New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1

Cyber Espionage Espionage has gone from Physical world into Cyber world. Black hat around world breaking into networks and stealing important corporate information. 2

Recent attacks on corporate Stealing of sensitive information in corporate leads to loss of 8 million $ contract to a Bangalore based company (source DNA newspaper) Is it true? 3

Are you in danger? Investment Required Information Worthiness(IRIW) What is worth of information for black hat to steal Is it only black hat or a competitor hiring a black hat who want information Your business turnover is 20 crores, profit is 5 crores Are you at risk with crucial information getting stolen? Cyber espionage contracts start above 10 lakhs. 4

Protection in corporate Gateway antivirus Corporate firewall Personal Antivirus and Firewall Some have RSA secure ID token! 5

Is this enough? No. Not all type of attacks can be prevented by these programs. Social Engineering Tunnel Remote Admin Tools with Proxy kernel level key logger (undetectable) delivery using MS office, PDF undetected vulnerability. 6

Type of attack Social engineering: Getting a from a friend or colleague with a attachment or weblink The weblink could clicked to read the article. The key logger or Trojan will be installed In case of net banking, phishing attack is nothing but social engineering. 7

Social engineering could come which looks like coming from friend as a greeting, web admin writing to you, picture file coming from a stranger or known person when you are on messenger. The threat need not come as attachment which is a program file. 8

Remote tunnel Trojan (proxy) Black hats use Trojans which can be deployed to a victim computer. The Trojan connects back to an intermediate server usually in china or Russia(RBN. St. Petersburg). These intermediate server are usually illegal networks and don’t co-operate for tracking the actual black hat hacker. The Trojan injects into victim machine IE or Explorer and connects using port HTTP or HTTPS Usually these programs cannot be detected even with an Intrusion Prevention System that detect anomaly. 9

Kernel Keylogger Advanced key loggers – Capture keystrokes, – Identify specific sites using windows title – Post logs using port 80(http), load through ftp, send via SMTP injection – Firewall bypassing feature working on windows kernel. 10

Undetectable Vulnerability Black hat discover new vulnerabilities in acrobat PDF and MS office files. These vulnerabilities are usually like adding a weblink inside the pdf or the doc In ms office files, black hat discover buffer overflows. When the office document is opened, the buffer overflow happens and control transfers to the trojan which is inside the ms office file. 11

Identity Theft Stealing of some one credentials making use of that credential privilege and doing transactions. Areas common for identity theft Net banking (web based) Identity theft of internal network credentials 12

Common tools used Phishing Key logger Trojans 13

Phishing from bank, provider asking for personal details credentials are stolen Sample s offering to return £ worth of tax to "every man aged between 30 and 55 years" From: UK Government & Ministry of Finance Age, marital status and number of children personal info can used to construct data for credit card forms and other online transactions As the UK Government is expected to make announcements relating to recession-busting tax cuts 14

Identity theft tools Advanced key loggers : – Capture keystrokes, – Identify specific sites using windows title – Post logs using port 80(http), load into ftp, send via SMTP use injection – Firewall bypassing feature working on windows kernel. Trojans: – Windows kernel level – Tunnel Trojan uses intermediate server(to ensure no trace) Like a proxy – Work on port 80, 443 (bypassing most firewall) – Can work at kernel level to avoid detection by antivirus 15

Netbanking Total of 80 cases on average pending in various law enforcement agencies relating to net banking per state Total of 2 crores for 80 cases per state on average. average money stolen is 2.5 lakh per case Banks pay? no? it is a consumer problem Bank protects the transmission, back end server not consumer desktop. It is a consumer, end point risk. 16

Netbanking Virtual keyboard in most banking sites are not safe The logic of virtual keyboard can broken by advanced researcher in a few minutes and a mouse logger tuned for specific bank can be written by black hat hackers In Europe two years back a mouse logger appeared that could almost intercept 121 different banks virtual keyboard. 17

Can Antivirus & Firewall Help? Antivirus works with signature and some with heuristics. Black hats normally write tools and test their tools against all antivirus, firewall before they deploy. They find way around heuristics, signature scans, anomaly and behavior blocking technologies. 18

Identity theft protector Consumer can protect themselves from netbanking, web based s passwords from getting stolen. Keyboard driver level encryption with browser plug-in Safe browser without a BHO Program that changes windows title bars 19

How can this be prevented Banks can hire white hat hackers and specifically research on writing an anti-identity theft program. This program can be signed by banks digital certificate. Customer can click on secure login button, signed Active-x can download this authenticated & signed anti-identity theft program. Making this process simple for end customer. 20

Thanking you Q&A Contact : 21