My name is Iftach Ian Amit, and today we're going to talk about cyber crime. I had to put this in just because someone forced me, so you can't read it; it's in font size 2 or something. This is the hacker me, all right? This is not the business me. I actually wear suits sometimes, but yeah, yeah, yeah. And this has nothing to do with what I'm actually working on and doing, so don't blame me or attribute this in any shape or form to my professional work. This is what we're going to talk about. I'm going to start by blabbering on about myself for like 60 seconds. We're going to talk about cyber war, attack and defense; cyber crime, attack and defense; and then we're going to try to connect them. You should have done some homework before coming in here, or if you haven't, I highly recommend you do it after this talk, which is to see my DEF CON 17 talk, because this is like a post-text to what we found there.

So what gives me the right to be here? I still haven't figured it out. I have a computer science education and that's it. I'm not a CISSP or any other certification. I'm a hacker, I'm a researcher. I used to manage research for a few security companies focusing on cyber crime, malware, network forensics and stuff like that. I used to manage development, so I've been on that side too, of trying to build software rather than break it. And in whatever spare time I have, I do some reserve duty for the Israeli Air Force. Again, cyber stuff. I'm going to say "cyber" a lot today because there are just no other terms for that work. I'm really going to try for this. What's that? "It's been built, Turkish. Oh, Tommy, there's a gun in your trousers. What is a gun doing in your trousers?" "Protection." "Protection from what?" "The Germans." Yeah. If you do catch me fucking around, just throw something at me so I know I'm wrong, and please, please shout, because I can't hear everyone from here.
If you've got anything to say, if you want to call bullshit or something, stand up and say it. I'll be more than happy to amend this presentation and add info to it or remove info from it as needed.

So, a quick recap. This talk basically wouldn't be here if it wasn't for my research from last year. Last year I talked about, I was doing some research on cyber crime and I tried to figure out how it works from behind the scenes. Beyond the technology, beyond the malware and the polymorphism, and I'm going to wait with the A-bomb and all the technical stuff, just to see how it works from behind the scenes. Who is commissioned to write the software? Who is commissioned to run it? How does money get transferred between those entities? How is an actual criminal organization being managed? And this is where we kind of left off last year, where we found, I'm sorry about the projection, it's a little dark, but what you should see here are some documents that we found on a criminally operated server that we somehow managed to get access to. Again, watch the talk from last year. That really didn't have a lot of commercial sense. If you're talking about cyber crime, you're always talking about how to make money. Well, you can't really sell this on the open market. These are maps that were in a PowerPoint presentation denoting fighter target positions with their GPS coordinates on a satellite view, and this is like a schedule for something. You can probably read it later on the slides. And a lot of stuff that shouldn't really have been out there, and I consider this out there because the way we got access to that criminal server is horrendously stupid. It's just like having it on the internet, which is how it was. This is finally declassified, so I don't have to skip through it really quickly. That's software that, again, was accessible to or was stolen by this criminal organization.
That software manages an air situation, scenery, whatever, for militaries, and it controls the bombing and whatever. It's got a lot of nifty stuff that shouldn't be out there. But again, finally declassified. When I get some more information, track back to the DEF CON 17 talk. It's a lot of fun. And at that point, where we saw that kind of information on that server, we got hungry. Well, at least I got hungry. One of the conclusions from last year's talk was, well, maybe we should try to LoJack some of the information, or LoJack the server itself, because it kept moving, which we actually did. We kind of fingerprinted the different files and the different data that was on the server and tried to figure out where it's going to pop up. And it popped up. And this is why we're all here and I can talk at DEF CON again, about beyond cyber crime, or where cyber crime connects to beyond just the economic side of things.

