Supplement to the 2012/3 South African Cyber Threat Barometer
Brazil Case Study Report
Foreword Africa is considered to be the cradle of mankind. There is evidence that some of the earliest people lived in southern Africa. The hunter-gatherer San roamed widely over the area and the pastoral KhoiKhoi wandered in the wellwatered parts where grazing was available. Tribes from central Africa moved southwards into the eastern and central parts of the area known today as South Africa. Milestones in South African history: 1652 - Dutch Settlers arrive under the leadership of Jan van Riebeeck 1795 - British occupation of the Cape 1800 onwards - the Zulu kingdom under King Shaka rises to power 1835 - The Great Trek - Dutch and other settlers leave the Cape colony 1879 - Anglo-Zulu war 1880 - First Anglo-Boer war 1899 - Second Anglo-Boer War I am referring to the scourge of 1912 - The African National Congress (ANC) is founded cybercriminal activity that is rapidly 1961 - South Africa becomes a republic becoming a global concern and one 1990 - Mandela is freed after 27 years in prison and that we as Africans need to prioritise. opposition groups are unbanned We hope this project and proposed 1994 - South Africa's first democratic election initiatives will go a long way towards "rallying the troops" to urgently address the growing cyber threat facing South Africa has journeyed through many great obstacles our country. to become a nation whose dream of unity and common purpose is within grasp of all its people. We must not I wish to offer my sincere appreciation lose sight of this dream. As proud stakeholders of this to the British High Commission for great country we are now called upon to join hands in their funding and support to complete the fight against a new threat that is targeting all areas this vital research project. of our society - no organisation, community or child is immune to its impact. I also wish to convey my warmest thanks to all participating companies and teams for their input and For a copy of the full 2012/3 South African independent review of this report. Your Cyber Threat Barometer report and other country passion to make a positive impact in supplements please visit the research section this country has been amazing to of our website. witness. I would finally like to acknowledge the Wolfpack team for their dedication shown in the research, analysis, layout and distribution of this report. I am very proud of what we have achieved.
Corporate contact details: Building 1 Prism Office Park Ruby Close, Fourways Johannesburg, 2055 Telephone: +27 11 367 0613 Email: info@wolfpackrisk.com Website: www.wolfpackrisk.com
Craig Rosewarne Managing Director Wolfpack Information Risk (Pty) Ltd 1
Brazil History of Cyber Laws, Acts and organisations to combat cyber crime in Brazil Bill / Act
Description
2008
Code of Criminal Procedure of Brazil
• The Brazilian Chamber of Deputies approved a law amending the Code of Criminal Procedure. • According to the new law, criminal convictions for which the punishment exceeds 20 years of prison time will no longer trigger an automatic appeal for a new trial. The law also reduces the speaking time allotted to both the prosecution and the defense during a jury trial.
2010
Penal Code of Brazil Criminal Code 1940
• The Penal Code has two sections. The first distinguishes between felonies and misdemeanors and outlines the individual citizen's responsibilities under the law. The 1988 constitution proscribes capital punishment, except in case of war. The second section defines criminal behavior more comprehensively, spelling out crimes against persons, property, custom, public welfare, and public trust. Misdemeanors are also defined. • Law no. 10.467 of 11 June 2002 adds chapter II-A to Section XI of the Penal Code which rules on the crimes of money laundering and corruption. For instance, article 337-B defines active bribery in international bussines transactions as the "promising, offering or giving any improper advantage to a feorign public official". Traffic of influence in international transactions is also punished when any advantages are promised in exchange for influencing an official act.
2012
Legal Framework on Cybercrime
• Brazil has proposed a legal framework on cyber-crime to replace the Budapest Convention, judged too Euro-centric.
Brazilian Senate’s Substitute Act to the House Bill No.89 of 2003 (“Draft Law”)
• January, ARTICLE 19 analysed the Brazilian Senate’s Substitute Act to the House Bill No.89 of 2003 (“Draft Law”). The Draft Law proposes the creation of new provisions relating to the prevention, detection and punishment of crimes committed with the use of the Internet. • ARTICLE 19 is seriously concerned that a number of these provisions are antithetical to the rights to freedom of expression and information and therefore makes a number of recommendations to bring the Draft Law into compliance with international standards.
Year
2
Industry Collaboration, Partnership Developments and Initiatives in Cybersecurity Organisation / initiative
Description
Brasilia-based Centre of Cyber Defence (CDCiber)
• The government launched the Brasilia-based Centre of Cyber Defence (CDCiber) to protect Brazil’s protect private infrastructure from attack. The budget for the CDCiber in 2012 is US$45 million to be allocated to at least four other acquisitions that include equipment, software and training of at least 500 officers.
Brazilian Federal Police Computer Forensic Unit
• Has a strong increment of human and material resources due to the rising demand from BFP investigative teams. • At this moment the CFU (central office) has a team of 21 forensic examiners and 5 administrative personnel and counts 3 specialised sections: o An operational section, which runs forensic examinations and supports investigations; o A training section and o A research & development section. • Some Brazilian states don’t have specialised cybercrime and computer forensic units. The state police and their forensic labs are also authorised to investigate cybercrime and analyse electronic evidence. • The Federal or State Prosecution Offices are responsible for the prosecution on cybercrime. • The BFU CFU participates at the Interpol Latin-Caribbean cybercrime Working Group • The BFP CFU has acts as the national 24/7 point of contact.
