How Safe is your Data?

5/12/2014 How Safe is Your Data?
http://127.0.0.1:3999/security-may2014.slide#1 1/33
How Safe is Your Data?
TAPPS
12 May 2014
Michael Soltys
McMaster University / Executek

Information Security
Key in a knowledge-based economy; key to safety: at a personal,
organizational, and national level
As technology evolves, so do the threats
User behavior:
- choose good passwords
- update software regularly
- authenticate
Advanced practice:
- comes down to the unsolved problem of writing correct software
- Big data analytics

Large scale attacks: U of Maryland
Attacks it can affect large numbers of people
In February 2014 the University of Maryland faced what it called a
"sophisticated cyber-attack"
which breached the records of more than 287,000 present and past students

Large scale vulnerabilities: Heartbleed Bug
allows an attack to read the memory of a web server
affects all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f
the defect could be used to reveal up to 64 kilobytes of the application's memory
CVE-2014-0160
Canadian Revenue Agency (CRA) closed down its electronic services website over
Heartbleed bug security concerns
OpenSSL validated under FIPS 140-2 by NIST!
(FIPS = Federal Information Processing Standards; NIST = National Institute of Standards
and Technology)

New types of attacks
The field is not static; new attacks are clever and inventive:
Drive-by downloads: where a browsing reader can accidentally download rogue
computer programs.
Spear phishing: where specific individuals or organisations are targeted with fake
emails to obtain confidential information.
Watering Hole: about one in 20 attacks uses this strategy where rather than trying to
break into an organisation's network directly, this targets other websites where
people might regularly visit, with the aim of infecting their computers and trying to
get the unwitting carrier to bring a virus back into their own network.

A typical attack: Malicious PDFs
In March 2014 a massive scam email was sent in Colombia, claiming to be from one of
the country's credit score agencies
The email contained an attachment file. The file does not show malicious payload when
scanned by antimalware software.
However, doing a "stream dump" of the file we see:
Malicious scripting: which instructs the reader to execute the URL. After downloading
the file shown in that URL, keylogger is downloaded.

2011: A Bad Year
When the history of 2011 is written, it may well be remembered as the Year of the Hack.
Stories of computer breaches were breaking almost every week:
Sony
Fox
the British National Health Service
and the Web sites of:
PBS
the U.S. Senate
and the C.I.A.
all fallen victim to highly publicized cyber-attacks. Many of the breaches have been
attributed to the groups Anonymous and LulzSec.

Operation Shady Rat
Operation Shady rat ranks with Operation Aurora (the attack on Google and many
other companies in 2010) as among the most significant and potentially damaging
acts of cyber-espionage yet made public.
Operation Shady rat has been stealing valuable intellectual property (including
government secrets, email archives, legal contracts, negotiation plans for
business activities, and design schematics) from more than 70 public and
private sector organizations in 14 countries.
The list of victims, which ranges from national governments to global
corporations to tiny nonprofits, demonstrates with unprecedented clarity the
universal scope of cyber-espionage and the vulnerability of organizations in
almost every category imaginable.

Operation Shady Rat
The vast majority of victims, 49, were U.S. based companies, government
agencies, and nonprofits. The category most heavily targeted was defense
contractors, 13 in all.
All the signs point to China.
Forensic investigation revealed that the defense contractor had been hit by a
species of malware that had never been seen before: a spear-phishing email
containing a link to a Web page that, when clicked, automatically loaded a
malicious program, a remote access tool, or rat, onto the victim's computer.
The rat opened the door for a live intruder to get on the network, escalate
user privileges, and begin exfiltrating data.

Victims don't want to be victims
McAfee sent emails to officials at four organizations, informing them that
their computer networks had been compromised.
Three of those organizations-including one whose breach is ongoing-made no
response to McAfee's notifications.
"Victims don't want to know they're victims. I
guess that's just victim psychology: if you
don't know about it, it's not really happening."
bit.ly/1iiKWoh(http://bit.ly/1iiKWoh)
0:00 / 3:21
CNN - Operation Shady RAT

An innocuous click
RSA is the security division of the high-tech company EMC. Its products protect
computer networks at the
White House
the Central Intelligence Agency
the National Security Agency
the Pentagon
the Department of Homeland Security,
as well as most top defense contractors, and a majority of Fortune 500
corporations.

An innocuous click
Sometime in the winter of 2011, lying there in the junk-mail folder, in the
spammy mess of mortgage offers and erectile-dysfunction drug ads, an email from
an associate with a subject line that looked legit caught the man's eye.
The subject line said "2011 Recruitment Plan."
The man clicked on the message, downloaded the attached Excel spreadsheet file,
and unwittingly set in motion a chain of events allowing hackers to raid the
computer networks of his employer, RSA.
The parent company disclosed the breach on March 17, 2011, in a filing with the
Securities and Exchange Commission. The hack gravely undermined the reputation
of RSA's popular SecurID security service.