So in order to make those connections, and the title is Cyber Crime/War: Connecting the Dots, first let's visit what cyber crime or cyber war is. What is this? Show of hands. A bullet hole. Excellent. This is what we're dealing with on a daily basis. Why am I saying this? Because you don't know what that bullet hole relates to. Is it part of a gang shootout in the streets of wherever, Detroit? Or is it a bullet hole in some armored vehicle that was shot on the battlefield? We're dealing with the little fragments, with the little incidents, technical incidents, all the time: with the malware, with the exploit, with the vulnerability. And in this talk I'm going to try and do that zoom out and kind of take a look at the whole scenery. Try to figure out if this belongs to cyber crime or cyber war, and what the connection between these two really is. So I was kind of looking at the definitions, and what cyber war is versus cyber crime. And the bottom line is that it's not that different. It might have slightly different financing, but it's still heavily financed.
Management is a little different, but again, there's a lot of management, a lot of hierarchy, a lot of structure in how those things are done. And when you go and look up what cyber war is, the Wikipedia definition, which I'm going to bash through the next 50 minutes, says cyber warfare, everyone knows what it is, is the use of computers and the internet in conducting warfare in cyberspace. Now, this definition is all nice and dandy, but again, it's missing a critical thing from my perspective, which we'll talk about in a few minutes. And if you're here in the U.S., you probably know this guy who was quoted saying "there is no cyber war." Who is this? Schmidt, right. It might have been a slip of the tongue. It might have been politics or whatever. And there's always someone saying, well, there's no cyber war, except when it happened in Estonia, or maybe Georgia, or India, Google, Adobe. I mean, there's always an exception, and there's always someone who tries to break out of that mold, because there isn't really a solid definition of what cyber war is and how to treat it in the modern day and age.

And what we're going to try and do here is really make the connections between the dots, really connect the dots. We're going to look at some past cyber war events and try to figure out where they came from, what the MO was, and how these things connect in the global perspective. Cyber war is not only state versus state. It's not only Kremlin versus DC. It's not just spy versus spy either. There's a whole area for cyber espionage, which doesn't happen all the time, and from my perspective, cyber espionage is the pretext of war. It's countries preparing for war. Therefore, they're conducting espionage on an active level to make sure that they're going to be ready when the actual war-war is going to happen. And just like in any war, civilian targets are going to be hit. There's going to be collateral damage in cyber war as well.
We're not just talking about taking down a SCADA system here or taking down some military system over there. We're talking about carpet bombing, DDoSing civilians, and just like in any war, propaganda and public image are also a big part of it. There's been a lot of talk about cyber war, and I'm just going to quote, or steal, some stuff from McAfee, with permission of course. This is McAfee's Virtual Criminology Report from 2009, where they kind of pointed out the countries developing advanced offensive cyber capabilities. They named five different countries, including the US, France, Russia, China and Israel. A small country, a little dot in here. You can't even see it. But size doesn't matter. Trust me. In this talk, I do believe McAfee, and I do believe that France has a lot of offensive capabilities, until the Germans come over. In this talk, though, I'm going to talk about all those countries minus France plus Iran, because they have been a little more active, as you probably know, in this whole cyber thingy that everyone likes to talk about. And again, size doesn't matter. We're the smallest but the biggest. So without further ado, let's cover those five countries really quickly and then move over to the criminal side.

So this is it, the US. Not a lot of secrets to unveil, because everything is fairly well documented and there's a lot of stuff going on around cyber war. If you were at the Meet the Feds talk yesterday, you heard the number of open jobs that DoD and the Air Force and STRATCOM have for cyber warriors or experts or whatever you want to call them. They're recruiting massively. Setting up STRATCOM, for example, with General Keith Alexander, if I'm not mistaken, heading this joint effort from all the military sides as well as NSA and stuff like that. The usual suspects, NSA. The best TLA I ever saw here was CAT. Anyone know what CAT is? No? Oh, come on. You should see the logo. It's kind of not presented well here. CAT is the Cyber Action Team.
It's a unit in the FBI responsible for cyber action. I wonder how much action these guys get?

