
Page 1: CYD PowerPoint Template...This presentation should not be considered or construed as legal advice on any individual matter or circumstance The contents of this document are intended

UNCLASSIFIED

Cyber Threatscape

SA Raymond P. Martinez

FBI San Antonio

April 1, 2018

Page 2

Legal Disclaimer

The views and opinions of the presenter are the personal views of the presenter and do not necessarily reflect the official policy or position of any agency of the U.S. government.

This presentation should not be considered or construed as legal advice on any individual matter or circumstance.

The contents of this document are intended for general information purposes only and may not be quoted or referred to in any other presentation, publication or proceeding without the prior written consent of the FBI.

Page 3

Cyber Threats

Page 4

Cyber Threats

Page 5

It Takes Time and Resources To Execute…and Recover

2012: Cyber attack wiped 75% of Saudi Aramco’s workstations (over 30,000 workstation HDDs destroyed)

2013: DarkSeoul attack wiped over 45,000 systems and crippled the financial sector of Korea

2014: Hackers wiped thousands of servers and computers across the network of Las Vegas Sands Corp.

2014: Tweet Caused Sony Exec’s Flight to Be Diverted

2014: Sony Breach

Page 6

How Are Organizations Hacked?

Source: Mandiant “end-r31.pdf”

Page 7

I’m Not A Target!

Only amateurs attack machines; professionals target people

Page 8

Internet Of Things (IoT)

Internet of Things (IoT) is the interconnection within the existing Internet infrastructure

According to Gartner, there will be nearly 26 billion devices on the Internet of Things by 2020

What does this mean for you in the future?

Page 9

Already Too Many Cyber Variables

http://www.insecam.org/

73,011 locations with unsecured security cameras in 256 countries

“Secured” with default usernames and passwords

“Designed in order to show the importance of security settings”

Does every digital device in your organization go through stringent security testing?

http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html

Page 10

Hackers Don’t Discriminate

Source: National Retail Foundation

Page 11

Small to Medium Business (SMB)

SMBs make up 54 percent of all U.S. sales and about half of all private-sector payrolls*

Why attack SMBs?

– Low risk and high returns

– Cyber tools are antiquated

– 38% use personal accounts for business+

According to the National Cyber Security Alliance, 60 percent of small firms go out of business within six months of a data breach*

* U.S. Small Business Administration. “Small Business GDP: Update 2002-2010.” January 2012.

+ http://www.mcafee.com/us/resources/white-papers/wp-combating-smb-threats.pdf

Page 12

“Technical Silver Bullet Solution”

2013 Target Thanksgiving Hack

$1.6M spent on a technical solution

The system raised an alert, and their Bangalore team notified the Target Security Operations Center (SOC)

Stole credit card information from 1,797 stores in the US

– 40 million credit card numbers

– 70 million PII records

Gained access through an HVAC company in Pennsylvania

Page 13

Home Depot – Not Quite An Insider…

A third-party vendor was used to gain access to the internal network

Ricky Joe Mitchell

– Hired by Home Depot in 2012

When Mitchell learned he was going to be fired in 2012 from EnerVest Operating, he

– “remotely accessed EnerVest’s computer systems … essentially eliminating access to all the company’s data and applications”

In May of 2014, Mitchell was convicted

Page 14

How Are They Doing This?

Page 15

The Internet

Page 16

Why Do Email Scams Work?

“The user’s going to pick dancing pigs over security every time” – Bruce Schneier

Page 17

CEO Fraud or Business Email Compromise

Page 18

Easily Manipulated – Case Study

Exploiting open source and normal business processes

Social engineering

– DIRECTV.COM vs DlRECTV.COM

– Lowercase “L”
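The DIRECTV.COM / DlRECTV.COM swap on this slide is a lookalike-domain trick that a mail gateway or SOC can catch by comparing a sender's domain against a list of trusted domains after collapsing characters that look alike. The Python below is an added example written for this page, not code from the presentation or from the FBI; `TRUSTED_DOMAINS`, the placeholder `example-corp.com`, the sample sender list and the small confusables table are all constructed for the demonstration. It goes a little beyond the slide's single lowercase-L case by also folding digits, accented letters and the "rn"/"m" pair.

```python
import unicodedata

# Domains this organization treats as trusted senders. "directv.com" is the
# domain from the slide; "example-corp.com" is a constructed placeholder.
TRUSTED_DOMAINS = {"directv.com", "example-corp.com"}

# Hand-picked groups of characters that are easy to confuse in common fonts.
# The first character of each group is the canonical form. A production
# deployment would use the Unicode confusables table instead of this list.
CONFUSABLE_GROUPS = ["l1i|", "o0", "s5", "e3", "a4", "g9", "z2", "b8"]
CANON = {ch: group[0] for group in CONFUSABLE_GROUPS for ch in group}

# Two-character sequences that render like a single letter.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a visual skeleton so lookalikes collide.

    Case-fold, strip accents (NFKD, then drop combining marks), collapse
    two-letter sequences that look like one letter, then map each confusable
    character to its canonical form.
    """
    text = unicodedata.normalize("NFKD", domain.casefold())
    text = "".join(c for c in text if not unicodedata.combining(c))
    for seq, replacement in MULTI_CHAR:
        text = text.replace(seq, replacement)
    return "".join(CANON.get(c, c) for c in text)


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'user@host' or 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").casefold()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'."""
    domain = sender_domain(address)
    trusted_lower = {t.casefold() for t in trusted}
    if domain in trusted_lower:
        return "trusted"
    sk = skeleton(domain)
    for t in sorted(trusted_lower):
        if skeleton(t) == sk:
            return f"lookalike of {t}"
    return "unknown"


# Constructed sample senders, including the slide's DIRECTV / DlRECTV pair.
SAMPLE_SENDERS = [
    "billing@DIRECTV.COM",
    "billing@DlRECTV.COM",              # lowercase L in place of capital I
    "accounts@d1rectv.com",             # digit one in place of i
    "Finance <ceo@exarnple-corp.com>",  # 'rn' in place of 'm'
    "someone@unrelated.net",
]


def audit(senders=SAMPLE_SENDERS):
    """Classify every sender; returns a list of (address, verdict) pairs."""
    return [(s, classify_sender(s)) for s in senders]


if __name__ == "__main__":
    for address, verdict in audit():
        print(f"{verdict:30} {address}")
```

In practice the trusted list would be the organization's own domains plus key suppliers and customers, and a "lookalike" verdict should quarantine the message or at least tag it for review: an exact-match allow list alone would pass DlRECTV.COM as merely unknown rather than as an impersonation.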

Page 19

Business Email Compromise (BEC)

“Bank robbers don't rob banks anymore…they hide behind their computer screens and cover their digital tracks”

$1.1 Billion loss in two years

Scoular Co, an 800-employee company, lost $17.2 Million

Page 20

Reported On August 9, 2015

Page 21

What Does This All Mean?

BANK ROBBERY LOSS IS $3.19 MILLION NATIONALLY… PER MONTH (2011)

INTERNET FRAUD LOSS IS $14.6 MILLION IN LOS ANGELES AREA… PER MONTH (2015)

Page 22

Social Engineering and Social Media

Non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures

ALMOST ALL businesses and executives have a web presence

Results of Social Engineering

– 78% of ex-burglars believe modern thieves use Facebook, Twitter, and Foursquare to find empty homes to rob

– 15% of Americans use social media to report when they have left the home*

Page 23

Indirect and Direct Targeting

Targeting a community service group

– Leaders listed their jobs

LinkedIn targeting

– Profession-based group targeting

Online Dating

– Targeting based on location and jobs

Activities on WORK networks

– Victim let them in through the front door and bypassed ALL defenses

“60% of profile pictures on Internet dating site contains GPS coordinates” – James Lynn

Page 24

Robin Sage

Mid-20s

Degree from MIT

Interned at the NSA

Current position at the Naval Network Warfare Command

300 friends on LinkedIn

Page 25

“Getting In Bed with Robin Sage” - BlackHat

Special Forces training exercise

Social Network Connections

– Employee of the Joint Chiefs of Staff

– CIO of the NSA

– Intelligence director for the U.S. Marines

– Chief of staff for the House of Rep

– Northrop Grumman

– Booz Allen Hamilton

What did she get?

– Job offer from Lockheed Martin

– Dinner and dates

Someone wrote this message to her…“I am a Senior Business Development…with 20 years+ in the Federal Government Homeland Security/Civilian/DoD Security Marketplace” with “expertise in the Cyber‐Security”

Page 26

But I Use Apple…So I’m Okay

According to GFI, the top three most vulnerable operating systems are: Apple Mac OS X, Apple iOS, Linux kernel

– Mac OS X - 147 vulnerabilities were reported, 64 of which were rated as high-severity

– Apple’s iOS - 127 vulnerabilities were reported, 32 of which were rated as high-severity

– Linux Kernel - 119 vulnerabilities were reported, 24 of which were rated as high-severity

Microsoft’s Windows 7, 8 and 8.1 Operating Systems were the least vulnerable OS.

Page 27

App Store malware 'infected 4,000 apps’

Page 28

Cyber Defense

Page 29

SUNWALKRAINDRIVE

Page 30

But Don’t Use the Same Password

If one website was hacked and its credentials were posted online, hackers can try your password on other services

Have different emails & passwords for critical services such as financial services (banks, PayPal, etc.) versus online shopping, stores, and other non-essential services

55% use the same password for most, if not all, websites*

* https://nakedsecurity.sophos.com/2013/04/23/users-same-password-most-websites/

Page 31

LastPass Hacked

"We are confident that our encryption measures are sufficient to protect the vast majority of users," – Joe Siegrist, CEO

Page 32

Check Yourself!

Page 33

Keep Your Systems Updated

One of the easiest ways to protect your systems

Applies to EVERY device

– Computer systems

– Tablets

– Smartphones

Each application will have updates

– Office

– Adobe

– Anti-virus

Many compromises can be avoided with this simple step

Page 34

Backup Your Data!

Where is your backup hard drive?

– Mother Nature

– Hardware failure

– Compromised systems

– Ransomware

Photographs and memories are irreplaceable

Use online backup services

– Most of them have a monthly subscription fee

– Multi-device backup solutions

Page 35

Who Are These “SOPHISTICATED” Hackers?

Page 36

Sextortion | “Mistah X”

Luis Mijangos, a paraplegic wounded in a gang shooting

Victims: 230 (mostly women), of whom 44 were under age

Tools:

– Email, OUTDATED malware, intimidation

What did the Trojan do?

– Control the victim’s webcam

• Surreptitiously obtain naked photos

– Control the girl's microphone

• Recorded conversations

Why did the victims open the email?

– Trojan appeared to be files of popular songs or videos

Page 37

Operation Hackerazzi

“Man hacked into numerous celebrity phones and then distributed the ill-gotten photos to third parties, never asking for any money. He did it because he got a charge out of it. The FBI says the investigation was dubbed, ‘Operation Hackerazzi.’”

TMZ, 10/12/2011

http://www.tmz.com/2011/10/12/fbi-operation-hackerazzi-phone-hacking-arrest-scarlett-johansson-jessica-alba-vanessa-hudgens/

Page 38

The Beginning

In December 2010, semi-nude photos of Christina Aguilera were leaked on the Internet

– Photos were PRIVATE

Initial news reported that her CELL PHONE was hacked

No malware or suspicious activity on her phone…but

Page 39

Initial Investigation

Additional “hacked” photographs appeared online of other celebrities including Scarlett Johansson

All the victims stated that their “cell phones” were hacked

Based on victim statements, the FBI initially focused on mobile devices

– Super malware?

Page 40

Investigation Continues

After additional interviews, the FBI discovered that the subject “hacked” into the victims’ email and entered a forwarding email address in the victims’ email accounts

Essentially an illegal wire/data tap

FBI identified various celebrity victims with the same forwarding address!
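The pattern the FBI used to link victims (one outside address configured as the forward in several accounts) is also the pattern a defender should look for in their own mail environment, since a silently added forward copies every message to the attacker without any further login. The Python below is an added example written for this page, not anything from the presentation or the investigation: it audits a constructed export of per-mailbox forwarding settings, flags every forward that leaves the organization's domains (`ORG_DOMAINS`, a placeholder), and reports external addresses shared by more than one mailbox.

```python
from collections import defaultdict

# Hypothetical domains the organization owns (constructed placeholder).
ORG_DOMAINS = {"example-corp.com"}

# Constructed sample of mailbox forwarding settings, in the shape an admin
# export of per-mailbox forwarding rules might take. All addresses are placeholders.
MAILBOXES = [
    {"mailbox": "alice@example-corp.com", "forward_to": []},
    {"mailbox": "bob@example-corp.com",   "forward_to": ["bob.assistant@example-corp.com"]},
    {"mailbox": "carol@example-corp.com", "forward_to": ["collector@mail.example.net"]},
    {"mailbox": "dave@example-corp.com",  "forward_to": ["collector@mail.example.net"]},
    {"mailbox": "erin@example-corp.com",  "forward_to": ["erin.home@example.org"]},
]


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address's domain is not one the organization owns."""
    domain = address.rsplit("@", 1)[-1].casefold()
    return domain not in {d.casefold() for d in org_domains}


def external_forwards(mailboxes=MAILBOXES, org_domains=ORG_DOMAINS):
    """Map each external forwarding address to the mailboxes that copy mail to it.

    Internal forwards (to a colleague or an assistant) are ignored; every
    external one is a finding, because it sends a copy of all incoming mail
    outside the organization.
    """
    targets = defaultdict(list)
    for entry in mailboxes:
        for fwd in entry["forward_to"]:
            if is_external(fwd, org_domains):
                targets[fwd].append(entry["mailbox"])
    return dict(targets)


def shared_collectors(mailboxes=MAILBOXES, org_domains=ORG_DOMAINS, min_mailboxes=2):
    """External addresses that receive copies from several mailboxes at once.

    One outside address configured as the forward for multiple accounts is the
    same signal the investigators on the slide used to connect victims; in a
    defender's audit it is the highest-priority finding.
    """
    return {addr: boxes
            for addr, boxes in external_forwards(mailboxes, org_domains).items()
            if len(boxes) >= min_mailboxes}


if __name__ == "__main__":
    for addr, boxes in external_forwards().items():
        flag = "SHARED" if len(boxes) > 1 else "single"
        print(f"{flag:6} {addr:30} <- {', '.join(boxes)}")
```

The real input would be whatever the mail platform exports for forwarding settings and inbox rules; the useful policy is to alert on any newly added external forward and to treat the same external address appearing on two or more mailboxes as an incident rather than a misconfiguration.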

Page 41

Challenges

The subject used a Virtual Private Network (VPN) to hide his true location

FBI began tracking his login information

The subject made a mistake and logged in from his home computer

– Tracked the IP address to Florida

Page 42

Search Warrant

In 2011, the FBI executed a search warrant at the subject’s residence based on the IP addresses

Investigation identified the subject as Christopher Chaney

During the search, Chaney confessed to the FBI that he had hacked into emails

Page 43

Operation Hackerazzi – Who Is This Hacker?

Christopher Chaney, 35, of Jacksonville, Florida

Once he “hacked” one celebrity, his target list grew from their contact list

Tools:

– VPN Service

– Intelius, Peoplefinder, Google, etc.

How the heck did he hack the victims?

Page 44

Technical Skills?

No TECHNICAL SKILL

He simply guessed their secret questions!

– Birthday, spouse’s name, anniversary date, etc.

Page 45

Email Hacking Services

Page 46

Anatomy of the Hack

Page 47

Hacker for Hire

Needapassword.com

FBI Los Angeles arrested 5 subjects from Arkansas, China and India

$100 - $500 per hack

Customers’ motivations included revenge, stalking, and jealousy

“Technical skills” of the customers?

Page 48

What Can I Do?

Page 49

Is This Your Cyber Defense?

Page 50

Information Security Industry Scape (04/2015)

https://digitalguardian.com/blog/information-security-industryscape

Page 51

Planning For A Cyber Attack

Easy for me to theorize and recommend…so

Have a plan!

Identify the company’s crown jewels and most critical systems

– Organizational versus C-Suites’ perceptions

Rise in cyber attacks

– Incident Response Plan

Plan for disruptions

– Malicious attacks and accidental

Technical communication plan

– Cell phone, social media, email, etc.?

Tabletop exercise

– Practiced, realistic, and tested

Page 52

Sometimes…No Matter How Much You Plan…

Page 53

Working With Law Enforcement?

Establish a working relationship with law enforcement before the breach

Legal Concerns

– Disclosure to LE or public?

– Brand Protection?

Goals are different between your organization and the FBI

– Cooperate

– Leave actors in place for intelligence collection

Page 54

Questions?

SA Raymond P. Martinez

FBI San Antonio

Telephone: 310.650-6250

Email: [email protected]