Trends in network security - feinstein - informatica64

  • Harvey Mudd College, Claremont, California USA
    • Co-op with Aerospace Corporation, El Segundo, California USA (2000)
      • Federally Funded Research & Development Corporation (FFRDC)
      • Supports national security, civil and commercial space programs
    • Graduate of FBI Citizens’ Academy
  • ARPA renamed to DARPA in March 1972; renamed ARPA again in February 1993; renamed DARPA again in March 1996
  • Hawala – today, “probably used mostly for migrant workers’ remittances to their countries of origin”
    • Chart source: International Monetary Fund, http://www.imf.org/external/pubs/ft/fandd/2002/12/elqorchi.htm
  • Pony Express – 1860-1861; 2,000 miles from Missouri to Sacramento, California; 190 stations spaced at roughly 10 mile intervals (about the maximum distance a horse could run at full gallop). Riders carried a mochila and changed horses at each station. Replaced by the telegraph.
  • Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install.
  • Krebs on Security blog, written by Brian Krebs, formerly of the Washington Post
    • http://www.krebsonsecurity.com/category/smallbizvictims/
    • Formerly wrote the Security Fix blog for the Washington Post: http://voices.washingtonpost.com/securityfix/small_business_victims/
    • “Computer Crooks Steal $100,000 from Ill. Town”, 2010-04-06, http://krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/
    • “Online Thieves Take $205,000 Bite Out of Missouri Dental Practice”, 2010-03-30, http://krebsonsecurity.com/2010/03/online-thieves-take-205000-bite-out-of-missouri-dental-practice/
    • “Organized Crooks Hit NJ Town, Ark. Utility”, 2010-03-22, http://krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/
  • Avalanche is a fast-flux hosting network similar to Asprox
  • http://www.nytimes.com/2010/04/20/technology/20google.html
  • Reported in the October 2009 CTU Threat Intelligence webinar
  • http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  • http://www.symantec.com/connect/blogs/mariposa-butterfly-bot-kit

Presentation Transcript

  • Trends in Network Security
    • Ben Feinstein, CISSP GCFA, Director of Research, SecureWorks Counter Threat Unit℠
    • Friday, April 23rd, 2010, Informática64, Móstoles, Spain
  • Introduction
  • Who Am I?
    • Native of Atlanta, Georgia USA
    • 12 years old, dial-up UNIX shell, telneting around the world
    • Professional software developer as a teenager
    • Bachelor of Science in Computer Science (c. Economics), 2001
      • Harvey Mudd College, Claremont, California USA
    • Author of RFC 4765 and RFC 4767
    • Software Engineer at a series of security start-ups, 2001 – 2006
    • Joined SecureWorks in 2006
    • Certified Information Systems Security Professional (CISSP)
    • SANS Global Information Assurance Certified Forensics Analyst (GCFA)
  • Who is SecureWorks?
    • Market leading provider of information security services
      • Managed Security Services Provider (MSSP)
      • Security and Risk Consulting (SRC)
    • Over 2,700 clients worldwide, including more than 10% of Fortune 500
    • Suite of managed information and network security services
      • Security Information Management (SIM) On Demand
      • Log Monitoring
      • Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS)
      • Threat Intelligence
      • Firewall
      • Host IPS
      • Vulnerability Scanning
      • Web Application Scanning
      • Log Retention
      • Encrypted Email
  • Agenda
    • Computer Networks
    • Vulnerability Trends of 2009
    • Malware Trends of 2009
    • Information Disclosure
    • Aurora
    • Other Trends
    • The New .CN
    • Mariposa / ButterflyBot
    • Conclusion
    • Q & A
  • From Mainframes to Today’s Internet
  • The Development of Computer Networks
    • Advanced Research Projects Agency (ARPA)
      • Established in 1958 after Soviet launch of Sputnik satellite in 1957
      • Later renamed the Defense Advanced Research Projects Agency (DARPA)
      • Directly manages a $3.2B budget
    • ARPANET developed by ARPA for US Department of Defense (DoD)
      • Development work began in 1969
  • Decentralization of Computing Power
    • Mainframes gave way to Personal Computers (PCs)
    • Development of Local Area Networks (LANs)
    • Dial-up Internet
    • Broadband Internet
  • ARPANET, circa March 1977
  • Map of Internet Routers (2005), Opte Project
    • http://www.opte.org/
  • Map of Online Communities, xkcd #256
    • http://xkcd.com/256/ , Spring 2007
  • Some (Much) Older Networks to Remember
    • Hawala
    • Pony Express
    Source: International Monetary Fund
  • Network Security
  • The Network as an Attack Surface
    • Concept of Threat Modeling
    • Concept of an Attack Surface
    • Local Attacks vs. Remote Attacks
    • Common Vulnerability Scoring System (CVSS) version 2
      • Exploitability metrics
      • Access Vector: Local, Adjacent Network, Network
    • Widespread adoption of Firewalls
    • Widespread adoption of the Web
    • Web 2.0
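The slide names the CVSS v2 Access Vector values (Local, Adjacent Network, Network) as the way the scoring system expresses a remote versus a local attack surface. The following calculator, an added example that is not part of the talk or of SecureWorks' tooling, implements the CVSS v2.0 base-score equations with the specification's metric weights and scores the same flaw three times, changing only the Access Vector; the vector strings and the comparison helper are constructed for the example.

```python
import math

# CVSS v2.0 base-metric weights (the slide names only the Access Vector values;
# the remaining tables are taken from the CVSS v2 specification)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}    # Local, Adjacent Network, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}   # Multiple, Single, None
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}    # None, Partial, Complete


def _round1(x: float) -> float:
    """Round half-up to one decimal place, as the CVSS v2 spec requires."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector: str) -> dict:
    """Parse a base vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a metric dict."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = [k for k in ("AV", "AC", "Au", "C", "I", "A") if k not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks metrics {missing}")
    return metrics


def exploitability(m: dict) -> float:
    """Exploitability sub-score: 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def impact(m: dict) -> float:
    """Impact sub-score: 10.41 * (1 - (1-C)(1-I)(1-A))."""
    return 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                    * (1 - IMPACT_WEIGHT[m["I"]])
                    * (1 - IMPACT_WEIGHT[m["A"]]))


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal."""
    m = parse_vector(vector)
    imp = impact(m)
    f_impact = 0.0 if imp == 0 else 1.176   # f(Impact) from the spec
    return _round1(((0.6 * imp) + (0.4 * exploitability(m)) - 1.5) * f_impact)


def access_vector_comparison(rest: str = "AC:L/Au:N/C:C/I:C/A:C") -> dict:
    """Score the same flaw three times, changing only the Access Vector."""
    return {av: base_score(f"AV:{av}/{rest}") for av in ("L", "A", "N")}


if __name__ == "__main__":
    for av, score in access_vector_comparison().items():
        print(f"AV:{av} -> base score {score}")
```

For a full-impact, low-complexity, no-authentication flaw the three Access Vector values give 7.2 (Local), 8.3 (Adjacent Network) and 10.0 (Network); the jump from Local to Network is the numeric form of the slide's "local attacks vs. remote attacks" point.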
  • Vulnerability Trends of 2009
  • 2009 Vulnerability Trends
    • Vulnerabilities disclosed for document readers and editors soared.
      • Office documents including spreadsheets and presentations
      • Portable Document Format (PDF) documents – the dubious champ
      • Favorite vector of “Spear Phishers”, including “Operation Aurora”
    • The appearance of new malicious Web links has skyrocketed globally in the past year.
      • Phishing, Malvertisements, Fake-AV, etc.
      • A large number of sophisticated web-attack toolkits are available for sale.
      • Cross-site scripting (XSS) and SQL injection (SQLi) attacks are primarily used to redirect web surfers to an attack toolkit!
    • Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries that had not previously been in the game.
      • Attackers are shifting their geographical profiles due to various pressures
      • Lots and lots of money to be made
  • Vulnerability Metrics for 2H 2009
  • Malware Trends of 2009
  • 2009 Malware Trends
    • Malware authors and operators innovated
      • Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7
      • Complex and user friendly Banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits
      • Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use
    • Better prepared for takedowns and other countermeasures
      • Lessons learned from the days of The RBN
    • Taking advantage of “cloud” services – virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services
      • DNS double and triple-flux technologies
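The slide mentions fast-flux and double-flux DNS as a way malware operators ride on distributed hosting and dynamic DNS. The detection sketch below is an added example, not code from the talk or from SecureWorks; it parses a constructed resolver log (the domain names, timestamps and RFC 5737 test-net addresses are all made up for the example), derives the features a defender would look at (distinct A records and their network diversity, TTL, and whether the nameservers themselves move), and labels each name. The thresholds are assumed starting points, not published rules.

```python
from ipaddress import ip_address

# Constructed resolver log (not from the talk): "<time> <qname> <rrtype> <ttl> <rdata>".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2009-10-01T12:00:00 shop.example A 3600 192.0.2.10
2009-10-01T12:05:00 shop.example A 3600 192.0.2.10
2009-10-01T12:00:00 flux.example NS 180 ns1.flux.example
2009-10-01T12:00:00 ns1.flux.example A 180 198.51.100.7
2009-10-01T12:00:00 flux.example A 120 192.0.2.55
2009-10-01T12:00:00 flux.example A 120 198.51.100.23
2009-10-01T12:03:00 flux.example A 120 203.0.113.9
2009-10-01T12:03:00 flux.example A 120 203.0.113.77
2009-10-01T12:06:00 flux.example A 120 192.0.2.200
2009-10-01T12:06:00 flux.example NS 180 ns2.flux.example
2009-10-01T12:06:00 ns2.flux.example A 180 203.0.113.40
2009-10-01T12:09:00 flux.example A 120 198.51.100.140
"""


def parse_log(text: str) -> list:
    """Parse log lines into dicts; A-record rdata is validated as an IP address."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rrtype, ttl, rdata = line.split()
        if rrtype == "A":
            ip_address(rdata)  # raises ValueError on garbage instead of silently counting it
        records.append({"ts": ts, "qname": qname.lower(), "type": rrtype,
                        "ttl": int(ttl), "rdata": rdata.lower()})
    return records


def _network(ip: str) -> str:
    """Coarse 'different hosting network' proxy: the /16 of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def flux_features(records: list, domain: str) -> dict:
    """Per-domain features: address churn for the A records and for the NS hosts."""
    a_rrs = [r for r in records if r["qname"] == domain and r["type"] == "A"]
    ns_hosts = {r["rdata"] for r in records if r["qname"] == domain and r["type"] == "NS"}
    ns_ips = {r["rdata"] for r in records if r["qname"] in ns_hosts and r["type"] == "A"}
    ips = {r["rdata"] for r in a_rrs}
    return {
        "a_records": len(ips),
        "a_networks": len({_network(ip) for ip in ips}),
        "min_a_ttl": min((r["ttl"] for r in a_rrs), default=None),
        "ns_names": len(ns_hosts),
        "ns_networks": len({_network(ip) for ip in ns_ips}),
    }


def classify(f: dict, max_ttl: int = 300, min_ips: int = 5, min_networks: int = 3) -> str:
    """'normal', 'single-flux' (A records churn) or 'double-flux' (NS hosts churn too)."""
    if f["min_a_ttl"] is None or f["min_a_ttl"] > max_ttl:
        return "normal"
    if f["a_records"] < min_ips or f["a_networks"] < min_networks:
        return "normal"
    if f["ns_names"] >= 2 and f["ns_networks"] >= 2:
        return "double-flux"
    return "single-flux"


def classify_log(text: str) -> dict:
    """Classify every name that appears as a query name in the log."""
    records = parse_log(text)
    domains = {r["qname"] for r in records}
    return {d: classify(flux_features(records, d)) for d in sorted(domains)}


if __name__ == "__main__":
    for name, verdict in classify_log(SAMPLE_LOG).items():
        print(f"{name:20s} {verdict}")
```

A short TTL alone is not suspicious (CDNs use them too); the signal is short TTL combined with many addresses spread across unrelated networks, and for double flux the same pattern on the nameserver hosts. In production the /16 proxy would be replaced by an ASN lookup and the window would be hours or days rather than a handful of lines.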
  • 2009 Malware Trends
    • Man in the browser/endpoint
    • A Trojan horse is used to intercept and manipulate calls between the main application’s executable (the browser) and its security mechanisms or libraries
    • The common objective of this attack is to cause financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use
      • High-dollar commercial online banking (OLB) credentials – compromised
      • Challenge secret questions – compromised
      • IP geolocation – compromised
      • Email out-of-band – compromised
      • Hardware token – compromised
      • Device fingerprinting – compromised
      • Dual approver – compromised
      • SMS out-of-band – compromised
  • 2009 Malware Trends
    • Compromised web pages are frequently the vehicle of choice for mass malware distribution
      • Hence, most servers are compromised in order to compromise clients
      • Those clients may then be used to compromise servers inside the enterprise! (Aurora!)
    • Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScript
    • Sophisticated software development
      • Authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client-base and are producing highly usable, modular and upgradeable software at a tremendous rate.
      • For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes and designed to target specific PKI schemes, etc.
  • 2009 Malware Trends
    • Greater efficiency and targeting
    • Dasient: 5.5 million web pages on 560,000 websites were infected with malware in Q4 2009.
    • Two years ago, infected web pages would infect users’ computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8
      • Smaller number of malicious programs means that users are less likely to notice an attack.
    • Operators learning valuable business lessons
      • Operate a 24/7 network of login interceptors for high-value accounts
      • Operators are singling out SMBs that tend to have cash on hand and no real IT
      • Extremely sophisticated and profitable money-mule/laundering infrastructure now exists
  • Contemporary ACH / Wire Fraud
    • Automated Clearing House (ACH)
    • 1 - 4 victims / day
    • Average take $100,000 / victim
    • $500K - $1M/week
    • $100M attempted in 2009
    • $40M+ unrecovered
    • More than all US bank robberies combined
    • Losses borne by victims due to ACH rules
    • ALL done by ONE Eastern European crew
  • Recent ACH Fraud Cases
    • XXXX County - $415,000
    • XXXX Corp - $447,000
    • XXXX Energy - $200,000
    • XXXX Construction - $588,000
    • XXXX Industrial - $1,200,000
    • XXXX School District - $117,000
    • XXXX XXXX School - $150,000
    • XXXX University - $189,000
  • Source: myNetWatchman
  • Information Disclosure: Lessons from Airplanes and ATMs
  • Information Disclosure
    • Failing to redact documents correctly
    • Not removing document metadata
    • Not sanitizing hard drives and other media
    • Unencrypted data
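"Not removing document metadata" is one of the four failure modes the slide lists. The example below, added here and not taken from the talk, shows what a reviewer can check before a Word document leaves the organization: a .docx is a ZIP package, and its docProps/core.xml part records author, last editor and timestamps. The code builds a constructed minimal .docx (the names, machine name and dates are made up), reads those properties back, and writes a copy with the identifying fields removed; the list of fields treated as sensitive is an assumption for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in an OOXML package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
_PREFIX_OF = {uri: prefix for prefix, uri in NS.items()}

# Fields that name people, machines or a timeline. Which fields count as
# sensitive is a policy choice; this set is an assumption for the example.
SENSITIVE = {"dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"}
CORE_PATH = "docProps/core.xml"


def build_sample_docx() -> bytes:
    """Constructed, minimal .docx: a ZIP of OOXML parts with populated core properties."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:dcmitype="{dcmitype}" xmlns:xsi="{xsi}">'
        '<dc:title>Screening procedures (DRAFT)</dc:title>'
        '<dc:creator>jdoe</dc:creator>'
        '<cp:lastModifiedBy>FIELDOFFICE-PC\\jdoe</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2009-11-02T09:14:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2009-12-01T17:45:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ).format(**NS)
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Body text of the report.</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CORE_PATH, core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def _qname(tag: str) -> str:
    """'{uri}local' -> 'prefix:local' using the registered prefixes."""
    if not tag.startswith("{"):
        return tag
    uri, local = tag[1:].split("}", 1)
    return f"{_PREFIX_OF.get(uri, uri)}:{local}"


def read_core_properties(docx: bytes) -> dict:
    """Return every element of docProps/core.xml as {'prefix:local': text}."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read(CORE_PATH))
    return {_qname(el.tag): (el.text or "") for el in root}


def strip_core_properties(docx: bytes) -> bytes:
    """Copy the package part by part, dropping the SENSITIVE elements from core.xml."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE_PATH:
                root = ET.fromstring(data)
                for el in list(root):
                    if _qname(el.tag) in SENSITIVE:
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


def part_names(docx: bytes) -> list:
    """Sorted list of parts in the package, to confirm nothing else was dropped."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", read_core_properties(doc))
    print("after: ", read_core_properties(strip_core_properties(doc)))
```

core.xml is only the most obvious place: docProps/app.xml (company, editing time), comments, tracked changes and embedded images carry their own metadata, so a real pre-release check enumerates every part of the package rather than one file. The redaction slides that follow make the companion point for the document body itself.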
  • Information Disclosure
    • The TSA published a Standard Operating Procedure (SOP) manual with sensitive information redacted
  • Information Disclosure
    • The TSA added black bars on top of text and images to prevent them from being seen
  • Information Disclosure
    • The NSA specifically states that this will not work in its manual on redacting safely
      • Google: “Redact Confidence”
  • Information Disclosure
    Source: Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF
  • Information Disclosure
    • 40% of hard drives purchased from eBay contain personal information
      • 36% financial data
      • 21% emails
      • 11% corporate documents
      Source: Kessler International
    • Wipe drives before they leave your control
    • There are several bootable programs that will wipe all media attached to a computer
    • DBAN – Darik’s Boot and Nuke
  • Information Disclosure
    • A security researcher purchased an ATM via Craigslist
    • He found 1,000 debit card numbers stored in the machine
    • Who has access to your data?
    • What are their controls on it?
    • Imperva notified rockyou.com of a SQL injection flaw on December 4th
    • Rockyou.com fixed the problem over the weekend
    • The database stored passwords in plaintext
    • A hacker disclosed that he had copied the entire database before the flaw was fixed
  • Information Disclosure
    • The database contains the usernames and passwords for over 32 million accounts
    • Included in the database were also passwords for partner websites
    • This is a classic example of where defense in depth would have offered superior protection
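The rockyou.com slides describe two failures stacked on each other: a SQL injection flaw that exposed the table, and a table that held passwords in plaintext, so reading it meant owning every account. The following is an added example, not code from the talk, from rockyou.com or from SecureWorks; it places the plaintext pattern beside the layer that defense in depth would have added, a per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), so that a copied table yields only hashes that must be attacked one guess at a time. The usernames, passwords and the iteration count are constructed values.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example; tune for your hardware


# The pattern the slide describes: the stored credential is the password itself,
# so anyone who can read the table (a SQL injection, a leaked backup) has every account.
def store_plaintext(table: dict, username: str, password: str) -> dict:
    table[username] = password
    return table


def check_plaintext(table: dict, username: str, password: str) -> bool:
    return table.get(username) == password


# Hardened form: a per-user random salt plus a slow key-derivation function.
# A stolen record yields only salt and hash; each guess costs ITERATIONS PBKDF2 rounds,
# and the salt prevents one precomputed table from covering every user.
def make_record(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_record(record: str, password: str) -> bool:
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    # constant-time comparison so verification timing does not leak digest bytes
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def store_hashed(table: dict, username: str, password: str) -> dict:
    table[username] = make_record(password)
    return table


def check_hashed(table: dict, username: str, password: str) -> bool:
    record = table.get(username)
    return record is not None and verify_record(record, password)


if __name__ == "__main__":
    users = store_hashed({}, "alice", "correct horse battery")
    print(users["alice"])                                  # salt and hash only
    print(check_hashed(users, "alice", "correct horse battery"))  # True
```

Storing the iteration count inside the record lets the work factor be raised later without invalidating old entries. Hashing does not remove the need to fix the injection flaw; it limits what a successful read of the table is worth, which is the defense-in-depth point the slide makes.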
  • Aurora
  • Background: Titan Rain intrusion set
    • An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that are all related in some way
    • Titan Rain was one such intrusion set
      • Coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003
      • Labeled as Chinese in origin
      • Nature of and identities of adversaries unknown
  • Background: Advanced Persistent Threat (APT)
    • Advanced: Adversary has capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks.
    • Persistent: Adversary has well defined goals and objectives and is persistent at pursuing them. Adversary will try various avenues of attack, looking for one that will yield the desired outcome.
    • The term does not typically refer to things like ZeuS
  • Aurora
    • Publicly disclosed hacking incident inside Google and other major companies
    • Belief within the infosec community that the PRC has been waging a long-term, persistent campaign of “espionage-by-malware”
    • Titan Rain, GhostNet
    • Grown bolder over time
  • Aurora
    • In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-Based corporations with the intent of exfiltrating sensitive data for political and financial gain.
    • The Aurora team used a privately held Internet Explorer 7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs
      • Social-engineering using methods similar to Fake-AV campaigns was also used
    • Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside
  • Aurora
    • “Aurora” is taken directly from strings within some custom software components of the attack
      • Debug symbol file path in custom code
  • Aurora
    • Known samples of the main backdoor trojan used in the attacks are no older than 2009
    • The attack may have been in the works for some time
      • Custom modules in the Aurora codebase carry timestamps as old as May 2006
      • That timeframe is just after Titan Rain had blown up and the PRC’s limited arsenal of mostly “COTS” trojans was being increasingly detected by commercial AV
  • Aurora
    • With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now
    • Compiler leaves many clues in a binary
      • PE resource section may reveal language code
      • Aurora author was careful to either compile on English-language system, or to modify the language code in the binary after the fact
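The slide's point is that the PE resource section records a language identifier for each resource, which is one of the clues an analyst reads when attributing a binary, and that an author can compile on an English-language system or patch the value afterwards. The parser below is an added example, not code from the talk, from SecureWorks or from any Hydraq analysis: it walks the three-level resource directory (type, name, language) of a constructed .rsrc section and reports the language IDs each resource is provided in. The sample section, the small type and LANGID tables, and the data-entry RVAs are constructed for the example; offsets follow the PE format, where directory offsets are relative to the start of the resource section.

```python
import struct

IMAGE_RESOURCE_DIRECTORY = struct.Struct("<IIHHHH")    # Characteristics, TimeDateStamp,
                                                       # Major, Minor, NumNamed, NumId
IMAGE_RESOURCE_DIRECTORY_ENTRY = struct.Struct("<II")  # Name/Id, OffsetToData
IMAGE_RESOURCE_DATA_ENTRY = struct.Struct("<IIII")     # OffsetToData (RVA), Size, CodePage, Reserved
SUBDIR_FLAG = 0x80000000                               # high bit: offset points at a subdirectory

# Small lookup tables for readability; neither is exhaustive
RESOURCE_TYPES = {3: "RT_ICON", 6: "RT_STRING", 16: "RT_VERSION", 24: "RT_MANIFEST"}
LANGIDS = {0x0000: "neutral", 0x0409: "en-US", 0x0804: "zh-CN", 0x0404: "zh-TW", 0x0419: "ru-RU"}


def _entry_name(rsrc: bytes, name_field: int):
    """ID entries carry the number directly; named entries point at a UTF-16 string."""
    if name_field & SUBDIR_FLAG:  # IMAGE_RESOURCE_DIR_STRING_U: u16 length + chars
        off = name_field & 0x7FFFFFFF
        (length,) = struct.unpack_from("<H", rsrc, off)
        return rsrc[off + 2: off + 2 + 2 * length].decode("utf-16-le")
    return name_field


def walk(rsrc: bytes, offset: int = 0, path: tuple = ()):
    """Yield (path, data_entry) for every leaf; path is (type, name, language)."""
    _, _, _, _, n_named, n_id = IMAGE_RESOURCE_DIRECTORY.unpack_from(rsrc, offset)
    pos = offset + IMAGE_RESOURCE_DIRECTORY.size
    for _ in range(n_named + n_id):
        name_field, data_off = IMAGE_RESOURCE_DIRECTORY_ENTRY.unpack_from(rsrc, pos)
        pos += IMAGE_RESOURCE_DIRECTORY_ENTRY.size
        name = _entry_name(rsrc, name_field)
        if data_off & SUBDIR_FLAG:
            yield from walk(rsrc, data_off & 0x7FFFFFFF, path + (name,))
        else:
            yield path + (name,), IMAGE_RESOURCE_DATA_ENTRY.unpack_from(rsrc, data_off)


def resource_languages(rsrc: bytes) -> dict:
    """Map each (type, name) resource to the language IDs it is provided in."""
    out = {}
    for path, _data in walk(rsrc):
        if len(path) != 3:       # a well-formed tree has exactly three levels
            continue
        rtype, rname, lang = path
        key = (RESOURCE_TYPES.get(rtype, rtype), rname)
        out.setdefault(key, []).append(LANGIDS.get(lang, hex(lang)))
    return out


def build_sample_rsrc() -> bytes:
    """Constructed .rsrc section: one RT_VERSION resource, id 1, in en-US and zh-CN."""
    def directory(entries):
        hdr = IMAGE_RESOURCE_DIRECTORY.pack(0, 0, 0, 0, 0, len(entries))
        return hdr + b"".join(IMAGE_RESOURCE_DIRECTORY_ENTRY.pack(n, o) for n, o in entries)

    l2, l3 = 24, 48          # offsets of the name-level and language-level directories
    d1, d2 = 80, 96          # offsets of the two data entries
    blob = directory([(16, SUBDIR_FLAG | l2)])                 # type level: RT_VERSION
    blob += directory([(1, SUBDIR_FLAG | l3)])                 # name level: id 1
    blob += directory([(0x0409, d1), (0x0804, d2)])            # language level
    blob += IMAGE_RESOURCE_DATA_ENTRY.pack(0x3000, 0x2A0, 0, 0)  # constructed RVA/size
    blob += IMAGE_RESOURCE_DATA_ENTRY.pack(0x32A0, 0x2A0, 0, 0)
    return blob


if __name__ == "__main__":
    for res, langs in resource_languages(build_sample_rsrc()).items():
        print(res, "->", ", ".join(langs))
```

On a real file the section bytes come from the .rsrc section header and the tree root is at its first byte; a library such as pefile does the same walk. The value is evidence, not proof: as the slide says, it reflects the build environment or whatever the author chose to write there, so it is weighed together with compiler artifacts, string encodings and the other clues the talk lists.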
  • Aurora
    • Peculiarities and origins of the CRC algorithm used suggest the author was familiar with simplified Chinese
  • Aurora
    • Partial JavaScript code used to exploit Google
      • If only they were using Chrome…
  • New Details Emerge
    • April 19 – New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia”
      • “Cyberattack on Google Said to Hit Password System”, John Markoff
    • Aurora had access to “Moma”, Google’s internal employee database
    • May have used information from Moma to target the individual developers working on Gaia
    • Source code exfiltrated to Rackspace servers, and then onto ???
  • Other Trends
    • Social engineering
      • Phishing / Spearphishing
        • E.g., Rogue AV
        • Hybrid attacks
        • Targeted verticals and enterprises
        • Advanced Trojans
    • Social Networks (Facebook, Twitter)
      • Trusted relationships
      • Superb ROI platform for URL-based attacks
    • Botnet sophistication and innovation
      • Spread of infection by reputable or legit websites
      • Continuously evolving attacks and malware methods
    • Threats come more from organized crime
      • However, involvement of state actors has finally come to the forefront
  • Other Trends
    • 0-day black market
      • Premium paid for 0-days
      • TippingPoint has heard of governments offering $1 million for a good one
      • Good guys can’t compete at those prices
      • “Aurora” used an IE 0-day that it had developed
    • Weak economy in US fosters fraudsters’ recruitment of unwitting, desperate money mules
    • Weak economy abroad has led to a large number of highly skilled IT experts in desperate situations
    • Global cooperation in these cases is still in its infancy
  • Other Trends
    • Clients vs. Servers
      • For the moment, the pendulum has swung away from servers
      • Servers are now more likely to be compromised as a means to compromise a large number of clients
      • While the very large financial database breaches do occur, they are now more likely to come from a compromised workstation with privileged access on the inside
      • The weakest-link rule is true now more than ever
  • The new .CN
    • In December 2009, CNNIC published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names
    • The new restrictions consisted of:
      • Webmasters to submit paper application and show ID when registering a domain name
      • Business license if applicable
      • Have to submit the information within 5 days or risk losing the domain
    • We continued to monitor domains hosting malicious executables and noticed an interesting trend
    • Domains registered under the .CN ccTLD have slightly declined, while domains registered under the .IN ccTLD have started to increase, beginning right around the time of the CNNIC announcement
    • .RU domains have also seen an increase since the .CN registration requirements were announced.
    • RU-CENTER has stated they will implement rules similar to CNNIC starting April 1st
  • Mariposa / ButterflyBot
    • Publicly sold botnet kit called “BFBOT”
      • Distributed as binary “builder” kit, full source code is not available
      • Author has since “retired”, but perhaps not
    • Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot
    • Uses a console-based master control program
      • Not likely to catch on with script kiddies due to complexity of setup/use and lack of new development
  • Mariposa / ButterflyBot
    • Named after a domain that it was contacting
      • butterfly [dot] sinip [dot] es
    • Initially discovered early 2009
    • Sold on bfsecurity.net
      • “Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)”
      • The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”
  • Commercial Market for ButterflyBot
    Source: Panda Security
  • ButterflyBot Capabilities
    • Information Theft
      • Steal data from Internet Explorer (protected storage and Autocomplete (IE 7+) password stealing)
      • Mozilla Firefox (stored passwords stealing)
    • Downloader
      • Download files via HTTP and execute them on the infected computer
    • DDoS
      • TCP SYN or UDP packet flooding
    • Propagation
      • MSN Instant Messenger
      • USB autorun
      • Copying itself to well-known P2P application download directories
    • VNC Server Scan
      • Scan for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access.
  • ButterflyBot Console
    Source: Symantec
  • ButterflyBot Master Client
    Source: Panda Security
  • ButterflyBot Configuration Tool
    Source: Panda Security
  • Mariposa Takedown
    • Botnet size fluctuated between 500K and 1 million infected hosts spanning more than 190 countries
    • Botmasters made money by allowing other cybercrooks to utilize parts of the botnet
      • This led to a variety of malware being installed
        • Advanced keyloggers
        • Various Banking trojans
        • RATs (Remote access Trojans)
        • Fake AV
  • Mariposa Takedown
    • Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested
      • “netkairo” of Balmaseda, age 31
      • “jonyloleante” of Molina de Segura, age 30
      • “ostiator” of Santiago de Compostela, age 25
    • Action taken on domains December 23, 2009 at 1700 Spanish time
      • US FBI and Spanish Civil Guard
      • Believed that suspects would be less able to react due to Christmas holiday and time with family
    • Suspects were unknown, using VPNs from the Swedish provider Relakks
    • During the counter-attack, “netkairo” made a fatal mistake
      • Did not use VPN, revealed IP address in Spain
      • IP provided to Civil Guard
  • Mariposa Takedown
    • “netkairo” was apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain
    • Digital forensics of the seized computers led to 2 further arrests in Spain
    • Cases in front of Judge Garzón of the National Court
  • Conclusion
    • Defenders remain at a significant disadvantage
    • Must attack both sides of the risk vs. reward equation
    • Closer cooperation is needed between security community and law enforcement
    • Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem
      • Attractive ROI of Social Engineering
  • Q & A
  • Special Thanks
    • Chema Alonso & Informática64
    • Maite Villalba and the Universidad Europea de Madrid
    • You, my audience!