Russia. Russia is again fairly well documented. The only problem with Russia is terminology. There have been a lot of movements there, especially post Soviet Union, whatever. So a lot of agencies got new names and split up and merged back. I'm just going to name the few that are actually active on that front. GRU is the main directorate of the Russian armed forces. They do a lot of cyber espionage and foreign stuff. SVR and FSB are internal and external, kind of the equivalent of NSA and FBI, give or take. FSB used to be called the KGB. These are the same guys. Again, terminology. I love their logos, by the way. Really, really cool. I mean, if you could get those as laptop stickers, please do. Shoot me an email. One of my favorite agencies is just called the Center for Research of Military Strength of Foreign Countries. So there's no hiding about it. It's like me walking around Vegas yesterday in an "I'm a liability" t-shirt. It's like, you know, no surprises. And last but not least, there's a thing in Russia called Nashi. It's the National Youth Association. There are several of these. They're kind of a political party for teenagers, or, I don't know, kind of Boy Scouts but with a political flavor to it. Tightly coupled with actual political parties, if you can say that, in Russia. And these guys carry out a lot of actions that the party wants, without being directly connected to government decisions. So remember these; we're going to talk about them in like 20 minutes.

China. There have been enough talks about China. Again, read the Northrop Grumman report. It's got a lot of information that was kind of available before, but they just kind of concentrated it and summarized it very, very well. Some people call it old. I just tell them, you know, read it through, because it's got a lot of scattered information that was available before.
So it might be a little old, but in a very well-formed manner. These guys run the Third and Fourth General Staff Departments, for electronic countermeasures and SIGINT, signals intelligence, which basically mean offense and defense, respectively. And yes, these guys have been practicing. All right, Titan Rain, Google, whatever. They have the capabilities, they have the knowledge, and they definitely have the infrastructure and the hierarchy to run all that attack and defense.

Iran. That's a little kind of shady. Not a lot of information. The one thing that you may notice in Iran is the amount of growth they went through in the past five years in terms of internet connectivity, and this is fiber connectivity. And by the way, the Telecommunication Infrastructure Company, it's like the monopoly for internet communication in Iran, is the government telecom monopoly and works very, very closely with the Iranian armed forces. So everything is controlled by them. If you thought that the Chinese Great Firewall is strict, check out Iran. All right, it's even worse.

Last but not least, Israel. You're not going to see anything interesting here because this is all Google stuff. I can't really tell you from-the-trenches stuff, so it's going to be a little boring. Google it, there's a lot of information, and again, it's going to give you some perspective on what's going on. The IDF is like the main actor in terms of cyber offense and defense, adding a lot of attack capabilities. Again, Google, you'll find this. In the IDF they have C4I, which you guys have here as well, command, control, communications, computers and intelligence branches in all the different branches of the military. So you have intelligence, air force and navy.
Staffing is mostly homegrown, and people actually get trained in the army to do cyber stuff, which is a little different again from here, where you can recruit people to join the government or the military to do some cyber stuff after they've gained their profession out in the industry. And again, last but not least, Mossad. Again, it's a fancy word for NSA or some spy agency, but it's not that secretive anymore. They have a website, sorry. They have a website with a job section on it, so you can actually check out the jobs, and based on the open jobs they post there, you can figure out what they're doing in terms of capability building and infrastructure.

So let's get back to cyber war, and let's bash the Wikipedia definition once and for all. In my book, cyber war, or at least an attack in cyber war, is highly selective targeting of military and critical resources. Again, we're veering away from just military and bringing in critical resources as well. In conjunction with a kinetic attack. Right, this is war. This is, you know, strategy broken down into tactics. So you move tanks and platoons on the ground here, and to support them, or to complement their movement and attack, or in defense, whatever it is, you run a cyber attack, all right, on the military that they're facing, on the area that they're going into; you want to blanket out whatever it is. Or just DDoS a region, okay? Have everyone put their finger on the death grip of the iPhone involuntarily, or whatever it is, to blanket out a region, to get the public's attention or to deny the public access to up-to-date information. Very effective, works all the time. It's the equivalent of Vietnam, you know, throwing leaflets from B-52s on the civilian population. So this is cyber war, again, in my book. You can argue all you want, all right, that's what I think. You want to take it out to the bar, that's fine.
So there is cyber war, and there were acts of cyber war, as we'll see in a few minutes. On the defense side, yeah, we're not really there. And because targets are never just military, we're talking about civilian as well. And civilian is, you know, beyond critical infrastructure. It can be media, it can be hospitals, it can be hospitality, it can be a lot of other things that can affect public opinion and the public view of things. Physical and logical protections as a defensive side should be considered a last act of defense, all right? And the ability to shut down a service voluntarily, while preventing access from the civilian population, is in the book of, you know, acts and tactics to retain the survivability of the service or whatever it is. So this should be considered a valid tactic in terms of defense, actually shutting down things or preventing access to, you know, fight against the DDoS or whatever it is.

