Sunday, July 18, 2010

Tech-Ed 2010 Session Summaries 4: Andy Malone: Cybercrime- The Gathering Storm

Andy Malone has presented on security before this year, but this was my first chance to hear him speak. This was a very strong presentation, and I’m going to look up his other material most definitely. This session covered the tools, tactics, and backgrounds of contemporary cybercrime. It’s come a long way, and Malone helped us understand the threat it presents, and how to counter it. The summary below only covers the highlights of this deep dive.


Current targets of cybercrime: Top phishing targets are mostly financial, of course, at 54%. Payment services came in next at 26%. In addition, there was a curious category called “other”, with 9%; here Andy spent some time. These represent valuable but small and soft targets: dentists, doctors, hotels, etc. They offer nearly the same juicy fruit that banks do, but they are much less prepared.


Current avenues of cybercrime: In addition, third-party applications remain king of the hill when it comes to vulnerabilities: Adobe, Flash, PDF readers, etc. Against this background, Andy identified the current cybercrime trends as unpatched client-side software, vulnerable internet-facing web sites, zero-day vulnerabilities, and greatest of all, insider threats.


Current Contributing Trends: social engineering, social networking sites, file-sharing sites, PDF and Flash files, and individual vulnerability to outsider temptation. The latter seems clearly to be the most serious: people within an organization succumb to the temptation to just “copy one little file”, or to get “just this one little thing”.


Just who does this?: So far this is all fairly standard stuff. But afterwards Malone started dishing the dirt. This started with an exploration of just _who_ undertakes cybercrime now: not simply random hackers, but companies interested in corporate espionage, Russian criminal business groups, foreign government/military interests, con artists, etc. Commonly available hacker tools are in widespread use, from standalone script kiddies to national and corporate spies. The recent break-in experienced by Google at the hands of Chinese agents is the best example of the latter.


The most likely career paths for these groups include coders and programmers, of course, to prepare new malware, but also distributors to provide and sell stolen data, tech experts to maintain and secure the organization’s IT assets, hackers to identify and exploit vulnerabilities, fraudsters to conduct phishing and social engineering, hosted system providers, cashiers to manage accounts and money, money mules/smurfs, tellers to launder money, and of course organizational leaders, who might not even be technically savvy.


Malone didn’t just show PowerPoint slides for this; he displayed a Mandarin “Hacker Intrusion Activity Model Chart” from a hacking school to show how meticulously some groups in some countries have systematized this. Fortunately he also provided a translation.


Besides this obvious organization, there is a deep toolkit of resources and tactics; most are readily available, such as keystroke loggers, remote webcam activators, virus construction toolkits, etc. Malone gave the example of a disk he bought for five dollars in Moscow with over a hundred such tools.


Example: Here Malone gave an example of a small but potent group which sold credit card numbers (his example showed one US hotel chain being a source for these) and was allegedly involved in money laundering to the tune of $200,000,000. They did not stop their services there, and also offered genuine passports and visas, including American ones. These and other attacks were all dependent upon insider assistance, either recruited or planted. The growing lack of commitment of workers to organizations (and vice versa) only exacerbates this, and it is quite unlikely that this mutual lack of commitment will change any time soon.


Monitoring Resources. One solution is monitoring software of various types, though of course these are all two-edged swords. Malone gave the example of a keystroke logger which also logged web page visits, searches, chat sessions, etc. One of the most impressive apps he demonstrated was Maltego (he showed the full edition). With this tool (among other functions) you type in a company’s phone number, adjust the desired granularity, and any site with any reference to this phone number in any way is displayed. These sites can themselves in turn be interrogated. Social networking sites are included in this.


Another powerful resource was Foca (carefully pronounced). With this you can specify all the files of a certain type (PDF, for example) at a selected site. Every single one from every single site is displayed, including sub-sites. These files may then be selected and downloaded. But that’s not all: all the metadata from these docs can then be extracted, including creators’ usernames, software used, cited email addresses, and even network information, such as every single IP address of every machine contacted. As Malone says, it is “eye-popping”.
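The defender’s counterpart to that demo is to audit your own documents for the same metadata before they are published. The following is an added example, not code from the session or from Foca; it parses the Info dictionary of a PDF (the literal and hex string forms of the PDF syntax) and flags author names, e-mail addresses and software versions. The sample PDF bytes are constructed for the example.

```python
"""Audit PDF Info-dictionary metadata for identity and software leakage."""
import re
from typing import Dict, List

# Info-dictionary keys that commonly carry identifying data.
SENSITIVE_KEYS = ("Author", "Creator", "Producer", "Title", "Subject", "Keywords")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# A PDF string is either a literal "(...)" with backslash escapes or hex "<...>".
_ENTRY_RE = re.compile(rb"/(\w+)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]+>)")

def _decode(raw: bytes) -> str:
    """Turn a PDF string object into Python text (handles the UTF-16 BOM case)."""
    if raw.startswith(b"<"):
        data = bytes.fromhex(re.sub(rb"\s", b"", raw[1:-1]).decode("ascii"))
    else:
        data = re.sub(rb"\\(.)", rb"\1", raw[1:-1])   # drop escape backslashes
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be", "replace")
    return data.decode("latin-1")

def extract_info(pdf: bytes) -> Dict[str, str]:
    """Return the string entries of the dictionary carrying /Author, /Creator or /Producer."""
    found: Dict[str, str] = {}
    for body in re.findall(rb"<<(.*?)>>", pdf, re.S):
        if not re.search(rb"/(Author|Creator|Producer)\b", body):
            continue
        for key, value in _ENTRY_RE.findall(body):
            found[key.decode()] = _decode(value)
    return found

def find_leaks(info: Dict[str, str]) -> List[str]:
    """List the metadata values a reviewer would want scrubbed before publishing."""
    leaks = []
    for key in SENSITIVE_KEYS:
        value = info.get(key)
        if not value:
            continue
        if key == "Author":
            leaks.append(f"{key}: {value!r} (user or account name)")
        for email in _EMAIL_RE.findall(value):
            leaks.append(f"{key}: e-mail address {email}")
        if key in ("Creator", "Producer") and re.search(r"\d+\.\d+", value):
            leaks.append(f"{key}: {value!r} (software version)")
    return leaks

# Constructed sample: a minimal PDF skeleton whose Info dict (object 3) leaks
# a username, a version string, a hex-encoded producer and an e-mail address.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Title (Q3 plan \\(draft\\)) /Author (jsmith) /Creator (Microsoft Word 12.0)"
    b" /Producer <4163726F6261742044697374696C6C657220382E31>"
    b" /Subject (contact: j.smith@example.com) >> endobj\n"
    b"trailer << /Info 3 0 R /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for leak in find_leaks(extract_info(SAMPLE_PDF)):
        print(leak)
```

Real documents also carry XMP metadata streams and, for Office files, separate XML parts, so a production audit would parse those too.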


He also demoed Memorize, a website downloader. NetSparker (community edition), a vulnerability scanner, pulls down web sites and scans them for vulnerabilities. The full edition shows passwords as well.


Effects: This concluded his all-too-brief survey of mayhem. Put to systematic, coordinated, malicious ends, the mind boggles. The Georgian cyber attacks are a great example: as the Russian army was invading in August 2008, other Russian entities were launching devastating, strategic attacks on Georgia’s information infrastructure, using botnets and civilian volunteers with improvised software.


The Human Factor: This tight, reasonably technical section was followed by a looser, catch-all sort of section about miscellaneous security lapses and funny mistakes, followed by a focus on inside-man recruitment.


Malone posits three types of people: the engaged/motivated (he mentioned Steve Ballmer), the not engaged (mentally checked out, typically government bureaucracies), and the actively disengaged (negative, undermining, accessible). This third type often has great access and great potential for corruption.


How are these people recruited? They go to Black Hat conferences, DefCon, demonstrate their technical skills, and advertise services by IRC or similar means. Such industrial espionage has a low cost of entry, a high rate of return, a small probability of detection, an even lower chance of prosecution, and an even lower chance of meaningful punishment.


Responses: Malone next discussed how organizations should respond to cases of suspected espionage; this was fairly standard. This was followed by a review of basic forensic skills which should be available in every organization. Then he surveyed some useful, accessible tools for admins and forensics, such as simple ways to capture the main configuration information of a computer, very similar to MS “COFEE”. Passware aids the recovery of passwords from files through dictionary and brute force attacks, resetting the local admin password (!), and other resources. An MS product, Security Compliance Manager, gives recommendations on proposed changes to make (depending on your requirements), and even makes them for you; this includes settings such as local policy, etc.


Overall, extremely informative in terms of strategic insights (the nature of current threats) and tactical ones (apps mentioned above). Of all the batten-down-the-hatches security presentations this year, this was clearly the best one I attended.