An innocuous click
Experts found evidence that the attack on RSA had come from China.
They also linked the RSA attack to the penetration of computer networks at some
of RSA's most powerful defense-contractor clients, among them:
Lockheed Martin, Northrop Grumman, L-3 Communications
Few details of these episodes
have been made public.
BIG DATA →
bit.ly/1iiLc6I(http://bit.ly/1iiLc6I)

Operation Aurora
in 2010 Google became the first major company to blow the whistle on Chinese
hacking when it admitted to a penetration known as Operation Aurora, which also
hit:
Intel
Morgan Stanley
and several dozen other corporations
Most companies have preferred not to talk about or even acknowledge violations
of their computer systems, for fear of panicking shareholders and exposing
themselves to lawsuits.
Or for fear of offending the Chinese and jeopardizing their share of that
country's exploding markets.

Operation Aurora
Chinese hackers who breached
Google's servers several years
ago gained access to a sensitive
database with years' worth of
information about U.S.
surveillance targets, according to
current and former government
officials.
bit.ly/1iiLtXt(http://bit.ly/1iiLtXt)
The breach appears to have been aimed at unearthing the identities of Chinese

Attempted logins

Attempted logins
#!/usr/bin/perl
$i=1;
$test=0;
$packets=0;
sub compute_ip {
$IP=`dig @_ +short`;
if ($IP) {
print "tt IP= $IP <br>";
}
else {
print "tt IP= ? <br> n";
}
}
sub compute_location {
$country=`/sw/bin/geoiplookup @_`;
$country =~ m/([ A-Za-z]*)$/;
$country_short = $1;
if ($country_short) {
print "tt Country= $country_short <br>nn";
}
else {
print "tt Country= ? <br> nn";

Esotnia 2007
In the Spring of 2007, government computer systems in Estonia experienced a
sustained cyberattack (cyber-{warfare, terror, crime}).
On April 27, officials in Estonia moved a Soviet-era war memorial commemorating
an unknown Russian who died fighting the Nazis. The move stirred emotions, and
led to rioting by ethnic Russians, and the blockading of the Estonian Embassy
in Moscow.

Estonia 2007
The event marked the beginning of a series of large and sustained Distributed Denial-
Of-Service (DDOS) attacks launched against several Estonian national websites.
In the early days of the cyberattack, government websites that normally receive around
1,000 visits a day reportedly were receiving 2,000 visits every second. This caused the
repeated shut down of some websites.
The cyberattacks against Estonia were unusual bec. the rate of the packet attack was
very high, and the series of attacks lasted weeks, rather than hour or days, which is
more commonly seen for a DoS attack.
Eventually, NATO and the United States sent computer security experts to
Estonia to help recover from the attacks, and to analyze the methods used and
attempt to determine the source of the attacks.
youtu.be/PTv3QrhGPC8?t=42m34s(http://youtu.be/PTv3QrhGPC8?t=42m34s)

Estonia 2007
A persistent problem during and after any cyberattack is accurate
identification of the attacker:
was it sponsored by a nation?
was it the independent work of a few unconnected individuals?
was it initiated by a group to instill frustration and fear by damaging the
computerized infrastructure and economy?
The uncertainty of not knowing the initiator also affects the decision about
whom should ultimately become a target for retaliation, and whether the
response should come from law enforcement or the military.
After some investigation, network analysts later concluded that the
cyberattacks targeting Estonia were not a concerted attack, but instead were
the product of spontaneous anger from a loose federation of separate attackers.

Botnets
Botnet = "Robot Network"
Botnets are made up of vast numbers of compromised computers that have been
infected with malicious code, and can be remotely-controlled through commands sent
via the Internet.
Hundreds or thousands of these infected computers can operate in concert to:
disrupt or block Internet traffic for targeted victims
harvest information
distribute spam, viruses, or other malicious code.

Botnets
Botmasters can reportedly make large sums of money by marketing their technical
services.
For example, Jeanson Ancheta, a 21-year-old hacker and member of a group called the
Botmaster Underground, reportedly made more than $100,000 from different Internet
Advertising companies who paid him to download specially-designed malicious adware
code onto more than 400,000 vulnerable PCs he had secretly infected and taken over.
He also made tens of thousands more dollars renting his 400,000-unit botnet herd to
other companies that used them to send out spam, viruses, and other malicious code
on the Internet.
PPI: Pay-per-Install - The Commoditization of Malware Distribution
In 2006, Ancheta was sentenced to five years in prison (FBI operation Bot Roast).
Symantec reported that it detected 6 million bot-infected computers in the second half
of 2006.

