Moderator: Dr. Faith Heikkila, Ph.D, CIPP, CISM CISO .


Moderator:
Dr. Faith Heikkila, Ph.D, CIPP, CISM
CISO – Greenleaf Companies and InfraGard Michigan Members Alliance, Inc. President

Panelists:
Gary Miliefsky, CISSP, Contributor to Hakin9 Magazine & Founder / CTO, NetClarity, Inc.
Jon Oberheide, Co-Founder & CTO Duo Security

Agenda
- Moderator and Panelist Introductions: Dr. Faith Heikkila, Gary Miliefsky, Jon Oberheide
- Presentations by the Panelists: “Cybercrime and Cyberwar”, “5 LEO-Relevant Cyber Security Myths”
- Questions to Panelists: Moderator Questions, Audience Questions (please use microphone)

Cybercrime and Cyberwar
Stopping Cybercriminals and Cyberterrorists in their tracks
by Gary S. Miliefsky, FMDHS, CISSP

Fact: Nothing with an IP Address Is Secure
No device is safe – all IP-based devices are exposed to exploitation:
- It is a target
- It can be spoofed
- It can be infected
- It can be remotely controlled
- It is probably already infected

Fact: Wireless Will Never Be Secure!
- WEP was easy to crack; now WPA is also. Recently deployed tools such as Back Track v4.0 allow you to break wireless encryption by attacking the smaller 24-bit session initiation key and then gaining full “trusted” access to a wireless router.
- Wireless Routers have Critical Flaws (CVEs). Now you can break into the admin interface of a wireless router by sending malformed packets from your laptop and Pringles can, not worrying about the encryption; see NVD.NIST.GOV and type in “wireless”.

IPS GRADE IS A “D-”
NSS Labs Inc. tested 13 of the world’s most powerful IPS products in December 2010. They caught 62% of the attacks, missing 38%. While the NSS Labs test is revealing, most of the attacks don’t come through the front door (the firewall or IPS) anyway; they come through the back door.

Fact: Anti-virus is dead!
No One Can Keep Up With New Malware
According to independent malware test labs, ALL ANTI-VIRUS software agents FAILED to stop ALL new threats, known as om
http://blogs.zdnet.com/security/?p 5365
http://av-test.org
Report: 48% of 22 million scanned computers infected with malware

Fact: Everyone can be exploited!
All of our Systems have Holes! (CVEs)
According to the USCERT, SANS, FBI and MITRE, over 95% of security breaches are a direct result of exploiting a Common Vulnerability and Exposure (CVE).
[Chart: Vulnerability Growth Rate; y-axis: Total Vulns; x-axis: Year, 2003 to 2009]
See: http://nvd.nist.gov
In addition, 80% of all successful attacks occur from the inside (malicious insider, rogue wireless, the ‘cleaning company’ tapping of your network with an unknown and untrusted laptop)

Fact: Your Identity Was Stolen!
350M Americans & 516M records stolen
PrivacyRights.org
- More than 516M Personally Identifiable Information (PII) records for more than 350M citizens in America. How many have been lost, hacked and stolen?
- According to PrivacyRights.org, the total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005: 516,942,944 RECORDS BREACHED from 2,392 DATA BREACHES made public since 2005
- Still think you are secure?
- Still believe your anti-virus and firewall can truly secure your network or your personal computer?

What is Cybercrime?

Cybercrime – Purely “Digital” Paradigm

What is Cyberwar?

Cyberwar – Nations Attacking Nations, Digitally, Daily
- Distributed Denial of Service (DDoS)
- Espionage (Spyware, Backdoors, Data theft)
- Critical Infrastructure (Stuxnet, etc.)
- Propaganda (Facebook, Twitter, etc.)
- Covert Channels (MUDS, Avatars, Virtual Worlds, Proprietary Encryption)

Here’s What We’ve Faced this Year
1. Retail and E-tail Outlet Attacks will Outpace Attacks Targeting Banks
2. Hospitals will become the Most Exploitable of All Vertical Markets
3. Cloud Computing and Virtual Machines (VM) will be specifically targeted
4. New and innovative attacks will be launched by rogue and competing Nations
5. Early stages of Growing Cellphone and PDA attacks
6. New and Sophisticated VoIP Attacks are coming
7. Exponential Growth of More Intelligent Zero-day Malware
8. New Sophisticated UTM firewall and IPS exploits are coming
9. More Creative Social Engineering for Cyber Crime Profits
10. Increases in Microsoft Windows Application Layer Vulnerabilities leading to Rapid Exploitation
11. Growing Privacy Rights Violations by Governments and their Contractors in the name of Cyber Defense.

With Sophisticated New Malware
- Virus
- Trojan
- Worm
- Rootkit
- Botnet
- Zombie
- Keylogger
- Adware
- Spyware
BLENDED THREATS designed mostly for Cybercrime and Cyberterrorism.

Malware Root Cause - CVEs
Common Vulnerabilities and Exposures (CVEs)
1. Although there might be 9,000,000 signatures in your McAfee or Symantec anti-virus scanner database (and growing exponentially), there are only 47,000 CVEs. If you close just one CVE, for example, you can block more than 110,000 variants of the W32 malware.
2. If you aren’t visiting http://nvd.nist.gov to see what kind of exploitable holes you have in your network, cybercriminals CERTAINLY are.
3. Everything with an IP address has a CVE, you need to figure out which ones are critical holes and how to patch, reconfigure and remove them—i.e. system hardening.
and MALWARE LOVES TO EXPLOIT THESE HOLES

WHAT CAN YOU DO ABOUT IT?
- Get More Proactive
- Learn and use the FOUR D’s
- Manage the RISK FORMULA
- Document Policies
- Educate Employees
- Harden systems regularly
- Review logs regularly
- Review and Enforce Policies regularly
- Encrypt Everything You Can
- Deploy PAC, NAC, UBAP and HIPS (huh?)