Okay, so we've covered cyber war, attack and defense, fairly easy. Let's talk about cyber crime before we connect the two. If this doesn't show up when you're talking about cyber crime, you're doing it wrong, all right? You're missing something. Look for this, very easy, all right? And you might be surprised sometimes. I was, gotta tell you, surprised a lot of times when this popped up in weird places. So this is, in my book, the definition of cyber crime. These guys work. These guys are like the Gordon Gekkos of the crime world. They have a very well organized, methodical infrastructure and hierarchy, and they work just like any Fortune 500 company. There's the CEO, there are VPs, there are marketing channels, there are guys on the ground, there's an IT department, they outsource a hell of a lot of stuff because it's cheap and it's easy. And again, check out the talk from last year to get some more information on how this actually works in terms of cyber crime. In terms of attacks, this is the stuff that we're all kind of seeing all the time, every day.
Usual channels: web, mail, open services, where we get all the spam and the malware and the PDFs and stuff like that that steal our social security numbers and run transactions for us. Targeted attacks are gonna happen on premium resources. I'm not gonna say it, but I'm gonna say it: Google and stuff like that is a prime target. Specific companies with specific assets are prime targets. F-35. Carpet bombing is gonna be used for most attacks. The standard ops are gonna be pharming and phishing and stuff like that, but they're gonna be very, very geographically targeted, because you can't send Bank of America spam to guys in France, and you can't send Deutsche Bank spam to customers in the UK. So everything is very, very geographically targeted and segmented in terms of marketing, hence, again, the structure above it: bodies or organizations specializing in specific regions. Secondary infections will happen through the initial ones, so once you get a foothold on one asset, or on one organization or market segment, it's usually gonna be the base to pivot off additional attacks.

This is how it looks. And again, this is from last year, sorry for not updating this. These are the effects of a single criminal server in terms of the sites that it infected or compromised to carry out their attacks. So we mapped it out, we lit up a point, this is obviously an approximation, for every domain and URL that was compromised to include malicious attack code, and we put it geographically. Now, you have to remember that that server from last year catered for at least five different criminal organizations. This is like SaaS for criminals. So everyone was running their own regional thing. And again, you can kind of see that with the focus on the East and West Coast of the US, the western part of Europe, and some scattered attacks in East Asia, Australia, and some of Brazil and South America. This is how it looks in terms of the actual groups.
Once you start tracking back whose account it is on the server that runs the attack on those URLs, and whose account is another one, and you map it out with intelligence information from law enforcement and your own kind of open source intelligence, you can kind of focus down on the groups that actually run the criminal operations. So again, it's not a big surprise. These groups specialize in their specific geographical regions.

