Dark Fiber: hackers, botnets, cyberwar

by

Dr Teodor Mitew

on 26 August 2016


Transcript of Dark Fiber: hackers, botnets, cyberwar

DARK FIBER
GameOver ZeuS / CryptoLocker
http://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev
Maksym Yastremski is alleged to be "Maksik," well-known in the underground as a top online seller of stolen credit and debit card information. In a U.S. indictment unsealed in August 2009, prosecutors alleged Yastremski earned more than $11 million selling stolen credit and debit card numbers and magstripe swipes from 2004 to 2006 alone.
http://www.wired.com/2009/01/hacking-godfath/
cyberwar
cybercrime
StuxNet worm
Dr Teodor Mitew
tedmitew.com
@tedmitew
#digc202
Global Networks
themes
cryptanalysis
the game of shadows
into the dark
http://www.huffingtonpost.com/2011/03/17/online-persona-management_n_837153.html
http://www.theguardian.com/world/2014/jul/08/darpa-social-networks-research-twitter-influence-studies
“Through the program, Darpa seeks to develop tools to support the efforts of human operators to counter misinformation or deception campaigns with truthful information."

However, papers leaked by NSA whistleblower Edward Snowden indicate that US and British intelligence agencies have been deeply engaged in planning ways to covertly use social media for purposes of propaganda and deception.

Documents prepared by NSA and Britain's GCHQ (and previously published by the Intercept as well as NBC News) revealed aspects of some of these programs. They included a unit engaged in “discrediting” the agency’s enemies with false information spread online.
According to the contract between US Central Command (Centcom) and California company Ntrepid, the software would let each user control 10 personas, each "replete with background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent." The software would also be able to let personas "appear to originate in nearly any part of the world" and interact through "conventional online services and social media platforms," while using a static IP address for each persona to maintain a consistent online identity.

These false online personas, also known as "sock puppets," would be equipped to seem like real people while entering online discussion through blogs, message boards, chats, and more. With a false persona, a user could discredit opponents, or create the semblance of consensus.
http://politicalblindspot.com/leaked-intelligence-agencies-running-mass-number-of-propaganda-accounts-on-social-media/
A fake virtual army of people could be used to help create the impression of consensus opinion in online comment threads, or manipulate social media to the point where valuable stories are suppressed.

Ultimately, this can have the effect of causing a net change to the public’s opinions and understanding of key world events.
http://www.dailykos.com/story/2011/02/16/945768/-UPDATED-The-HB-Gary-Email-That-Should-Concern-Us-All
Persona management entails not just the deconfliction of persona artifacts such as names, email addresses, landing pages, and associated content. It also requires providing the human actors technology that takes the decision process out of the loop when using a specific persona. For this purpose we custom developed either virtual machines or thumb drives for each persona.

This allowed the human actor to open a virtual machine or thumb drive with an associated persona and have all the appropriate email accounts, associations, web pages, social media accounts, etc. pre-established and configured with visual cues to remind the actor which persona he/she is using so as not to accidentally cross-contaminate personas during use.
To build this capability we will create a set of personas on twitter, blogs, forums, buzz, and myspace under created names that fit the profile (satellitejockey, hack3rman, etc). These accounts are maintained and updated automatically through RSS feeds, retweets, and linking together social media commenting between platforms.

With a pool of these accounts to choose from, once you have a real name persona you create a Facebook and LinkedIn account using the given name, lock those accounts down and link these accounts to a selected # of previously created social media accounts, automatically pre-aging the real accounts.
Using the assigned social media accounts we can automate the posting of content that is relevant to the persona. In this case there are specific social media strategy website RSS feeds we can subscribe to and then repost content on twitter with the appropriate hashtags.

In fact using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise, as one example. There are a variety of social media tricks we can use to add a level of realness to all fictitious personas
https://firstlook.org/theintercept/2014/07/14/manipulating-online-polls-ways-british-spies-seek-control-internet/
The secretive British spy agency GCHQ has developed covert tools to seed the internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites, “amplif[y]” sanctioned messages on YouTube, and censor video content judged to be “extremist.”
https://firstlook.org/theintercept/2014/02/24/jtrig-manipulation/
[These] agencies are attempting to control, infiltrate, manipulate, and warp online discourse, and in doing so, are compromising the integrity of the internet itself.

Among the core self-identified purposes of JTRIG are two tactics: (1) to inject all sorts of false material onto the internet in order to destroy the reputation of its targets; and (2) to use social sciences and other techniques to manipulate online discourse and activism to generate outcomes it considers desirable. To see how extremist these programs are, just consider the tactics they boast of using to achieve those ends: “false flag operations” (posting material to the internet and falsely attributing it to someone else), fake victim blog posts (pretending to be a victim of the individual whose reputation they want to destroy), and posting “negative information” on various forums.
http://news.bbc.co.uk/2/hi/7783640.stm
These commentators are used by government departments to scour the internet for bad news - and then negate it. They post comments on websites and forums that spin bad news into good in an attempt to shape public opinion.

A document released by the public security bureau in the city of Jiaozuo in Henan province boasts of the success of this approach. It retells the story of one disgruntled citizen who posted an unfavourable comment about the police on a website after being punished for a traffic offence.

One of the bureau's internet commentators reported this posting to the authorities within 10 minutes of it going up. The bureau then began to spin, using more than 120 people to post their own comments that neatly shifted the debate. "Twenty minutes later, most postings supported the police - in fact many internet users began to condemn the original commentator," said the report.
distributed network
distributed control
key role of nodes in the network architecture
pc + modem =
trouble
the electronic frontier
hacker ethos
don't damage computer systems you break into
don't change the information in those systems
share information
myth of
the internet remembers
the internet is a river of copies...
data is infinitely recombinant
and it wants to be free
that includes your selfies
online, everything is recorded, and you don't know by whom
it is cheaper to record and keep everything, than record and figure out what to delete
the internet doesn't like deletion
its default setting is to record - and keep
offline, we have protocols for creating memories
people know the gestures associated with taking pictures
recording a conversation without tacit approval is creepy
collecting all this data is part of a dynamic of total surveillance
while the net is still distributed in principle, in practice the way we use it is thoroughly centralised within feudal walled gardens
#AfterSnowden
we now
know the dirty secret of the iFeudals -
they spy
for those in power
and even if you don't mind the iFeudals,
their centralisation is a vulnerability
case >>
encrypted p2p botnet
trojan
ransomware
2011-2014
the botmaster
Gameover could be considered the most advanced variant of Zeus, and unlike other variants such as the Citadel and IceX Trojans, it is not for resale. The botnet can be used to facilitate financial fraud on a large scale by hijacking thousands of victims' online banking sessions. The group behind Gameover Zeus uses it to perform these fraudulent activities in real time. Gameover Zeus is typically distributed through an email which poses as an invoice. Once an infected user visits their banking website through a compromised computer, Gameover intercepts their online session using a technique commonly known as man-in-the-browser (MITB). It can bypass two factor authentication and display fraudulent banking security messages to the user to obtain information for transaction authorization. As soon as the attackers get these details, they can modify the users’ banking transactions and steal their money.
http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network
Cryptolocker is one of a large number of ransomware threats, all of which attempt to extort money from the victim by locking their computer or encrypting their files. Cryptolocker is one of the most dangerous variants of ransomware in circulation, since it employs strong encryption that cannot be broken. The threat first appeared in September 2013 and, while it still only comprises a small percentage of overall ransomware infections, it has captured public attention because victims who don’t have their files backed up are liable to lose them unless they pay the ransom.

Ransomware, including Cryptolocker, has proven to be exceptionally lucrative for attackers. Symantec research indicates that on average, 3 percent of infected users will pay the ransom. We believe that ransomware distributors have without doubt earned tens of millions of dollars over the past year.

Victims are usually infected by spam emails which use social engineering tactics to try and entice them into opening an attached zip file. If victims open the attachment, they will launch an executable file disguised to look like an invoice report or some other similar document, depending on the email theme. This executable file will download Trojan.Zbot, aka Zeus. Once infected with Zeus, the infected computer also downloads Trojan.Cryptolocker onto the system. Cryptolocker then contacts a command and control server (C&C), whose address is generated through a built-in domain generation algorithm (DGA). Once a C&C is found, Cryptolocker will download the public key that is used to encrypt the files on the infected computer. The linked private key, which is required for decrypting the files, remains on the C&C server.
http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network
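The DGA-driven C&C lookup described above leaves a trace a defender can hunt for: an infected host fires off a burst of long, random-looking domain lookups, most of which fail (NXDOMAIN) until one resolves. The following is an added example, not code from the presentation or from Symantec; the resolver log format, client addresses and domain names are all constructed for illustration and are not real Cryptolocker domains.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (made up for this example; not real Cryptolocker domains).
SAMPLE_DNS_LOG = """\
2013-10-02T09:14:01 client=10.0.0.12 query=www.symantec.com rcode=NOERROR
2013-10-02T09:14:03 client=10.0.0.12 query=qwxkpzjvtrmbghd.net rcode=NXDOMAIN
2013-10-02T09:14:03 client=10.0.0.12 query=mzplcxvtqkdbhrn.org rcode=NXDOMAIN
2013-10-02T09:14:04 client=10.0.0.12 query=jhdkrtpxbvnlzqm.com rcode=NXDOMAIN
2013-10-02T09:14:05 client=10.0.0.12 query=tqzpbhvmxcdjrkn.biz rcode=NOERROR
2013-10-02T09:14:09 client=10.0.0.33 query=mail.google.com rcode=NOERROR
2013-10-02T09:14:10 client=10.0.0.33 query=xvrtqpmzkdbgjhw.net rcode=NXDOMAIN
"""
LINE_RE = re.compile(r"client=(\S+) query=(\S+) rcode=(\S+)")  # assumed log layout
VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def registrable_label(domain: str) -> str:
    """Crude second-level label: 'qwxkpzjvtrmbghd' from 'qwxkpzjvtrmbghd.net'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label: str, min_len=12, min_entropy=3.2, max_vowel_ratio=0.2) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels are typical of letter-by-letter DGAs."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def find_dga_clients(log_text: str, min_failures: int = 3) -> dict:
    """Clients whose DGA-looking lookups failed >= min_failures times, plus any such name that resolved."""
    stats = defaultdict(lambda: {"nxdomain": 0, "resolved": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, domain, rcode = m.groups()
        if not looks_generated(registrable_label(domain)):
            continue
        if rcode == "NXDOMAIN":
            stats[client]["nxdomain"] += 1
        else:
            stats[client]["resolved"].append(domain)  # generated name that resolved: candidate C&C
    return {c: s for c, s in stats.items() if s["nxdomain"] >= min_failures}
```

Legitimate CDN and tracking hostnames can also be long and high-entropy, so the repeated-NXDOMAIN count per client is the stronger signal; tune the thresholds against your own resolver baseline before alerting on this.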
http://www.trendmicro.com.au/cloud-content/us/pdfs/security-intelligence/white-papers/wp-beyond-online-gaming-cybercrime.pdf
http://www.trendmicro.com.au/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-revisited.pdf
http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/
credit cards, passports, trojans, exploits, rootkits, botnets, phishing kits, credentials
all is for sale
and it pays, for a while...
the art of internet forensics, or the adventures of Brian Krebs [http://krebsonsecurity.com]
TIME, 21 Aug 1995
https://firstlook.org/theintercept/article/2014/08/25/icreach-nsa-cia-secret-google-crisscross-proton/
To allow government agents to sift through the masses of records on ICREACH, engineers designed a simple “Google-like” search interface. This enabled analysts to run searches against particular “selectors” associated with a person of interest—such as an email address or phone number—and receive a page of results displaying, for instance, a list of phone calls made and received by a suspect over a month-long period. The documents suggest these results can be used to reveal the “social network” of the person of interest—in other words, those that they communicate with, such as friends, family, and other associates.
into the bizarre...
surveillance, subversion, hacking, impersonation, hardware attacks, 0-day attacks, exploits, DDOS, sock puppets
The process of scanning entire countries and looking for vulnerable network infrastructure to exploit is consistent with the meta-goal of "Mastering the Internet", which is also the name of a GCHQ cable-tapping program: these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems. Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case.

Using this logic, every device is a target for colonization, as each successfully exploited target is theoretically useful as a means to infiltrating another possible target. Port scanning and downloading banners to identify which software is operating on the target system is merely the first step of the attack. Top secret documents from the NSA seen by Heise demonstrate that the involved spy agencies follow the common methodology of online organized crime: reconnaissance is followed by infection, command and control, and exfiltration.
http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program-for-Internet-Colonization-2292681.html
case >>
cyberwarfare against industrial control systems
attack against Iran's nuclear facilities at Natanz
http://www.kaspersky.com/about/news/virus/2010/Kaspersky_Lab_provides_its_insights_on_Stuxnet_worm
2010 - ?
"I think that this is the turning point, this is the time when we got to a really new world, because in the past there were just cyber-criminals, now I am afraid it is the time of cyber-terrorism, cyber-weapons and cyber-wars," said Eugene Kaspersky, co-founder and chief executive officer of Kaspersky Lab.

"This malicious program was not designed to steal money, send spam, grab personal data, no, this piece of malware was designed to sabotage plants, to damage industrial systems," he said.

"I am afraid this is the beginning of a new world. The '90s were a decade of cyber-vandals, the 2000s were a decade of cybercriminals, I am afraid now it is a new era of cyber-wars and cyber-terrorism," Kaspersky added.
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=0
http://www.timesofisrael.com/stuxnet-gone-rogue-hit-russian-nuke-plant-space-station/
thank you