Transcript
Page 1: Security threats facing SA businesses

Security Threats Facing S.A Businesses

©2001 SensePost (Pty) Ltd

Charl van der Walt, www.sensepost.com

Page 2

INTRODUCTION

• About me

• SensePost

• Objective

[email protected]

Page 3

Agenda

• Is the Threat Real

• “We are from .za, is it still Real?”

• Types of attacks seen in the wild

  » Application Layer
  » DDoS
  » Trojans & Worms
  » Semantic Attacks
  » Advanced IP Manipulation

Page 4

Haroon Meer

Page 5

Is the Threat Real?

• “In the last month, we have experienced single days of mirroring over 100 defaced web sites, over three times the total for 1995 and 1996 combined.” – Attrition.org, 21 May 2001

• Since the archive started
  – 16,070 defaced Websites

• Security Incidents on ARIS
  – In the last 24hrs: 27,406
  – In the last 7 days: 465,267

Page 6

INFORMATION SECURITY AWARENESS

Jaco van Graan


Page 8

DDoS

Page 9

Feb Fun

• Major attack launched between February 7 and 14, 2000

• Approximately 1,200 sites affected

• Including a number of high profile sites:
  – CNN.com, Yahoo, eBay, Amazon, Dell, Buy.com

• Simple bandwidth usage

• Yahoo! attack lasted from about 10:30 a.m. till 1 p.m.
  – requests totaled roughly 1 gigabit per second

• Canadian teen “Mafiaboy” arrested in April
  – pleads guilty to 55 charges in Montreal, November 2000
  – Faces 2 years & US$650

Page 10

Feb Fun – the Aftermath

• FBI estimates that DoS attacks during February 2000 cost $1.2 billion

• eBay’s share price fell 25% the day after its Website was taken down, costing them a total of US$1,2bn.

• Reportedly spent US$100 000 in securing their site against further attacks.

Page 11

Who’s calling? The Phonemasters!

• 11 20-somethings

• Phocused on telephone networks
  – AT&T Corp
  – British Telecommunications Inc
  – MCI WorldCom
  – Sprint Corp

• Could eavesdrop on phone calls & redirect communications at will.

• Access to portions of the national power grid & air-traffic-control systems

• Hacked their way into a digital cache of unpublished telephone numbers at the White House

• Redirected FBI phone numbers to chatlines

• Prices: FBI's Crime Information Center = $100

• Trapped at the end of 1998 using a PSTN sniffer

Page 12

Is the Threat Ours?


Page 14

Owned by aKt0r ...

Due to Y2K Problems we have lost all our customer information and also our customers money. Im making history in SA… someone give me a decent job and mark gilmen interview me I think you roq...

Page 15

Mr_Twig??

• Defaced in 2001:

  – www.callacar.co.za
  – www.itweb.co.za
  – www.metrofm.co.za
  – www.infosat.co.za
  – rf.nokia.co.za
  – www.pnet.co.za
  – www.nedcore.co.za
  – www.atlassecurity.co.za
  – www.durbanexports.co.za
  – www.curriespost.co.za
  – www.dcs.co.za
  – www.dap.co.za
  – www.aids2000.co.za
  – www.nnp.org.za

Page 16

RSADoS (in the motherland)

• JSE-listed NetActive reportedly experienced two attacks in April 2000

• The Edcon group reportedly lost R1m when a disgruntled programmer brought down 600 stores for a whole day

• irc.posix.co.za
  – January 2001
  – Classic SMURF
  – Killed the server
  – Affected all POSIX clients

Page 17

Types Of Attacks

Types of attacks seen in the wild

• Application Layer
• DDoS
• Trojans & Worms
• Semantic Attacks
• Advanced IP Manipulation

Page 18

Application Level Attacks

• "I would put patching in the top two things an admin can do to secure their computers" – Lance Spitzner, Honeynet Project.

• Failing to responsibly patch computers led to 99 percent of the 5,823 Web site defacements last year – Attrition.org

• wu-FTP
  – Discovered June 2000
  – Still being used by Ramen worm

• MS IIS ‘RDS’ (MDAC) vulnerability
  – Released June 1998
  – Patched in July 1998
  – Advisory released again July 1999
  – and again in July 2000
  – Still #4 on SANS Top 10 (www.sans.org/topten.html)

• IIS ISAPI bug used to deface > 9000 servers to date

Page 19

Types Of Attacks (section divider: DDoS)

Page 20

DoS using Amplifiers - SMURF

Page 21

SYN floods

• TCP connection is established via a 3-way handshake
  – SYN
  – SYN/ACK
  – ACK

• SYN flood is based on an incomplete handshake
  – SYN but not ACK

• TCP/IP stack adds an entry in a table in kernel memory for each SYN received.
  – Waits a while before deleting the entry
  – Can't accept connections when the table is already full

• A heavy flood can prevent legitimate connections.
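
As an added illustration (not part of the original slides), the Python model below plays through the mechanism these bullets describe: a bounded half-open table that refuses new SYNs once spoofed, never-completed handshakes fill it, followed by the stateless SYN-cookie defence that avoids keeping per-SYN state at all. The backlog size, timeout, HMAC cookie construction and addresses are constructed for the demo, not taken from any real stack.

```python
import hashlib
import hmac
import secrets

# Constructed parameters: a tiny backlog so the flood effect is visible.
BACKLOG_SIZE = 4
SYN_TIMEOUT = 75.0  # seconds a half-open entry is kept before it is dropped

class HalfOpenTable:
    """Model of the kernel table that holds one entry per SYN awaiting its ACK."""
    def __init__(self, capacity=BACKLOG_SIZE, timeout=SYN_TIMEOUT):
        self.capacity, self.timeout = capacity, timeout
        self.entries = {}  # (src_ip, src_port) -> arrival time of the SYN

    def expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if now - t < self.timeout}

    def on_syn(self, src_ip, src_port, now):
        """True if a SYN/ACK goes out, False if the SYN is dropped (table full)."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries[(src_ip, src_port)] = now
        return True

# Mitigation: SYN cookies. Nothing is stored on SYN; the server's initial sequence
# number is a MAC over the connection tuple and a coarse time slice, recomputed on ACK.
SECRET = secrets.token_bytes(16)

def syn_cookie(src_ip, src_port, dst_port, now):
    time_slice = int(now) // 64  # a cookie stays valid for about a minute
    msg = f"{src_ip}:{src_port}:{dst_port}:{time_slice}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def ack_valid(src_ip, src_port, dst_port, ack_num, now):
    """The ACK must carry cookie + 1 for the current or previous time slice."""
    return any(ack_num - 1 == syn_cookie(src_ip, src_port, dst_port, now - d)
               for d in (0, 64))

def flood_demo():
    """Spoofed SYNs fill the table; a real client is refused until entries expire."""
    table = HalfOpenTable()
    for i in range(BACKLOG_SIZE):  # constructed spoofed sources that never ACK
        table.on_syn(f"10.0.0.{i}", 40000 + i, now=0.0)
    refused = not table.on_syn("198.51.100.7", 51515, now=10.0)
    recovered = table.on_syn("198.51.100.7", 51515, now=80.0)
    return refused, recovered

if __name__ == "__main__":
    print("legitimate client refused, then recovered:", flood_demo())
```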

Page 22

New Kid on the block - DDoS

Page 23

Profile of a typical attack

• Initiate a scan phase in which a large number of hosts (100,000 or more) are probed for a known vulnerability.

• Compromise the vulnerable hosts to gain access.

• Rootkit

• Install the tool on each host.

• Use the compromised hosts for further scanning and compromises.

• Via automated processes a single host can be compromised in under 5 seconds

Page 24

Types Of Attacks (section divider: Trojans & Worms)

Page 25

The Worm Worry

• Virus vs Worm
  – Worm propagates via human interaction
  – Virus can replicate itself
  – Actually used interchangeably

• Worms have been around since the beginning
  – Morris Worm 1988

• Typical Characteristics:
  – ‘Infect’ system via some known vulnerability
  – Typically create ‘root kit’ or backdoor
  – May attempt to hide their tracks
  – Typically have some reproductive algorithm
  – Often report infection to ‘controller’
  – Often export compromised information
  – Often offer remote control functionality

Page 26

Usual suspects: ILOVEYOU

• Spread via email attachment or IRC/DCC

• Disguised Visual Basic script

• Modifies Registry to ensure startup

• Changes IE startup page to auto-download an EXE
  – Mails cached Windows passwords to attacker

• Redistributes itself as HTML via Outlook Address Book

• Overwrites a number of files with copies of itself
  – Can spread via the NetBios network

• Cleans up registry to hide its tracks

• Changes file attributes and file extensions to hide its tracks

Page 27

Usual suspects: sadmind/IIS

• Self-propagating software exploit

• Uses Solaris host to exploit MS IIS Servers
  – buffer overflow vulnerability in the Solstice sadmind
    • Two years old!
  – IIS Unicode Directory Traversal Problem
    • August 2000
    • Uses SensePost Proof-of-Concept

• Creates backdoor by adding “+ +” in .rhosts
  – Free access via rlogin & rshell

• Modify index.html after 2000 IIS hits

• Creates a rootshell listening on TCP port 600

• Searches for other Solaris targets
  – Scans random IP ranges on port 111

f**k USA Government
f**k PoizonBOx
contact: [email protected]
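
The “+ +” backdoor works because each .rhosts line is `hostname [username]` and `+` is a wildcard in either field, so `+ +` trusts any user on any host for rlogin/rsh. As an added example that is not part of the slides, the Python audit below parses a constructed .rhosts file and flags such wildcard entries, which is the host-level check a responder would run on a suspected sadmind/IIS victim.

```python
# Constructed sample of a root .rhosts after the worm's "+ +" line has been added.
# Format per line: hostname [username]; "+" is a wildcard in either field.
SAMPLE_RHOSTS = """\
# trusted admin workstation
admin.example.internal root
+ +
+ backup
"""

def parse_rhosts(text):
    """Yield (lineno, host, user) for every effective (non-comment) entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None  # absent => same-named user
        yield lineno, host, user

def audit_rhosts(text):
    """Return (lineno, severity, description) for over-permissive entries."""
    findings = []
    for lineno, host, user in parse_rhosts(text):
        if host == "+" and user == "+":
            findings.append((lineno, "CRITICAL",
                             "any user on any host is trusted (the '+ +' backdoor)"))
        elif host == "+":
            who = user or "the same-named user"
            findings.append((lineno, "HIGH", f"{who} on any host is trusted"))
        elif user == "+":
            findings.append((lineno, "HIGH", f"any user on {host} is trusted"))
    return findings

if __name__ == "__main__":
    for finding in audit_rhosts(SAMPLE_RHOSTS):
        print(finding)
```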

Page 28

Types Of Attacks (section divider: Semantic Attacks)

Page 29

Semantic Attacks – BBC

http://www.bbc.co.uk&today=@3290317573/hires/za/english/news/300973.html
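
The link on this slide is a URL-obfuscation trick: everything before the `@` is URL userinfo, which the browser never uses as a destination, and the real host is the decimal-encoded address `3290317573`. As an added example that is not part of the original slides, the Python below resolves where such a link really points, for use in link checking or mail filtering; the second sample URL is constructed.

```python
from urllib.parse import urlsplit
import ipaddress

# URL taken from the slide: the apparent site sits in the userinfo field.
BBC_URL = ("http://www.bbc.co.uk&today=@3290317573"
           "/hires/za/english/news/300973.html")

def numeric_host_to_ip(host):
    """Turn a decimal (3290317573) or hex (0xc41e4305) host into dotted quad;
    return None when the host is an ordinary name."""
    try:
        value = int(host, 16) if host.lower().startswith("0x") else int(host)
    except ValueError:
        return None
    if 0 <= value <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(value))
    return None

def analyze_url(url):
    """Report where a link really points versus what it appears to show."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    dotted = numeric_host_to_ip(real_host)
    userinfo = parts.username or ""
    # Deceptive when the userinfo looks like a hostname (contains a dot)
    # or when the true host is hidden behind a numeric encoding.
    looks_like_host = "." in userinfo
    return {
        "apparent_host": userinfo,
        "real_host": dotted or real_host,
        "deceptive": looks_like_host or dotted is not None,
    }

if __name__ == "__main__":
    print(analyze_url(BBC_URL))
    print(analyze_url("http://www.example.com/news/300973.html"))  # constructed
```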


Page 31

Hacking the mind

• Straight disinformation
  – “How to Play With Your Food”

• Chainletters & Rumours
  – Bank’s satanic logo

• Email Spoofing
  – “Emulex Corp CEO Resigns”
    • Stock drops 61%

• URL obfuscation

• DNS poisoning and domain hijacking
  – Nike.com

• Social engineering

• Banner ads
  – E.g. Google Adwords

• Search engine manipulation

Page 32

Types Of Attacks (section divider: Advanced IP Manipulation)

Page 33

IP Manipulation

• IP was designed for connectivity, not security
  – Spoofing
    • 6th Sense & DDoS
  – IP Flag fraud
    • HPING etc
  – Complex Applications
    • FTP
  – Configuration errors
    • FW-1 default DNS
  – Programming / Logical errors
    • ECEPass

Page 34

IP Abuse Techniques

• Multipurpose sniffer/interceptor/logger for switched LAN.

• It supports active and passive dissection of many protocols (even ciphered ones)


Page 36

“Who do you want to Spy on Today??”

Page 37

“Sorry, Did you Say something??”

Page 38

“Point and Click IP Abuse”

Page 39

“Doh!”

Page 40

IP Abuse Techniques


Page 42

IPSec & Today’s Threats

• There are no silver bullets
  – Be requirement driven

• IPSec can address:
  – Confidentiality for data in transit
    • EtterCap
  – Effective network-level access control
    • IP Manipulation
  – Defense against physical-level attacks
    • Upstream security issues

• Four data security objectives
  – Can all be achieved using cryptography

Page 43

Questions?