In terms of ammunition, this is one of my favorites, Zeus, if you don't know it. If you want a copy, just ping me. Very easy, all right? And this still baffles like 99% of AVs. If you click here, "build loader," you're going to get a new copy of the actual Trojan executable with a very, very low detection rate. And if it's not low enough for you, just click again. And again, and again, and again. You can test it on VirusTotal or test it yourself. It's got a GUI, I mean, seriously. It's got a config file; you tell it what you want to do, which websites you want to attack, which websites you want to alter in the user's browser. This is, all right, and again, I'm going to get a lot of crap for it, an APT. It's an advanced persistent threat. It stays on the PC, it goes fairly well undetected, and it's very advanced. You can do a lot of neat stuff with Zeus. It's got a web portion to it as well. That's the command and control center. So every bot, every instance of that loader that you've built that gets installed on a victim's machine, pops up here. You can filter this by, again, geographical regions; you can group them together to form different administrative groups. This caters for multiple users. So you can have, and again, you can have different permissions for different users managing this system. This is, you know, this is the shit. You can drill down, obviously, issue commands, look at the data that was harvested from those PCs.
You can filter them by connection speed, so that you can group the fastest connections into a group called "DDoS" and the slowest ones into a group called "Check Later," and so on and so forth. It's very easy to use. Again, you don't need to be like an uber hacker from DEF CON to do this. You can be, you know, my mom. This is fire and forget.

Defense. Again, I hate those slides, but, you know, what can you do? We have antivirus, anti-malware, anti-spyware, anti-rootkit, anti-Trojan, tons of companies that make a lot of money, but seriously, when was the last time you've seen one of those actually work against a really, really good threat? All right, this is, again, I've just run the "build loader" thing, and you can very easily get to this stage, where the result is zero out of 42 antiviruses that detected this as malicious, not even as suspicious, all right? We are lacking on the defense side. And then you have guys saying, well, but we have firewalls and IDSs and IPSs and stuff that runs on the network with agents and stuff like that, but seriously, all of those attack vectors go through port 80 and 443 and 53. And what happens over SSL? Your IPS and IDS are blind to most of the encrypted stuff that goes on in your network. You don't even know what's going on there. You want your IDS to do something about it? Yeah. So we have a problem.

How do these two connect? I've talked about cyber crime, I've talked about cyber war, and my claim is that cyber crime is being used to conduct cyber war, all right? These are the dirty workers of the governments that carry out their nasty attacks. And I can claim this all day, but without proof we're going to go nowhere. So again, I'm only going to talk about stuff that I can attest to, that I've seen, that I have data for. You're probably going to want to say, hey Ian, you missed this and that, and fine, I might have, but I haven't seen actual data from it, so I'm not going to include it here.
One of the things, the first thing that comes to mind when you talk about cyber war, is Estonia. It's been bashed to death, and I don't feel like talking about it because it's fairly boring, and it didn't have a real kinetic act in it. So yes, a lot of people made their careers over analyzing this to death; read about it, it's interesting.

Next, Israel. Let's cover some interesting events. Cyber war in Israel. We have two events that can be construed as cyber war events in Israel. They happened during Cast Lead and the Second Lebanon War. Again, Google it, it's not that difficult if you're kind of weak on Middle East history. I don't blame you. One of the interesting incidents is that the Palestinian TV was hacked for propaganda. So you just hack the TV and broadcast whatever shit you want. "Love Israel" and stuff like that. "Run for your houses, your leaders don't like you," whatever you want to say there. Easy, everyone's got a TV these days, even the guys in Gaza. Another event, which is much more interesting, is this. Anyone know what this is? What? Syria. Syria, all right. This was my birthday present, September 6. Remember, you want to send me some stuff. 2007, this came out. This is a Syrian nuclear facility. This is how it looked on December 6, 2007. Operation Cold, Operation Orchard. Again, look it up, the link to the Wikipedia article is here. This stuff blew up, allegedly by Israeli Air Force bombers. Now, if you know your geography a little bit, you know that to get from Israel to Syria, you've got to pass another country or two. I'm saying allegedly because none of those countries in the middle, namely Lebanon and Turkey, have any recollection or any evidence on the radars that there was any Israeli aircraft passing by. This just blew up out of thin air. Again, Google it, there are a lot of funny stories about it. The Syrian reaction initially was that it didn't happen, and there's an actual picture missing here.
I need to find it and update this, where they actually bulldozed that area and just wiped out any evidence that there was any building there. Kind of like saying, what building? It didn't blow up. So, yeah, it was kind of awkward, because again, you need to get planes from here to here, but there's no evidence that this happened. So, again, obviously, on top of the kinetic, and obviously there's a kinetic effect here, on top of the kinetic effort, there was some kind of electronic, cyber, something effort that affected two different countries. So, yeah, stuff happens.

