Ivan Bütler: Cyber Espionage (CYBER FACES)

Ivan Bütler, Compass Security AG, Switzerland, [email protected]

Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil
Tel. +41 55-214 41 60, Fax +41 55-214 41 61, [email protected], www.csnc.ch

Uploaded by digicomp-academy-ag, posted 20 Aug 2015 (Category: Technology)


Ethical Hacker / Penetration Tester

Founder & CEO Compass Security AG

Lecturer @ University of Applied Science Rapperswil

Lecturer @ University of Applied Science Lucerne

Lecturer @ University of St.Gallen

Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security

Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking

© Compass Security AG Slide 2www.csnc.ch

Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground

Founder of Swiss Cyber Storm Sec Conference

Board member of Information Security Society Switzerland (ISSS)

Board member of Cyber Tycoons Anti-Warfare Foundation

Agenda

- Hacking 1x1
- Hacking for Fun and Honor
- Hacking for Profit
- Hacking for Companies / Espionage
- Hacking for States / Espionage
- Hacking in a War
- Conclusion

Hacking 1x1

[Diagram: the hacker's attack cycle: Attack Creation -> Attack Exploitation -> Attack Improvement -> Attack Maintenance]

Hacker Toolbox

Hacking Targets

We are all „easy targets“

Source: Symantec Internet Security Threat Report, H1, 2005

[Figure: timeline after an advisory is published: Exploit available after 6 days; Patch available after 54 days]

[3] ETHZ Stefan Frei 2009 (Dissertation): "We found that exploit availability consistently exceeds patch availability since 2000."

Human Proxy – Illusion – Social Eng.

Direct Attack: Server Exploitation [diagram: BLOCKED]

Indirect Attack (I): Man in the Middle – Phishing [diagram: PASSED / BLOCKED]

Indirect Attack (II): Malware – Mobile Devices – W-LAN [diagram: PASSED]

Drivers behind „Hacking“

Motivation for „Hacking“

Hacking for Fun | Cyber Crime | Cyber Espionage | Cyber Warfare

Hacking for Fun or Moral

Hacking not for commerce, but for fun or moral reasons!

Joy Rider – Hacking for Honor

Moral Hacking

Hacking for Profit

Cyber Crime

Who is the Enemy?

Hacking for Fun | Cyber Crime | Cyber Espionage | Cyber Warfare

How to make Money?

Business Case of „Hackers“: Hacker-Tools | Hacker-Services | Trading („Rent a BotNet“) | Illegal Goods („Spam the World“)

Example: SQL Injection

Approach: Direct Attack

Impact: Credit Card Disclosure

SQL Introduction – Protocols

[Diagram: protocol chain HTTPS -> RMI -> SQL]

SQL Introduction – Protocols

[Diagram: HTTPS + SQL hacker code -> RMI -> SQL: the injected SQL is carried through the chain and reaches the database as part of the query]

Demo1: SQL Injection

Approach: Direct Attack

Impact: Credit Card Disclosure
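Demo1 itself is not reproduced on the page; what follows is an added example (not the talk's demo code) showing the defect class behind it: a card lookup built by string concatenation next to its parameterised fix, run against a constructed in-memory SQLite table with fake, non-PAN card values. Table, names and values are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory shop database with fake card values for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (customer TEXT, pan TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?)",
                   [("alice", "4111-TEST-0001"), ("bob", "4111-TEST-0002")])
    return db

def lookup_vulnerable(db, customer):
    """Defective: the customer value is spliced into the SQL text, so a quote in
    the input changes the statement. This is how a 'credit card disclosure' arises."""
    sql = "SELECT pan FROM cards WHERE customer = '" + customer + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, customer):
    """Fixed: a bound parameter is always treated as a value, never parsed as SQL."""
    return [row[0] for row in db.execute(
        "SELECT pan FROM cards WHERE customer = ?", (customer,))]

# The textbook tautology input: closes the string literal and makes WHERE always true.
TAUTOLOGY = "x' OR '1'='1"

def demo():
    """Run both lookups with a normal name and with the tautology input."""
    db = make_db()
    return {
        "normal/vulnerable": lookup_vulnerable(db, "alice"),
        "tautology/vulnerable": lookup_vulnerable(db, TAUTOLOGY),  # every card leaks
        "tautology/hardened": lookup_hardened(db, TAUTOLOGY),      # no such customer
    }
```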

How to make Money? (1)

A market for anonymous trading is required!

Show: Video 1: Cyber Market

Trading of illegal goods

- Dumps: Stolen Credit Cards
- Carders: Provider of “Dumps”
- Carding: Using Dumps
- WU: Western Union
- WMZ: Web Money
- LR: Liberty Reserve
- CVVs: Card Verification Value
- Drops: Remailing Location
- Rippers: CVV verification service

5000 Unexpired/Valid CC Dumps: $2000

Money Rule: How to pay for the illegal goods?

Payment with Liberty Reserve

Liberty Reserve?

-> Internet Currency (anonymous)

Liberty Reserve as E-Currency

Both seller and buyer need an LR account

The LR account is anonymous

[Diagram: anonymous seller <-> anonymous buyer]

LR requires „Exchanger“

Real money is exchanged into LR currency

Direct payment into an LR account is not possible

More than 100 LR-enabled banks (exchanger banks)

[Diagram: Trust]

How to make Money? (2)

Money Mule and Money Laundry

Example: PostFinance (Phishing)

[Diagram: Transaction with Money Mule]

MELANI says ...

Response from Cyber Underground to MELANI request

Reference: Marc Henauer, Head of MELANI, ISSS St. Galler Tagung, 29 April 2010

How to make Money? (3)

Split Hacking from financial benefit

Splitting „Hacking“ and Financial Benefit

[Diagram: Hacking | Financial Benefit]

Example: XML Injection

Approach: Direct Attack

Impact: Credential Disclosure

XML Introduction – Protocol

[Diagram: HTTPS + XML -> XML Query]

XML Injection – Protocol

[Diagram: HTTPS + XML hacker code -> XML Parser Attack]

Demo2: XML Injection

Approach: Direct Attack

Impact: Credential Disclosure

Cyber Espionage

They go after information ...

Who is the Enemy?

Hacking for Fun | Cyber Crime | Cyber Espionage | Cyber Warfare

How to rule the World

Example: USB Trojan

Approach: Indirect Attack

Impact: Advanced Persistent Threat

Covert Channel

Virus Construction Toolkit

Delivery with USB-Stick/CD-ROM

[Diagram: Internet | Company Network]

Start via Auto-Start

Attacker controls the computer of the victim

Demo3: USB Trojan

Approach: Indirect Attack

Impact: Remote Control of Victim (RAT)

Access to files

Covert Channels I - Direct

Simple Inside-Out Attack

[Diagram: Corporate LAN -> Internet]

Direct Channels:
- ACK tunnel
- TCP tunnel (pop, telnet, ssh)
- UDP tunnel (syslog, snmp)
- ICMP tunnel
- IPSEC, PPTP

Covert Channels II - Proxified

Advanced Inside-Out Attack

[Diagram: Corporate LAN -> LAN Proxy -> DMZ Proxy -> Internet]

Proxified Channels:
- Socks SSL tunnel
- HTTP/S tunnel (payload of http = tunnel)
- HTTP/S proxy CONNECT method tunnel
- DNS tunnel
- FTP tunnel
- Mail tunnel

Advanced Persistent Threat

[Diagram: several Zombie Hosts, each running an Agent, communicating with the C&C Server]

Advanced Persistent Threat – Command & Control Communication

[Diagram: the Client polls the DNS Server repeatedly (POLL, POLL, POLL); the server answers with a Command File; the client executes the Commands]

1. POLL
2. GET FILE TO CLIENT
3. PUT FILE TO SERVER
4. EXECUTE @ CLIENT
5. EXIT CLIENT

APT Design Pattern

First Infection:
- Installation of a user-land virus or Trojan horse
- The virus does not require local admin privileges
- The virus talks back to the command & control server (C&C)
- Get latest updates from C&C – very important!
- If C&C is unreachable – self-destroy routine

Privilege Elevation:
- Elevate privileges with 0-day exploit
- Keyboard Sniffer
- Create encrypted storage
- Evidence protection
- Get latest updates
- Send collected information - important
- If C&C is unreachable – sleep for 90 days
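The C&C polling pattern described above (agents repeatedly polling a server over DNS) and the DNS tunnel listed among the proxified covert channels both leave traces in resolver logs that a defender can look for. The following added example (not code from the talk) runs two checks over a constructed resolver log in a hypothetical "<epoch> <client> <qname>" format: near-constant polling intervals per client/name pair, and long high-entropy leftmost labels. Log format, thresholds and all names are assumptions.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample resolver log (hypothetical "<epoch> <client> <qname>" format).
# Tunnels carry data in the query name itself, so each tunnel query has a fresh label.
SAMPLE_LOG = """\
1000 10.1.1.7 www.example.org
1600 10.1.1.7 poll.cc-host.example
2200 10.1.1.7 poll.cc-host.example
2800 10.1.1.7 poll.cc-host.example
3400 10.1.1.7 poll.cc-host.example
1130 10.1.1.9 a9f3k2m8x1q7z4b6n0c5v2l8.tun.example
1131 10.1.1.9 q2w8e7r1t4y9u3i6o5p0a2s7.tun.example
"""

def parse_log(text):
    """Return (timestamp, client, qname) tuples; malformed lines are skipped."""
    parts = (line.split() for line in text.splitlines())
    return [(int(p[0]), p[1], p[2].lower()) for p in parts if len(p) == 3 and p[0].isdigit()]

def shannon_entropy(s):
    """Bits per character: encoded tunnel payloads score high, real hostnames low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def find_beacons(rows, min_queries=4, max_cv=0.1):
    """Flag (client, qname) pairs queried at near-constant intervals (C&C polling);
    max_cv bounds the coefficient of variation (stdev/mean) of the inter-query gaps."""
    times = defaultdict(list)
    for ts, client, qname in rows:
        times[(client, qname)].append(ts)
    hits = []
    for (client, qname), ts_list in times.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, qname, round(avg)))
    return hits

def find_tunnel_labels(rows, min_len=20, min_entropy=3.5):
    """Flag queries whose leftmost label is long and high-entropy (DNS tunnel sign)."""
    hits = set()
    for _, client, qname in rows:
        label, _, parent = qname.partition(".")
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.add((client, parent))
    return sorted(hits)
```

On real logs, tune min_queries and max_cv to the polling interval you expect and whitelist known periodic lookups (update checks, monitoring) before alerting.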

What to do if we find out we are compromised?

How to handle long-term attacks

Advanced Persistent Threat

Incident Handling – C&C Traffic Redirection

[Diagram: Zombie Hosts with Agents; traffic to the C&C Server is redirected to an Update Service (Anti-APT Zombie or C&C Host)]

Problems!!! Updates are Encrypted / Signed; Reverse Engineering required

US Report, Nov. 2008:

"China has an active cyber espionage program. Since China’s current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts. By some estimates, there are 250 hacker groups in China that are tolerated and may even be encouraged by the government to enter and disrupt computer networks"

Cyber War

Cyber is a new military domain of operations

USA: Cyber Command

On June 23, 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish USCYBERCOM.

[Caption: Director of NSA and Commander of Cybercom]

http://www.defense.gov/cyber

USA: New Domain of Operations - Cyber

Land, Sea, Air, Space, Cyber

C⁴ISR (command and control, communications, computers, intelligence, surveillance, and reconnaissance)

War Assets

Critical Infrastructures

Switzerland

http://www.bevoelkerungsschutz.admin.ch/internet/bs/de/home/themen/ski/kritische_infrastrukturen.html

1) Cyber Attack: Government
2) Cyber Attack: Power and Energy
3) Cyber Attack: Trash Recycling
4) Cyber Attack: Finance
5) Cyber Attack: Health
7) Cyber Attack: IT & Telecommunications
8) Cyber Attack: Food
9) Cyber Attack: Public Security
10) Cyber Attack: Traffic & Transport

Cyber Defense in Switzerland?

Divisionär Kurt Nydegger

He has the mandate to draw up an overview of the situation and to present a defence strategy to the Federal Council. The task is complex, because the threat picture is diffuse.

Conclusion & Recommendations

Recommendations

- Setup Basic Security (against Script Kiddies)
- Identify the critical assets which are essential for your business and secure them very strictly, even against internal users (their computers could be compromised)
- Test your security – Penetration Tests
- Monitor your infrastructure day and night
- Prepare yourself for an APT incident. Think about how you would monitor your perimeter network traffic, how to reverse-engineer encrypted C&C traffic, and how to communicate with your employers, media, stakeholders, shareholders and management.

Discussion/Questions

Questions?!

Thank You – Ivan Bütler

Compass Security AG, Werkstrasse 20, P.O. Box 2037, CH-8645 Jona SG, Switzerland

Tel. +41 55 214 41 60

Fax +41 55 214 41 61

[email protected]

www.csnc.ch