Why Cyber Security is the Right Career Choice---------NOW. NSF---Information Assurance/Information Security/Digital Forensics Conference, May 7th, 09. Paul M. Joyal, Managing Director, Public Safety and Homeland Security Practice

Dec 28, 2015

Sherman Sims
Why Cyber Security is the Right Career Choice---------NOW

NSF---Information Assurance/Information Security/Digital Forensics Conference

May 7th, 09

Paul M. Joyal

Managing Director, Public Safety and Homeland Security Practice

Cyber and Information Warfare

“The growing role of information-technology is rapidly lowering the barrier between war and peace.”

Mary C. FitzGerald

www.nationalstrategies.com

Cyber Security: Network Threats and Policy Changes, Hearing, May 1, 2009

“Previous attempts to deal with cyber security in isolation have failed,” said Melissa Hathaway, acting senior director for cyberspace for the National Security Council and Homeland Security Council.

“We are now at the point where we must realize that economy and cyber security are opposite sides of the same coin,” added Larry Clinton, President of the Internet Security Alliance. “We cannot address one issue without the other.”

Subcommittee on Communications, Technology, and the Internet, testimony

“Attacks are cheap and relatively easy to conduct,” he explained. “Profits are enormous. The defensive perimeter is virtually endless and defensive measures are expensive.” Altering these economics is the challenge.

Today’s Cyber Warfare Reality

McAfee stated in their 2007 annual report that approximately 120 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities.

In activities reminiscent of the Cold War, which caused countries to engage in clandestine activities, intelligence agencies are routinely testing networks looking for weaknesses. These techniques for probing weaknesses in the internet and global networks are growing more sophisticated every year. [3]

Cyber Warfare Today

Jeff Green, senior vice president of McAfee Avert Labs, states "Cybercrime is now a global issue. It has evolved significantly and is no longer just a threat to industry and individuals but increasingly to national security." They predicted that future attacks will be even more sophisticated. "Attacks have progressed from initial curiosity probes to well-funded and well-organized operations for political, military, economic and technical espionage."

Cyber Counterintelligence

Cyber counterintelligence consists of measures to identify, penetrate, or neutralize foreign operations that use cyber means as the primary tradecraft methodology, as well as foreign intelligence service collection efforts that use traditional methods to gauge cyber capabilities and intentions.

What the US is doing in Cyber Defense

On April 7, 2009, the Pentagon announced more than $100 million was spent in the last six months responding to and repairing damage from cyber attacks and other computer network problems.

On April 1, 2009, U.S. lawmakers pushed for the appointment of a White House cyber security "czar" to dramatically escalate U.S. defenses against cyber attacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.

New DHS Secretary calls for a review of Cyber Security

On February 9, 2009, the White House announced that it will conduct a review of the nation's cyber security to ensure that the United States federal government's cyber security initiatives are appropriately integrated, resourced and coordinated with the United States Congress and the private sector.

How did we get here

“Ancient History” Internet-style

• 2004 – the “Russian Spam Gang” identified as one of the top spam producers. Headed by MIT- and UMass-educated Leo Kuvayev.

• Tom Reilly, Massachusetts Attorney General, sued Kuvayev for $37 Million. Leo fled back to St. Petersburg.

“Rock Phish” – 2005 to 2007

• From 2005 until 2007, unknown phishers operating from St. Petersburg and Moscow stole more than $400 Million from more than 50 financial institutions.

Russian Business Network

• In November of 2006, the Rock Phish “mothership”, the hub of a distributed network of botnet data collection points, was operating on IP addresses owned by:

Russian Business Network, 12 Levashovskiy pr., 197110 Saint-Petersburg, Russia

RBN Prime Time Locations

RBN 2006

• At the time, the same Network was hosting a malware distribution network called “iframemoney.biz”, which infected computers by showing them banner ads from legitimate websites.

• They also hosted hundreds of child porn domains, and had strong ties to Intercage, Atrivo, and EST Domains

Stock Manipulation 2006

• In December 2006, the SEC froze the assets of one Evgeny Gashichev for manipulating the value of various stocks through “Stock Pump and Dump” scams.

• At the time, 41-year-old Gashichev was running his Estonian-based business from his home in St. Petersburg, Russia.

• Gashichev had run the scams since at least 1998, earning millions of dollars by manipulating the US stock exchange

Russian Government on RBN

• Queries to the Russian government were greeted by the news that the Russian Business Network was based in Panama. As evidence, copies of the “WHOIS” data were provided.