Let's talk a bit more about Cast Lead and the Second Lebanon War. If you look at all the events that happened throughout that period, all the attacks on both Israeli and Arabic targets are attributed to hacktivists. Surprisingly enough, those attacks mostly happened in conjunction with kinetic attacks, in a fairly well-synchronized manner. One of my favorites is this. This was a website that encouraged pro-Israelis to download software that would be used to DDoS different targets. So, yeah, who needs Zeus when you can just tell people to download this stuff? Let's talk about another organization in this whole scheme of things. It's a hacker forum by day, cyber crime operations by night. It's a very popular Arabic-speaking forum that has this. Wow, you can't really see this. There are political posts, anti-Israel, pro-Gaza, pro whatever it is, I'm not going to get into politics, that go around on the hacktivist side, and it looks very, you know, from the trenches. On the other hand, they're buying and selling cards for half their balance and selling 1600 Visa cards in bulk. So it's kind of a dual-hat thing going on. On one hand, it's a proper crime organization, very organized, all the stuff that we've talked about in past years. On the other hand, it's kind of hacktivism. Let's talk about politics and stuff like that. So again, connecting the dots is not that difficult over there.
Georgia, from Israel a little to the northwest. This was, from my perspective, the most interesting incident or case that you can analyze from a cyber war, cyber crime perspective. It is the most interesting because it had the most synchronized kinetic and cyber attacks in a campaign. The targets were mostly civilian, mostly civilian: mostly media outlets and general public websites, the president's website and stuff like that. And all the attacks were launched from civilian networks. It's not like kremlin.ru was the source for all those command and control communications or the actual attacks.

Now, in order to talk about Georgia and the Georgia-Russia conflict, you have to talk about Russia first. Wow, I'm losing like half my slides here. There's a big dilemma in Russia. The dilemma revolves around the connection between criminal organizations and the state or government. If any of those names make sense to you, you know what I'm talking about. All right, these are all companies, like legitimate companies, that are Russia-based or Russia-connected and that have a very, very strong affinity to criminal outlets and to criminal activities. Obviously, RBN, Atrivo, EstDomains, McColo. Remember McColo from last year? All right. These all have connections back into the Russian government and the Russian politicians that basically allow these things to keep running. Let's map out just a few of those connections. Again, this is like an offhand, quick connection, and I'm sure there's more, but just to understand things. HostFresh and UkrTeleGroup are hosted by Atrivo, which is a customer of EstDomains, which is a customer of RBN, the Russian Business Network. If you remember the Russian Business Network, it went down in 2008. When it went down, it was moved to China. HostFresh. Then it came back up in Russia and kept running because, again, there's no one to stop it there. It's not like people got sued or fined.
RBN's network providers are also UkrTeleGroup and HostFresh. All right, very highly connected. When you talk about EstDomains and McColo, you know these guys are actually bad guys, all right? There's no doubt about it. There's enough proof to say they have criminal affinity. If you talk about RBN, you know they're highly connected to the Russian government. If you talk about McColo, you know that the guy who committed suicide was like a cousin of some Politburo member in Russia who allowed this whole thing to actually run. So you get my point.

So back to the actual attack in Georgia. This is what started the cyber aspect of it, all right? You start seeing commands issued from the standard C&C servers basically saying flood, you know, president.gov.ge over HTTP, UDP, and TCP. HTTP, TCP, and ICMP. The C&Cs were shut down and then brought up again. And the second attack started as troops started crossing the border towards Georgia, all right? Again, very, very highly synchronized kinetic and cyber attacks. Now, the interesting thing about those command and control servers is that they were, again, they were used to attack all those media outlets, and the president's website, and Kasparov's website, because there's a thing in Russia, because Kasparov was Georgian and they don't like him. So they're like, yeah, add Kasparov to the list. At the same time, the same command and control servers were still operating business as usual, and business in cyber crime is making money. So they're still, you know, attacking foreign sites to extort them, adult escort services, Nazi and racist sites, carder forums, gambling sites, you know, the usual dealing and scheming of cyber crime. Connecting the dots, not that difficult, I think, all right? And the facts are all out there.

