how safe is your data?

5/12/2014 How Safe is Your Data?

http://127.0.0.1:3999/security-may2014.slide#1 1/33

How Safe is Your Data?TAPPS12 May 2014

Michael SoltysMcMaster University / Executek



Information Security

Key in a knowledge-based economy; key to safety: at a personal, organizational, and national level

As technology evolves, so do the threats

User behavior:

- choose good passwords

- update software regularly

- authenticate

Advanced practice:

- comes down to the unsolved problem of writing correct software

- Big data analytics



Large scale attacks: U of Maryland

Attacks it can affect large numbers of people

In February 2014 the University of Maryland faced what it called a

"sophisticated cyber-attack"

which breached the records of more than 287,000 present and past students



Large scale vulnerabilities: Heartbleed Bug

allows an attack to read the memory of a web server

affects all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f

the defect could be used to reveal up to 64 kilobytes of the application's memoryCVE-2014-0160

Canadian Revenue Agency (CRA) closed down its electronic services website overHeartbleed bug security concerns

OpenSSL validated under FIPS 140-2 by NIST!

(FIPS = Federal Information Processing Standards; NIST = National Institute of Standardsand Technology)



New types of attacks

The field is not static; new attacks are clever and inventive:

Drive-by downloads: where a browsing reader can accidentally download roguecomputer programs.

Spear phishing: where specific individuals or organisations are targeted with fakeemails to obtain confidential information.

Watering Hole: about one in 20 attacks uses this strategy where rather than trying tobreak into an organisation's network directly, this targets other websites wherepeople might regularly visit, with the aim of infecting their computers and trying toget the unwitting carrier to bring a virus back into their own network.



A typical attack: Malicious PDFs

In March 2014 a massive scam email was sent in Colombia, claiming to be from one ofthe country's credit score agencies

The email contained an attachment file. The file does not show malicious payload whenscanned by antimalware software.

However, doing a "stream dump" of the file we see:

Malicious scripting: which instructs the reader to execute the URL. After downloadingthe file shown in that URL, keylogger is downloaded.



2011: A Bad Year

When the history of 2011 is written, it may well be remembered as the Year of the Hack.Stories of computer breaches were breaking almost every week:

Sony

Fox

the British National Health Service

and the Web sites of:

PBS

the U.S. Senate

and the C.I.A.

all fallen victim to highly publicized cyber-attacks. Many of the breaches have beenattributed to the groups Anonymous and LulzSec.



Operation Shady Rat

Operation Shady rat ranks with Operation Aurora (the attack on Google and many other companies in 2010) as among the most significant and potentially damaging acts of cyber-espionage yet made public.

Operation Shady rat has been stealing valuable intellectual property (including government secrets, email archives, legal contracts, negotiation plans for business activities, and design schematics) from more than 70 public and private sector organizations in 14 countries.

The list of victims, which ranges from national governments to global corporations to tiny nonprofits, demonstrates with unprecedented clarity the universal scope of cyber-espionage and the vulnerability of organizations in almost every category imaginable.



Operation Shady Rat

The vast majority of victims, 49, were U.S. based companies, government agencies, and nonprofits. The category most heavily targeted was defense contractors, 13 in all.

All the signs point to China.

Forensic investigation revealed that the defense contractor had been hit by a species of malware that had never been seen before: a spear-phishing email containing a link to a Web page that, when clicked, automatically loaded a malicious program, a remote access tool, or rat, onto the victim's computer.

The rat opened the door for a live intruder to get on the network, escalate user privileges, and begin exfiltrating data.



Victims don't want to be victims

McAfee sent emails to officials at four organizations, informing them that their computer networks had been compromised.

Three of those organizations-including one whose breach is ongoing-made no response to McAfee's notifications.

"Victims don't want to know they're victims. Iguess that's just victim psychology: if youdon't know about it, it's not really happening."

bit.ly/1iiKWoh (http://bit.ly/1iiKWoh)

0:00 / 3:21

CNN - Operation Shady RAT



An innocuous click

RSA is the security division of the high-tech company EMC. Its products protect computer networks at the

White House

the Central Intelligence Agency

the National Security Agency

the Pentagon

the Department of Homeland Security,

as well as most top defense contractors, and a majority of Fortune 500 corporations.



An innocuous click

Sometime in the winter of 2011, lying there in the junk-mail folder, in the spammy mess of mortgage offers and erectile-dysfunction drug ads, an email from an associate with a subject line that looked legit caught the man's eye.

The subject line said "2011 Recruitment Plan."

The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA.

