© Vernier Networks, Inc. Proprietary and confidential. All rights reserved.
Corporate Security: A Hacker Perspective
Mark “Simple Nomad” Loveless
LISA’06 – Washington, DC
08 Dec 2006
About Myself
- Senior Security Researcher, Vernier Networks Inc (NAC/IPS)
- Founder, NMRC hacker collective
Agenda
- Attacker world
- Attack trends
- Attack techniques
- Mitigation
Random Thought #1
- Seeing :wq in a /var/log/* file is a Bad Thing
- Bad because you see it, but real bad because you’ve been 0wn3d by someone who is so lame they can’t edit log files
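An added log-integrity check for this slide (example code, not from the talk): it scans a syslog-style file for lines that are editor keystrokes or terminal escapes rather than log records. The sample log, the syslog line format and the residue patterns are constructed assumptions.

```python
import re

# Constructed syslog-style excerpt (not from the talk) into which an intruder's
# editor keystrokes leaked: the bare ":wq" line is the tell.
SAMPLE_LOG = """\
Dec  8 10:14:02 host sshd[2231]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
Dec  8 10:14:09 host sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; COMMAND=/bin/bash
:wq
Dec  8 10:20:44 host sshd[2231]: pam_unix(sshd:session): session closed for user admin
"""

# A classic syslog record starts "Mon DD HH:MM:SS hostname ".
SYSLOG_LINE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")
# vi/ex save-and-quit commands that end up as text when typed in insert mode,
# plus raw terminal escape sequences, which syslogd never writes.
EDITOR_RESIDUE = re.compile(r"^\s*:(?:wq|x|w|q)!?\s*$|\x1b\[|\^\[")


def find_editor_residue(log_text):
    """Return (line_number, line) for lines that look like editor keystrokes."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), start=1)
            if EDITOR_RESIDUE.search(line)]


def find_malformed_lines(log_text):
    """Broader check: any non-empty line that does not start like a syslog
    record has no business in a file only syslogd should be writing."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), start=1)
            if line.strip() and not SYSLOG_LINE.match(line)]


if __name__ == "__main__":
    for n, line in find_malformed_lines(SAMPLE_LOG):
        print(f"line {n}: {line!r}")
```

Run it against a copy of /var/log/* with a real syslog pattern adjusted for your distribution; the broader check also catches truncated or hand-typed lines that the narrow :wq pattern misses.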
Attacker World
Attacker Goals and Dreams
- 0day – the attacker goal
- Remote root access – the attacker dream
- Remote root 0day – the holy grail
- The nature of the 0day forms the nature of the attack
- 0days are worth more now than they’ve ever been
What is 0day?
- Number of days a commercial piece of software has been on the market
  - Having a cracked copy of a new game before it even shipped was wicked cool
- Security flaw, usually remote (and preferably root access), that vendor and sys admins do not know about
  - As soon as the vendor/admin community is aware, no longer 0day
- Currently 0day seems to be:
  - An unpatched flaw that the vendor and sys admins know about
  - Non-public working exploit for a patched flaw
The Disclosure Cycle
- Researcher finds a flaw
- Researcher reports flaw to vendor
- Vendor develops fix
- Vendor releases patch
- Researcher releases advisory
- A responsible researcher releases technical details after a suitable patch period, assuming that is possible
The “Other” Disclosure Cycle
- Blackhat finds a flaw
- Blackhat shares flaw with very few friends
- Usage of flaw is done to minimize vendor notification
- Blackhat tries to find yet another flaw before first flaw is discovered
- Once discovered or blackhat bored, blackhat may sell the exploit
  - The object may be to sell the exploit anyway
When Disclosure Cycles Meet
- Vendor releases patch
- Researcher releases advisory
- Unpatched and patched versions of “fix” files are reverse engineered
  - BinDiff w/ IDA, OllyDbg, advisory clues, etc.
- Exploit code is developed based upon flaw
  - Whitehats use this to develop IDS/IPS signatures
  - Blackhats use this to develop attack code
- Both hats look for “silent” patches
Targeted Penetration
- Still around, but by proportions not growing
- The “Hacking Exposed” generation
  - Statistically most targeted penetrations are successful by any skilled attacker
- Tactics have changed substantially, most focus on defeating perimeter security
Random Thought #2
- What is the difference between someone being bad and a Bad Thing?
- An inbound connection to port 4444 is someone being bad
- Before each MetaSploit exploit module runs, it tries to connect on the assigned port in case it is already open
  - Port 4444 connection failed, followed by a few packets, then port 4444 connection succeeded is a Bad Thing
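Added detection logic for the probe pattern this slide describes (example code, not from the talk): it separates a lone probe of the handler port from the failed-probe, packets, successful-connect sequence. The connection-log format, the 60-second window and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall-style connection log, not from the talk. 10.9.9.9 probes 4444 on
# .20, fails, sends a few packets (the exploit), then 4444 answers. On .21 only the probe.
SAMPLE_EVENTS = """\
1165572000 10.9.9.9 -> 192.168.1.20:4444 CONNECT FAILED
1165572001 10.9.9.9 -> 192.168.1.20:445 PACKET
1165572002 10.9.9.9 -> 192.168.1.20:445 PACKET
1165572003 10.9.9.9 -> 192.168.1.20:4444 CONNECT OK
1165572050 10.9.9.9 -> 192.168.1.21:4444 CONNECT FAILED
"""

EVENT = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (CONNECT FAILED|CONNECT OK|PACKET)$")
HANDLER_PORT = 4444      # the port the deck talks about
WINDOW_SECONDS = 60      # assumed: how long after the failed probe we keep watching the pair

def parse_events(text):
    """Lines -> (ts, src, dst, dport, kind) tuples; lines that don't parse are skipped."""
    matches = (EVENT.match(line.strip()) for line in text.splitlines())
    return [(int(m[1]), m[2], m[3], int(m[4]), m[5]) for m in matches if m]

def _port_opened_after(evs, t_fail, port, window):
    """True if packets arrived after the failed probe and then `port` accepted a connect."""
    packets = 0
    for ts, _, _, dport, kind in evs:
        if not (t_fail < ts <= t_fail + window):
            continue
        if kind == "PACKET":
            packets += 1
        elif dport == port and kind == "CONNECT OK" and packets:
            return True
    return False

def classify(text, port=HANDLER_PORT, window=WINDOW_SECONDS):
    """Per (src, dst): a lone failed probe of the handler port is 'bad_person';
    probe fails, packets follow, then the port answers is 'bad_thing'."""
    by_pair = defaultdict(list)
    for ev in parse_events(text):
        by_pair[(ev[1], ev[2])].append(ev)
    verdict = {"bad_person": [], "bad_thing": []}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e[0])
        fails = [e[0] for e in evs if e[3] == port and e[4] == "CONNECT FAILED"]
        if fails:   # no probe of the handler port means nothing to say about this pair
            bad = any(_port_opened_after(evs, t, port, window) for t in fails)
            verdict["bad_thing" if bad else "bad_person"].append(pair)
    return verdict
```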
Attack Techniques
Various Attack Techniques
- “Click on this”
  - Also applies to “preview this”
- Injection and input manipulation
  - Buffer overflows
  - Heap overflows
  - Format strings
New Recon Techniques
- Repeated attacks from throw-away hosts
- Single packet/connection OS detection
  - E.g. Windows PPTP gives up major build version
- Port 0 scanning
- Attackers using dark IP space
IDS/IPS mapping
- Compromise DNS server, create subzone
  - Map out related dark IP space
  - Launch attacks from subzone
  - Note DNS queries to subzone
- Trigger simple and well known attacks from throw-away hosts
  - Did we get a response or a “response”?
- Work on mapping IDS/IPS vendor based upon what is caught/not caught is underway
One 0day per Target
- Prudent usage of 0day
  - Only used for a foothold, usually just past the perimeter
- Normal non-0day usage for remainder of the attack (this is usually all that is needed once inside)
Random Thought #3
- Apparently working for Microsoft is evil but working for spammers is not….
Attack Trends
A Professional Blackhat
- Works for a single spammer/spyware/id theft organization
  - Many are extremely organized
- Doesn’t worry (too much) about IDS/IPS/Anti-virus
- Goal is to hit fast and hit hard
- Pay is decent, around $200k per year for decent quality work
- Foreign governments/nation states/organized cybercrime willing to pay $40k-$120k for remote root 0day
Freelance Professional Blackhat
- Works for spammer organizations
- Works for information brokers
- Involved with identity theft rings
- More concerned with keeping 0days 0day
- Extremely proficient at reverse engineering
- At the high end, mad wicked skills == mad wicked money
Finding Flaws
- Fuzzing still works
- Checking for silent patches via BinDiff
- Checking for similar flaws in different parts of the code
- Checking for lousy fixes
What’s Hot!
- Anything WiFi/Bluetooth
- Client flaws are big
  - No firewall needed
- Targeted malware
  - No more Code Red, it incites patching, awareness, and remediation
- Expect more buzz with handhelds (e.g. Blackberry)
- My botnet is bigger than your botnet
  - Six figure-sized botnets are not unheard of
  - Leasing and timesharing
What’s Not
- Cross site scripting
  - Big with spammers, not with hacker types
- Individual compromises
  - As stated, proportionately not growing
  - Everything is done en masse
Current Hotspots
- Anything WiFi
- Client-side flaws
- Problems during protocol exchanges
- Microsoft big, Apple even bigger
- The caring and feeding of botnets
Random Thought #4
- On the plane home, fire up your laptop around midflight
- Note how many laptops are advertising a peer-to-peer network
- You can connect to these, and if unpatched, attack them
Mitigation
Lock It Down
- Patch
  - Mean time to exploit from patch is getting smaller
  - Many large banks have adopted a “patch and fix” policy
- Harden
  - Limit access to only what is needed
  - Locking down ACLs can save your bacon with regards to 0day
Looking Forward
- Understand your porous perimeter
  - Perimeter security is dead
- Consider new technologies to mitigate attacks
  - Network access management (yes, shameless plug)
  - Intelligent IPS solutions
Bad News, Good News
- Thousands of computers are being compromised every day
- The good news is that we are probably closer to the “every vulnerable box is compromised” end of the scale, so eventually the level of compromised systems will roughly stabilize
A Note on Pen Tests
- Don’t have the pen tester only test for known bugs, or with public exploits
- There is no reason why a pen tester is the only type of person with a private collection of non-public exploit code for publicly known flaws
  - Blackhats do the exact same thing
- While using HE (Hacking Exposed) techniques catches low-hanging fruit, a real pen tester will use these advanced techniques to get in
Random Thought #5
- On that flight home, if you get that First Class upgrade, and if you identify a WinCE device via Bluetooth, do not connect to it
- It is a Boeing plane that did not get the upgrade to turn off the “default on” for Bluetooth on the WinCE system running the navigation display system
- Don’t point this out midflight, nice people with handcuffs will help you off the plane
Have a great flight home!
Q&A
Contact me:
Web: http://www.verniernetworks.com/