the loss of network connectivity and services

» Not designed to gain access to systems

• Three types of attack

» Consumption of computer resources such as bandwidth, disk space or CPU time

» Disruption of configuration information, such as routing information

» Disruption of physical network components

Page 20

Attack Types – DoS and DDoS

• The attack on Yahoo was an ICMP flood

» ICMP traffic is the simplest kind of computer conversation - a ping, or a single bit of data sent to see if another computer is responding

» An ICMP flood is when an attacking ping is sent to a target computer with a faked return address, which sends the attacked computer on an endless quest for a place to return the ping

• The attack on CNN was a SYN flood

» Starts with a falsified synchronization packet, the packet a computer sends when it actually wants to connect with another computer

» It sent so-called synchronization packets, or attempts to connect, to random ports ranging from 2 to 400

» Each packet had to be approved by the ACL - normally, synchronization packets are followed by legitimate traffic which simply flows through the router

» The router’s memory was quickly consumed and it stopped functioning
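As an added, defender-side illustration that is not part of the slides: the SYN flood described above leaves the target with many half-open sockets from spoofed, never-repeating sources spread across a range of ports, and that pattern is what a connection-table check can key on. The `netstat`-style lines, the server address 10.0.0.5 and the thresholds are constructed for this example.

```python
"""How a SYN flood like the one on the CNN slide shows up in a host's TCP
connection table.  Input lines are constructed below in the column layout of
`netstat -tan` on Linux (proto, recv-q, send-q, local, foreign, state)."""
from collections import Counter

# Constructed sample: three normal sessions on a server at 10.0.0.5 ...
NORMAL = """\
tcp 0 0 10.0.0.5:80 198.51.100.7:51234 ESTABLISHED
tcp 0 0 10.0.0.5:443 198.51.100.9:40112 ESTABLISHED
tcp 0 0 10.0.0.5:22 203.0.113.4:55010 ESTABLISHED
"""
# ... plus 400 half-open sockets from never-repeating (spoofed) sources in the
# 198.18.0.0/15 benchmarking range, spread over ports 2..400 as on the slide.
FLOOD = "".join(
    f"tcp 0 0 10.0.0.5:{2 + i % 399} 198.18.{i // 254}.{i % 254 + 1}:{1024 + i} SYN_RECV\n"
    for i in range(400)
)

def parse_connections(text):
    """Return (local_port, remote_ip, state) for each TCP line in the table."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local_port = int(parts[3].rsplit(":", 1)[1])
        conns.append((local_port, parts[4].rsplit(":", 1)[0], parts[5]))
    return conns

def syn_flood_indicators(text, max_half_open=50, spread_threshold=0.9):
    """Summarise half-open (SYN_RECV) sockets.  Per-source counts say little
    about a spoofed flood, so the verdict keys on the total number of
    half-open sockets and on how widely they are spread across sources."""
    conns = parse_connections(text)
    half_open = [(port, ip) for port, ip, state in conns if state == "SYN_RECV"]
    sources = Counter(ip for _, ip in half_open)
    ports = Counter(port for port, _ in half_open)
    n = len(half_open)
    # Share of half-open sockets whose source appears only once: a spoofed
    # flood scores near 1.0, a burst from a few real clients does not.
    singleton_ratio = sum(1 for c in sources.values() if c == 1) / n if n else 0.0
    return {
        "half_open": n,
        "established": sum(1 for *_, state in conns if state == "ESTABLISHED"),
        "distinct_sources": len(sources),
        "port_range": (min(ports), max(ports)) if ports else None,
        "singleton_source_ratio": round(singleton_ratio, 2),
        "suspected_syn_flood": n > max_half_open and singleton_ratio >= spread_threshold,
    }
```

On a real host the same function can be fed the output of `netstat -tan`; the thresholds are starting points to be tuned against the host's normal connection mix.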

Page 21

Why the Internet is Still Broken Today

Social Engineering

» Hackers rely on manipulation of naïve end-users

» Doesn’t have to be remote – they can dress up in uniform and literally walk into a company

Internal IT hackers are more of a threat than remote exploits or DoS attacks

» Employees don’t necessarily care about the company, just about the paycheck

» Sabotage / retribution for loss of job or internal dispute


Page 22

Why the Internet is Still Broken Today

Web 2.0 and Cloud Computing

» Ease of data access

» Inevitably less secure technology

» Further enables social engineering

Time to Market Valued Over Security

» New technology developed before predecessors are secured

» Zero-day exploits - people are unaware of them and patches don’t exist yet


Page 23

Evolving Hacker Techniques

Low-level attacks – script-kiddie attacks, viruses

Medium-level attacks – more technical, leveraging recent vulnerabilities

High-level attacks – stealthy, zero-day, polymorphic, designed NOT to be caught


Page 24

Evolution of Hacker Motives

• Intoxicating power over others

• Intellectual challenge

• Vengeance

• Exploration of technology

• Self-expression and peer recognition

• Mischief or curiosity

• Terrorism

• Financial gain

» Data is worth a lot on the black market

» Easier and less traceable than robbing a bank


Page 25

Why Organizations are At Risk - Hacker’s Perspective

• The lack of concern for security

• Easily exploitable loopholes that aren’t patched

• Not having properly trained IT employees

• Defaults left untouched

• Flaws in the software or operating systems they use

• Networks aren’t properly monitored

• Lack of funding for the IT department

• No outside pen testing

• Unprotected valuable data

Page 26

Zero Day Threat – Why Businesses Still Don’t Get It

Page 27

Convergence / Integration of Criminal Pursuits

• Pharm spam

• Pump-and-dump spam

• Spear phishing

• Drive-by downloads

• Web spam

• Banking Trojans

• Cross-site scripting

• SQL injections

• Zero-day exploits

• Tainted banner ads

• Extortionist denial of service

• Cross-platform Web attacks

• Vishing

• Polymorphic JavaScript

Page 28

Two Criminal Markets

• Stealing data

• Using stolen data

Page 29

Three Main Ways to Steal Data

• Corrupted email spam (port 25)

» Phishing

» Bad attachments / tainted URLs

• Tainted Web links (port 80)

» Drive-by downloads

» Tainted banner ads

» Corrupted search results

• Database breaches

» Direct hacks - SQL injections; cross-site scripting

» Insider theft

Page 30

Attacks Move to the Web Layer

Source: Scan Safe

Feb. 2009 – keystroke logger spike

Mar. 2009 – banking Trojan spike

Tainted Web links - port 80

Page 31

Corrupted Search Results and Ads on Popular Sites

Source: Finjan

hxxp://antivirusquickscanv1.com/1/?id=2006-40&smersh=a54b37c24&back=%3DzQ21zT3MAQNMI%3DM

Source: Purewire

Page 32

Corrupting Major Software Vendors

Page 33

Corrupting Social Media

Address replicator; social engineering

Koobface messaging spam exploits trust-level

Page 34

Corrupted Tweets

Page 35

Botnets Micro

Botnet-driven operations:

» Worm spreads via address replicator

» Members trust downloads

Malware installed:

» Pitches scareware

» Steals cookies

» Installs Waldac email spamming engine

» Installs ZeuS banking Trojan

» Carries out click-through fraud

[Diagram labels: member account; CAPTCHA protection; sample CAPTCHA: smwm]

Koobface unleashed with help of CAPTCHA breakers

Page 36

Latest Techniques

USA Today, 03 Apr. 2009, p. 1A-2A

USA Today, 10 Jun. 2009, p. 1B-2B

Page 37

Conficker – Multi-faceted Threat

RPC-DCOM worm, like MSBlast

USB toggles

Unpatched PCs

Open shares

Weak passwords

Source: Tech Republic

Source: Panda Security

Page 38

USA Today, 12 Nov. 2008 p. 1B – 2B

Why Businesses Still Don’t Get It

Page 39

What Needs To Be Done

• Macro View

» Select and empower an effective cyber czar

» Set forth effective mix of incentives and regulations

» Foster private/public partnerships

» Engender global cooperation

• Micro View

» Think of data as a valuable asset

» Make data privacy and security a core competency

» Keep antivirus/antispyware updated

» Install ALL updates

» Realize social media applications are festering with malware

Page 40

Byron Acohido

lastwatchdog.com

http://lastwatchdog.com

360 [email protected]

Page 41

Q&A via Chat or… Twitter - send us your questions using hashtag: #TOPHCKR1

Follow on Twitter:

Lumension @_Lumension

Byron Acohido @lastwatchdog

Paul Henry @phenrycissp

Page 42

Global Headquarters

15880 N. Greenway-Hayden Loop

Suite 100

Scottsdale, AZ 85260

1.888.725.7828

[email protected]