1 Attack channels. Attacks, numbers and cases. Who defends the defenders?
Overview of attacks. The numbers to date.
Renato Sabbatini
Mini-courses: E-commerce and online banking: effective cryptographic security
Università degli Studi di Trento, Laboratory of Industrial Mathematics and Cryptography
27 February 2012
R. Sabbatini, Overview of attacks
2 ATTACK CHANNELS
3 Attack channels
Distributed, physical: Equipment tampering; Skimmers; Lost and stolen
Distributed, logical: Malware; MitB attack; *ishing
Centralized, physical: Physical intrusion; Archives theft
Centralized, logical: Data breach; Malware; Credentials misuse
4 ATTACKS, NUMBERS AND CASES
5 What. Attacks, the numbers. [Figure from: Verizon Data Breach Investigations Report]
6 How much. Attacks, the numbers. [Figure from: Verizon Data Breach Investigations Report]
7 How much. Attacks, the numbers: ATM
European ATM Security Team (EAST) has just published an ATM crime report covering the full year There has been a 14% drop in ATM related fraud losses in 2010, with total losses of 268 million reported (down 44 million from 312 million in 2009). This is the second successive annual drop, following on from the 36% fall reported for This fall is driven by a reduction in losses due to card skimming attacks, which have fallen for the past six half yearly reporting periods, from a peak of 315 million in December 2007, to the current level of 123 million in December ATM related fraud attacks fell by 7% with a total of 12,383 incidents reported (down from 13,269 incidents in 2009). The majority (82%) of ATM related card skimming losses are now international with most now occurring in countries outside of Europe. The risk of counterfeit EMV cards being used to withdraw cash fraudulently from ATMs in parts of the world that are not EMV compliant remains high and is leading some European card issuers to implement additional security measures. Physical attacks on European ATMs have fallen by 16% when compared with 2009 (down from 2,468 to 2,062 incidents). Within this total the number of reported explosive and gas attacks (278) has gone up for the second year in succession, an 88% increase when compared to Overall losses rose 18% to 33 million (up from 28 million in 2008).
8 How. Attacks, the numbers. [Figure from: Verizon Data Breach Investigations Report]
9 Who. Attacks, the numbers. [Figure from: Verizon Data Breach Investigations Report]
10 From where. Attacks, the numbers. [Figure from: Symantec, Report on Attack Kits and Malicious Websites]
11 Where. Attacks, the numbers. [Figure from: Verizon Data Breach Investigations Report]
12 Where. Attacks, the numbers. [Figure from: Verizon Data Breach Investigations Report]
13 Costs. Attacks, the numbers. [Figure from: Symantec Annual Study, U.S. Cost of a Data Breach]
14 Costs. Attacks, the numbers. [Figure from: Symantec Annual Study, U.S. Cost of a Data Breach]
15 Costs. Attacks, the numbers. [Figure from: Symantec Annual Study, U.S. Cost of a Data Breach]
16 Costs. Attacks, the numbers. [Figure from: Symantec Annual Study, U.S. Cost of a Data Breach]
17 Last minute: Report highlights. Attacks, the numbers
Spam: 69.0 percent (an increase of 1.3 percentage points since December 2011)
Phishing: One in s identified as phishing (an increase of 0.06 percentage points since December 2011)
Malware: One in s contained malware (a decrease of 0.02 percentage points since December 2011)
Malicious Web sites: 2,102 Web sites blocked per day (a decrease of 77.4 percent since December 2011)
Spammers continue to take advantage of holidays and events
Source: Symantec Intelligence Report: January 2012
18 Last minute: Spam. Attacks, the numbers. [Figure from: Symantec Intelligence Report: January 2012]
19 Last minute: Phishing. Attacks, the numbers. [Figure from: Symantec Intelligence Report: January 2012]
20 Last minute: Virus. Attacks, the numbers. [Figure from: Symantec Intelligence Report: January 2012]
21 Last minute: Phishing. Attacks, the numbers. [Figure from: Symantec Intelligence Report: January 2012]
22 Last minute: Web-based malware. Attacks, the numbers. [Figure from: Symantec Intelligence Report: January 2012]
23 Last minute: Web Policy Risks from Inappropriate Use. Attacks, the numbers. [Figure from: Symantec Intelligence Report: January 2012]
24 Attacks, the cases: Millions hit in South Korean hack
South Korea has blamed Chinese hackers for stealing data from 35 million accounts on a popular social network. The attacks were directed at the Cyworld website as well as the Nate web portal, both run by SK Communications. Hackers are believed to have stolen phone numbers, addresses, names and encrypted information about the sites' many millions of members. It follows a series of recent cyber attacks directed at South Korea's government and financial firms. The Nate portal gives people access to web services such as while the Cyworld social site lets people share images and updates with friends and allows them to create an avatar that inhabits a small virtual apartment.
Population of South Korea: 48,860,500 (estimate for July 2012) (CIA data): an entire nation cloned. At least within the social network, the attacker could assume anyone's identity!!