The parent company disclosed the breach on March 17, 2011, in a filing with the Securities and Exchange Commission. The hack gravely undermined the reputation of RSA's popular SecurID security service.



An innocuous click

Experts found evidence that the attack on RSA had come from China.

They also linked the RSA attack to the penetration of computer networks at some of RSA's most powerful defense-contractor clients, among them:

Lockheed Martin, Northrop Grumman, L-3 Communications

Few details of these episodeshave been made public.

BIG DATA →

bit.ly/1iiLc6I (http://bit.ly/1iiLc6I)

http://bit.ly/1iiLc6I



Operation Aurora

in 2010 Google became the first major company to blow the whistle on Chinese hacking when it admitted to a penetration known as Operation Aurora, which also hit:

Intel

Morgan Stanley

and several dozen other corporations

Most companies have preferred not to talk about or even acknowledge violations of their computer systems, for fear of panicking shareholders and exposing themselves to lawsuits.

Or for fear of offending the Chinese and jeopardizing their share of that country's exploding markets.



Operation Aurora

Chinese hackers who breachedGoogle's servers several yearsago gained access to a sensitivedatabase with years' worth ofinformation about U.S.surveillance targets, according tocurrent and former governmentofficials.

bit.ly/1iiLtXt (http://bit.ly/1iiLtXt)

The breach appears to have been aimed at unearthing the identities of Chinese

http://bit.ly/1iiLtXt



Attempted logins



Attempted logins

#!/usr/bin/perl

$i=1;

$test=0;

$packets=0;

sub compute_ip {

$IP=`dig @_ +short`;

if ($IP) {

print "\t\t IP= $IP <br>";

}

else {

print "\t\t IP= ? <br> \n";

}

}

sub compute_location {

$country=`/sw/bin/geoiplookup @_`;

$country =~ m/([ A-Za-z]*)$/;

$country_short = $1;

if ($country_short) {

print "\t\t Country= $country_short <br>\n\n";

}

else {

print "\t\t Country= ? <br> \n\n";



Esotnia 2007

In the Spring of 2007, government computer systems in Estonia experienced a sustained cyberattack (cyber-{warfare, terror, crime}).

On April 27, officials in Estonia moved a Soviet-era war memorial commemorating an unknown Russian who died fighting the Nazis. The move stirred emotions, and led to rioting by ethnic Russians, and the blockading of the Estonian Embassy in Moscow.



Estonia 2007

The event marked the beginning of a series of large and sustained Distributed Denial-Of-Service (DDOS) attacks launched against several Estonian national websites.

In the early days of the cyberattack, government websites that normally receive around1,000 visits a day reportedly were receiving 2,000 visits every second. This caused therepeated shut down of some websites.

The cyberattacks against Estonia were unusual bec. the rate of the packet attack wasvery high, and the series of attacks lasted weeks, rather than hour or days, which ismore commonly seen for a DoS attack.

Eventually, NATO and the United States sent computer security experts to Estonia to help recover from the attacks, and to analyze the methods used and attempt to determine the source of the attacks.

youtu.be/PTv3QrhGPC8?t=42m34s (http://youtu.be/PTv3QrhGPC8?t=42m34s)

http://youtu.be/PTv3QrhGPC8?t=42m34s



Estonia 2007

A persistent problem during and after any cyberattack is accurate identification of the attacker:

was it sponsored by a nation?

was it the independent work of a few unconnected individuals?

was it initiated by a group to instill frustration and fear by damaging thecomputerized infrastructure and economy?

The uncertainty of not knowing the initiator also affects the decision about whom should ultimately become a target for retaliation, and whether the response should come from law enforcement or the military.

After some investigation, network analysts later concluded that the cyberattacks targeting Estonia were not a concerted attack, but instead were the product of spontaneous anger from a loose federation of separate attackers.



Botnets

Botnet = "Robot Network"

Botnets are made up of vast numbers of compromised computers that have beeninfected with malicious code, and can be remotely-controlled through commands sentvia the Internet.

Hundreds or thousands of these infected computers can operate in concert to:

disrupt or block Internet traffic for targeted victims

harvest information

distribute spam, viruses, or other malicious code.



Botnets

Botmasters can reportedly make large sums of money by marketing their technical services.

For example, Jeanson Ancheta, a 21-year-old hacker and member of a group called theBotmaster Underground, reportedly made more than $100,000 from different InternetAdvertising companies who paid him to download specially-designed malicious adwarecode onto more than 400,000 vulnerable PCs he had secretly infected and taken over.

He also made tens of thousands more dollars renting his 400,000-unit botnet herd toother companies that used them to send out spam, viruses, and other malicious codeon the Internet.

