Cyber Crime Update: Event, Date, Location



XecureIT

Gildas Arvin Deograt Lumy



An international expert in information and cyber security, cyber defense, SCADA security.

As consultant, auditor, authorized hacker, expert witness in court, trainer, writer, speaker in
national & international events, and source for major news media.

As expert for BI, Kemkominfo, Kemhan, Lemhanas, Lemsaneg, LKPP, OJK, PPATK, TNI, etc

© PT IMAN Teknologi Informasi



24 years of experience in IT, including 19 years focused on security.

Involved in more than 100 security projects in 15 countries for more than 80 organizations.
PROFESSIONAL CERTIFICATION

Certified Information Systems Auditor (CISA)

Certified Information Systems Security Professional (CISSP)

Certified Lead Security Incident Professional (CLSIP) / ISO 27035 Information Security Incident Management

ISO 27001 Information Security Management System Lead Auditor
CURRENT POSITIONS

Senior Information Security Consultant, XecureIT, since 2007

Cyber Defense Expert, Ministry of Defense, since 2013

Deputy Director Coordination and Mitigation Group, National Desk for Cyberspace, Coordinating Political,
Legal, and Security Affairs Minister, since 2014

President of Cyber Security Certified Professional (CSCP) Association, since 2013

Coordinator of Komunitas Keamanan Informasi (KKI), since 2005
CONTACT
[email protected] Signal/Telegram +62 813 1773 7474 www.linkedin.com/in/gildasdeograt

KKI I2/R2/K2 Cyber Crime Update 20160728 Hal. 2




R U Sure U R Secure?

Some Quotes

• Trust, but verify.
• Trust is good, but control is better.
• There is no security silver bullet.
• No security hole is too small.
• The digital world is dangerous because it is silent.
• Complexity is the biggest security enemy.
• Easier to implement and maintain by the (security) system administrator.
• Minimum impact (as “transparent” as possible) to end-users.
• If you can’t physically secure your computer, it no longer belongs only to you.
• Feeling secure is dangerous. It makes us complacent.

Critical Infrastructure Interdependency

Which answer did the customer choose?
Who is responsible?

Anti Virus is (not) dead :'(

90 Days, 68% Detection Rate
Source: http://labs.lastline.com/lastline-labs-av-isnt-dead-it-just-cant-keep-up

Zero Day Vulnerability: We are the sitting ducks

• In corporations, critical patches start being installed, at the earliest, 1 week after they are released.
• In most cases, installation on all systems is only finished after 6 months.
• Building an exploit by reverse engineering the patch takes < 1 hour.

2015 Security Vulnerability Statistics:

• 16,801 vulnerabilities were recorded in 2,484 products.
• 2,573 vulnerabilities were publicly known before a patch was released; for 25 of them an exploit was already available.
• 1,114 vulnerabilities in the Top 5 Browsers.
• 2,219 vulnerabilities were rated Highly Critical or Extremely Critical.

Backdoors

Security Challenges = Business Opportunities

Source: http://tinyurl.com/jqq25wf

Internet Banking vs Mobile Banking

Internet Banking
• Client: Browser
• Front End Servers: Web Server

Mobile Banking
• Client: Mobile Banking Application
• Front End Servers: Web Service

Back End Servers

Mobile Banking Malware Hijacks 20 Mobile Banking Apps

Theft of Rp 245 Million via Bank Permata Internet Banking

News report: "Account Drained of Hundreds of Millions, Customer Sues Bank Permata for Rp 32.2 Billion" http://tinyurl.com/jtjzeb7

• The customer reported the case to the police even though the bank was willing to reimburse 50 percent of the loss.
• On 28 August 2014, at around 22:00, someone requested a replacement SIM card for the customer's mobile number at Grapari Telkomsel, attaching a photocopy of the KTP (national identity card) and a forged power of attorney in the customer's name.
• Someone contacted Bank Permata customer service to reset the internet banking password. The password reset succeeded at around 01:17.
• Money was transferred from the customer's savings account to accounts at Bank Danamon, Bank Tabungan Negara, and Bank Rakyat Indonesia at 01:33, 01:37, 01:43, 01:47, 06:39, and 11:15.

News report: "Sued by Customer for Rp 32.2 Billion, Here Is Bank Permata's Explanation" http://tinyurl.com/jqr8qxb

• According to Bank Permata's internal investigation, the transactions were declared normal because they were successfully executed through the transaction verification and authentication process of the PermataNet service with a valid User ID, password, and Token.
• The User ID, password, and Token are known only to the customer, and it is the customer's responsibility to keep them confidential.
• On 9 December 2014, BI and OJK conveyed their conclusion that the case does not fall within the civil domain.
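
An added example (not from the original slides) of a bank-side correlation rule for the timeline above: the valid User ID, password and Token did not distinguish the attacker, but the order and spacing of the events do. It assumes the bank receives a SIM-change signal from the mobile operator; the `review` function, the window lengths and the calendar date of the reset and transfers are assumptions.

```python
from datetime import datetime, timedelta

# Policy windows are assumptions chosen for illustration, not values from the slides.
SIM_CHANGE_WINDOW = timedelta(hours=72)  # a reset this soon after a SIM change is suspicious
RESET_WINDOW = timedelta(hours=24)       # transfers this soon after such a reset are held


def review(events):
    """Replay one customer's events in time order and return a decision per event.

    events: iterable of (timestamp, kind), kind in
            {"sim_change", "password_reset", "transfer"}.
    Returns a list of (timestamp, kind, decision).
    """
    last_sim_change = None
    risky_reset = None
    decisions = []
    for ts, kind in sorted(events):
        decision = "allow"
        if kind == "sim_change":
            last_sim_change = ts
        elif kind == "password_reset":
            if last_sim_change is not None and ts - last_sim_change <= SIM_CHANGE_WINDOW:
                decision = "step_up"  # require a check that does not depend on the SIM
                risky_reset = ts
        elif kind == "transfer":
            if risky_reset is not None and ts - risky_reset <= RESET_WINDOW:
                decision = "hold"     # valid credentials alone are not enough here
        decisions.append((ts, kind, decision))
    return decisions


def at(day, hhmm):
    """Build a timestamp; the calendar dates used below are constructed."""
    return datetime.strptime(f"2014-08-{day} {hhmm}", "%Y-%m-%d %H:%M")


# Constructed replay: clock times follow the slide; placing the reset and the
# transfers on the 29th is an assumption.
CASE = [(at(28, "22:00"), "sim_change"), (at(29, "01:17"), "password_reset")] + [
    (at(29, t), "transfer") for t in ("01:33", "01:37", "01:43", "01:47", "06:39", "11:15")
]
# Constructed control: a reset with no recent SIM change, then a transfer.
CONTROL = [(at(10, "09:00"), "password_reset"), (at(10, "09:30"), "transfer")]

if __name__ == "__main__":
    for ts, kind, decision in review(CASE) + review(CONTROL):
        print(ts.isoformat(sep=" "), kind, decision)
```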

“Token Synchronization”

“Token synchronization” cases
http://tinyurl.com/guown7h

“Token Synchronization”: SSL Man in the Middle (MiTM) Attack

[Diagram: attack vectors on the path between the User and the HTTPS Server]
• Malware injection, MITB, and host poisoning; DNS changer; social engineering (phishing, etc.)
• DHCP and DNS poisoning, rogue WiFi, WiFi hijacking
• Routing and ARP poisoning, connection hijacking


Normal SSL Connection
User <== SSL ==> HTTPS Server
(Original Server Digital Certificate at both ends)

SSL MITM Connection
User <== SSL ==> MITM <== SSL ==> HTTPS Server
(server side: Original Server Digital Certificate; user side: Fake Server Digital Certificate)


Malware Hijacks SmartCard and PIN

Telecommunication Services

• Security aspect priority: availability.
• SIM swap attacks have been known since 2007.
• GSM (voice and SMS) interception is cheap and easy.
• Fake BTS attacks are “common”.

Untrusted Browser


• Malware in the Browser
• Malware as a Browser


Malware Attacks Mobile Banking

March 2016

Stealing Password and SMS-based 2 Factor Authentication from 20 Australian Banks' Customers

Targeted Banks

• Westpac
• Bendigo Bank
• Commonwealth Bank
• St. George Bank
• National Australia Bank
• Bankwest
• Me Bank
• ANZ Bank
• ASB Bank
• Bank of New Zealand
• Kiwibank
• Wells Fargo
• Halkbank
• Yapı Kredi Bank
• VakıfBank
• Garanti Bank
• Akbank
• Finansbank
• Türkiye İş Bankası
• Ziraat Bankası

Malware Does Not Need Root Access

It poses as a fake Flash Player with Device Administrator rights, not root.

Malware Communication With Server

Malware can forward, modify and/or delete incoming SMS.

Command and Control servers:
http://94.198.97.202
http://46.105.95.130
http://181.174.164.138

Ransomware
http://tinyurl.com/jdmpuv7

The average ransom demand has more than doubled and is now $679, up from $294 at the end of 2015.

The shift towards crypto-ransomware has continued. All bar one of the new variants discovered so far in 2016 are crypto-ransomware, compared to around 80 percent last year.

Advanced Persistent Threat (APT)

Hacker's inside ;)

Hacker's Mindset

IT Auditor vs Hacker

| | IT Auditor | Hacker |
|---|---|---|
| Objective | Securing target | Securing / compromising target |
| Purpose | How to find the root cause and improve the process. ++ | Good: How to improve human life through technology. ++ Bad: How to steal or damage others through technology. |
| Mindset | Inside the box. How to check (risk based) ++ | Think out of the box. How to hack (technology based) |
| Time | Limited | Unlimited ++ |
| Target | Limited by scope of work | Unlimited ++ |
| Learning Process | Based on job description | Based on passion ++ |
| Support | Consultant (Paid) | Community (Free) ++ |

The Biggest Challenge: To Change The Mindset

“I feel convenience if...
I use the good safety belt and helmet properly and
the car has the effective braking system to go fast!”

Security: Comprehensive and Consistent

80% People and Client Devices

Redefine Cyber Security Architecture:
Integrated Information Security

SAKTTI is a high-grade information security architecture for effectively implementing the integrated information security concept.


Free eBook :)
Request to [email protected]


THANK YOU :)

www.xecureit.id
[email protected]
+628119127001

PT. IMAN Teknologi Informasi


"TRUSTED Security CARES, Our PASSION"
Consultancy.Assurance.Research.Education.Solution