25 Attacks, the cases: China-Based Hacking of 760 Companies Shows Cyber Cold War
Dec. 9 (Bloomberg) Google Inc. (GOOG) and Intel Corp. (INTC) were logical targets for China-based hackers, given the solid-gold intellectual property data stored in their computers. An attack by cyber spies on iBahn, a provider of Internet services to hotels, takes some explaining. iBahn provides broadband business and entertainment access to guests of Marriott International Inc. and other hotel chains, including multinational companies that hold meetings on site. Breaking into iBahn's networks, according to a senior U.S. intelligence official familiar with the matter, may have let hackers see millions of confidential s, even encrypted ones, as executives from Dubai to New York reported back on everything from new product development to merger negotiations. More worrisome, hackers might have used iBahn's system as a launching pad into corporate networks that are connected to it, using traveling employees to create a backdoor to company secrets, said Nick Percoco, head of Trustwave Corp.'s SpiderLabs, a security firm.. China has made industrial espionage an integral part of its economic policy, stealing company secrets to help it leapfrog over U.S. and other foreign competitors to further its goal of becoming the world's largest economy, U.S. intelligence officials have concluded in a report released last month.. In one instance, a ranking officer in China's People's Liberation Army, or PLA, employed the same server used in cyber-spying operations to communicate with his mistress. For now, administration officials have correctly assessed that they lack the leverage to compel China to change its alleged criminal behavior, he said. The Cold War is a pretty good analogy, Falkenrath said. There was never any serious effort to change the internal character of Soviet state.
At a minimum, the November intelligence agency report does throw down a marker in that conflict, said Estonian Defense Minister Mart Laar. Estonia, which suffered a massive cyber attack in 2007 it said originated from Russia -- is pushing for a NATO cyber defense alliance.
26 Attacks, the cases: Saudi hackers claim release of Israeli credit card info
(CNN) A group claiming to be Saudi Arabian hackers is posting the credit card information and other identifying data of thousands of Israelis online, prompting an international investigation. The group first posted a message Tuesday, which included claims that 400,000 credit card numbers had been published. "Hi, it's OxOmar from group-xp, largest Wahhabi hacker group of Saudi Arabia," read a statement posted on an Israeli sports website the group hacked into. "We are anonymous Saudi Arabian hackers. We decided to release first part of our data about Israel. The Bank of Israel released a statement Tuesday saying that based on information from credit card companies, only about 15,000 credit card numbers were exposed, and those cards were blocked for use in Internet and telephone purchases. Thursday, the group claimed to have released another 11,000 credit card numbers and threatened to publish many more. Yoram Hacohen, the head of the Israeli Law, Information and Technology Authority at the Israeli Ministry of Justice, told CNN in a phone interview Friday he's more concerned about the private information that was released, not the credit card numbers.
Saudi hackers attack Israel's stock exchange and national airline
The websites of the Tel Aviv stock exchange and the Israeli national airline have been attacked by hackers identified with a known Saudi group. There have been attacks in the past two weeks on Israeli businesses with details of credit cards posted online.. According to OxOmar, "I want to harm Israel in any way possible. I can harm them in Cyber world so I would do anything for this world. I'll let Israeli authorities cry and suffer.". "OxOmar" also demanded apology from the Deputy Foreign Minister Danny Ayalon, who said that the hackers' activities were acts of terror..
BBC reports that after the hacker attack that affected at least 20,000 active credit cards, an Israeli hacker retaliated, publishing details of hundreds of Saudi credit cards online, portending a possible escalation of cyber-war in the Middle East.
27 Attacks, the trends
Cybercrime Trend 1. Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware
Cybercrime Trend 2. Cybercriminals will Find New Ways to Monetize Non-Financial Data
Cybercrime Trend 3. Fraud-as-a-service Vendors Will Bring New Innovations
Cybercrime Trend 4. Out-of-band Methods Will Force Cybercriminals to Innovate
Cybercrime Trend 4. The Rise of Hacktivism
Cybercrime Trend 4. Better Information Sharing will Lead to More Crackdowns on Cyber Gangs and Botnet Operators
Source: RSA cyber-crime trends report
28 Mobile! Attacks, the trends. [Figure from: IBM, X-Force Trend and Risk Report]
29 Mobile! Attacks, the trends. [Figure from: IBM, X-Force Trend and Risk Report]
30 Mobile! Attacks, the trends
Smartphones and other mobile devices serve the same functions as laptop computers, with comparable computing power, but with little or no endpoint security.
Source: Malicious Mobile Threats, Report 2010/ Juniper Networks Global Threat Center Research
31 Mobile! Attacks, the trends. [Figure from: Malicious Mobile Threats, Report 2010/ Juniper Networks Global Threat Center Research]
32 WHO DEFENDS THE DEFENDERS? (and whom do we trust?)
33 The defenders attacked: Who defends the defenders?
The Comodo Affair
- Generation of a series of fraudulent certificates that would have allowed the attacker to impersonate some of the best-known sites supporting the SSL protocol (the famous padlock!)
