4 ivan buetler cyber_espionage
TRANSCRIPT
Tel. +41 55-214 41 60, Fax +41 55-214 41 [email protected], www.csnc.ch
Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil
Ivan Bütler
Compass Security AG, Switzerland
CYBER FACES
Ethical Hacker / Penetration Tester
Founder & CEO Compass Security AG
Lecturer @ University of Applied Science Rapperswil
Lecturer @ University of Applied Science Lucerne
Lecturer @ University of St.Gallen
Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security
© Compass Security AG, Slide 2, www.csnc.ch
Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking
Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground
Founder of Swiss Cyber Storm Sec Conference
Board member of Information Security Society Switzerland (ISSS)
Board member of Cyber Tycoons Anti-Warfare Foundation
Agenda
• Hacking 1x1
• Hacking for Fun and Honor
• Hacking for Profit
• Hacking for Companies / Espionage
• Hacking for States / Espionage
• Hacking in a War
• Conclusion
Hacking 1x1
Attack lifecycle (diagram): Attack Creation, Attack Exploitation, Attack Improvement, Attack Maintenance, all driven by the Hacker
Hacker Toolbox
We are all „easy targets“
Source: Symantec Internet Security Threat Report, H1, 2005
Timeline (diagram): Advisory is published; Exploit available after 6 days; Patch available after 54 days
[3] ETHZ Stefan Frei 2009 (Dissertation): We found that exploit availability consistently exceeds patch availability since 2000
Malware – Mobile Devices – W-LAN
Indirect Attack (II)
PASSED
Drivers behind „Hacking“
Motivation for „Hacking“ (diagram): Hacking for Fun, Cyber Crime, Cyber Espionage, Cyber Warfare
Hacking for Fun or Moral
Hacking not for commerce – but for fun or moral!
Hacking for Profit
Cyber Crime
Who is the Enemy? (diagram): Hacking for Fun, Cyber Crime, Cyber Espionage, Cyber Warfare
How to make Money?
• Business Case of „Hackers“ (diagram): Hacker-Tools; Hacker-Services; Trading; „Rent a BotNet“; Illegal Goods; „Spam the World“
Example: SQL Injection
Approach: Direct Attack
Impact: Credit Card Disclosure
SQL Introduction – Protocols (diagram): HTTPS carrying SQL hacker code, RMI, SQL
Demo1: SQL Injection
Approach: Direct Attack
Impact: Credit Card Disclosure
How to make Money? (1)
Market for anonymous trading is required!
Show: Video 1: Cyber Market
Trading of illegal goods
• Dumps: Stolen Credit Cards
• Carders: Provider of “Dumps”
• Carding: Using Dumps
• WU: Western Union
• WMZ: Web Money
• LR: Liberty Reserve
• CVVs: Card Verification Value
• Drops: Remailing Location
• Rippers: CVV verification service
5000 Unexpired/Valid CC Dumps: $2000
Money Rule: How to pay for the illegal goods?
Payment with Liberty Reserve
Liberty Reserve as E-Currency
Both seller and buyer need an LR account
The LR account is anonymous (diagram: anonymous seller, anonymous buyer)
LR requires „Exchangers“
Real money is exchanged into LR currency
Direct payment into an LR account is not possible
More than 100 LR-enabled banks (exchanger banks)
Trust
How to make Money? (2)
Money Mule and Money Laundering
Example: PostFinance (Phishing)
Transaction with Money Mule
MELANI says ...
Response from the Cyber Underground to a MELANI request
Reference: Marc Henauer, Head of MELANI, ISSS St. Gallen Conference, 29 April 2010
How to make Money? (3)
Split Hacking from Financial Benefit
Splitting „Hacking“ and Financial Benefit (diagram: Hacking | Financial Benefit)
Example: XML Injection
Approach: Direct Attack
Impact: Credential Disclosure
XML Injection – Protocol (diagram): HTTPS carrying XML hacker code, XML Parser Attack
Demo2: XML Injection
Approach: Direct Attack
Impact: Credential Disclosure
Cyber Espionage
They go after information ...
Who is the Enemy? (diagram): Hacking for Fun, Cyber Crime, Cyber Espionage, Cyber Warfare
Example: USB Trojan
Approach: Indirect Attack
Impact: Advanced Persistent Threat
Steps (diagram): Virus Construction Toolkit; Delivery with USB-Stick/CD-ROM; Start via Auto-Start; Covert Channel from the Company Network to the Internet; Attacker controls the computer of the victim
Demo3: USB Trojan
Approach: Indirect Attack
Impact: Remote Control of Victim (RAT)
Access to files
Covert Channels I - Direct
Simple Inside-Out Attack (diagram: Corporate LAN → Internet)
• Direct Channels
  • ACK tunnel
  • TCP tunnel (pop, telnet, ssh)
  • UDP tunnel (syslog, snmp)
  • ICMP tunnel
  • IPSEC, PPTP
Covert Channels II - Proxified
Advanced Inside-Out Attack (diagram: Corporate LAN → LAN Proxy → DMZ Proxy → Internet)
• Proxified Channels
  • Socks SSL tunnel
  • HTTP/S tunnel (payload of http = tunnel)
  • HTTP/S proxy CONNECT method tunnel
  • DNS tunnel
  • FTP tunnel
  • Mail tunnel
Advanced Persistent Threat
Botnet structure (diagram): several Zombie Hosts, each running an Agent, all talking to the C&C Server
Command & Control Communication (diagram): the Client repeatedly sends POLL requests to the DNS Server; the server holds a Command File; the returned Commands are executed on the client
1. POLL
2. GET FILE TO CLIENT
3. PUT FILE TO SERVER
4. EXECUTE @ CLIENT
5. EXIT CLIENT
APT Design Pattern
First Infection
• Installation of a user-land virus or Trojan horse
• The virus does not require local admin privileges
• The virus talks back to the command & control server (C&C)
• Get latest updates from C&C – very important!
• If C&C is unreachable – self-destroy routine
Privilege Elevation
• Elevate privileges with 0-day exploit
• Keyboard Sniffer
• Create encrypted storage
• Evidence protection
• Get latest updates
• Send collected information – important
• If C&C is unreachable – sleep for 90 days
What to do if we find out we are compromised?
How to handle long-term attacks
Advanced Persistent Threat
Incident Handling – C&C Traffic Redirection (diagram): the Agents on the Zombie Hosts are redirected from the C&C Server to an Update Service on an Anti-APT Zombie or C&C Host
Problems!!! Updates are Encrypted / Signed; Reverse Engineering required
US Report, Nov. 2008
China has an active cyber espionage program. Since China’s current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts. By some estimates, there are 250 hacker groups in China that are tolerated and may even be encouraged by the government to enter and disrupt computer networks.
Cyber War
Cyber is a new military domain of operations
USA: Cyber Command
On June 23, 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish USCYBERCOM.
Director of NSA and Commander of Cybercom
http://www.defense.gov/cyber
USA: New Domain of Operations - Cyber
Domains of operations: Land, Sea, Air, Space, Cyber
C⁴ISR (command and control, communications, computers, intelligence, surveillance, and reconnaissance)
War Assets
Critical Infrastructures, Switzerland
http://www.bevoelkerungsschutz.admin.ch/internet/bs/de/home/themen/ski/kritische_infrastrukturen.html
Cyber Defense in Switzerland?
Divisionär Kurt Nydegger
He has the mandate to draw up an overview of the situation and to present a defense strategy to the Federal Council. The task is complex, because the threat picture is diffuse.
Conclusion & Recommendations
Recommendations
• Setup Basic Security (against Script Kiddies)
• Identify critical assets which are essential for your business and secure them very strictly, even against internal users (their computers could be compromised)
• Test your security – Penetration Tests
• Monitor your infrastructure day and night
• Prepare yourself for an APT incident case. Think about how you would monitor your perimeter network traffic and how to reverse-engineer encrypted C&C traffic. Plan how to communicate with your employees, media, stakeholders, shareholders and management.
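The agent POLL pattern from the C&C slides and the DNS tunnel from the covert-channel list, viewed from the monitoring side that the last recommendation asks for: this is an added detection example, not code from the talk or from Compass Security, and the log format, thresholds and sample lines are constructed assumptions.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed proxy/DNS log lines (not from the talk): "<epoch> <client> <proto> <name> <path>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 http update.cdn-example.test /poll
1700000300 10.0.0.5 http update.cdn-example.test /poll
1700000600 10.0.0.5 http update.cdn-example.test /poll
1700000900 10.0.0.5 http update.cdn-example.test /poll
1700000120 10.0.0.7 http www.example.test /news
1700000410 10.0.0.7 http www.example.test /about
1700000200 10.0.0.9 dns aGVsbG8gd29ybGQgdGhpcyBpcw.x7q9kz2p4m.t.example.test /
"""

def parse(log):
    """Split each line into (epoch, client, proto, name, path)."""
    rows = []
    for line in log.splitlines():
        ts, client, proto, name, path = line.split()
        rows.append((int(ts), client, proto, name, path))
    return rows

def find_beacons(rows, min_hits=4, max_cv=0.1):
    """Flag (client, name) pairs contacted at near-constant intervals (the agent POLL pattern)."""
    seen = defaultdict(list)
    for ts, client, _proto, name, _path in rows:
        seen[(client, name)].append(ts)
    flagged = []
    for (client, name), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation near zero means a fixed polling interval.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.append((client, name, mean))
    return flagged

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def find_dns_tunnel_candidates(rows, min_len=20, min_entropy=3.5):
    """Flag DNS queries whose leftmost label is long and high-entropy, i.e. data carried in the name."""
    flagged = set()
    for _ts, client, proto, name, _path in rows:
        label = name.split(".")[0]
        if proto == "dns" and len(label) >= min_len and label_entropy(label) >= min_entropy:
            flagged.add((client, name))
    return sorted(flagged)
```

Both heuristics produce candidates for analysts, not verdicts: legitimate software updaters also poll on a fixed schedule, so the hits need to be checked against known-good destinations.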
Thank You – Ivan Bütler
Compass Security AG, Werkstrasse 20
P.O. Box 2037
CH-8645 Jona SG
Switzerland
Tel. +41 55 214 41 60
Fax +41 55 214 41 61
www.csnc.ch