High-Profile Cyberattack Investigations: London’s Met Police Share Takeaways Raymond Black | Metropolitan Police About the Speaker • 1990 to 1996 - Uniformed officer working in various locations across South London • 1996 to 2000 - Detective working in various locations across South London • 2000 to 2006 - Territorial Support Group (Riot police) – (2002 to 2003 - Worked in private sector management in Durban South Africa for transport and construction company) • 2006 to 2014 - Operation Trident (proactive firearms and gangs unit) – (2012 to 2013 - Employed by European Union investigating government corruption in Guatemala) • 2014 to Present – Cyber crime investigator Specialist Cyber Crime Unit • Other deployments working in various roles in Jamaica, The Netherlands, Poland and the United States 2 #ISMGSummits ROCU Map 1. North East (NERSOU) 2. Yorkshire & Humber (ODYSSEY) 3. North West (TITAN) 4. Southern Wales (TARIAN) 5. West Midlands 6. East Midlands (EMSOU) 7. Eastern (ERSOU) 8. South West (ZEPHYR) 9. London 10. South East (SEROCU) NATIONAL COORDINATION 3 #ISMGSummits Remit of MPCCU To deal with the most serious offences of: • Cyber-crime facilitated by the use and control of malicious software (malware). • Cyber-crime facilitated by the use of online phishing techniques. • Computer and network intrusions (dependant upon motives and objectives). • Denial of service attacks and website defacement (dependant upon motives and objectives). • The online trade in financial, personal and other data obtained through cyber-crime. • The intentional and dishonest online provision of services, tools etc. to facilitate cyber-crime. 4 #ISMGSummits Threshold of MPCCU • Where life is put at risk • Targeting or impacting on public safety, emergency services or other public systems and services. • Threatening the solvency or continuing existence of the targeted organisation. • Criminality affects at least two police force areas (cross border) • Minimum financial loss or gain of over £100,000. (Subject to on-going review) • The units specialist skills, knowledge and resources are necessary for an effective investigation (the too difficult tray) • There is a significant opportunity to investigate a new or emerging criminal technique. 5 #ISMGSummits A few stats with regards to the UK • An estimated 3.6 million cases of cyber fraud and 2 million computer misuse offences, making these the U.K.'s most common offences. • The total number of all other recorded crimes stands at 6.5 million. • Gap between Police recorded and actual instances of Fraud and cybercrime represents a current under reporting of 90%. • Bank account fraud (phishing) was the most common type. • Costing the U.K. economy almost £11bn in past year. Equates to approx £210 per person over the age of 16 living in the U.K. • Unreported figure is believed to be much higher. • It is estimated that U.K. banks have managed to stop £6 in every £10 targeted by criminals. 6 #ISMGSummits London cyber crime stats • 20% of all national fraud victims reside within London, which equates to about 41,000 individuals. • The Metropolitan Police Service receive 35% of all cyber crime disseminations that are suitable for investigation. • Reported figures for London represent a year on year average increase of 123% in this crime type. • Due to this increase in demand, OP Falcon was launched in October 2014. Falcon's remit is to investigate all fraud and cyber-crime disseminations as well as all cyber dependant crimes (from these, the MPCCU investigate only the most serious crime type as per previous remit). • The original model for Falcon was designed for 12,000 disseminations for investigation per year, a figure surpassed in in the first 5 months of Falcon’s launch. • The number of investigations currently stands at about 27,000 investigations per year. • MPCCU consists of only 26 Detectives. • OP Falcon consists of only 155 Detectives. 7 #ISMGSummits Op Festiva - Disclaimer • Timing – First such presentation to this type of audience regarding this particular investigation. • I cannot tell you everything. • Everything that I will show is available online and can be found through open source searching. 8 #ISMGSummits OP FESTIVA – A case study James J Fox Ltd, London-based specialist retailer of imported handmade cigars. 11 September 2015 - www.jjfox.co.uk subject of an intrusion via SQL injection in which malicious code was injected via a website vulnerability resulting in customer personal data and email addresses being obtained. 9 #ISMGSummits James J Fox The company were unaware they had suffered a data breach until they received a number of emails from [email protected] and [email protected] initially demanding 20 bitcoins (£3103) (£18208 or $30,121 CAD) payment to be paid to 16C39YF8gAz7T6WaTZ1wJ8snigJnUgjS2 or all customer data would be leaked online. A deadline of 72 hours was posted. 