- It does not appear to have caused damage, but it certainly undermined users' confidence in a security mechanism that had been universally accepted (until today)
- In this case too, the attack has a geopolitical dimension
The Black Tulip Affair (source: ENISA, Certificate authorities lose authority)
- DigiNotar, a digital certificate authority (CA), recently suffered a cyber-attack which led to its bankruptcy
- No immediate incident reporting: DigiNotar did not immediately report the cyber-attack to customers or government authorities, which put the security and privacy of millions of citizens at risk.
- Fundamental weaknesses in the design of HTTPS: In the current setup, browsers and operating systems (e.g. Microsoft's certificate store) place trust by default in a large number of CAs (hundreds) by default, so a failure with one of them creates a risk for all users and all websites.
- Failure to implement basic security measures: The Fox-IT report shows that basic security measures were not taken, no anti-virus in place, weak administrator passwords and insufficient logging (DigiNotar was audited yearly by an independent auditor against the ETSI standard (TS101456) for certificate authorities)
The RSA Affair
- A very sophisticated attack carried out against the infrastructure of one of the most important companies providing security solutions and cyber-crime monitoring
- In reality, rumor has it that it came down to the most banal of errors: opening an attachment in an e-mail
- Theft of information relating to the SecurID two-factor authentication system
- Communication about the attack was very incomplete, and triggered every kind of conspiracy theorizing
34 The defenders attacked: The Symantec Affair
(Reuters) - Symantec Corp, the top maker of security software, said hackers had exposed a chunk of its source code, which is essentially the blueprint for its products, potentially giving rivals some insight into the company's technology. The developer of the popular Norton antivirus software said the hackers stole the code from a third party and that the company's own network had not been breached, nor had any customer information been affected. The software maker would not confirm the claim of a group called the Lords of Dharmaraja, who said that they had obtained Symantec's source code by hacking the Indian military. Some governments ask their security vendors to provide their source code to ensure there is nothing in the code that could act as spyware, said Rob Rachwald, director of security strategy at data security firm Imperva..
(CNET News) Backtracking on earlier statements blaming a third party, the security software maker acknowledges that hackers infiltrated its own networks. Symantec said today that a 2006 security breach led to the theft of source code for some of its flagship products, backtracking on earlier statements that its network had not been hacked. The security software maker, which had previously blamed the theft on a third party, acknowledged that hackers had infiltrated its own networks. The hackers obtained 2006-era source code for Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and PCAnywhere, the company said in a statement. "Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006," a Symantec representative said in a statement.
The software maker said that due to the age of the exposed source code, most Symantec customers are not in any increased danger of cyber-attacks as a result of the code's theft. However, the company said users of its remote-access suite PCAnywhere may face a "slightly increased security risk," and that the company is in the process of notifying those users of the situation and providing them a remedy to protect their data.
35 Who defends the defenders?
36 Conclusions
37 Conclusions
.. We live in a tough world full of liars and deceivers. Competition is fierce and unforgiving. People lie...
Pete Herzog, co-founder of ISECOM (Institute for Security and Open Methodologies), in the presentation of the TROOPERS 12 event "Make the world a safer place", to be held in Heidelberg in March
38 Conclusions: Regional Card Blocking (Geo-blocking)
Regional Card Blocking, or geo-blocking, is becoming more common in Europe. This is when card issuers block their cards from being used in specified countries or regions. Typically customers then have to opt-in to have their cards approved for use outside of Europe. EAST first provided information on geo-blocking with an update from Norway in the December 2010 Monthly Update
Why is geo-blocking becoming popular with EMV card issuers? Most EMV (Chip and PIN) cards also have a magnetic stripe and this stripe is still vulnerable to being copied or skimmed by criminals. Cloned cards made from copied EMV data cannot typically be used at EMV compliant ATMs or payment terminals, because there is no Chip. However they can be used in countries where there are no EMV terminals, or where signature-based transactions are still common. The implementation of geo-blocking means that skimming related card losses can fall significantly. In January 2011 the Belgian Banks introduced geo-blocking for debit card usage outside of Europe. The results were spectacular, with dramatic falls in the number of card skimming incidents and also in skimming related losses. Several banks in Germany have also started to implement geo-blocking and banks in other European countries are starting to follow suit.
What do cardholders think? EAST carried out a research poll on Smart Card Security in January and February The result showed that 60% of the respondents were in favor of action being taken as follows:
1. 28% indicated that they would be happy to contact their bank to have the stripe on their card activated before travelling outside Europe;
2. 12% indicated that they would be happy to carry a chip only card, and to apply for a separate stripe card should they need to travel outside Europe;
3. and 20% agreed with both approaches.
And geo-blocking is not just happening in Europe.
By June of this year all Singaporean banks will block ATM and ATM-linked debit cards from being used overseas, unless individual customers request otherwise. It seems that, as long as some countries do not adopt the EMV standard, geo-blocking is here to stay! European ATM Security Team (EAST) February 2012 Update
39 Conclusions
Perhaps, in addition to everything we are doing in the area of DLP (Data loss prevention), we also need actions oriented toward:
- DBDP (Data breach disaster recovery)
- DVR (Data value reduction)
Thank you!