330 likes | 564 Views
Cyber Threats. ABMTS – Cincinnati, OH. Malcolm Sykes, CISSP & Terry Lewis. The IRS as Target. Largest IT environment of any U.S. civilian agency. 700 + POD’s. More PII than any other government agency. Process $2.5T of revenues. Complex & diverse IT infrastructure.
E N D
Cyber Threats ABMTS – Cincinnati, OH Malcolm Sykes, CISSP & Terry Lewis
The IRS as Target • Largest IT environment of any U.S. civilian agency • 700 + POD’s • More PII than any other government agency • Process $2.5T of revenues • Complex & diverse IT infrastructure • Complex & diverse business processes utilizing many channels (e-file, paper, internet, phone, walk-in)
The Threats & Vectors • Malware (Trojans, viruses, worms, spyware, etc.) • Web browsing • E-mail • Removable Media • Data Disclosure & Integrity • Authorized Users • Lost & stolen equipment • Network Penetration • Denial Of Service • Botnets • Insider attacks
Emerging Threats Intrusion Worm Virus Blended Threat + + = • Memory Based root kits & other malware • Mobile Malware (Blackberry, iPhone, iPad) • Cloud Computing • Infrastructure & Contractor Outsourcing • Cross Platform Malware • Includes virtualized environments • Blended Threats (multiple vectors)
Computer Hackers Who are they? No longer just techno-geeks.
The Attackers • Criminal gangs • Financially or Politically motivated • Employ individuals or groups of hackers to steal PII, credit card & banking information. • Hacker Gangs • Create & sell botnets & hacker tools • Sometimes engage in activity to wage cyber war on each other or to boost their reputation • Political or religious groups • Hacking for military and commercial secrets & to inflict damage • Well resourced • Funded by criminal enterprises, nations, political or religious entities
Political or Religious Groups • Highly motivated, professionally trained & equipped adversaries • Espionage and sabotage aimed at US Government, Military & Commercial sites • Strategic & Tactical Attacks • Threat to the military & economic security of the United states
Botnet Attack1 • Distributed Denial of Service (DDOS) attack launched on weekend of July 4, 2009 • Targeted 27 American and South Korean government agencies and commercial Web sites • US Government targets included the White House, Secret Service, Federal Trade Commission, Transportation Dept.& the Treasury Dept. (but not IRS) • US Commercial targets included the New York Stock Exchange, Nasdaq, Yahoo & The Washington Post • South Korean targets included the presidential Blue House, Defense Ministry, National Assembly, Shinhan Bank, the Chosun Ilbo newspaper & top Internet portal Naver.com • Estimated over 50,000 IP addresses were participating in this attack • Rated as unsophisticated • Full Recovery less than one week As reported in the New York Times July 8, 2009
Vulnerabilities & Mitigations • IRM Requirements & Policy Checkers • Standard workstation COE image based on the FDCC • Default machine configurations are inherently insecure • Patching & updating is often delayed in large organizations due to testing & implementation restrictions • Assigned staffs, timeframes & tracking of updates • Absent, disabled or outdated anti-virus programs, firewalls, etc. • Compliance reviews • Risky web-surfing & e-mail behavior • Security awareness presentations & materials • AV software, firewalls, site blocking software, network monitoring & IDSs • Social Engineering • Security awareness presentations & materials
Targeting End-users Attackers no longer need to penetrate security perimeters • This is a byproduct of the move towards financially motivated malicious activity • Malicious activity has moved away from targeting computers & towards targeting end users themselves • Specifically, attackers are targeting confidential end-user information that can be used in fraudulent activity for financial gain as well as in attacking systems
“ElectronicallyTransmitted Diseases” • More employees are using mobile media • CDs, DVDs, thumb drives, MP3 players (iPods), external hard drives • Mobile media is used by criminals as another vector to spread their malware. In addition to mobile media containing software, music, etc. purchased from flea markets, found in parking lots, etc. some commercially produced software has contained code that makes systems vulnerable to root kits & other malware • Mobile media connected to a non-IRS system will be exposed to any malware left behind from previously installed ETDs • Internal Revenue Manual (IRM) 10.8.1.5.2.5 prohibits the use of personally owned equipment, including software & media on IRS systems & vice versa
Cybersecurity Misconceptions • No one knows who I am on the Internet • The Internet is a virtual world, so nothing bad can happen to me • Security software (anti-virus, firewall, etc.) will protect me • The IRS will protect me • Law enforcement will protect me • Who believes all this?