I ran, I've got 10 minutes, I'm going to blow through this. You know Twitter? Anyone not know Twitter? Good, all right. Great crowd. 2009, Twitter went down, DNS hacked.
The political connections of that specific attack are just too obvious to ignore. It was the elections in Iran. Right around the UN Council decisions to ban Iran and do bad stuff to them, and protests against the leadership in Tehran. This is what the attack looked like, all right? Again, I hit those slides. This is what Twitter looked like when you tried to access it during the attack, and if you try to Google it, you'll get this Arabic-speaking or Persian-speaking page basically saying, this is the Iranian Cyber Army and we protest this and we don't like you, and Twitter's down, so get your 140 characters somewhere else. This was taken down. This thing happened on December 18, 2009, all right? And again, the attack was attributed to this Iranian Cyber Army. Until December 2009, by the way, if you were following those kinds of intelligence forums and stuff like that, there was no Iranian Cyber Army, all right? This is like a new thing that happened just for Twitter. But if you, again, closely look at the affiliations between the groups, you realize that the Iranian Cyber Army is actually part of a group called Ashiyane. It's a Shiite group of, again, hackers and activists and stuff like that running inside Iran. And Ashiyane's, you know, kind of defacement logo and technologies and techniques are very, very, very, very similar to what we've seen from the Iranian Cyber Army back on Twitter, all right? Again, this is from Ashiyane. You can see the actual defacements and the actual same HTML template pushed onto the defaced sites. And again, just check out the forum. Get someone who speaks Farsi or Arabic and you can see how it operates. To make things a little easier, this is a peek from the Iranian Cyber Army subgroup inside the Ashiyane forums. They have a section called War Games. Shit you not.
And in those War Games, you can see the post from one of the trainers or whatever you want to call them, leaders, saying, all right, the War Game target for this week, month, whatever it is, is this website. They have rules of engagement, scoring. It's kind of like capture the flag, but for real. Yeah. And the target of that capture the flag is not some, you know, here's a VM image, you need to protect it or attack it. Chester County Natural Gas Authority, all right, out of South Carolina somewhere. This is target practice, okay? You can't make this shit up. It's in the forums. Go see. And the target changes every time there's a new War Game. So these guys are actually practicing on critical infrastructure, or Chester County, just infrastructure targets, as practice for the actual, you know, D-Day when things are going to really happen. Now, let's take another quick look at the 18th. What other big thing happened on December 18th? Can anyone point out like a big event? No? Oh, seriously. The same day that Twitter went down, everyone was so fucking busy complaining that they can't tweet from the restroom or whatever it is that the Iranians seized an Iraqi oil well across the border. Okay? No one remembers this? Come on, it's ground troops moving to the border, crossing the border. It's ours now. And no one notices this. Why? Because Twitter's down and everyone's busy trying to get Twitter back up. Is this a coincidence? I don't know, maybe. I don't think so. Baidu, again, another incident, between Iran and China this time. A little more recent than this 2009 thing. Again, same thing. Look at what happened around the time when Baidu was taken down. So let's sum things up a little bit on the Iranian kind of cyber crime connections. They're a subgroup. Their usual kind of MO is DDoS, site defacement, credit cards, botnet herding, the usual stuff.
The Iranian Cyber Army is a subgroup running inside Ashiyane doing strategic attacks and war games and training on critical targets or interesting targets in the US and China. Okay? The line dividing cyber crime and cyber war is not that clear anymore, right? Connecting the dots? Very easy. Let's talk really quickly about China because we're running out of time. China was very interesting in terms of the recent happenings, APT, Google stuff. Google was down, not as, you know, Twitter, we lost a few hours of DNS. It was down on its knees, begging for, yeah. Adobe, same thing. And I'm just quoting this because the wording from the statement, the PR statements from both Adobe and Google, were kind of similar. I was fortunate enough to help analyze, or whatever it is, other companies that were hit by the same attack. So, you know, the MO was a 0-day in IE to get into