Apresentação Allen ES (transcript; uploaded by allen-informatica, posted 19-Jan-2015)

Page 1: Apresentação Allen ES

The Anatomy of an Anonymous

May 2012

Carolina Bozza

Security Engineer

Page 2: Apresentação Allen ES

Imperva?

Who we are and what we do

Page 3: Apresentação Allen ES

Next Generation Threats Require New Approach

[Diagram: protection layers Tech. Attack Protection, Logic Attack Protection, Usage Audit, User Rights Management, Fraud Prevention and Access Control, mapped against the actors External (Customers, Staff, Partners, Hackers), Internal (Employees, Malicious Insiders, Compromised Insiders) and Data Center (Systems and Admins).]

Imperva’s Mission is to Provide a Complete Solution

© Copyright 2012 Imperva, Inc. All rights reserved.

Page 4: Apresentação Allen ES

Hacktivism

From Wikipedia:

HACK + ACTIVISM - the use of computers and computer networks as a means of protest; (…) hacktivism could be defined as "the nonviolent use of legal and/or illegal digital tools in pursuit of political ends". These tools include web site defacements, denial-of-service attacks, information theft, (…) Acts of hacktivism are carried out in the belief that proper use of code will be able to produce similar results to those produced by regular activism or civil disobedience.

Page 5: Apresentação Allen ES

What is Anonymous?

What they claim to be:

Anonymous is an Internet meme (…), representing the concept of many online and offline community users simultaneously existing as an anarchic, digitized global brain. Hacktivists fighting for moral causes.

Reality:

“Anonymous is an umbrella for anyone to hack anything for any reason.” —New York Times, 27 Feb 2012

Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement, airline, São Paulo’s Mayor and Vladimir Putin.

Anyone can be a target.

Page 6: Apresentação Allen ES

The Plot - The anatomy of an Anonymous Attack

• Attack took place in 2011 over a 25 day period.
• Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.
• 10-15 skilled hackers or “geniuses.”
• Several hundred to a thousand supporters.

Page 7: Apresentação Allen ES

On the Offense

Skilled hackers—This group, around 10 to 15 individuals per campaign, have genuine hacking experience and are quite savvy.

Nontechnical—This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.

Page 8: Apresentação Allen ES

On the Defense

• Deployment line was network firewall, WAF, web servers and anti-virus.
• Imperva WAF
  + SecureSphere WAF version 8.5 inline, high availability
  + ThreatRadar reputation
  + SSL wasn’t used, the whole website was in HTTP
• Unnamed network firewall and IDS
• Unnamed anti-virus

Page 9: Apresentação Allen ES

Phase #1

Recruiting and Communications

Page 10: Apresentação Allen ES

“Inspirational” Videos

Page 11: Apresentação Allen ES

Social Media Helps Recruit

Page 12: Apresentação Allen ES

Phase #2

Recon and Application Attack

“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.” —Sun Tzu

Page 13: Apresentação Allen ES

Finding Vulnerabilities

• Tool #1: Vulnerability Scanners
• Purpose: Rapidly find application vulnerabilities.
• Cost: $0-$1000 per license.
• The specific tools:
  + Acunetix (named a “Visionary” in a Gartner 2011 MQ)
  + Nikto (open source)

Page 14: Apresentação Allen ES

Hacking Tools

• Tool #2: Havij
• Purpose:
  + Automated SQL injection and data harvesting tool.
  + Solely developed to take data transacted by applications
• Developed in Iran

Page 15: Apresentação Allen ES

Phase #3

DDoS

Page 16: Apresentação Allen ES

Hacking Tools

• Low-Orbit Ion Canon (LOIC)
• Purpose:
  + DDoS
  + Mobile and Javascript variations
  + Can create 200 requests per second per browser window

Page 17: Apresentação Allen ES

Anonymous and LOIC in Action

[Chart: “LOIC in Action”, transactions per second by day from Day 19 through Day 28, y-axis 0 to 700,000, with a second panel “Average Site Traffic” on a 0 to 400,000 scale.]

Page 18: Apresentação Allen ES

LOIC Facts

• LOIC downloads
  + 2011: 381,976
  + 2012 (through March 19): 318,340
  + Jan 2012=83% of 2011’s downloads!
• Javascript LOIC:
  + Easy to create
  + Iterates up to 200 requests per minute
  + Can be used via mobile device.

Page 19: Apresentação Allen ES

Anybody can be an anonymous!

Let’s Demo!!

Page 20: Apresentação Allen ES

I’ve spent a lot of money…

And why am I not Safe Yet?

Page 21: Apresentação Allen ES

I have IPS and NGFW, am I safe?

• IPS and NGFWs do not prevent web application attacks.
  + Don’t confuse “application aware marketing” with Web Application Security.
• WAFs at a minimum must include the following to protect web applications:
  + Web-App Profile
  + Web-App Signatures
  + Web-App Protocol Security
  + Web-App DDOS Security
  + Web-App Cookie Protection
  + Anonymous Proxy/TOR IP Security
  + HTTPS (SSL) visibility
  + Security Policy Correlation

Page 22: Apresentação Allen ES

I have IPS and NGFW, am I safe?

• IPS and NGFWs do not prevent web application attacks.
  + Don’t confuse “application aware marketing” with Web Application Security.
• However, IPS and NGFWs at best only partially support the items in Red (the colour marking is not preserved in this transcript):
  + Web-App Profile
  + Web-App Signatures
  + Web-App Protocol Security
  + Web-App DDOS Security
  + Web-App Cookie Protection
  + Anonymous Proxy/TOR IP Security
  + HTTPS (SSL) visibility
  + Security Policy Correlation

Page 23: Apresentação Allen ES

I have IPS and NGFW, am I safe?

• IPS & NGFW Marketing – They have at least one web-app feature so they market themselves as a solution.
• IPS & NGFW gaps to WAF – WAFs provide far more web-app features than IPS and NGFWs. IPS and NGFWs do not even meet the most minimal requirements of web application security.
• False Sense of Security - IPS and NGFWs are creating a false sense of security with their claims and are leaving organizations like the ones we have previously mentioned susceptible to web application penetration.

Page 24: Apresentação Allen ES

Anonymous targets that we know of, so far…

US Department of Justice

US Copyright Office

FBI

MPAA

Warner Brothers

RIAA

HADOPI

BMI

Sony

Amazon

Church of Scientology

SOHH

Office of the AU Prime Minister

Polish Prime Minister

Polish Ministry of Foreign Affairs

Polish Internal Security Agency

French Presidential Site

Austria Ministry of Justice

Austria Ministry of Internal Affairs

Austria Ministry of Economy

Austria Federal Chancellor

Slovenia NLB

Mexican Interior Ministry

Mexican Senate

Mexican Chamber of Deputies

Irish Department of Justice

Muslim Brotherhood

UMG

PayPal

Mastercard

Visa

US Senate

CIA

Citibank

Itau

Banco do Brazil

Caixa Econômica Federal

Tim Celular Brasil

Presidência da República


AU House of Parliament

AU Department of Communications

Swiss bank PostFinance

Fine Gael

New Zealand Parliament

Tunisia Government

Zimbabwe Government

Egyptian Government

Malaysian Government

Polish Government

Polish Police

Polish President

Polish Ministry of Culture


Irish Department of Finance

Greek Department of Justice

Egyptian National Democratic Party

HBGary Federal

Spanish Police

Orlando Chamber of Commerce

Catholic Diocese of Orlando

Rotary Club or Orlando

Bay Area Rapid Transit

Syrian Defense Ministry

Syrian Central Bank

Syrian Ministry of Presidential Affairs

Various Pornography sites


Petrobrás

Receita Federal

Ministério dos Esportes

Rede Globo de Televisão

Cielo (Visa)

Banco Central

HSBC Brasil

Bradesco

Itau (Brasil)

Dilma (President)

Kassab (São Paulo Mayor)

Page 25: Apresentação Allen ES

Mitigations

Page 26: Apresentação Allen ES

First, some interesting facts

• No bots;
• No Malware;
• No Phishing;
• Public Recruitment.

Page 27: Apresentação Allen ES

Mitigation

• Monitor social media
  + Twitter, Facebook, YouTube, blogspot, pastebin etc.
• Use Google alerts
• Protect applications
  + Web application firewalls, VA and code reviews
• Analyze the alert messages generated by your security devices
  + The DDoS attack was preceded by a few-days-long phase of reconnaissance. Daily analysis of alert information may help better prepare for tomorrow’s attack.
• IP reputation is very valuable
  + Most of the reconnaissance traffic could have been blocked
• Threat Radar
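The mitigation slide recommends a daily pass over security-device alerts, because the DDoS was preceded by days of reconnaissance with scanners such as Nikto and Acunetix and the Havij SQL injection tool, and notes that most of that reconnaissance traffic could have been blocked by IP reputation. The Python script below is an added example, not code from the deck or from Imperva: it runs that kind of daily review over a few constructed WAF-style alert records, listing which sources are running recon tools, how many alerts a reputation list would have dropped, and which day's alert volume jumps well above the trailing average (the LOIC phase). It assumes the recon tool names itself in the User-Agent and uses a constructed reputation list; both are stand-ins for real feeds.

```python
import re
from collections import Counter, defaultdict
from statistics import mean

# Recon tools named in the deck, matched in the User-Agent. Assumption for this
# example: the tool announces itself there; a careful scanner may not.
RECON_TOOL_RE = re.compile(r"nikto|acunetix|havij", re.IGNORECASE)
# Constructed reputation feed (stand-in for a product feed such as ThreatRadar).
BAD_REPUTATION = {"203.0.113.10", "203.0.113.22"}
UA = "Mozilla/5.0 (Windows NT 6.1)"  # ordinary browser, for constructed rows

# Constructed WAF alert records: (day, source IP, User-Agent).
SAMPLE_ALERTS = [
    ("2011-06-01", "203.0.113.10", "Mozilla/5.0 (Nikto/2.1.5)"),
    ("2011-06-01", "203.0.113.10", "Mozilla/5.0 (Nikto/2.1.5)"),
    ("2011-06-01", "198.51.100.7", UA),
    ("2011-06-02", "203.0.113.10", "Mozilla/5.0 Acunetix"),
    ("2011-06-02", "203.0.113.22", "Mozilla/4.0 (compatible; Havij)"),
    ("2011-06-02", "203.0.113.22", "Mozilla/4.0 (compatible; Havij)"),
    ("2011-06-03", "198.51.100.7", UA),
    ("2011-06-03", "198.51.100.9", UA),
]
# Day 4: a burst from many fresh addresses, the volunteer-LOIC pattern.
SAMPLE_ALERTS += [("2011-06-04", f"192.0.2.{i}", UA) for i in range(1, 13)]


def daily_review(alerts, spike_factor=3.0):
    """One analyst pass over a period of alerts: who is scanning, how much of
    it a reputation feed would have dropped, and which days spike."""
    recon_ips = defaultdict(set)   # ip -> tool names seen in its UA
    reputation_hits = 0            # alerts from sources on the bad list
    per_day = Counter()            # day -> total alerts
    for day, ip, ua in alerts:
        per_day[day] += 1
        for tool in RECON_TOOL_RE.findall(ua):
            recon_ips[ip].add(tool.lower())
        if ip in BAD_REPUTATION:
            reputation_hits += 1
    # A day spikes when it exceeds spike_factor times the mean of earlier days.
    days, spikes = sorted(per_day), []
    for idx in range(1, len(days)):
        baseline = mean(per_day[d] for d in days[:idx])
        if per_day[days[idx]] > spike_factor * baseline:
            spikes.append(days[idx])
    return {
        "recon_sources": {ip: sorted(t) for ip, t in recon_ips.items()},
        "blockable_by_reputation": reputation_hits,
        "spike_days": spikes,
    }
```

On the constructed data the two scanning sources are also the two listed-bad addresses, so five of the first six alerts were blockable before the spike on day four.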

Page 28: Apresentação Allen ES

Anonymous Attack on Customer Site

Web Application Protection Use Case

[Diagram: SecureSphere stopped all phases of attack. Phase I: scanners such as Nikto (Technical Attack). Phase II: Havij SQL injection tool (Technical Attack). Phase III: LOIC application (Business Logic Attack).]

Page 29: Apresentação Allen ES

Web Application Security Use Cases

• Compliance and Legal: Web Application Protection
• IT Operations: Application Virtual Patching; DDoS Protection
• Line of Business: Site Scraping Prevention; Fraud Prevention; Legacy Application Security; Hosted Application Protection

Page 30: Apresentação Allen ES

The Defenses Required to Protect Web Apps

• Technical Attack Protection: Dynamic Profiling, Attack Signatures, HTTP Protocol Validation, Cookie Protection, Correlated Attack Validation
• Business Logic Attack Protection: Malware Fraud Detection / Fraud Prevention, IP Geolocation, IP Reputation, Anti-Scraping Policies, Bot Mitigation Policies, Correlated Attack Validation

Page 31: Apresentação Allen ES

IPS & NG Firewall Web Security Features

[Diagram: the same feature map, Technical Attack Protection (Dynamic Profiling, Attack Signatures, HTTP Protocol Validation, Cookie Protection, Correlation (Web Profile Correlation)) and Business Logic Attack Protection (Malware Fraud Detection / Fraud Prevention, IP Geolocation, IP Reputation, Anti-Scraping Policies, Bot Mitigation Policies), annotated for IPS and NG firewalls:]

• High rate of false positives and negatives because of lack of app awareness
• Easy for hackers to evade via encoding, custom app vulnerabilities

Page 32: Apresentação Allen ES

Virtual Patching Use Case

Challenges for payment processor:
• Costly, time-consuming vulnerability fix cycles
• Target of Web attacks

SecureSphere:
• Reduces window of exposure, cost of manual app fixes
• Offers visibility for developers

[Diagram: Company scans site with app scanner; vulnerabilities imported into WAF.]

Page 33: Apresentação Allen ES

Virtual Patching Through Scanner Integration

• SecureSphere can import scan results and instantly create mitigation policies
• Eliminated payment processors’ emergency fix and test cycles

[Diagram: Customer Site; scanner finds vulnerabilities; SecureSphere imports scan results; web applications are protected.]

Page 34: Apresentação Allen ES

Software Development Lifecycle

[Diagram: lifecycle stages DESIGN & CODE, TEST and DEPLOY with the activities Architect and implement code; Fix errors and vulnerabilities; Improve Application Development Processes; Test for vulnerabilities; Detect leaks, errors; Block attacks; Virtually patch vulnerabilities; Monitor and report exploits. Legend: Imperva SecureSphere; Manual processes or third party tools.]

Page 35: Apresentação Allen ES

Legacy Application Security Use Case

A bank inherited a treasury app:
• App had 50+ vulnerabilities, would cost $ millions to fix
• Wouldn’t allow vulnerable app into new data center
• Paying $1M a month to keep legacy app in old data center

Imperva SecureSphere WAF:
• Mitigated vulnerabilities
• Periodic scans confirm app is secure

[Diagram: Vulnerable Legacy Application.]

Page 36: Apresentação Allen ES

Fraud Prevention Use Case

A bank needed to:
• Stop Man-in-the-Browser attacks
• Address FFIEC compliance

SecureSphere & ThreatRadar Fraud:
• Detects devices with fraud malware
• Requires no changes to apps for initial rollout or policy changes

[Diagram: Client Devices, SecureSphere; SecureSphere tracks fraud details.]

Page 37: Apresentação Allen ES

ThreatRadar Fraud Prevention

• SecureSphere integrates with Trusteer to detect users infected with malware like SpyEye, Zeus, Gozi, & Silon

1. User accesses Website
2. SecureSphere redirects browser to Trusteer
3. Browser downloads, runs malware check
4. Result sent to WAF

[Diagram: “Is this endpoint safe?” Pass / Block.]

Page 38: Apresentação Allen ES

DDoS Protection Use Case

RV Manufacturer:
• Received DDoS that took down Website for 3 days

Cloud DDoS Protection:
• Stopped SYN Flood in less than 2 hours from phone call
• Stopped follow-on attack

[Diagram: DDoS attack traffic is blocked before the Websites; links labelled 2 Gbps and 20 Mbps.]

Page 39: Apresentação Allen ES

Full Web-based DDoS Protection

• Stops all DDoS threats
  + Application & network attacks
  + Proprietary technology differentiates humans from bots
    – Analyzes HTTP redirect, cookie, and JavaScript execution capabilities
• Scales beyond your Internet connection limit
  + Support DDoS attacks that burst to 2 Gbps or 4 Gbps

[Diagram: Attacker, Malicious Bot, Search Engine; Cloud DDoS Protection dashboard.]

Page 40: Apresentação Allen ES

Hosted Application Protection Use Case

Retailer:
• Had upcoming PCI audit
• Needed to protect Website & meet PCI 6.6
• Hosted apps in the cloud

Imperva Cloud WAF:
• Helped retailer meet PCI
• Fast, easy deployment

[Diagram: Bots, Hackers, Scrapers, Comment Spammers and Legitimate Users reaching the Company’s Website; Imperva Cloud WAF Dashboard.]

Page 41: Apresentação Allen ES

Web Application Firewall in the Cloud

• Full, PCI-Certified Web application firewall
  + Leverages years of Imperva security expertise
• Stops SQL injection, XSS, OWASP Top 10, bots
• Protects both on-premise and hosted Websites
• Cost-effective managed WAF service
• Satisfies PCI DSS #6.6

360° Global Threat Detection: Early detection of threats based on attacks to other protected sites

Globally Distributed, High-Performance Proxy Network

Page 42: Apresentação Allen ES

Complete Protection Against Web Threats

[Diagram: SecureSphere in front of Web Apps, with the threats Bots, Web Attacks, App DDoS, Scrapers, Known Attackers, Undesirable Countries, Malware-based Fraud, Phishing Sites, Comment Spammers and Vulnerabilities.]

Page 43: Apresentação Allen ES

The Anatomy of an Anonymous Operation

May 2012

Carolina Bozza

Security Engineer