Botnets
Some botnet owners reportedly rent their huge networks for US$200 to $300 an
hour, and botnets are becoming the weapon of choice for fraud and extortion.
Newer methods are evolving for distributing bot software that may make it
even more difficult in the future for law enforcement to identify and locate
the originating botmaster.
Botnets organize themselves in an hierarchical manner, with a central command
and control location (sometimes dynamic) for the botmaster.
This central command location is useful to security professionals because it
offers a possible central point of failure for the botnet.
However, in the near future, attackers may use new botnet architectures that
are more sophisticated, and more difficult to detect and trace, e.g., P2P.

E.g., Wordpress
A fantastic piece of software for blogging; but consists of many parts:
MySQL; Apache; PHP; HTML; JavaScript; Mac OS X Server
absolutely essential to have the latest versions and strong password.

Passwords
Your password must be a minimum of 8 characters in length and must include
characters from at least three of the four groups below:
Uppercase letters: A, B, C, ... ,Z
Lowercase letters: a, b, c, ...,z
Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols: ~ ! @ # $ % ^ & * ( ) _ + ` - = { } | ] [ : " ; < > ? , . / '
Do not use any of your last five previous passwords.
Passwords cannot contain your account name or parts of your full name.
Generate with a seed, a name, and an MD5 hash generator
E.g., myname@gmail.com use seed 5a63y@h& to obtain:
hash: ae19e19070a052b85306fc758146ef8e

Uncovered during Executek audits
A client's computer we discovered that the data was kept in a Dropbox folder,
and someone who was not supposed to see it had constant access to the latest
version.
Most clients use dictionary passwords, never change them; sometimes they write
them down on sticky notes placed on the monitor. Employees who leave keep
passwords, which are not changed immediatelly, etc.
Software is seldom updated.
The server is secured but the backup module is not.

Sophisticated attacks
Control hijacking attacks: exploits and defenses
Dealing with legacy code: sandboxing and isolation
Exploitation techniques and fuzzing
Tools for writing robust application code
Principle of least privilege, access control, and operating systems security
Security problems in network protocols: TCP, DNS, SMTP, and routing
Unwanted traffic: denial of service attacks

Authentication

Apache Security
Apache HTTP server access:
.htaccess
.htpasswd
The first file is the policy and the second the password:
AuthType Basic
AuthName "Networks & Security Readings 2014"
AuthUserFile cs3c03-w14/ReadingList/.htpasswd
require valid-user
The second file contains the username and a hash of the password; two examples:
nets2014:9bn3EF/hJS5J6
netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21

Apache Security Challenge
I tell my students that the first to break the first password, obtained with
the command:
htpasswd -cbd ./.htpasswd nets2014 a5e1c054
gets extra marks. Note the password is not a dictionary word.
Still, it takes about 15min with, for example,
ochHashcat-plus
software. On the other hand, breaking the second password, obtained with the
command:
htpasswd -cbm ./.htpasswd netsec2013 tigerblood
is practically impossible (crypt vs md5).

Executek: Breaking into a Super-User account
Obtained the SHA1 hash of the password from "shadow file":
cat /private/ var/db/shadow/hash/[...] | cut -c 169-216
which turns out to be:
[...]:4AC8F24F7CE9DBF6C81ECEAA9885401E3221147179FB9178
and then used:
John the Ripper 1.7.3.1
software to reverse engineer the password: onegod
it took about 20 minutes
because the password was a dictionary word!

References
CRS Report for Congress 2008(http://www.fas.org/sgp/crs/terror/RL32114.pdf)
Vanity Fair: Operation Shady Rat 2011(http://rdd.me/5sihotjz)
Vanity Fair: Enter the Cyber-Dragon 2011(http://rdd.me/todxjx9k)
Malicious PDF (ISC)(https://isc.sans.edu/forums/diary/17875)
Networks Course Password Cracking Challenge(http://bit.ly/1paMuDy)

Thank you
Michael Soltys
McMaster University / Executek
soltys@mcmaster.ca(mailto:soltys@mcmaster.ca)
http://www.cas.mcmaster.ca/~soltys(http://www.cas.mcmaster.ca/~soltys)
@MichaelMSoltys(http://twitter.com/MichaelMSoltys)

How Safe is your Data?

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie How Safe is your Data?

Ähnlich wie How Safe is your Data? (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

How Safe is your Data?