10 #ISMGSummits James J Fox • On 16th September received another email from [email protected] titled “Last chance”– • ‘the price went up …7500’ Your business name will be ruined - how much have you lost already from no website. 7500 to the BTC wallet last chance. Or you out of luck and time’ 11 #ISMGSummits James J Fox • 21st September another email from [email protected]. • ‘Hi XXXXX, I’ve noticed that your site is back up and once again: I’m able to gain access to it. You should really just come to terms that you need to work with me on a deal. Please don’t make me ruin stuff once again.’ 12 #ISMGSummits James J Fox • 21st September (same day) another email from [email protected] • Offline again. where is our money? Your website is no more. Must we ruin your customers also? 13 #ISMGSummits James J Fox • 22nd October • A post was put onto pastebin.com saying – • To: Customers of www.jjfox.co.uk, your data is being leaked. Each day 2k (2000) customer details will be added to the page. If 2.5 bitcoins are paid to 197qcfpNbFozv9duGg1Fso3NJdha41RdZi and emailing [email protected] with the transaction ID you can be removed from the list’. 14 #ISMGSummits OP FESTIVA – Talk Talk • TalkTalk Plc, one of the UK’s largest Communication & Internet Service Providers. • 19 October 2015 – A significant increase in SQL ‘GET’ requests against 3 web pages that had exploitable SQL injection vulnerabilities. • 21 October 2015 - Established that they have been subject of intrusion and data breach. 15 #ISMGSummits Talk Talk • 21 October 2015 - 11 demand emails sent to Talk Talk staff, including CEO, from [email protected] signed off with ‘0xff’; Demand made for 465 Bitcoins (£81,677)(£2014625) to be paid into 197qcfpNbFozv9duGg1Fso3NJdha41RdZi or all customer data would be leaked on line. • ‘A few days ago I managed to compromise your entire (talktalk.com)’s 64 databases. I have extracted almost all of the data and your sysadmin walled me after most of the damage had been done’. 16 #ISMGSummits Talk Talk • Hi again, Downtime sucks right? Imagine if the data gets leaked it’ll cost more than what I’m asking for =) • At the end of day, your advisers are going to do what they are paid to do - advise against it, but if you want all these loses go away, just send that payment which is almost nothing in comparison to what will be lost. The fate of your company is in your hands now. 17 #ISMGSummits OP FESTIVA – A case study • Same email addresses and bitcoin wallets • Sample sets of both customer data were posted onto pastebin.com • Both sets of customer data were offered for sale on a website named dbs4sale.org and also on Alphabay, a dark web market place 18 #ISMGSummits Sigaint.org • Currently offline. • Law enforcement unfriendly. • Darknet email service available over the TOR network and pride themselves on providing an email service without revealing your location or identity. • They believe in freedom of speech and any requests from LE would be answered by an email saying that the data requested is impossible to retrieve. • They have never provided user data. • They quote – “Snowden showed us that if we give them an inch, they take a mile. The last shred of trust with law enforcement has been destroyed”. 19 #ISMGSummits Openmailbox.org • Server is located in France. • They promise to respect your privacy. • They claim to be totally independent of all the large service companies on the web. • Privacy is their priority and they’ll do everything they can to ensure the security of the data. • Paid for version with bitcoin. 20 #ISMGSummits Suspect 1 • Part pleaded guilty with regards to TT • Still under investigation for a number of other offences • Aged 15 21 #ISMGSummits Suspect 2 • Aged 16 22 #ISMGSummits Suspect 3 • Pleaded guilty, awaits sentencing • Aged 20 23 #ISMGSummits Suspect 4 • Has already pleaded guilty at a youth court for hacking offences against Talk Talk • Aged 16 24 #ISMGSummits Suspect 5 • Pleaded guilty to TT offences and awaits trial re another matter • Aged 18 25 #ISMGSummits In Summary • These 5 suspects are all known to each other online and are the main offenders against Talk Talk with regards to the SQL scanning, exploiting the vulnerability, the data breach. One of the suspects was identified as being responsible for both extortions. • All devices found to contain Talk Talk customer data and in some instances the vulnerability that was exploited. • Several other U.K. suspects were identified and arrested as having received the Talk Talk data. • There are still suspects, believed to be located in the U.S. and Canada. • Another suspect has been identified and located in The Netherlands and will be further mentioned later in this presentation. • Evidence of multiple server usage, of which one was used to store the Talk Talk data immediately after the breach. 26 #ISMGSummits In Summary • They were all initially released on police bail and most continued to offend whilst on bail.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages44 Page
-
File Size-