4 ivan buetler cyber_espionage
 

Presentation Transcript

  • Ivan Bütler, Compass Security AG, Switzerland, Ivan.buetler@csnc.ch. CYBERFACES. Compass Security AG, Tel. +41 55-214 41 60, Fax +41 55-214 41 61, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil, team@csnc.ch, www.csnc.ch
  • Ethical Hacker / Penetration Tester; Founder & CEO of Compass Security AG; Lecturer @ University of Applied Science Rapperswil; Lecturer @ University of Applied Science Lucerne; Lecturer @ University of St. Gallen; Speaker @ BlackHat Las Vegas 2008 (SmartCard (In)Security); Speaker @ IT Underground Warsaw 2009 (Advanced Web Hacking); Speaker @ Swiss IT Leadership Forum Nice 2009 (Cyber Underground); Founder of the Swiss Cyber Storm Sec Conference; Board member of the Information Security Society Switzerland (ISSS); Board member of the Cyber Tycoons Anti-Warfare Foundation. © Compass Security AG www.csnc.ch Slide 2
  • Agenda: Hacking 1x1; Hacking for Fun and Honor; Hacking for Profit; Hacking for Companies / Espionage; Hacking for States / Espionage; Hacking in a War; Conclusion (Slide 3)
  • Hacking 1x1 (section slide)
  • Hacking 1x1: Hacker Toolbox; Attack Creation, Attack Exploitation, Attack Improvement, Attack Maintenance (Slide 5)
  • Hacking Targets (Slide 6)
  • We are all "easy targets". Source: Symantec Internet Security Threat Report, H1 2005: after an advisory is published, a patch takes 54 days and an exploit 6 days. [3] ETHZ, Stefan Frei 2009 (dissertation): "We found that exploit availability consistently exceeds patch availability since 2000" (Slide 7)
  • Human Proxy – Illusion – Social Engineering (Slide 8)
  • Direct Attack: Server Exploitation (diagram labels: BLOCKED, PASSED, BLOCKED) (Slide 9)
  • Indirect Attack (I): Man in the Middle – Phishing (Slide 10)
  • Indirect Attack (II): Malware – Mobile Devices – W-LAN (diagram label: PASSED) (Slide 11)
  • Drivers behind "Hacking" (section slide)
  • Motivation for "Hacking": Hacking for Fun, Cyber Crime, Cyber Espionage, Cyber Warfare (Slide 13)
  • Hacking for Fun or Moral: hacking not for commerce, but for fun or moral! (section slide)
  • Joy Rider – Hacking for Honor (Slide 15)
  • Moral Hacking (Slide 16)
  • Hacking for Profit: Cyber Crime (section slide)
  • Who is the Enemy? Hacking for Fun, Cyber Crime, Cyber Espionage, Cyber Warfare (Slide 18)
  • How to make Money? Business Case of "Hackers": Hacker Tools, Hacker Services, Trading, "Rent a BotNet", Illegal Goods, "Spam the World" (Slide 19)
  • Example: SQL Injection. Approach: Direct Attack. Impact: Credit Card Disclosure (section slide)
  • SQL Introduction: protocols in the chain: HTTPS, RMI, SQL (Slide 21)
  • SQL Introduction: protocols in the chain: HTTPS + SQL Hacker Code, RMI, SQL, i.e. the injected SQL rides along in the HTTPS request and reaches the database (Slide 22)
  • Demo 1: SQL Injection. Approach: Direct Attack. Impact: Credit Card Disclosure (section slide)
  • How to make Money? (1): a market for anonymous trading is required! (section slide)
  • Show: Video 1: Cyber Market (section slide)
  • Trading of illegal goods: Dumps (stolen credit cards); Carders (providers of "dumps"); Carding (using dumps); WU (Western Union); WMZ (Web Money); LR (Liberty Reserve); CVVs (Card Verification Value); Drops (remailing location); Rippers; CVV verification service (Slide 26)
  • 5000 unexpired/valid CC dumps: $2000. Money rule: how to pay for the illegal goods? Payment with Liberty Reserve (Slide 27)
  • Liberty Reserve? An anonymous Internet currency (Slide 28)
  • Liberty Reserve as E-Currency: both seller and buyer need an LR account; the LR account is anonymous (diagram: Anonym – Anonym) (Slide 29)
  • LR requires "Exchangers": real money is exchanged into LR currency; direct payment into an LR account is not possible; more than 100 LR-enabled banks (exchanger banks); Trust (Slide 30)
  • How to make Money? (2): Money Mule and Money Laundering (section slide)
  • Example PostFinance (Phishing): Transaction with Money Mule (Slide 32)
  • MELANI says ...: response from the Cyber Underground to a MELANI request. Reference: Marc Henauer, Head of MELANI, ISSS St. Gallen Conference, 29 April 2010 (Slide 33)
  • How to make Money? (3): split hacking from the financial benefit (section slide)
  • Splitting "Hacking" and Financial Benefit: Hacking | Financial Benefit (Slide 35)
  • Example: XML Injection. Approach: Direct Attack. Impact: Credential Disclosure (section slide)
  • XML Introduction: Protocol HTTPS + XML; XML Query (Slide 37)
  • XML Injection: Protocol HTTPS + XML Hacker Code; XML Parser Attack (Slide 38)
  • Demo 2: XML Injection. Approach: Direct Attack. Impact: Credential Disclosure (section slide)
  • Cyber Espionage: they go after information ... (section slide)
  • Who is the Enemy? Hacking for Fun, Cyber Crime, Cyber Espionage, Cyber Warfare (Slide 41)
  • How to rule the World (Slide 42)
  • Example: USB Trojan. Approach: Indirect Attack. Impact: Advanced Persistent Threat (section slide)
  • Virus Construction Toolkit: Covert Channel; delivery with USB stick / CD-ROM; the attacker controls the computer of the victim; start via Auto-Start (diagram: Company Network, Internet) (Slide 44)
  • Demo 3: USB Trojan. Approach: Indirect Attack. Impact: Remote Control of Victim (RAT), access to files (section slide)
  • Covert Channels I – Direct: Simple Inside-Out Attack (diagram: Corporate LAN, Internet). Direct Channels: ACK tunnel; TCP tunnel (pop, telnet, ssh); UDP tunnel (syslog, snmp); ICMP tunnel; IPSEC, PPTP (Slide 46)
  • Covert Channels II – Proxified: Advanced Inside-Out Attack (diagram: LAN Proxy, Corporate LAN, DMZ Proxy, Internet). Proxified Channels: Socks; SSL tunnel; HTTP/S tunnel (payload of HTTP = tunnel); HTTP/S proxy CONNECT method tunnel; DNS tunnel; FTP tunnel; Mail tunnel (Slide 47)
  • Advanced Persistent Threat (section slide)
  • Advanced Persistent Threat: diagram of Agents on Zombie Hosts reporting to a C&C Server (Slide 49)
  • Advanced Persistent Threat: Command & Control Communication. Diagram: Client, DNS Server, repeated POLL, Command File, Commands, Execute commands. Commands: 1. POLL; 2. GET FILE TO CLIENT; 3. PUT FILE TO SERVER; 4. EXECUTE @ CLIENT; 5. EXIT CLIENT (Slide 50)
  • APT Design Pattern. First Infection: installation of a user-land virus or Trojan horse; the virus does not require local admin privileges; the virus talks back to the command & control server (C&C); get latest updates from C&C (very important!); if C&C is unreachable, self-destroy routine. Privilege Elevation: elevate privileges with a 0-day exploit; keyboard sniffer; create encrypted storage; evidence protection; get latest updates; send collected information (important); if C&C is unreachable, sleep for 90 days (Slide 51)
  • What to do if we find out we are compromised? How to handle long-term attacks (section slide)
  • Advanced Persistent Threat: Incident Handling – C&C Traffic Redirection. Diagram: the Agents on the Zombie Hosts are redirected from the C&C Server to an Update Service that delivers Anti-APT updates. Problems!!! Updates are encrypted / signed, so reverse engineering of the zombie or of the C&C host is required (Slide 53)
  • US Report, Nov. 2008: "China has an active cyber espionage program. Since China's current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts. By some estimates, there are 250 hacker groups in China that are tolerated and may even be encouraged by the government to enter and disrupt computer networks." (Slide 54)
  • Cyber War: cyber is a new military domain of operations (section slide)
  • USA: Cyber Command. "On June 23, 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish USCYBERCOM." Director of NSA and Commander of Cybercom. http://www.defense.gov/cyber (Slide 56)
  • USA: New Domain of Operations – Cyber: Land, Sea, Air, Space, Cyber. C⁴ISR (command and control, communications, computers, intelligence, surveillance, and reconnaissance) (Slide 57)
  • War Assets: Critical Infrastructures (section slide)
  • Switzerland: http://www.bevoelkerungsschutz.admin.ch/internet/bs/de/home/themen/ski/kritische_infrastrukturen.html (Slide 59)
  • 1) Cyber Attack: Government (Slide 60)
  • 2) Cyber Attack: Power and Energy (Slide 61)
  • 3) Cyber Attack: Trash Recycling (Slide 62)
  • 4) Cyber Attack: Finance (Slide 63)
  • 5) Cyber Attack: Health (Slide 64)
  • 7) Cyber Attack: IT & Telecommunications (Slide 65)
  • 8) Cyber Attack: Food (Slide 66)
  • 9) Cyber Attack: Public Security (Slide 67)
  • 10) Cyber Attack: Traffic & Transport (Slide 68)
  • Cyber Defense in Switzerland? (section slide)
  • Divisionär Kurt Nydegger: he has been tasked with drawing up an overview of the situation and presenting a defence strategy to the Federal Council. The task is complex, because the threat picture is diffuse. (Slide 70)
  • Conclusion & Recommendations (section slide)
  • Recommendations: set up basic security (against script kiddies); identify the critical assets that are essential for your business and secure them very strictly, even against internal users (their computers could be compromised); test your security (penetration tests); monitor your infrastructure day and night; prepare yourself for an APT incident: think about how you would monitor your perimeter network traffic, how to reverse-engineer encrypted C&C traffic, and how to communicate with your employers, media, stakeholders, shareholders and management (Slide 72)
  • Discussion/Questions: Questions?! (Slide 73)
  • Thank You – Ivan Bütler. Compass Security AG, Werkstrasse 20, P.O. Box 2037, CH-8645 Jona SG, Switzerland, Tel. +41 55 214 41 60, Fax +41 55 214 41 61, team@csnc.ch, www.csnc.ch, ivan.buetler@csnc.ch (Slide 74)
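As an added example (not from the slides, and not Compass Security's tooling) tying the APT agent's regular POLL to its C&C server (Slide 50) to the recommendation to monitor perimeter traffic day and night (Slide 72): a detector that flags client/destination pairs whose outbound request intervals are almost constant in constructed proxy log lines. The log format, hostnames and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): "timestamp client destination method".
# 10.1.2.7 polls one host every ~5 minutes; 10.1.2.9 is ordinary browsing.
SAMPLE_LOG = """\
2010-05-03T08:00:00 10.1.2.7 update.example-cc.test GET
2010-05-03T08:00:10 10.1.2.9 www.example-news.test GET
2010-05-03T08:00:12 10.1.2.9 www.example-news.test GET
2010-05-03T08:03:40 10.1.2.9 www.example-news.test GET
2010-05-03T08:05:01 10.1.2.7 update.example-cc.test GET
2010-05-03T08:09:59 10.1.2.7 update.example-cc.test GET
2010-05-03T08:12:30 10.1.2.9 mail.example-corp.test CONNECT
2010-05-03T08:15:02 10.1.2.7 update.example-cc.test GET
2010-05-03T08:20:00 10.1.2.7 update.example-cc.test GET
2010-05-03T08:31:05 10.1.2.9 www.example-news.test GET
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(log):
    """Group request timestamps by (client, destination) pair."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting
        ts, src, dst, _method = m.groups()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events

def beacon_candidates(log, min_hits=4, max_cv=0.1):
    """Return (client, destination, mean_gap_seconds) for pairs whose request
    intervals are nearly constant: stddev/mean of the gaps at or below max_cv
    over at least min_hits requests. Browsing bursts have irregular gaps."""
    found = []
    for (src, dst), times in parse_log(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((src, dst, round(avg)))
    return found

if __name__ == "__main__":
    for src, dst, gap in beacon_candidates(SAMPLE_LOG):
        print(f"possible C&C polling: {src} -> {dst} every ~{gap}s")
```

An agent that sleeps for 90 days or randomises its polling interval will not show up with this check alone, so pair it with destination rarity and reputation data.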