• Strangely, the only “upstream” provider of RBN at the time was St. Petersburg Telecom.

RBN Reports

• David Bizeul and Verisign iDefense have produced analyst reports on RBN, suggesting ties to banking trojans, such as Torpig, and password stealing schemes, such as Gozi, which have infected millions of computers around the world.

• blog.wired.com/defense/files/iDefense_RBNUpdated_20080303.doc

• www.bizeul.org/files/RBN_study.pdf

ShadowServer on RBN

ShadowServer, a security research organization, prepared this diagram showing how 2,664 different malware programs connected back to 94 hosts (the big dots) controlled by the Russian Business Network.

A closer look at AS40989

Each malicious program was found to connect to either a “Command & Control” server, or a data drop on one of the RBN Computers, such as 81.95.146.204

RBN Goes Dark

• The ShadowServer Foundation report showed that the RBN Network, known as “AS40989”, ranked #10 out of the 1,447 networks known to host malware worldwide.

• On November 6, 2007, in direct response to public pressure created by Brian Krebs’ articles in the Washington Post, the Russian Business Network disappeared.

RBN Franchises

• Those of us who monitor such things began to see “RBN-like” activity on networks around the world, most notably, InterCage, SoftLayer, Layered Technologies, UKRTelegroup, Turkey Abdallah Internet Hizmetleri, and HostFresh.

• Despite their new locations, it was clear that the RBN team was still in control.

Rampant Credential Theft

Credential Stealing

• Since May 30th, a long series of Password Stealing scams have been sent to Americans via email. The stolen credentials are all sent back to one of the RBN Franchises (in the Ukraine).

• This sample was the morning after the election. Others have used “Classmates.com” or “Bank of America” or other scams to trick users into infecting themselves.

• In each case, five “.cn” – Chinese registered domains were used.

• In reality, the domains are registered by a “reseller” of BizCN.com – who lives in St. Petersburg, Russia

Anti-Virus is No Defense

This week’s version of the “Snifula / Gozi” password stealing malware was unknown to 33 of the 39 antivirus products we tested it against.

We received 810 emails on March 10th which pretended to be an invitation to “ClassMates.com”

Stealing Information

Yesterday’s ClassMates Malware

Today’s version of the ClassMates.com Malware steals email passwords, website passwords, ftp passwords, and more . . .

It’s using these five newly created domain names:

Installserverversion10.com, Clieckfordownload.com, Unionmeetflash.com

Videoplayer11version.com, Updtadeyouwinplayer.com

The Stolen Passwords are being sent to 58.65.232.17 -- which is on HostFresh, one of the RBN Affiliate Networks

The same botnet that hosts these domains is also hosting:

Sparkasse phishing sites

Alliance & Leicester phishing sites

Fifth Third Bank phishing sites

Fifth Third Example

On March 10th, this phishing site was hosted on:

ifiili.li, jjf1.com, j1ffj.com, j1ffj.net, idsrt-d04.eu, idsrt-d05.eu, idsrt-d09.eu, dk1ili.eu, biili.eu, bllli.eu, dkllli.eu, billl.eu

$8 for 1000 userids and passwords!

The password stealing is so successful, the Russians are now selling passwords for email accounts at a rate of $8 per 1000.

How many Government employees use Hotmail, Yahoo, and Gmail accounts to avoid email problems at work?

Microsoft: Infections increasing

In the first half of 2008, Microsoft says 11.2% of American computers had been infected with some form of malware – an increase of 38% from the previous half year.

Microsoft Security Intelligence Report v.5-1

Some malware families tied to RBN had increased by as much as 163% from the previous reporting period.

Botnets used to anonymize criminal traffic . . .

ДДос сервис (DDOS Service)

ДДос сервис (DDOS Service)

• Russian sites use these networks of captured computers (botnets) to sell DDOS services

• XAKEPY.RU, the “Portal of Russian Hackers” has hundreds of hackers selling DDOS services delivered via Botnets, many of which are controlled on the RBN “franchises”

Typical RBN Attack Profile

From Georgia to Georgia

• After the “.gov.ge” domains failed, they were relocated to the United States – to Atlanta, Georgia, (Tulip Systems) which gave us much greater visibility into the botnets being used for the attacks.

• One of the main attacking bots was the “MachBot”, a signature of the RBN DDOSers.

Fingers on the Trigger?

• The Spam that went out in the middle of July accused the President of Georgia of being homosexual.

• It was traced to the same spam botnets that have been used to send the Canadian Pharmacy spam hosted on the RBN networks.