PPI: Pay-per-Install - The Commoditization of Malware Distribution

In 2006, Ancheta was sentenced to five years in prison (FBI operation Bot Roast).

Symantec reported that it detected 6 million bot-infected computers in the second halfof 2006.



Botnets

Some botnet owners reportedly rent their huge networks for US$200 to $300 an hour, and botnets are becoming the weapon of choice for fraud and extortion.

Newer methods are evolving for distributing bot software that may make it even more difficult in the future for law enforcement to identify and locate the originating botmaster.

Botnets organize themselves in an hierarchical manner, with a central command and control location (sometimes dynamic) for the botmaster.

This central command location is useful to security professionals because it offers a possible central point of failure for the botnet.

However, in the near future, attackers may use new botnet architectures that are more sophisticated, and more difficult to detect and trace, e.g., P2P.



E.g., Wordpress

A fantastic piece of software for blogging; but consists of many parts:

MySQL; Apache; PHP; HTML; JavaScript; Mac OS X Server

absolutely essential to have the latest versions and strong password.



Passwords

Your password must be a minimum of 8 characters in length and must includecharacters from at least three of the four groups below:

Uppercase letters: A, B, C, ... ,Z

Lowercase letters: a, b, c, ...,z

Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

Symbols: ~ ! @ # $ % ^ & * ( ) _ + ` - = { } | ] [ \ : " ; < > ? , . / '

Do not use any of your last five previous passwords.

Passwords cannot contain your account name or parts of your full name.

Generate with a seed, a name, and an MD5 hash generator

E.g., [email protected] use seed 5a63y@h& to obtain:

hash: ae19e19070a052b85306fc758146ef8e



Uncovered during Executek audits

A client's computer we discovered that the data was kept in a Dropbox folder, and someone who was not supposed to see it had constant access to the latest version.

Most clients use dictionary passwords, never change them; sometimes they write them down on sticky notes placed on the monitor. Employees who leave keep passwords, which are not changed immediatelly, etc.

Software is seldom updated.

The server is secured but the backup module is not.



Sophisticated attacks

Control hijacking attacks: exploits and defenses

Dealing with legacy code: sandboxing and isolation

Exploitation techniques and fuzzing

Tools for writing robust application code

Principle of least privilege, access control, and operating systems security

Security problems in network protocols: TCP, DNS, SMTP, and routing

Unwanted traffic: denial of service attacks



Authentication



Apache Security

Apache HTTP server access:

.htaccess

.htpasswd

The first file is the policy and the second the password:

AuthType Basic

AuthName "Networks & Security Readings 2014"

AuthUserFile cs3c03-w14/ReadingList/.htpasswd

require valid-user

The second file contains the username and a hash of the password; two examples:

nets2014:9bn3EF/hJS5J6

netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21



Apache Security Challenge

I tell my students that the first to break the first password, obtained with the command:

htpasswd -cbd ./.htpasswd nets2014 a5e1c054

gets extra marks. Note the password is not a dictionary word.

Still, it takes about 15min with, for example,

ochHashcat-plus

software. On the other hand, breaking the second password, obtained with the command:

htpasswd -cbm ./.htpasswd netsec2013 tigerblood

is practically impossible (crypt vs md5).



Executek: Breaking into a Super-User account

Obtained the SHA1 hash of the password from "shadow file":

cat /private/ var/db/shadow/hash/[...] | cut -c 169-216

which turns out to be:

[...]:4AC8F24F7CE9DBF6C81ECEAA9885401E3221147179FB9178

and then used:

John the Ripper 1.7.3.1

software to reverse engineer the password: onegod

it took about 20 minutes because the password was a dictionary word!



References

CRS Report for Congress 2008 (http://www.fas.org/sgp/crs/terror/RL32114.pdf)

Vanity Fair: Operation Shady Rat 2011 (http://rdd.me/5sihotjz)

Vanity Fair: Enter the Cyber-Dragon 2011 (http://rdd.me/todxjx9k)

Malicious PDF (ISC) (https://isc.sans.edu/forums/diary/17875)

Networks Course Password Cracking Challenge (http://bit.ly/1paMuDy)



Thank you

Michael SoltysMcMaster University / [email protected] (mailto:[email protected])

http://www.cas.mcmaster.ca/~soltys (http://www.cas.mcmaster.ca/~soltys)

@MichaelMSoltys (http://twitter.com/MichaelMSoltys)

how safe is your data?

Data & Analytics

exfiltrating data

information security

victims computer

large scale attacks

publicized cyberattacks

operation aurora

sophisticated cyberattack

static new attacks