new trends on cyber security - cyber espionage & identity theft by k s yash, cro...
TRANSCRIPT
New trends on cyber security - Cyber Espionage & Identity theft
By K S Yash, [email protected]
1www.avslabs.biz
Cyber Espionage
Espionage has gone from Physical world into Cyber world. Black hat around world breaking into networks and stealing important corporate information.
2 www.avslabs.biz
Recent attacks on corporate
Stealing of sensitive information in corporate leads to loss of 8 million $ contract to a Bangalore based company (source DNA newspaper)
Is it true?
3 www.avslabs.biz
Are you in danger?
Investment Required Information Worthiness(IRIW)
• What is worth of information for black hat to steal• Is it only black hat or a competitor hiring a black hat
who want information• Your business turnover is 20 crores, profit is 5 crores• Are you at risk with crucial information getting stolen?• Cyber espionage contracts start above 10 lakhs.
4 www.avslabs.biz
Protection in corporate
• Gateway antivirus• Corporate firewall• Personal Antivirus and Firewall• Some have RSA secure ID token!
5 www.avslabs.biz
Is this enough?
No. Not all type of attacks can be prevented bythese programs.
• Social Engineering• Tunnel Remote Admin Tools with Proxy• kernel level key logger (undetectable)• delivery using MS office , PDF undetected
vulnerability.
6 www.avslabs.biz
Type of attack
Social engineering: • Getting a email from a friend or colleague with
a attachment or weblink• The weblink could clicked to read the article.
The key logger or Trojan will be installed• In case of net banking, phishing attack is
nothing but social engineering.
7 www.avslabs.biz
Social engineering
• Email could come which looks like coming from friend as a greeting, web admin writing to you, picture file coming from a stranger or known person when you are on messenger.
• The threat need not come as attachment which is a program file.
8 www.avslabs.biz
Remote tunnel Trojan (proxy)
• Black hats use Trojans which can be deployed to a victim computer.• The Trojan connects back to an intermediate server
usually in china or Russia(RBN. St. Petersburg).• These intermediate server are usually illegal networks
and don’t co-operate for tracking the actual black hat hacker.• The Trojan injects into victim machine IE or Explorer
and connects using port HTTP or HTTPS• Usually these programs cannot be detected even with
an Intrusion Prevention System that detect anomaly.
9 www.avslabs.biz
Kernel Keylogger
Advanced key loggers– Capture keystrokes, – Identify specific sites using windows title– Post logs using port 80(http), load through ftp,
send via SMTP injection– Firewall bypassing feature working on windows
kernel.
10 www.avslabs.biz
Undetectable Vulnerability
• Black hat discover new vulnerabilities in acrobat PDF and MS office files.
• These vulnerabilities are usually like adding a weblink inside the pdf or the doc
• In ms office files , black hat discover buffer overflows. When the office document is opened, the buffer overflow happens and control transfers to the trojan which is inside the ms office file.
11 www.avslabs.biz
Identity Theft
Stealing of some one credentials making use of that credential privilege and doing transactions.
Areas common for identity theft• Net banking• Email (web based)• Identity theft of internal network credentials
12 www.avslabs.biz
Phishing
• Email from bank, email provider asking for personal details credentials are stolen• Sample e-mails offering to return £450 - 650 worth of
tax to "every man aged between 30 and 55 years"• From: UK Government & Ministry of Finance• Age, marital status and number of children• personal info can used to construct data for credit card
forms and other online transactions• As the UK Government is expected to make
announcements relating to recession-busting tax cuts
14 www.avslabs.biz
Identity theft toolsAdvanced key loggers : – Capture keystrokes, – Identify specific sites using windows title– Post logs using port 80(http), load into ftp, send via SMTP
use injection– Firewall bypassing feature working on windows kernel.
Trojans:– Windows kernel level– Tunnel Trojan uses intermediate server(to ensure no trace)
Like a proxy– Work on port 80, 443 (bypassing most firewall)– Can work at kernel level to avoid detection by antivirus
15 www.avslabs.biz
Netbanking
• Total of 80 cases on average pending in various law enforcement agencies relating to net banking per state
• Total of 2 crores for 80 cases per state on average. average money stolen is 2.5 lakh per case
• Banks pay? no? it is a consumer problem• Bank protects the transmission, back end server
not consumer desktop. It is a consumer, end point risk.
16 www.avslabs.biz
Netbanking
• Virtual keyboard in most banking sites are not safe
• The logic of virtual keyboard can broken by advanced researcher in a few minutes and a mouse logger tuned for specific bank can be written by black hat hackers
• In Europe two years back a mouse logger appeared that could almost intercept 121 different banks virtual keyboard.
17 www.avslabs.biz
Can Antivirus & Firewall Help?
• Antivirus works with signature and some with heuristics.
• Black hats normally write tools and test their tools against all antivirus, firewall before they deploy.
• They find way around heuristics, signature scans, anomaly and behavior blocking technologies.
18 www.avslabs.biz
Identity theft protector
Consumer can protect themselves from netbanking, web based emails passwords from getting stolen.
• Keyboard driver level encryption with browser plug-in
• Safe browser without a BHO• Program that changes windows title bars
19 www.avslabs.biz
How can this be prevented
• Banks can hire white hat hackers and specifically research on writing an anti-identity theft program.
• This program can be signed by banks digital certificate.
• Customer can click on secure login button, signed Active-x can download this authenticated & signed anti-identity theft program. Making this process simple for end customer.
20 www.avslabs.biz