
Geolocation In Cyberwar

Geolocation In Cyberwar. Commander Mukesh Saini (Retd.), Vice President - IT Security. Cyber war is a politico-military matter, and its nature is similar to naval warfare. Based on the Tallinn Manual on the International Law Applicable to Cyber Warfare.





Presentation Transcript


  1. Geolocation In Cyberwar. Commander Mukesh Saini (Retd.), Vice President - IT Security

  2. Cyber war is a politico-military matter, and its nature is similar to naval warfare.

  3. TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBERWARFARE

  4. Rule 11 - Definition of Use of Force. A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force. Rule 30 - Definition of Cyber Attack. A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.

  5. Rule 2 - Jurisdiction: Without prejudice to applicable international obligations, a State may exercise its jurisdiction: • over persons engaged in cyber activities on its territory; • over cyber infrastructure located on its territory; and • extraterritorially, in accordance with international law.

  6. Rule 21 - Geographical Limitations. Cyber operations are subject to geographical limitations imposed by the relevant provisions of international law applicable during an armed conflict.

  7. (Diagram slide; the only recoverable label is "Apps")

  8. Parts of Computrace

  9. The agent communicates with the Absolute Monitoring Centre at regular intervals. If the agent is found to be missing from the OS, it is reinstalled by the Persistent Module, which is installed in the BIOS/firmware (a non-removable part of the BIOS). A self-healing capability repairs the Persistent Module even if the BIOS is flashed.

  10. This is how the actual recovery process works: (1) the Computrace agent is installed and the computer is stolen; (2) the owner contacts Absolute Software; (3) Absolute Software coordinates with a law enforcement agency to recover the stolen laptop; (4) the location of the stolen laptop is identified (IP address, region); (5) the Absolute Theft Recovery Team communicates remotely with the stolen laptop once it is online.

  11. Computrace partners. Computrace has partnered with the firms shown on the slide to embed the Computrace agent module in the firmware of their machines.

  12. Some facts about computrace

  13. Hardware backdoors are lethal, because: • They can be injected at manufacturing time (without your knowledge) • They are small and stealthy (requiring less than 200 KB of disk space and bandwidth) • They are not removed by the usual remediation steps (formatting, OS reinstallation, antivirus, HDD replacement) • They can circumvent other types of security (because they are a trusted, small, stealthy and persistent module). A hardware backdoor is no longer imaginary; it is practical.

  14. A hardware backdoor is no longer imaginary; it is practical. Schneier: possible backdoor in IPMI, iDRAC, IMM2, iLO.

  15. A hardware backdoor is no longer imaginary; it is practical. Captured Intel Drone – An American Intelligence Disaster? “In the case of the stolen CIA drone, the hardware with the backdoor was most likely embedded within the telemetry system, which is the multi-function brain of the drone; in fact every system within the drone is routed through the telemetry system, every sensor, every control, everything.” “Once that hardware is triggered it is programmed to change all the other frequencies used to control the secret drone and allow the Iranians to take total and complete control.”

  16. What if Computrace-like technology is misused? It can become a perfect backdoor: • Persistent • Stealthy • Portable (hardcoded in the motherboard) • Remote access and remote update • No platform dependency • Not detectable by AV. Consider the impact of a compromised device in a military environment, or in a mass distribution of widely deployed technological systems.

  17. Realistic attack scenario: what if someone hardcoded this type of backdoor in a motherboard and put it up for sale?

  18. Realistic attack scenario: or what if a nation state / government makes use of this technology to access your private information?

  19. Cyber-conflicts through ages


  21. Operation Stuxnet

  22. Source: Rayn Mayer, http://www.youtube.com/watch?v=scNkLWV7jSw

  23. State sponsored • Multi-disciplinary groups of workforce • Knowledge of the deep internals of PLCs • Specific target • Knowledge of personnel behaviour at the target • Use of multiple zero-day vulnerabilities (four) at one go • Use of authentic (stolen) digital signatures • Against a specific state

  24. Stuxnet Geographical Distribution. Source: Symantec Security Response

  25. Stuxnet & family. Source: http://www.securelist.com/en/analysis/204792257/Kaspersky_Security_Bulletin_2012_Cyber_Weapons (accessed 10 April 2013)

  26. Operation Orchard

  27. Operation Orchard, 6th September 2007. Israel's 2007 bombing of a suspected nuclear reactor in Syria was preceded by a cyber attack which neutralized ground radars and anti-aircraft batteries.

  28. Operation Neptune’s Spear

  29. (Map slide; recoverable labels: distances of 255 km and 145 km)

  30. Key Findings • APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队). • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.

  31. Key Findings • In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language. • The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.

  32. Source: Mandiant, APT1: Exposing One of China's Cyber Espionage Units (2013)
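Both the stolen-laptop recovery (slide 10, "location identified by IP address, region") and the APT1 findings above rest on the same two signals: the registration region of the connecting IP address and the locale of the connecting system. The script below is an added example, not code from the presentation or from the Mandiant report: it maps source IPs to a registration region by longest-prefix match and tallies the keyboard-layout identifier an RDP client announces, then reports the share of sessions carrying each signal. The prefix table, the region labels and the log format are constructed for the example (RFC 5737 documentation ranges); the keyboard-layout IDs (0x0804 zh-CN, 0x0409 en-US, 0x0407 de-DE) are the real Windows identifiers. The caveat built into the naming is the one a practitioner needs: the region is where the hop point's address is registered, not where the operator sits, which is why the locale is tracked as an independent second signal rather than folded into one "location".

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix-to-registration-region table. Prefixes are RFC 5737 documentation
# ranges and the region labels are hypothetical; a real analysis would load RIR/WHOIS
# delegation data. The nested /26 is there to exercise longest-prefix matching.
REGISTRY = {
    "203.0.113.0/24": "Shanghai, CN",
    "203.0.113.192/26": "Shanghai, CN (hosting provider)",
    "198.51.100.0/24": "Frankfurt, DE",
}
# Most specific prefix first, so the first hit is the longest match.
_NETS = sorted(((ipaddress.ip_network(p), r) for p, r in REGISTRY.items()),
               key=lambda t: t[0].prefixlen, reverse=True)

# Windows keyboard-layout identifiers as announced by an RDP client at connection setup.
KEYBOARD_LAYOUTS = {0x0804: "zh-CN", 0x0409: "en-US", 0x0407: "de-DE"}

# Constructed connection records in a made-up hop-point log format (not real data).
LOG_LINES = [
    "2013-02-01T02:14:07Z src=203.0.113.17 kbd=0x0804 proto=rdp",
    "2013-02-01T02:31:55Z src=203.0.113.201 kbd=0x0804 proto=rdp",
    "2013-02-01T03:05:12Z src=198.51.100.9 kbd=0x0409 proto=rdp",
    "2013-02-02T01:48:30Z src=203.0.113.42 kbd=0x0804 proto=rdp",
    "2013-02-02T02:02:19Z src=192.0.2.250 kbd=0x0804 proto=rdp",   # not in REGISTRY
    "malformed line that the parser must skip",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+) kbd=0x(?P<kbd>[0-9a-fA-F]{4})\b")


def lookup_region(ip: str) -> str:
    """Registration region of the longest matching prefix, or a marker if none matches."""
    addr = ipaddress.ip_address(ip)
    for net, region in _NETS:
        if addr in net:
            return region
    return "not in table"


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "kbd": int(m["kbd"], 16)}


def summarize(lines):
    """Tally sessions by registration region and keyboard layout, plus the share of each signal."""
    events = [e for e in map(parse_line, lines) if e is not None]
    n = len(events)
    by_region = Counter(lookup_region(e["src"]) for e in events)
    by_kbd = Counter(KEYBOARD_LAYOUTS.get(e["kbd"], f"0x{e['kbd']:04x}") for e in events)

    def share(pred):
        return sum(1 for e in events if pred(e)) / n if n else 0.0

    def shanghai_registered(e):
        return lookup_region(e["src"]).startswith("Shanghai")

    def zh_cn_keyboard(e):
        return e["kbd"] == 0x0804

    return {
        "sessions": n,
        "by_region": by_region,
        "by_keyboard": by_kbd,
        "share_shanghai_registered": share(shanghai_registered),
        "share_zh_cn_keyboard": share(zh_cn_keyboard),
        "share_both": share(lambda e: shanghai_registered(e) and zh_cn_keyboard(e)),
    }


if __name__ == "__main__":
    for key, value in summarize(LOG_LINES).items():
        print(f"{key}: {value}")
```

On the constructed log, three of five parsed sessions come from Shanghai-registered space while four of five announce a zh-CN keyboard; the unmatched 192.0.2.250 session is the reason the two shares differ, and it is exactly the kind of session where a registration lookup alone would say nothing.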

  33. OPERATION HANGOVER. The name “Operation Hangover” was derived from the name of one of the most frequently used malware families. The project debug path (the PDB path the compiler leaves in the binary) is often visible inside executable files belonging to this family.
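The debug path the slide refers to lives in the PE file's CodeView debug record: a "RSDS" (CodeView 7.0, GUID plus age) or older "NB10" (timestamp plus age) header followed by the NUL-terminated path of the .pdb file on the developer's build machine. The script below is an added example, not code from the presentation or from the Operation Hangover report: it scans a file image for both record types, validates the path so that the four magic bytes appearing in ordinary data are not mistaken for a record, and then clusters samples by the directory names in their paths, which is the step that turns a path like `...\Hangover\...` into a campaign name. The sample binaries are constructed byte strings standing in for PE files; the paths and names in them are invented for the example.

```python
import struct
import uuid
from collections import defaultdict
from dataclasses import dataclass

# Directory names that carry no project information (build configurations, platforms).
GENERIC_DIRS = {"release", "debug", "x64", "x86", "win32", "bin", "obj", "objfre", "objchk", "out"}


@dataclass
class CodeView:
    kind: str        # "RSDS" (CodeView 7.0) or "NB10" (CodeView 2.0)
    signature: str   # GUID for RSDS, hex timestamp for NB10
    age: int
    pdb_path: str


def _read_path(data: bytes, start: int):
    """NUL-terminated printable ASCII path at `start` ending in .pdb, else None."""
    end = data.find(b"\x00", start)
    if end < 0 or end == start or end - start > 260:
        return None
    raw = data[start:end]
    if not all(0x20 <= b < 0x7F for b in raw):
        return None
    path = raw.decode("ascii")
    return path if path.lower().endswith(".pdb") else None


def find_codeview_records(data: bytes):
    """Scan a file image for CodeView debug records and return the embedded PDB paths.

    A plain byte scan is used instead of walking IMAGE_DEBUG_DIRECTORY so the function
    also works on packed, truncated or memory-dumped samples with damaged headers.
    """
    records = []
    for magic, hdr_len in ((b"RSDS", 4 + 16 + 4), (b"NB10", 4 + 4 + 4 + 4)):
        pos = 0
        while (idx := data.find(magic, pos)) >= 0:
            pos = idx + 1
            if idx + hdr_len > len(data):
                break
            path = _read_path(data, idx + hdr_len)
            if path is None:
                continue   # magic bytes occurring in ordinary data, not a debug record
            if magic == b"RSDS":
                guid = uuid.UUID(bytes_le=data[idx + 4:idx + 20])
                (age,) = struct.unpack_from("<I", data, idx + 20)
                records.append(CodeView("RSDS", str(guid), age, path))
            else:
                _offset, timestamp, age = struct.unpack_from("<III", data, idx + 4)
                records.append(CodeView("NB10", f"{timestamp:08x}", age, path))
    return records


def project_tokens(pdb_path: str):
    """Directory components of a PDB path usable as project/campaign names."""
    dirs = pdb_path.replace("/", "\\").split("\\")[:-1]   # drop the file name
    if dirs and dirs[0].endswith(":"):
        dirs = dirs[1:]                                    # drop the drive letter
    return [d for d in dirs if d and d.lower() not in GENERIC_DIRS]


def cluster_by_project(samples):
    """Map each directory token to the set of sample names whose PDB path contains it."""
    clusters = defaultdict(set)
    for name, data in samples.items():
        for rec in find_codeview_records(data):
            for tok in project_tokens(rec.pdb_path):
                clusters[tok].add(name)
    return clusters


# --- constructed stand-ins for PE files (not real malware) ---------------------------
def _rsds(pdb_path, guid, age):
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\x00"


def _nb10(pdb_path, timestamp, age):
    return b"NB10" + struct.pack("<III", 0, timestamp, age) + pdb_path.encode() + b"\x00"


SAMPLES = {
    "dropper_a.exe": b"MZ" + b"\x90" * 40
        + _rsds(r"D:\Work\Hangover\Downloader\Release\dl.pdb", uuid.UUID(int=0x1111), 2) + b"\x00" * 8,
    # Contains the text "RSDS" as a decoy before a genuine NB10 record.
    "keylogger_b.exe": b"MZ" + b"RSDS is just text here\x00"
        + _nb10(r"C:\Hangover\Keylog\Debug\kl.pdb", 0x4F3C9A21, 1),
    "unrelated_c.exe": b"MZ" + b"\x00" * 32
        + _rsds(r"C:\Users\dev\Tools\x64\Release\tool.pdb", uuid.UUID(int=0x2222), 5),
    "stripped_d.exe": b"MZ" + b"\x00" * 64,   # debug info stripped: no record at all
}

if __name__ == "__main__":
    for tok, names in sorted(cluster_by_project(SAMPLES).items()):
        print(f"{tok}: {sorted(names)}")
```

The path is attacker-controlled text, so a shared token is a lead for clustering, not proof of common authorship; the same caveat applies to the GUID and age, which a builder can rewrite at will.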