Adobe, Google and other, you know, 40 different companies. The initial reaction was that, you know, the Chinese are here. It's like the Germans. The only problem was that all of the attacks had the same, you know, kind of mark of a cyber crime attack. Just like the ones we've seen before. APT was used because everyone was fucking baffled. It's like, what? We're just going to say it's malware again? No, this is APT. It's very sophisticated. The U.S. response to it, again, very funny, excuse my non-political correctness: we look to the Chinese government for an explanation. The ability to operate with confidence in cyberspace is critical in modern society, blah, blah, blah. So we look to the Chinese government. Why are you looking at the Chinese government when it could be anyone that launched the attack from China, and the mark is very clear that this is like a very criminal, you know, MO. The Chinese reaction was classic. Wasn't it? You look, it wasn't me? You can't argue with that. You just can't. Try arguing with a four-year-old. Wasn't it? But it wasn't me. All right, we got it. It wasn't you. Classic, all right? Yeah.
The connection between state and crime, the incentive and the mutual benefits, are very, very obvious. If you let people run off your infrastructure or stuff in your country, the Internet doesn't have borders. So attribution, first time I said it in a cyber crime talk, wow, a cyber warfare talk, attribution is a problem and you're not going to get it. It's a win-win situation for every country and for every state that wants to, you know, launder their dirty business through a criminal outlet in another state to attack a third state. It's child's play, okay? Everything is accessible, everything is very easy. Let's take a one-minute look at the future, all right? An illustrated look at the future. So our Oracle, you know, says what this is. What is this? OLPC, all right. You know how these things work, right? Now what if you give out a lot of these, all right, and one of them gets infected, and you give them to a country that doesn't really have the capital to start purchasing services and antiviruses and protection and stuff like that? You get one of the biggest botnets on earth, all right? So take a look at this. Wonder why OLPC didn't make it the first round? Well, yeah, security. They didn't think it out, they didn't think it through, sending it to like third world countries that are not going to put, you know, McAfee or Kaspersky on it or Symantec, or sorry if I missed anyone. Some more future. There's no weapons of mass destruction, all right? Contrary to common belief, well, now there is. The Internet kill switch. But yeah, seriously, the weapon of mass destruction in the future is still connectivity. Okay? The more connectivity you have, the more power you have, especially if it's dispersed around the world, all right, back to attribution. And what's better than connectivity? Cloud. Cloud is the dream of criminals and countries alike. Because again, it even further distances attribution and gives you more power, you know, on demand. Okay?
So look for more malware, malicious stuff on the cloud. Again, I'm not going to do that, you know, look-at-Amazon-EC2-and-malicious-servers talk because someone else did it. So let's sum some things up and I'll be right on time, hopefully. The good and the bad, as usual, all right. The good thing is that this is getting some proper attention. And again, I was very happy to listen to the Meet the Feds talk yesterday. You see a lot of governments training and adding capabilities to handle these kinds of scenarios, all right, and starting to realize that their policies from four or five years ago aren't worth the paper they're printed on. And they print a lot of paper for some reason. And the bad side is that commercial development of malware is still king, all right. If you want to have really cool malware, you get it outsourced, all right. You buy it off someone and, believe me, in that criminal world it's happening all the time. As usual, when you mix good and bad, you get the ugly, and good meets bad. Money changes hands, fewer tracks to cover, criminal ops already creating the weapons for the countries that don't have the skills. So while you're training your people, who's going to carry out the actual attacks? The guys that already have it. Fix the future, all right. You're not going to fix cyber war before fixing cyber crime. So whatever we're doing in making law enforcement talk across borders, again, the Internet is borderless, apply that later on for state versus state. And that's it for this. Before I get kicked off, if you have any questions, we'll be in room 112. 112. Thank you very much, have a good day.