From Creeper to Stuxnet
DESCRIPTION
Important (I hope...) milestones in the history of information security
TRANSCRIPT
From Creeper to Stuxnet
“Tell me and I’ll forget. Show me and I may remember. Involve me and I’ll understand.”
Shahar Geiger Maor, VP & Senior Analyst
Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic 2
A Story With A Beginning And No End
The Beginning – Basic Terminology
Phreaking, Cracking and Hacking…
I’m A Creep(er)!
1971: the very first viruses, Creeper and Wabbit
Captain Zap
1981: first person ever arrested for a computer crime
Machine Of The Year
1982
War Games
1983
Introducing: MOD & LOD
1987
When Ideology meets Ego
1991
Professional conferences
1993
Celebrity
1995
The Rise of Malware
1995: The Concept Virus
The Rise of Malware
1999: The Melissa and Nimda Viruses
http://scforum.info/index.php?topic=2528.msg4935;topicseen
The Rise of Malware
2000: The ILOVEYOU Worm
The Rise of Malware
2008: Conficker
The Increasingly Difficult Security Challenge
100s of millions of viruses: signature-based scanning won’t keep up…
Chart: AV Signatures, Jan-00 to Dec-09 (y-axis from 0 to 16,000,000)
Source: Symantec
No Existing Protection Addresses the “Long Tail”
Today, both good and bad software obey a long-tail distribution.
Chart: prevalence of Bad Files and Good Files. Blacklisting works well for the high-prevalence bad files; whitelisting works well for the high-prevalence good files; for the long tail a new technique is needed.
Unfortunately neither technique works well for the tens of millions of files with low prevalence.
(But this is precisely where the majority of today’s malware falls)
Source: Symantec
Growing Amount of Malware – Lower Rate of Detection
Time to detect two submitted samples, Submission-ID 2009-12-10_22-01_0002 and Submission-ID 2010-01-15_22-14_0001 (src: AV-Test.org).

| AV Engine | Time To Detect (2009-12-10_22-01_0002) | Time To Detect (2010-01-15_22-14_0001) |
|---|---|---|
| Authentium | Zero-hour | No detection |
| Avast | 24.28 hrs. | 2.10 hrs. |
| AVG | 10.18 hrs. | 3.52 hrs. |
| CA-AV | No detection | Zero-hour |
| ClamAV | 40.82 hrs. | No detection |
| Dr.Web | 3.68 hrs. | 13.17 hrs. |
| Eset Nod32 | 2.35 hrs. | Zero-hour |
| F-Secure | Zero-hour | 20.03 hrs. |
| Ikarus | 2.55 hrs. | 1.90 hrs. |
| ISS VPS | No detection | No detection |
| Kaspersky | 6.70 hrs. | 14.52 hrs. |
| McAfee | 28.83 hrs. | No detection |
| Microsoft | 11.62 hrs. | No detection |
| Norman | Zero-hour | No detection |
| Panda | 76.48 hrs. | No detection |
| Rising | 71.27 hrs. | No detection |
| Spybot S&D | No detection | No detection |
| Sunbelt | No detection | Zero-hour |
| VirusBuster | 4.05 hrs. | Zero-hour |
Secured Mediation Kiosks
Source: OPSWAT, STKI’s modifications
Nor(malware) distribution
Choose any AV software…
What about the long tail?
Nor(malware) distribution
Choose many AV software…
The long tail problem remains
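The two “Nor(malware) distribution” slides and the earlier long-tail slide argue that even stacking several AV products still leaves the low-prevalence tail uncovered. The Python model below is added here and is not part of the original deck: it builds a constructed Zipf-like file population, models each vendor as only having signatures for malware prevalent enough to reach its telemetry, and adds a prevalence-aware triage step that routes anything on neither list to reputation scoring or sandboxing. All thresholds, names and counts are assumptions, not Symantec or AV-Test data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileSample:
    file_hash: str      # constructed placeholder id, not a real hash
    prevalence: int     # number of endpoints the file has been seen on
    malicious: bool     # ground truth; the defender does not know this


def long_tail_population(count, top_prevalence, malicious, tag):
    """Constructed Zipf-like population: sample k is seen on top_prevalence // k
    endpoints, so a few files are everywhere and most are seen on a handful."""
    return [FileSample(f"{tag}-{k:04d}", top_prevalence // k, malicious)
            for k in range(1, count + 1)]


def vendor_blacklist(population, visibility):
    """One AV vendor (assumed model): it has a signature only for malicious files
    prevalent enough to reach its telemetry, i.e. prevalence >= visibility."""
    return {f.file_hash for f in population if f.malicious and f.prevalence >= visibility}


def vendor_whitelist(population, visibility):
    """Same assumption for known-good software: only widely deployed files get listed."""
    return {f.file_hash for f in population if not f.malicious and f.prevalence >= visibility}


def combined(population, visibilities, listing):
    """'Choose many AV software': the union of several vendors' lists."""
    out = set()
    for v in visibilities:
        out |= listing(population, v)
    return out


def blacklist_coverage(population, blacklist):
    """Share of malicious samples (by count) that some signature catches."""
    bad = [f for f in population if f.malicious]
    return sum(f.file_hash in blacklist for f in bad) / len(bad)


def triage(sample, blacklist, whitelist):
    """Verdict for one file: anything on neither list is 'unknown', which is exactly
    the long tail, where reputation scoring or sandboxing has to take over."""
    if sample.file_hash in blacklist:
        return "block"
    if sample.file_hash in whitelist:
        return "allow"
    return "unknown"


if __name__ == "__main__":
    bad = long_tail_population(1000, 1000, True, "bad")
    good = long_tail_population(1000, 1000, False, "good")
    one = vendor_blacklist(bad, 50)
    many = combined(bad, (50, 20, 10), vendor_blacklist)
    print(f"one AV covers {blacklist_coverage(bad, one):.0%} of malicious samples")
    print(f"three AVs cover {blacklist_coverage(bad, many):.0%}; the tail is the rest")
    wl = combined(good, (50, 20, 10), vendor_whitelist)
    verdicts = [triage(f, many, wl) for f in bad + good]
    print(f"{verdicts.count('unknown')} of {len(verdicts)} samples land in the long tail")
```

Adding vendors raises coverage from 2% to 10% of malicious samples by count in this model, but 900 of the 1,000 malicious files still fall through as “unknown”, which is why the slides call for a prevalence- or reputation-based technique rather than more signatures.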
Organized Cybercrime
2009
M&As in the Cyber Underground…
http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/
SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself.
Common “Positions” in the cyber-crime business
• Programmers
• Distributors
• Tech experts
• Crackers
• Fraudsters
• Hosted systems providers
• Cashiers
• Money mules
• Tellers
• Leaders
http://www.fbi.gov/news/speeches/the-cyber-threat-whos-doing-what-to-whom
Underground Economy
http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf

| Products | Price |
|---|---|
| Credit card details | From $2-$90 |
| Physical credit cards | From $190 + cost of details |
| Card cloners | From $200-$1000 |
| Fake ATMs | Up to $35,000 |
| Bank credentials | From $80 to $700 (with guaranteed balance) |
| Bank transfers and cashing checks | From 10 to 40% of the total; $10 for simple account without guaranteed balance |
| Online stores and pay platforms | From $80-$1500 with guaranteed balance |
| Design and publishing of fake online stores | According to the project (not specified) |
| Purchase and forwarding of products | From $30-$300 (depending on the project) |
| Spam rental | From $15 |
| SMTP rental | From $20 to $40 for three months |
Cyber Wars
1990’s-2000’s-2010’s
Growing Number of Incidents – US
Chart: Incidents of Malicious Cyber Activity Against Department of Defense Information Systems, 2000–2009
http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf
Sources of Attacks on gov.il
Source: CERT.gov.il
Cyber-Warfare is Becoming A Giants’ Playground
http://www.bbc.co.uk/news/technology-11773146
Operation Aurora
http://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf
Advanced Persistent Threat (APT) – RSA Case Study
http://www.nytimes.com/2011/03/18/technology/18secure.html
“Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA.” Art Coviello, Executive Chairman, RSA
http://www.rsa.com/node.aspx?id=3872
Stuxnet:
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=2&hp
(THE NEW YORK TIMES, 15/1/11)
Stuxnet Timeline
Early 2008: Siemens cooperated with Idaho National Laboratory to identify the vulnerabilities of computer controllers that the company sells
2008-2009: Suspected exploits have been created for Siemens SCADA systems
July 2009: Stuxnet began circulating around the world
July 2010: Stuxnet is first discovered by VirusBlokAda
Rootkit.Win32.Stuxnet Geography
Source: http://ebiquity.umbc.edu/blogger/wp-content/uploads/2010/09/stuxnet.gif
Stuxnet in Action: “A Game Changer”
• 10-30 developers (!!!)
• Stuxnet has some 4,000 functions (software that runs an average email server has about 2,000 functions)
• Exploits a total of four unpatched Microsoft vulnerabilities
• Compromises two digital certificates
• Self-replicates through removable drives
• Spreads in a LAN through a vulnerability in the Windows Print Spooler
• Copies and executes itself on remote computers through network shares
• Updates itself through a peer-to-peer mechanism within a LAN
• Contacts a remote command and control server
• Modifies code on the Siemens PLCs
• Hides modified code on PLCs
Vulnerability Timeline
Source: Burton Group
…Let’s talk about Patch Management (PM)
• Mostly Microsoft, security-related patches
• “It’s not the deployment, but the whole process evolving” AKA Pizza Night.
• 20%-50% of an FTE is dedicated to PM
• Common SLAs: 3…6…or sometimes 12 months!!
• VIP patches: up to a week
• Hardware/non-security patches’ SLA: where upgrades or vendor support are needed
Generic Cyber Attacks
1. Individuals/Groups
2. Criminal/Nationalistic background
3. Lots of intervals
4. Lots of targets
5. Common tools
Distributed Denial Of Service (DDOS)
1. Targets websites, internet lines etc.
2. Legitimate traffic
3. Many different sources
4. From all over the world
5. Perfect timing
Advanced Persistent Threat (APT)
1. Group/ Org./ State
2. Ideological/ Nationalistic background
3. Multi-layered attack
4. Targeted
5. Variety of tools
6. Impossible to detect in real time (???)
Security “Threatscape”
Thank You!