The Anatomy and Security of an Anonymous Operation, July 2012
Terry Ray – VP WW Security Engineering
What is Anonymous?
Perception
“[Anonymous is] the first Internet-based superconsciousness.” —Chris Landers, Baltimore City Paper, April 2, 2008
Hacktivists fighting for moral causes.
The 99%.
Reality
“Anonymous is an umbrella for anyone to hack anything for any reason.” —New York Times, 27 Feb 2012
Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement and Vladimir Putin.
Anyone can be a target.
The Plot
The attack took place in 2011 over a 25-day period.
Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.
10-15 skilled hackers. Several hundred to thousands of supporters.
How They Attack: The Anonymous Attack Anatomy
Anonymous Attack on Customer Site: Web Application Protection Use Case
Phase I: Scanners such as Nikto (technical attack)
Phase II: Havij SQL injection tool (technical attack)
Phase III: LOIC application (business logic attack)
SecureSphere stopped all phases of attack
On the Offense
+ Skilled hackers: This group, around 10 to 15 individuals per campaign, have genuine hacking experience and are quite savvy. Broad use of anonymizing services (aProxy & TOR).
+ Nontechnical: This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.
On the Defense
Deployment line was network firewall, IDS, WAF, web servers, network anti-DoS and anti-virus.
Imperva WAF:
+ SecureSphere WAF version 8.5 inline, high availability
+ ThreatRadar reputation (IP Reputation)
+ SSL wasn’t used, the whole website was in HTTP
1. Recruiting and Communications
Step 1A: An “Inspirational” Video
Step 1B: Social Media Helps Recruit
Setting Up An Early Warning System
Example
2. Recon and Application Attack
“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.” —Sun Tzu
Step 1A: Finding Vulnerabilities
Tool #1: Vulnerability Scanners
Purpose: Rapidly find application vulnerabilities.
Cost: $0-$1000 per license.
The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)
Hacking Tools
Tool #2: Havij
Purpose:
+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications.
Developed in Iran.
Vulnerabilities of Interest
[Chart: number of alerts per day, Day 19 through Day 23, y-axis 0 to 4000; series: Directory Traversal (DT), SQL injection (SQLi), DDoS recon, XSS]
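The chart above tallies WAF alerts per day by attack class, and the "On the Defense" slide notes that IP reputation flagged traffic from anonymizing services. The following is an added example (not from the deck or from Imperva) showing how a defender can produce the same kind of per-day tally from plain web server logs: it parses Apache combined-format lines, classifies each request by payload or tool user-agent, and computes the share of attack requests that came from addresses on an anonymizer list. The log lines, the anonymizer address set, and the user-agent strings for Nikto, Acunetix and Havij are constructed for the demo; real tools may send different or spoofed user-agents, so payload rules are checked first.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines for the demo (not taken from the deck).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jun/2011:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2011:10:01:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.4)"
198.51.100.7 - - [19/Jun/2011:10:01:06 +0000] "GET /../../etc/passwd HTTP/1.1" 400 180 "-" "Mozilla/5.00 (Nikto/2.1.4)"
192.0.2.33 - - [20/Jun/2011:11:15:40 +0000] "GET /news.php?id=1'%20AND%201=1-- HTTP/1.1" 200 4096 "-" "Havij"
192.0.2.33 - - [20/Jun/2011:11:15:41 +0000] "GET /news.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 4096 "-" "Havij"
203.0.113.10 - - [20/Jun/2011:11:16:00 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jun/2011:09:00:00 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Constructed stand-in for a reputation feed of anonymizing proxy / Tor exit addresses.
ANONYMIZER_IPS = {"198.51.100.7", "192.0.2.33"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Payload patterns, evaluated on the URL-decoded path, most specific first.
PAYLOAD_RULES = [
    ("sqli", re.compile(r"union\s+select|'\s*(and|or)\s+\d+\s*=\s*\d+|sleep\s*\(", re.I)),
    ("dt", re.compile(r"\.\./|\.\.\\")),
    ("xss", re.compile(r"<script|onerror\s*=|javascript:", re.I)),
]
# Tool user-agent substrings (assumed values; only a weak signal on their own).
UA_RULES = [
    ("sqli", re.compile(r"havij", re.I)),
    ("recon", re.compile(r"nikto|acunetix", re.I)),
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded_path"] = unquote_plus(rec["path"])  # decode before matching
    return rec


def classify(rec):
    """Return an attack label (sqli, dt, xss, recon) or None for a benign-looking request."""
    for label, pat in PAYLOAD_RULES:
        if pat.search(rec["decoded_path"]):
            return label
    for label, pat in UA_RULES:
        if pat.search(rec["ua"]):
            return label
    return None


def analyze(log_text, anonymizers):
    """Tally attack requests per day and class; compute the share from anonymizer IPs."""
    daily = defaultdict(Counter)
    sources = Counter()
    attack_total = attack_from_anon = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        daily[rec["ts"].date().isoformat()][label] += 1
        sources[rec["ip"]] += 1
        attack_total += 1
        if rec["ip"] in anonymizers:
            attack_from_anon += 1
    share = attack_from_anon / attack_total if attack_total else 0.0
    return {"daily": dict(daily), "sources": sources, "anonymizer_share": share}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, ANONYMIZER_IPS)
    for day in sorted(result["daily"]):
        print(day, dict(result["daily"][day]))
    print(f"share of attack requests from anonymizers: {result['anonymizer_share']:.0%}")
```

On the constructed sample, the two Nikto requests land on day 19 (one as recon, one as directory traversal because the payload rule wins), the Havij and XSS requests on day 20, and four of the five attack requests come from the anonymizer set. In production the same structure feeds a time-series like the chart above; the useful operational signal is the change in per-class volume from day to day, not the absolute count.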
Comparing to Lulzsec Activity
• Lulzsec was/is a team of hackers focused on breaking applications and databases.
• ‘New’ Lulzsec taking credit for recent attacks. Militarysingles.com.
• Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign.
• Lulzsec used: SQL Injection, Cross-site Scripting and Remote File Inclusion (RFI/LFI).
[Screenshot: RFI sample against index.php]
Lulzsec Activity Samples
1 infected server ≈ 3000 bot-infected PCs of power
8000 infected servers ≈ 24 million bot-infected PCs of power
Automation is Prevailing
In one hacker forum, it was boasted that one hacker had found 5012 websites vulnerable to SQLi through automation tools.
Note:
• Due to automation, hackers can be effective in small groups, e.g. Lulzsec.
• Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites.
US is the ‘visible’ source of most attacks
[Pie chart: attack source by country: United States 61.3%, China 9.4%, Sweden 4.4%, France 2.1%, Undefined 2.1%, United Kingdom 1.1%, Netherlands (value not legible), Other 19.2%]
During the Anonymous attack 74% of the technical attack traffic originated from anonymizing services and was detected by IP reputation.
Mitigation: AppSec 101
• Code Fixing
• Dork Yourself
• Blacklist + IP Rep
• WAF
• WAF + VA
• Stop Automated Attacks
3. Application DDoS
LOIC Facts
Low Orbit Ion Cannon (LOIC)
Purpose:
+ DDoS
+ Mobile and JavaScript variations
Other variations – HOIC, GOIC, RefRef
LOIC downloads:
+ 2011: 381,976
+ 2012 (through May 10): 374,340
+ June 2012 = ~98% of 2011’s downloads!
Anonymous and LOIC in Action
[Chart: transactions per second, Day 19 through Day 28, y-axis 0 to 700,000; series: Average Site Traffic, LOIC in Action]
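The chart above shows the LOIC flood as a step change in transactions per second against a flat baseline, and the "On the Offense" slide notes that the flood comes from volunteers running a downloaded tool. The following is an added example (not from the deck or from Imperva) of the simplest detection that turns that picture into an alert: learn a baseline rate from a warm-up period, flag seconds whose request count exceeds a multiple of it, and within those seconds name the sources whose individual rate exceeds a per-source limit. The request stream, the warm-up length and both thresholds are constructed for the demo.

```python
from collections import Counter, defaultdict
from statistics import median


def build_sample_stream():
    """Constructed stream of (unix_second, source_ip): 10 quiet seconds, then a 5-second flood."""
    events = []
    for t in range(0, 10):  # normal traffic: five legitimate clients, 1 request/s each
        for i in range(5):
            events.append((t, f"203.0.113.{i + 1}"))
    for t in range(10, 15):  # flood: three sources at 40 requests/s each, legit traffic continues
        for src in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
            events.extend((t, src) for _ in range(40))
        for i in range(5):
            events.append((t, f"203.0.113.{i + 1}"))
    return events


def per_second_counts(events):
    """Map each second to its total request count (transactions per second)."""
    return Counter(t for t, _ in events)


def detect_flood(events, warmup_seconds=10, spike_factor=5.0, per_source_limit=20):
    """Flag seconds above spike_factor x baseline and the sources driving them.

    Returns a dict with the learned baseline, the threshold, the flagged seconds,
    and a Counter of how many flagged seconds each suspect source exceeded the limit in.
    """
    counts = per_second_counts(events)
    seconds = sorted(counts)
    warmup = seconds[:warmup_seconds]
    base = median(counts[t] for t in warmup)          # robust to a single odd second
    threshold = max(base * spike_factor, base + 1)    # never alert on the baseline itself
    flood_seconds = [t for t in seconds if t not in warmup and counts[t] > threshold]

    per_src = defaultdict(Counter)                    # second -> source -> requests
    for t, src in events:
        per_src[t][src] += 1
    suspects = Counter()
    for t in flood_seconds:
        for src, n in per_src[t].items():
            if n > per_source_limit:
                suspects[src] += 1
    return {
        "baseline_tps": base,
        "threshold": threshold,
        "flood_seconds": flood_seconds,
        "suspects": dict(suspects),
    }


if __name__ == "__main__":
    result = detect_flood(build_sample_stream())
    print(f"baseline {result['baseline_tps']} tps, threshold {result['threshold']} tps")
    print("flood seconds:", result["flood_seconds"])
    for src, n in sorted(result["suspects"].items()):
        print(f"  {src}: over per-source limit in {n} flagged seconds")
```

The per-source limit is what separates the classic desktop LOIC case (few sources, very high per-source rate, cheap to block by address) from the JavaScript and mobile variants the slide mentions, where each participating browser sends far less: against those, the global spike still fires but the per-source list stays empty, and mitigation has to lean on request fingerprinting or challenge pages instead of address blocking.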
Application DDoS
“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.” —The Hacker News, July 30, 2011
But That Much Sophistication Isn’t Always Required
Meet your target URL
4. Non-Mitigations
I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application Security.
WAFs at a minimum must include the following to protect web applications:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDoS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation
However, IPS and NGFWs at best only partially support the items marked in red on the slide.
Recent attacker targets….
Church of Scientology, Muslim Brotherhood, Zappos.com, MilitarySingles.com, Amazon, Austria Federal Chancellor, HBGary Federal, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Bay Area Rapid Transit, PayPal, Mastercard, Visa
Yahoo Voice, LinkedIn, Last.fm, Formspring, eHarmony, US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Egyptian Government, Itau, Banco de Brazil, US Senate, Caixa
How many of these organizations have AV, IPS and Next Generation Firewalls?
Why are the attacks successful when these technologies claim to prevent them?
5. Demo