• Alexandr A Boykov, of 13 Sedova St in St. Petersburg registered the domains used by that botnet.

Where Cyber and Military Might Combined for War Fighting Advantage.

Paul M. Joyal, Managing Director

Public Safety and Homeland Security

The Brave New World of the 5 Day War

Russian analysts Yevgeniy Korotchenko and Nikolay Plotnikov conclude in 1993:

“We are now seeing a tendency toward a shift in the center of gravity away from traditional methods of force and the means of combat toward non-traditional methods, including information. Their impact is imperceptible and appears gradually… Thus today information and information technologies are becoming a real weapon. A weapon not just in a metaphoric sense but in a direct sense as well.”

Two Aspects of Parity and Defense Sufficiency (1993)

Russian Admiral V.S. Pirumov

“... that a war's main objective, shifting away from seizure of the opponent's territory and moving towards neutralizing his political or military-economic potential - eliminating a competitor - and ensuring the victor's supremacy in the political arena or in raw materials and sales markets.”

General Viktor Samsonov, Chief of the Russian General Staff stated 23 Dec 96

“The high effectiveness of ‘information warfare’ systems, in combination with highly accurate weapons and ‘non-military means of influence’ makes it possible to disorganize the system of state administration, hit strategically important installations and groupings of forces, and affect the mentality and moral spirit of the population. In other words, the effect of using these means is comparable with the damage resulting from the effect of weapons of mass destruction.”

Developments to this doctrinal understanding have evolved in the 90’s with the dynamism of the information era

I. Today information warfare doctrine has expanded to include target country information systems, communications networks and economic infrastructure. The role of intelligence services accelerated these developments. Important information on warfare operations that US and coalition forces learned during the first Gulf War contributed to these developments.

II. Cyberspace has clearly emerged as a dimension to attack an enemy and break his "will" to resist. This is an extension of the traditional Soviet intelligence “Active Measure” doctrine. Active Measures are an array of overt and covert techniques for influencing events and behavior, and the actions of targeted foreign countries.

Information age technologies have created a new cyberspace environment in which to conduct warfare.

Russia's response to the information age highlights the potential for challenges to the existing military balance and global security. This was brought vividly home during the 5 Day Russian Georgian War.

Countries around the globe are increasingly vulnerable to information warfare as dependence on cyberspace and social networking expands. The gap between the emerging information age environment and the doctrine, capabilities and strategies for defending against and prosecuting information warfare is now being confronted globally.

Tectonic shift in military affairs: 6th Generation warfare will change the laws of combat and the principles of military science

1. The Russians foresee the impending sixth generation of information warfare technology as giving cyber warfare the potential to inflict decisive military and political defeat on an enemy at low cost and without occupying enemy territory.

2. Thinking of the enemy as a system is the basis to understanding how cyberspace could be used to exploit warfare.

Psychological Operations and Information Warfare

1. According to Russian military scientists, new weapons will exert a deep influence on the methods, ultimate objectives and definitions of victory in future wars.

2. The use of new information and cyber weapons will be directed primarily at achieving the most important political and economic objectives without direct contact of the opposing forces and without armed combat.

3. These weapons and techniques are designed to destroy the state and societal institutions, create mass disorder, degrade the functioning of society, and ultimately bring about the collapse of the state.

CYBERWAR

The New “Active Measure”

1. Intelligence subunits of the new cyber military are involved in preparing and conducting psychological operations that reinforce the actions of sabotage and reconnaissance, military intelligence and public information services during combat operations.

2. The organization of such is regulated by special directives and manuals developed by military and intelligence services.

3. These CYBER PSYOPS support combat operations in the preparatory period of combat and during combat.

Russian Cyber Warfare Doctrine also addresses the optimum time to strike.

Prior to an “information strike”, all targets should be identified (including enemy information systems), enemy access to external information should be denied, credit and monetary circulation should be disrupted, and the populace should be subjected to a massive psychological operation--including disinformation and propaganda.

The New Age of Cyber Warfare

• A criminal network runs unchecked, controlling HUNDREDS OF THOUSANDS of computers, and running servers in Russia, China, Turkey, Hong Kong, Malaysia, Ukraine, Netherlands, and even the United States

• This network is a loaded gun, which can be pointed and fired at any network resource to please the politics and ideologies of its masters.

The future is Now----Cyber Defense and Security

• Careers in cyber security and defense offer a stable growth track with tremendous job prospects, especially in the Washington area.

• Billions will be spent to defend our new Web 2.0 government

• Cyber security in both civilian and government positions will increase