2014: The Year the Internet Fell Apart

© 2015 IBM Corporation

Uploaded by ibm-security, posted 18-Jul-2015

TRANSCRIPT

Page 1: The Year the Internet Fell Apart

2014: The Year the Internet Fell Apart

Page 2: The Year the Internet Fell Apart

John Kuhn
Senior Threat Researcher
IBM Security

Page 3: The Year the Internet Fell Apart

Good News First….

Charts: Total Records Lost Per Year and Number of Breaches Per Year, 2005–2014; Records Lost Per Industry and Breaches Per Industry, broken down by Retail/Merchant, Medical Providers, Government and Military, Educational Institutions, Financial and Insurance Services, Nonprofit Organizations and Other.

Data: http://www.privacyrights.org/data-breach

Page 4: The Year the Internet Fell Apart

HeartBleed – Summary of Impact

• CVE-2014-0160 - OpenSSL
• Improper handling of Heartbeat extension packets resulting in potential data loss.
• The bug was introduced December 31, 2011
• Discovered on March 21, 2014 and made public on April 4th
• IBM Managed Security Services Statistics 2014
  • Over 4 Million detected attacks
  • Affected all industries
  • Raised the Alertcon to level 2

Logo: heartbleed.com
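As an added illustration (not part of IBM's deck), the following Python check applies the RFC 6520 length rule that the vulnerable OpenSSL versions skipped: a heartbeat record whose declared payload length, plus the minimum padding, exceeds the bytes actually present in the record is flagged. The sample records are constructed, not captured traffic, and the function name is hypothetical.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24  # TLS ContentType for the Heartbeat extension (RFC 6520)
MIN_PADDING = 16             # RFC 6520: at least 16 bytes of padding follow the payload

def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether its heartbeat message is
    consistent. Returns a dict with a 'verdict' key plus parsed lengths."""
    if len(record) < 5:
        return {"verdict": "malformed", "reason": "record header truncated"}
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT_CONTENT_TYPE:
        return {"verdict": "not-heartbeat", "content_type": ctype}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"verdict": "malformed", "reason": "record length mismatch"}
    if len(body) < 3:
        return {"verdict": "malformed", "reason": "heartbeat header truncated"}
    hb_type, declared = struct.unpack("!BH", body[:3])
    available = len(body) - 3  # bytes actually carried after the 3-byte header
    # RFC 6520 requires the declared payload plus minimum padding to fit inside
    # the record. A responder that trusts 'declared' instead of checking it
    # copies 'declared' bytes from its own memory into the reply.
    verdict = "heartbleed-pattern" if declared + MIN_PADDING > available else "ok"
    return {"verdict": verdict, "type": hb_type,
            "declared": declared, "available": available}

# Constructed samples (not captured traffic); 0x0302 is the TLS 1.1 version.
# Benign request: 4-byte payload "ping" followed by 16 bytes of padding.
BENIGN_HEARTBEAT = (b"\x18\x03\x02" + struct.pack("!H", 23)
                    + b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# Heartbleed-style request: declares a 16 KiB payload but carries none.
OVERSIZED_HEARTBEAT = b"\x18\x03\x02\x00\x03\x01\x40\x00"
# Ordinary application-data record (content type 23), which the check ignores.
APP_DATA_RECORD = b"\x17\x03\x02\x00\x02\xaa\xbb"

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_HEARTBEAT),
                      ("oversized", OVERSIZED_HEARTBEAT), ("appdata", APP_DATA_RECORD)]:
        print(name, check_heartbeat_record(rec))
```

The same comparison is what a patched OpenSSL performs before building its reply; an IDS applying it to inbound records sees the attack traffic the slide's statistics count.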

Page 5: The Year the Internet Fell Apart

HeartBleed By The Numbers

Chart: HeartBleed detected attacks per day, April 10 – December 30, 2014 (y-axis 0–350,000).

Top 5 Targets
United States
Japan
France
Australia
Canada

Top 5 Attackers
United States
Switzerland
Netherlands
Ukraine
Japan

Page 6: The Year the Internet Fell Apart

ShellShock – Summary of Impact

• CVE-2014-7169 – Bash Shell
• Improper handling of environment variables resulting in remote command execution.
• The bug was introduced in September 1989
• Discovered on September 9, 2014 and made public on September 24
• IBM Managed Security Services Statistics 2014
  • Over 14 Million detected attacks
  • Affected all industries
  • Raised the Alertcon to level 3

Logo: Symantec.com
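As an added illustration (not from the deck), a Python scan of web-server access logs for the bash function-definition prefix that ShellShock attempts carried in headers a CGI server exports as environment variables. The log lines are constructed samples in combined log format using documentation IP ranges; the User-Agent on the second line is the harmless test string published with the 2014 advisories, and the function name is hypothetical.

```python
import re
from urllib.parse import unquote

# Bash's function-import check looked for a variable value beginning with the
# literal "() {"; the bug was that parsing did not stop at the closing brace.
# The pattern tolerates extra whitespace so minor variations still match.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Combined log format: the three quoted fields are, in order, the request
# line, the Referer and the User-Agent, each of which CGI exports to bash.
QUOTED_FIELDS = ("request", "referer", "user_agent")

def find_shellshock_attempts(log_lines):
    """Return one hit per log line whose request line, Referer or User-Agent
    carries the function-definition prefix, decoding %-escapes first."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        quoted = re.findall(r'"([^"]*)"', line)
        for field, value in zip(QUOTED_FIELDS, quoted):
            if SHELLSHOCK_RE.search(unquote(value)):
                hits.append({"line": line_no, "field": field, "value": value})
                break  # one hit per line is enough for triage
    return hits

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:02:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:10:03:09 +0000] "GET /cgi-bin/status?q=%28%29%20%7B HTTP/1.1" 404 0 "-" "curl/7.37"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG_LINES):
        print(hit)
```

A 200 response to a flagged request does not by itself prove the shell ran the payload; the hit is a triage lead to correlate with process or outbound-connection logs on the host.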

Page 7: The Year the Internet Fell Apart

ShellShock Geo-Attack Data

Chart: ShellShock detected attacks per day, September 26 – December 31, 2014 (y-axis 0–1,200,000).

Top 5 Attackers
United States
Brazil
Lithuania
China
Germany

Top 5 Targets
United States
Japan
Canada
France
Australia

Page 8: The Year the Internet Fell Apart

HeartBleed vs ShellShock - 2014

Chart: HeartBleed and ShellShock detected attacks per day, April 10 – December 31, 2014 (y-axis 0–1,200,000).

Page 9: The Year the Internet Fell Apart

Alain-Désiré Kamenyero
Sr. Manager, Cyber Security Services
Scotiabank

Page 10: The Year the Internet Fell Apart

History of the Internet

The ARPANET was the first wide area packet switching network, the "Eve" network of what has evolved into the Internet we know and love today.

“Everything was built with performance, NOT SECURITY, in mind”, Dr. Shrobe said. “We left it to programmers to incorporate security into every line of code they wrote. One little mistake is all it takes for the bad guy to get in.”

Page 11: The Year the Internet Fell Apart

Fast forward to 2014, the Year the Internet Fell Apart.

The Vulnerabilities Explained

Heartbleed – April 4th, 2014
The OpenSSL project was founded in 1998 to invent a FREE set of encryption tools for the code used on the Internet.
• 2/3 of the world’s web servers use OpenSSL
• Vulnerability age: 2 1/2 years
• Relative ease of exploitation
• Remote execution
• Open source

logo: vpnexpress.net

Shellshock – September 24th, 2014
Bash is a Unix shell written by Brian Fox in 1989 for the GNU Project as a FREE software replacement for the Bourne shell.
• 70% of devices that access the internet
• Vulnerability age: 26 years
• Arbitrary command execution
• Rated 10 on a 10-point severity scale
• Open source

logo: heartbleed.com

Page 12: The Year the Internet Fell Apart

Major Vulnerabilities, a New Norm

Chart: High Severity Vulnerabilities 2009 - 2014, bars for 2010–2014 (values shown: 1887, 1492, 1488, 1612, 1705).

Chart: High Severity Vulnerabilities 2014, split by severity with legend Low / Medium / High (values shown: 8%, 68%, 24%).

Chart: # of Vulnerabilities per year, 2009–2014 (y-axis 0–7,500).

7,038 new security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day.

Page 13: The Year the Internet Fell Apart

Planning For The Future

• Reliable and refreshed inventory
• Keep up with threat intelligence
• Implement mitigating controls
• Create and practice a broad Incident Response Plan

Fast track threat intelligence in security controls
Proactive threat analysis
Security posture awareness
Better communication to stockholders

Gartner, FBI, NSA, and AV companies have conditioned us to always assume there are “rats in the attic” …

We should be Ready and Prepared

Page 14: The Year the Internet Fell Apart

UNICORN (CVE-2014-6332)

Robert Freeman
Manager, IBM X-Force Research

Page 15: The Year the Internet Fell Apart

Impact and what was affected

• Every version of Internet Explorer since 3.0 on any Windows OS from 95 or later
• Originally part of code written for Microsoft Excel 20-some years ago
• Allows remote code execution via a data-only attack, which bypasses security controls meant to prevent remote code execution from memory corruption bugs
• Can circumvent the Enhanced Protection Model sandbox in IE 10/11
• Can circumvent the Microsoft EMET anti-exploitation tool
• Vulnerability details:
  • X-Force Database Entry: 93141
  • CVE Entry: CVE-2014-6332

CVSS Base Score: 9.3

Page 16: The Year the Internet Fell Apart

How the vulnerability works – High level

A serial action is needed to exploit the vulnerability, ultimately resulting in “free rein” allowing data exfiltration.

1. A bad actor takes advantage of a hand-off process in VBScript execution within IE to resize a memory request
2. The resize permits a data attack leveraging the memory leak
3. A subsequent memory overwrite makes the script engine believe it’s running in a trusted environment

Page 17: The Year the Internet Fell Apart

How the vulnerability works - Technical

• In VBScript, the COM SafeArrays have a fixed element size (16 bytes) with a WORD specification for the variant type
• Typically, through this WORD you can only control 8 bytes of this data through the Variant type (for Double values or Currency values)
• The vulnerability allows for in-place resizing of these arrays through a “redim preserve” command
• SafeArrayRedim() will swap out the old array size with the newly requested size
• The re-dimension task is farmed out to OleAut32.dll
• If the size request isn’t reset before returning from OleAut32.dll, it can allow a request for data beyond the intended range, which is the same as a memory leak.

Exploitation could have been prevented if VBScript invalidated the “On Error Resume Next” when OleAut32 returns with an error.

• The exploit takes advantage of the difference between the alignment of the arrays (16 bytes) and the alignment of the Windows heap (8 bytes). This provides two important opportunities:
  • Change the data type in an element of an adjacent array
  • Read that content back through the original array reference.

As a result, an attacker can request object execution by running unsafe COM objects like ActiveX with arbitrary parameters.

These possibilities permit a data attack that leverages a memory leak leading to the VBScript class object instance, AND a subsequent memory overwrite leads the script engine to believe that it is running in a trusted environment.
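A simplified Python model, added here and not IBM's or Microsoft's code, of the bookkeeping failure the slide describes: the re-dimension records the requested size before the allocation is confirmed and does not reset it when OleAut32 reports failure, so a script that swallows the error with On Error Resume Next keeps a bound larger than the backing buffer, and a later index passes the bounds check with nothing behind it. The hardened variant updates the bound only after the allocation succeeds. All class and function names are hypothetical.

```python
class AllocationFailure(Exception):
    """Stands in for OleAut32 reporting that the resize request failed."""

class SafeArrayModel:
    """Toy SafeArray: a backing buffer plus a separately recorded element count."""
    def __init__(self, count, element_size=16):
        self.element_size = element_size
        self.count = count
        self.buffer = bytearray(count * element_size)

    def read(self, index):
        # Bounds check against the recorded count, as the script engine does.
        if not 0 <= index < self.count:
            raise IndexError("index outside array bounds")
        start = index * self.element_size
        return bytes(self.buffer[start:start + self.element_size])

def _allocate(nbytes, limit):
    # Models the allocator behind SafeArrayRedim(); refuses requests above limit.
    if nbytes > limit:
        raise AllocationFailure(nbytes)
    return bytearray(nbytes)

def redim_preserve_vulnerable(arr, new_count, limit):
    # Modelled defect: the count is updated before the allocation is
    # confirmed and is not reset when the allocation fails.
    arr.count = new_count
    new_buf = _allocate(new_count * arr.element_size, limit)
    new_buf[:len(arr.buffer)] = arr.buffer
    arr.buffer = new_buf

def redim_preserve_fixed(arr, new_count, limit):
    # Hardened: the recorded count changes only once the new buffer exists.
    new_buf = _allocate(new_count * arr.element_size, limit)
    new_buf[:len(arr.buffer)] = arr.buffer
    arr.buffer = new_buf
    arr.count = new_count

def redim_with_on_error_resume_next(redim, new_count, limit=4096):
    """ReDim an 8-element array, swallowing the error like On Error Resume Next."""
    arr = SafeArrayModel(count=8)
    try:
        redim(arr, new_count, limit)
    except AllocationFailure:
        pass  # the script simply continues
    return arr

def backed_elements(arr):
    return len(arr.buffer) // arr.element_size  # elements the buffer really holds
```

In the model an out-of-range read returns an empty slice; in the real engine the same index read adjacent heap memory, which is the leak the slide refers to.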

Page 18: The Year the Internet Fell Apart

What can be gained

• Exploiting the vulnerability causes various memory leaks in Microsoft IE, one of which relates to the internal data structure for Visual Basic.
• By exploiting, attackers can:
  • Conduct reliable code execution for COM objects
  • Exfiltrate data straight out of IE
  • Install additional malware on the system
• This can be exploited similarly to a technique used by Yang Yu, called the “Vital Point Strike”, presented at the BlackHat 2014 session “Write Once, Pwn Anywhere”.
• Scripts can complete the same job as shellcode.
• The script interpreter engine in IE can execute malicious scripts as long as they have an elevated privilege.

Page 19: The Year the Internet Fell Apart

Notices and Disclaimers

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Page 20: The Year the Internet Fell Apart

Notices and Disclaimers (con’t)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services®, Global Technology Services®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Page 21: The Year the Internet Fell Apart

Thank You

Your Feedback is Important!

Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.