“5568” <A> Billing: Pxxx xxx <A> xxx xxx Road <A> Suite 400 <A> xxx, CA xxx <A> US <A> Phone: xxxxxx7605 <A> e-mail: pxxx.xxx@atf.gov <A> Payment Method: Credit Card <A> Name On Card: Pxxx x. xxx <A> Credit Card #: 5568xxxxxxxxxxxx <A> Credit Type: MasterCard <A> Expires: 05/2009 <A> CVV2: 421
Capturing Card Number & PIN • Organization database attacks • Social engineering via e-mail, web site, telephone or postal mail • Dumpster diving & trash collection • Man in the middle web site attacks • Bank ATM modifications • Equipment disguised to look like normal ATM • Wireless “skimmer” & video camera transmit scanned card information & PIN • Criminals copy cards & use PINs to withdraw cash
Wireless Scanner • Equipment being installed on top of existing bank card slot.
Wireless Video Camera • PIN reading camera being installed on the ATM is housed in an innocent looking leaflet enclosure.
From Patch to First Attack Oct. 17, 2000 Patch MS00-078 Sept. 18 2001 Nimda 336 Days Jul. 24, 2002 Patch MS02-039 Jan. 25 2003 Slammer 185 Days Aug. 11 2003 Jul 16, 2003 Patch MS03-026 Blaster 26 Days Apr. 13, 2004 Patch MS04-011 April 30 2004 17 Days Sasser June 2005 0-Day JView Jul. 12, 2005 Patch MS05-037
Zero-Day Exploits • Sometimes discovered by hackers & kept secret prior to use • High risk, undocumented vulnerabilities with no approved patch • Some patches not released timely (RPC memory overflow – over 4 years) • CSIRC released 10 Critical Advisories & 1 Bulletin for zero-day exploits since Jan 1, 2009 • Multiple zero-day exploits targeted IRS Business Units via e-mail
Zero-Day Exploit Against IRS • In February 2009, an e-mail was sent to 2 IRS e-mail accounts • Attachments utilized a Microsoft Excel Zero-Day exploit • Malware designed to export data to a remote IP address • Used custom encryption (non SSL) over TCP port 443 • Target IRS e-mail Addresses included: • Former Employee (Account/Email disabled) • Distribution List (e-mail forwarded to 10 employees) • Analysis confirmed outbound connection attempts were blocked & no data was exported
CNN Phishing • Spam e-mail was circulating in January 2009 containing factual information about the Israeli/Hamas conflict • It appeared to originate from CNN & contained a link to a website posing as CNN, which contained what looked like a video file • All links on the website actually resolved to the valid CNN website • Visitors who attempted to view the video were prompted to update to a new version of the Adobe Flash Player • Update was actually malicious code
IRS Response to CNN Phishing • IRS initiated Content Filtering to block the e-mail • Only 11 of 38 AV products could detect stage one • Only 2 of 38 AV vendors’ signatures could detect stage two • Analysis revealed 36 IRS systems visited the fraudulent CNN website (Stage One) • Additional analysis identified 1 IRS system issuing HTTP GET requests to the Russian IP address every 20 minutes (Stage Two) • Further analysis confirmed that no data was exported
“Just Surfing the Web” • In November 2009, an employee performs a search via Yahoo! for “1979-2007 vehicle wiring diagrams”.
“Just Surfing the Web” • First (non-sponsored) URL listed by the search engine was malicious • Embedded HTML executed a PHP file, downloading the malware file 45096.exe • Malware executes & begins beaconing home to: kinoarts.com over TCP port 80 • Analysis revealed 2 additional call back sites not being blocked by IRS • Further analysis confirmed outbound connection attempts were blocked & no data was exported
Beacons • A beacon is an intentionally conspicuous device designed to attract attention to a specific location • In the cyber world, a beacon is a system that repeatedly attempts to make a hidden connection with one or more systems outside of its network • Ordinary user traffic is fairly random, so traffic generating a significant regular pattern is indicative of a beacon
Beaconing Activity • Beaconing from infected IRS system attempting to “call home” to a website in China for further instructions. • Website was a known malicious website that was blocked
SCADA • Supervisory Control & Data Acquisition • Provides data display, alarming, trending, reporting, & control for devices & equipment in remote locations (via LAN, modem, wireless technologies, or Internet) • Think US Critical Infrastructure
Cyber Attacks on SCADA • Unintentional consequences caused by internal personnel or mechanisms (testing software on operational systems or unauthorized system configuration changes) • Unintentional consequences or collateral damage from malware • Intentional attacks such as gaining control or DoS attack • Aurora - Simulated cyber attack on SCADA system in March 2007 • Both unintentional and intentional attacks on SCADA systems have been documented