SPICON: The Future of Cybercrime and the Changing Threat from the Web

This was the most interesting of the sessions I attended. Paller is super knowledgable at a technical level, and at a global level. I could've gone to ten of these.

Allan Paller, SANS

How cybercrime has changed

• Moved from ameteur to full-time professional
• From recreational "explorers" to financial
• From hackers to killers
• From individuals to organized groups
• From financial criminals to terrorists and nation-states

A massive cyber crime wave - mostly because of demographic changes online (primarily Asia).

How do they make money?

• Exortion
• Spam from zombies
• Identity theft for stealing bank balances or credit card fraud
• Spyware
• Web defacement

DoS Extortion
A huge source of extortion - threaten a gambling site with further DoS if they don't pay up. Many are paying multiple extortionists.

How widespread is Cybercrime?
"Any organized crime group that isn't using these techniques should be sued for malpractice"

Extortion in Government
Amundsen-Scott South Pole Station. Romanian Pair. Extorted Money from NSF. Why worry?

Identity Theft: Viruses, Phishing
Why worry? Keyloggers Spyware. Botnets.

SANS Threat Map
Really useful.

What can attackers do with this?
About anything they want.
Normal users should not be admins. Some applications force it - QuickBooks, for example.

Financial use of zombies

• Spam
• Collect zombies
• Zombies can be rented for really cheap DDoS/extortion attack and spamming
• Zombies can be infected with spyware
• Can be used to compromise VPN channels

Interesting Q - one guy is mostly scared about the home user - those are where the botnets are. Paller says education simply doesn't work, so we have to work on other security - more secure OS's; red and green internet; reference to EDUCAUSE - but it's only motivational for the people who see it, and only for a limited time.

Web Defacing
Changing "official information". Changed information on the front page to not believe something else on the site, which altered the stock price.

US State Department Reports
Terrorists raise money for bombs using the same techniques. Imam Samudra - al Qaeda in Indonesia is a hacker who's using hacking to earn money for al Qaeda. Wrote a really good book on how to be a hacker.

US Government Computers Hacked
British Government first disclosed it - lots of information available in the Ukraine.

Where are the bad guys going now?
Changing targets because there are so many of them (bad guys) that there's no space. So the attackers are working to innovate.
Attacks are now moving to the web application space. There aren't any users left to get, so the attackers are going after the applications.

@RISK - Weekly vulnerabilities list
Application vulnerabilities outnumber Windows and Unix vulnerabilities 4 to 1

Where will they go next?
Places they can extort money if they own them. Where they can get in to unprotected resources. Appliances (printers, for example).

Strategies for dealing with the new attacks

• Tools
• Secure Programming Skills
• Contracts

Must-have tools
Webapp security testing
Vulnerability testers that stay up to day
IPS
Exfitreation monitors

Can your programmers code secure web applications?
SANS is working on an exam to determine if a company's developers are capable of writing secure code.