Brazilian Internet Steering Committee
• The Working Committees (CTs) of the Brazilian Internet Steering Committee (CGI.br) are responsible for the design and management of projects in areas that are essential to the operation and development of the Internet in Brazil. • The mission of the CGI.br involves certain rights and responsibilities, which include: o Coordinating the allocation of Internet addresses (ips) and registration in the <.br> domain; o Establishing strategic directives related to the use and development of the Internet in Brazil; o Collecting, organizing and disseminating information on Internet services, including indicators and statistics.
Ccomgex
• The military completed tenders for the purchase of an antivirus solution and a program that simulates cyber attacks, for a total of about $ 3.3 million. Both programs will be developed by Brazilian companies. The Ccomgex, which coordinates the purchase of antivirus and cyber attack simulator is part of CDCiber. The Antivirus, with a value of US$ 442,000 will be delivered by the company BluePex, Campinas (in the state of São Paulo), within 12 months.
Computer Forensic Unit Cybercrime Unit
• 1996, The Brazilian Federal Police (BFP) established two units that are responsible for the investigation of cybercrimes and analysis of forensic evidence. • The Computer Forensic Unit is responsible, for the analysing of forensic evidence, its collection and in many cases for providing support to the Cybercrime Unit in its investigations. • The Cybercrime Unit is the primary agency responsible for the investigation of offences against computer systems and information as well as for the investigation of offences by means of computers. The BFP CFU duties are defined by an Internal Act from the General Director Office.
3
Organisation / initiative
Description
CSIRTs
• The Brazilian Research Network (RNP) created it’s own CSIRT (CAIS), followed by the Rio Grande do Sul State that created the CERT-RS. • Other institutions including Universities and Telecommunication Companies announced their CSIRTs. • More than 20 CSIRTs formed. Started a CSIRT contact Directory at NBSO, available at: http://www.nbso.nic.br/contact-br.html
Government Initiatives
The Presidential Security Office (GSI) has created task forces to discuss, among other subjects: • A CERT for the Government; • Internet Security Policies; • Legislation; • Use of Cryptography; • Use of Free Software.
Law Enforcement
• Ministry of Justice’s Federal Police initiatives: o 1995: first group of computer forensic experts was formed; o 1996: a department dedicated to computer forensics was created; member of the IOCE; o 1999: become a member of the International Web Police/InterGOV; o 2003: created their own CSIRT (CTR).
NBSO/Brazilian CERT
• NBSO/Brazilian CERT was created by the Brazilian Internet Steering Committee (CG-I.br) to respond to computer security incident reports and activity related to networks connected to the Brazilian Internet. • NBSO, Brazilian CERT, is a FIRST member. Services include: o Provide a focal point for reporting incidents related to Brazilian networks (.br and ips assigned to Brazil); o Provide coordinated support in incident response; o Establish collaborative relationships (law enforcement, service providers, telephone companies, etc); o Increase security awareness and help new csirts to establish their activities.
Organization of American States (OAS)
• With the Organization of American States (OAS), Brazil is contributing to a cyber-security culture in South America that also involves technical cooperation.
4
Case Studies – Cyber Threats, Attacks & Actions against Brazil Recently a group of hackers attacked the site of Brazil Central Bank and the pages of BMG banks, Citibank and PanAmericano were temporarily down. The group also claimed responsibility for attacks on the sites of banks Itaú, Bradesco, Banco do Brasil and HSBC, which took place recently. The attacks recorded so far include an attempted theft of keys and† a denial of service. Their general cyber warfare simulator will train officers in at least 25 scenarios of various types of network attack similar to those used in military situations. According to general cyber warfare simulator will train officers in at least 25 scenarios of various types of network attack similar to the Army. The service interruption of government websites and the disclosure of the supposedly personal data of top-ranking politicians claimed by hacking collective LulzSec is part of a string of cyber-attacks that have taken place in Brazil recently. This is considered the largest cyber offensive in Brazilian history. The Brazilian government and presidency websites, Brasil.gov.br and Presidencia.gov.br were brought down. Other websites operated by government departments were also hit by the hacking attacks, such as the tax collection agency and the Ministry of Sports. The latter department also had supposed staff login details for restricted areas of its website leaked. The website of oil giant Petrobras was also hit. The company attributed the collapse to “a high number of simultaneous accesses”, highlighting that no damage to data had been caused. In a You Tube video, a representative of the Anonymous Brazilian arm said: “Anonymous has been watching the widespread manipulation of information in Brazil for a long time and decided it’s time to take a stance on it. A government without transparency and citizens lacking information are the greatest threats to democracy and Brazil is heading towards a country that is taking away the little freedom the population has left.” Much of the information leaked was made public, but the attacks raise questions over the efficiency of the country’s primary cyber security efforts. The Brazilian government is set to launch a cyber defense unit staffed by the Armed Forces to protect the country’s critical infrastructure and enable the mitigation of cyber-attacks. A few days ago, a group of hackers attacked the site of Brazil Central Bank and the pages of BMG banks, Citibank and PanAmericano, which were temporarily malfunction. The group also claimed responsibility for attacks on the sites of banks Itaú, Bradesco, Banco do Brasil and HSBC, which took place recently. "The attacks we recorded so far are similar to those that happen in any company. Attempted theft of keys, denial of service, etc.. But the way in which you get a bank key is the same that can be used to obtain Confidential records of the Army. And since government sites had fallen, "said Guerra. According to general cyber warfare simulator will train officers in at least 25 scenarios of various types of network attack similar to the Army. Pricewatercooperhouse has recently released a study revealing that in 2011 hackers have stolen US$ 1 billion from companies in Brazil. On the top of that, BSA (Business Software Alliance) ranked Brazil the least prepared nation to adopt cloud computing technology among the 24 countries that account for 80 percent of the world’s information and communications technology.
5