Anatomy of Ownage:
The painful lessons learned by others
Matt Linton
IT Security Specialist
NASA Ames Research Center
Overview
- Schadenfreude
- Optimism Bias
- HBGary vs Anonymous
- Sony, Inc. vs The internet
- ??????? vs RSA Security
- ??????? vs Iran Nuclear Enrichment Program
Schadenfreude
Schadenfreude is
“Pleasure derived from the misfortunes of others”
i.e.
“Wow, I'm glad I'm not those guys right now.”
Schadenfreude
Just to be clear,
We're not happy they got hacked.
We are happy we're not them.
But ditch your optimism bias for a moment, because
It can happen to us too.
OPTIMISM BIAS
“The demonstrated, systematic tendency for people to be
overly optimistic about the outcome of planned actions.”
Symptoms include:
- Over-estimating the likelihood of positive events
- Under-estimating the likelihood of negative events
- Illusion of control
- Illusion of superiority
Ding, ding! Round 1.....
HBGary vs Anonymous
SETTING THE STAGE:
HBGary Federal needs positive press to grow, decides to
capitalize on the controversy surrounding Anonymous's
defense of Wikileaks.
CEO Aaron Barr issues press releases taunting
Anonymous, claiming to have identified them and
threatening to expose them to law enforcement.
Internally, his staff warns him that this is a bad idea and his
data is wrong but he persists.
HBGary vs Anonymous
The Damage:
- Company servers penetrated
- Internal company emails (incl. potential evidence of criminal activity
by the company) leaked to public
- All of Barr's emails leaked to public
- Barr's iPad remotely wiped
- Company data erased
- Company backups erased too
- General humiliation of the company
HBGary vs Anonymous
The vector:
- Attackers compromised company's public-facing CMS
with SQL Injection (sql injection)
- Attackers use rainbow tables to reverse unsalted MD5
password hashes from CMS (bad pw storage)
- Attackers use those passwords to log into company
bastion hosts (single factor auth)
- Attackers use unpatched local exploit to privilege
escalate to root (unpatched system)
(see next slide)
HBGary vs Anonymous
- Attackers use the CEO's and COO's passwords to gain entry to
their Google Mail (SaaS) accounts (password re-use, simple
passwords)
- Attackers reset the Gmail password for Greg Hoglund, CEO
of the parent company and owner of rootkit.com
- Using Hoglund's email, attackers socially engineer a
support tech into disclosing the root password on
rootkit.com (poor general practice)
HBGary vs Anonymous
HOW NOT TO GET OWNED LIKE THIS:
- Follow OWASP to check for and prevent SQL injection
- Salt your hashes! Hash without salt is just potatoes.
- Perform social engineering / phishing awareness
- Hold leadership to same best practice standards as
everyone else
- Do NOT re-use passwords in multiple locations
Ding, ding! Round 2.....
Sony, Inc. VS The Internet
SETTING THE STAGE:
Sony locks Linux hackers out of PS3 via firmware update,
angering geeks who bought PS3 to install Linux
George Hotz (GeoHotz) finds a way to work around
firmware update, informs community.
Sony sues GeoHotz.
PS3 hackers and Anonymous issue call to action in
defense of GeoHotz.
Sony, Inc. VS The Internet
The Damage:
- 20 hacks in 5 weeks, by 5+ different groups, in 4+
countries
- PS3 Network (now required to play any games) shut
down for weeks, angering all legitimate customers
- Over $300 million in losses to Sony for the PS3N outage plus
incident response costs
Sony, Inc. VS The Internet
The Damage:
- 70 million customer credit cards lost
- 24 million customers' personal information lost
- 11 thousand customers' bank information lost
- millions of customers' email address + passwords lost
- And the stock price for the company?
Sony, Inc. VS The Internet
Common vectors and mistakes:
(see: http://attrition.org/security/rants/sony_aka_sownage.html)
- SQL Injection, leading to compromise of....
- Passwords stored in plaintext,
- User information stored in accessible databases
unencrypted
- Sony ignored reports of vulnerabilities on several
disclosure lists
- Reportedly no firewalls, and old Apache versions, on
several of their developer networks
Ding, ding! Round 3.....
RSA Security vs ??????
SETTING THE STAGE:
RSA Security owns the “SecurID” product, a two-factor
token that is very popular with governments and defense
industry to protect critical data and systems.
Somewhere deep within RSA is a set of secret seed
numbers which, if known, defeats all the security
afforded by the SecurID token.
Guess what happens next?
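Why a leaked seed "defeats all the security afforded by the token" is easiest to see in code. The following is an added example, not RSA's code or the SecurID algorithm (which is proprietary); it uses the open TOTP scheme of RFC 6238, built on HOTP from RFC 4226, which has the same structure: the token and the authentication server each hold a copy of the seed and derive the displayed code from it, so whoever holds the seed database can produce every token's codes. The seed below is the RFC test-vector secret, chosen so the output is reproducible.

```python
import hashlib
import hmac
import secrets
import struct

def hotp(seed, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. This is what the token displays; nothing
    but the seed and the clock goes into it."""
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed, candidate, unix_time, step=30, window=1):
    """The authentication server's side: recompute from its own copy of the
    seed, tolerate +/- `window` steps of clock drift, compare in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

def new_seed(nbytes=20):
    """A replacement seed. Once a seed is known to have leaked, re-seeding (in
    practice, replacing the token) is the only remedy; no password change helps."""
    return secrets.token_bytes(nbytes)

if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed: the RFC 4226/6238 test-vector secret
    now = 59
    shown = totp(seed, now)
    print("token displays", shown)
    print("server accepts it:", verify_totp(seed, shown, now))
    print("accepted 120 s later:", verify_totp(seed, shown, now + 120))
```

The whole second factor is therefore exactly as strong as the confidentiality of the seed store. That is why the slides that follow treat the seed database as the crown jewels and why the Lockheed Martin intrusion later in the deck could use "compromised RSA SecurID token values".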
RSA Security vs ??????
The Damage:
- RSA's secret seed database is compromised
- Lockheed-Martin and others have been compromised as
well, directly related to their RSA keys
- Unknown damage yet to be discovered
RSA Security vs ??????
The vector:
- Attackers send a crafted Excel spreadsheet titled “2011 recruitment
plan” to select company insiders (phishing)
- Attackers embed a zero-day Adobe Flash exploit in the Excel
spreadsheet (Adobe Flash)
- Using administrative privileges gained through the zero-day,
attackers install the “Poison Ivy RAT” tool to remotely access systems
- From these systems they sniff traffic and explore the
internal network (local network trust issues)
- Once they escalate to the keystore, they steal the keys
RSA Security vs ??????
HOW NOT TO GET OWNED LIKE THIS:
- Train users about phishing, AND test them
- Reconsider whether your users really NEED things like
Flash, PDFs with active code embedded, etc – and
disable them if you can
- Reconsider whether end users really NEED
administrative level access to their operating systems
- Employ multiple trust zones within your networks, and
SECTION OFF critical areas of the company from
administrative networks
- Discourage, prevent & prohibit password re-use among
said zones
RSA Security vs ??????
PART TWO...
Shortly thereafter, US defense contractor Lockheed Martin was broken into.
Compromised RSA SecurID token values comprised part
of the attack!
Ding, ding! Round 4.....
Iran vs ?????
SETTING THE STAGE:
Iran grows dangerously close to bringing its
country's first Nuclear Fuel Enrichment center online.
Many countries suspect it is not for peaceful use.
In March of 2010, power plant operators and industrial
centers began reporting about a strange computer worm
that had penetrated their SCADA control systems.
Iran vs ?????
SETTING THE STAGE:
Unlike most computer worms, this one didn't seem to DO
anything – just hang around.
Deeper research into the worm revealed that it was very
advanced, and appeared to only attack SCADA systems
with very specific characteristics.
Then, without explanation, Iran's nuclear enrichment
activity ground to a halt.
Iran vs ?????
The Damage:
- Computers in a dozen countries were infected but
operational
- 60% of the computers worldwide infected with Stuxnet
were in Iran
- The Bashir and Natanz enrichment facilities in Iran were
knocked offline and valuable equipment destroyed
Iran vs ?????
The Vector:
- Stuxnet first infected Iranian SCADA systems via USB stick carried into the
plant by a Russian contractor
- Utilizing an exploit 'warhead' of four embedded Windows zero-days, Stuxnet
spread among the SCADA systems
- Targeting only systems which matched the vendor, manufacturer and
configuration characteristics of nuclear fuel centrifuges (the 357 and 415
payloads)
- Stuxnet would lie in wait until the optimal time to disrupt enrichment activity &
destroy industrial equipment
Iran vs ?????
HOW TO KEEP FROM GETTING OWNED LIKE THIS:
- SCADA systems are built with incredibly weak host level
controls. This is their nature.
- Strictly separate SCADA networks from the world and do
not provide an internet route
- Strictly control the interfaces on which SCADA network
configuration and operation are performed
- Carefully audit any incoming media
- Watch your optimism bias!!
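"Carefully audit any incoming media" is the one item in that list that turns into a concrete procedure at the plant gate, so here is an added example of what such an audit can look like: a script that walks a staged (read-only) mount of the stick, records an inventory of every file with its SHA-256 so the reviewer signs off on exactly what goes in, and flags anything that should never be on media bound for a control network. This is not code from the talk or from any vendor; the list of flagged names and extensions is this example's own assumed policy, and the sample "stick" is a temporary directory populated with constructed files so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed policy for this example: auto-run files, executables, scripts and
# shortcuts have no business on media headed into a SCADA network.
FLAGGED_NAMES = {"autorun.inf"}
FLAGGED_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd",
                    ".ps1", ".vbs", ".js", ".jar", ".msi", ".lnk"}

def sha256_of(path, chunk=1 << 16):
    """Stream the file so large project or firmware files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_media(mount_point):
    """Walk a staged mount. Returns (manifest, findings):
    manifest = [(relative_path, size, sha256)] for every regular file,
    findings = [(relative_path, reason)] for anything the policy rejects."""
    root = Path(mount_point)
    manifest, findings = [], []
    files = sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink())
    for path in files:
        rel = path.relative_to(root).as_posix()
        manifest.append((rel, path.stat().st_size, sha256_of(path)))
        name = path.name.lower()
        if name in FLAGGED_NAMES:
            findings.append((rel, "auto-run file"))
        elif any(name.endswith(s) for s in FLAGGED_SUFFIXES):
            findings.append((rel, "executable, script or shortcut"))
        elif name.startswith("."):
            findings.append((rel, "hidden file"))
    return manifest, findings

def verdict(findings):
    """Plain answer for the person at the gate: anything flagged means quarantine."""
    return "QUARANTINE" if findings else "RELEASE"

def build_sample_media():
    """Constructed stand-in for a mounted USB stick: a temp directory with a
    harmless settings file, an empty file, a shortcut and an autorun.inf.
    Returns the directory path."""
    root = Path(tempfile.mkdtemp(prefix="media_audit_"))
    (root / "config").mkdir()
    (root / "docs").mkdir()
    (root / "config" / "plc_settings.csv").write_bytes(b"tag,value\nspeed,1064\n")
    (root / "docs" / "empty.txt").write_bytes(b"")
    (root / "docs" / "update.lnk").write_bytes(b"constructed placeholder")
    (root / "autorun.inf").write_bytes(b"constructed placeholder")
    return str(root)

if __name__ == "__main__":
    mount = build_sample_media()
    manifest, findings = audit_media(mount)
    for rel, size, digest in manifest:
        print("%-26s %8d  %s" % (rel, size, digest))
    for rel, reason in findings:
        print("FLAG", rel, "-", reason)
    print(verdict(findings))
```

The manifest is the part people skip and should not: a hash inventory taken at the gate is what lets you later answer "did this exact file come in on that stick?" during an investigation, which is the question the Stuxnet story turns on. Extension checks are a coarse filter, not a malware scanner; the point is that the release decision is made by a procedure, not by the contractor's assurance.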
Q&A, Criticism, Flames, & Heckling
matt@nasa.gov
mattatnasa
OK, so I blew through the slides and need something
to talk about still.
How about a little Jerry Springer?
LIGATT vs LIGATT?
SETTING THE STAGE:
Gregory D. Evans founds LIGATT Security and begins
referring to himself as the “World's #1 hacker”. Evans was
previously convicted of fraud and served 2 years in
prison.
Despite this and a lack of credentials, he begins media
tours. His charisma earns him a welcome spot in the
news media, which he relishes.
LIGATT vs LIGATT?
LIGATT's first product is a re-skinned and re-branded copy of
NMAP; his latest book is reportedly 99% plagiarized.
Critics on Twitter begin pointing this out, and discussion
ensues among the authors of the (allegedly) plagiarized
content. A website, ligattleaks, is formed to chronicle
the misstatements.
Gradually a picture is painted of a media-savvy but
technically incompetent man.
So, this happens:
THEN THIS HAPPENS:
SO WHAT HAPPENED?
LIGATT vs LIGATT?
A LIGATT insider became a public whistleblower, exposing
all of the company's internal email (as well as Evans') to
the full-disclosure email list.
Details of internal company politics, harassment, and (alleged)
investigations into employees' personal lives by private
detectives were among the leaked documents.
LIGATT vs LIGATT?
Evans, who until then had been a constant presence on
news media programs, began to be the subject instead
of the expert commentator.
Feb. 2011 – CBS News runs a series, “Hacker or Hoax”,
laying out the internet's charges against Evans.
LIGATT vs LIGATT?
Signs you may be headed down his path:
- You start referring to yourself as “World's #1” at
something, without a gold medal to back it up.
- Your first instinct at facing criticism is to call your lawyer
- The hackers that people make fun of, are making fun of
you.
- Your own employees are considering whistleblowing
about you. On Twitter.
I'm sure you can figure out how to avoid the above......
Sources:
- http://www.youtube.com/watch?v=O3Ms8UZnOoA
- http://en.wikipedia.org/wiki/Stuxnet
- http://www.youtube.com/watch?v=scNkLWV7jSw
- http://attrition.org/errata/charlatan/gregory_evans/
- http://attrition.org/security/rants/sony_aka_sownage.html
- http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hackhow-they-did-it/