In appreciation of your time today
Please feel free to download:
- “Extended Edition” of this PowerPoint, 50 Slides with links to free tools and much more information
- Full year of Hakin9 Magazine for educational purposes all zipped up in PDF format
Grab these online at: http://www.netclarity.com/michigan2011.zip
(The url goes straight to the file for an anonymous download)

QUESTIONS?
garym@netclarity.net
Thank you.
Gary S. Miliefsky, FMDHS, CISSP
NetClarity, Inc.
http://www.netclarity.net

Introduction
My background
- Academic: BS, MS, PhD from University of Michigan
- Defensive: Duo Security, no vendor pitches allowed!
- Offensive: I write kernel exploits when I'm bored
My goal
- Confuse, offend, or provoke you into asking a question to the panel afterwards! :-)
Michigan Cyber Security Summit 2011

Myth #1: You have a chance
Myth #1: You have a chance against motivated adversaries.

Only takes one
- What does it take to compromise your network? One exploit?
- How large is your client-side attack surface? IE, Firefox, Flash, Adobe Reader, Office, etc

Users are the weakest link
- Employees names and email addresses are enumerable on social networking sites?
- Employees answer external email and access web sites on the same machine that they handle sensitive data?
- Are their e-mail addresses firstname.lastname@company.com?

Exploit markets
- Well-developed markets to buy and sell 0day vulns/exploits
- How much does an average client-side 0day cost?
- Estimated 50k-100k USD
- Adobe JBIG2 exploit sold for 75k on underground market
- Underground, corps, defense contractors, governments
- If cost(exploit) value(your network), you're already owned
- Does your adversary have that kind of funding available? Most definitely, yes.

Myth #2: Trust your tools
Myth #2: You can trust your tools.

Anti-Forensics
“Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.”
- Anti-forensics (AF) is not new
- Passive countermeasures are well known
- Munging timestamps, identifiers, etc

Targeting the investigator/examiner
- Parsing is hard
- Exploits targeting EnCase, FTK, etc

Cellebrite UFED
- Recognize this? Michigan LEO should. ;-)
- Do you know when Cellebrite last patched their jpeg/png parsing libraries?

Myth #3: Training scales
Myth #3: You can train your way to success.

Training at a local level
- Training is expensive!
- Specialization vs. generalization
- Specialization and deep expertise needed
- But infeasible at small scale
And in the end. Attackers don't care how many acronyms you have after your name

Training at a federal level
- USCYBERCOM
- Recruit, train, retain?
- Traditional military training: Recruit Boot camp Soldier
- “Cyber” military training: Easy, medium, hard! Recruit ? l33t h4x0r?
- Organizational, culture incompatibilities

How to build a cyber army

Myth #4: Supply chain and vendors
Myth #4: Your supply chain is secure.

Built on sand
- How do you build a secure infrastructure, when the underlying components are untrusted?
- Operation Cisco Raider
- Sam King @ UIUC

RSA breach
- RSA, defense contractor breach
- If you're a hard target
- Go after your vendors instead!
To butcher a Fight Club quote: “On a long enough timeline, everyone gets owned.”

Myth #5: Cyber war and terrorism
Myth #5: You should be frightened by cyber warfare and cyber terrorism.

What is cyber warfare?
Hacktivism? Comodo hacker? Maybe. Titan Rain? NO. Stuxnet? NO. I suppose.
Attribution is hard.

Cyber terrorism
What is “cyber terrorism”?
“If you ask 10 people what 'cyberterrorism' is, you will get at least nine different answers! When those 10 people are computer security experts, whose task it is to create various forms of protection against 'cyberterrorism', this discrepancy moves from comedic to rather worrisome. When these 10 people represent varied factions of the governmental agencies tasked with protecting our national infrastructure and assets, it becomes a “critical e/cyberterrorism.pdf

Not even close.
“Keylogger jihad”? NO!

SCADA attacks
SCADA attacks? Yes, but extortion is more lucrative than terrorism.

Wrap-up
LEO faces the same problems as the private sector
- Your adversaries are more skilled
- Your tools are broken
- Your analysts are undertrained
- Your vendors are owned
- Your terminology is misunderstood
Sufficiently provoked yet? ;-) Ask a question!

Questions from the Audience

Questions to Panelists:
1. Who is the biggest target from a) cybercrime standpoint, b) cyber-terror and why?
2. Do you have any suggestions as to how law enforcement can more effectively combat BitCoin (digital anonymous currency often double spent) and Zeus/SpyEye (a banking Trojan middleman) attacks?

Questions to Panelists:
3. As companies place their confidential data in the cloud, what are the cybercrime threats that should be considered and mitigated?
4. If you are so sure Anti-virus is dead, then what’s the alternative?

Questions to Panelists:
5. What tool would you recommend be in law enforcement investigator’s cyber toolbox?
6. With regard to the rise in data security breach incidents and the exposure of so many people’s personally identifiable information (PII), how can law enforcement assist companies with preventing these types of cyberattacks?

Questions to Panelists:
7. Why are you so certain that CVEs are the biggest holes we need to plug?
8. How has encryption use by cybercriminals changed the landscape for cybercrime law enforcement investigations? Any recommendations for combatting encryption usage?

Questions to Panelists:
9. Do you think that hacktivists (unidentified political hackers) are working under foreign government support/direction or are truly merely committing acts of civil disobedience?

Faith M. Heikkila, Ph.D., CIPP, CISM
E: MI-InfraGard-President@charter.net

Gary Miliefsky, FMDHS, CISSP
E: garym@netclarity.net

Jon Oberheide
E: jon@oberheide.org
