Owasp security summit_2012_milanovs_final
  • OWASP testing guide for CISOs
  • Scenarios have changed radically in the last ten years: above all, the motives are now money and profit, and the new hackers are part of organizations dedicated to perpetuating crime but also to developing very sophisticated attack tools. The main victims are companies, in particular the financial sector. Financial losses due to malware-based attacks are rising: in the U.S.A. alone, according to data from the FDIC (Federal Deposit Insurance Corporation), during the third quarter of 2009 malware-based online banking fraud rose to over $120 million. In the UK, according to data from the Cards Association, losses from the online banking sector in the UK during 2009 totaled 60 million UK pounds.
  • Jonathan James, known as "cOmrade" on the Net, pleaded guilty to intercepting 3,300 emails, stealing passwords, and nicking data from 13 NASA computers - including some involved with the International Space Station. Between August 23, 1999, and October 27, 1999, James committed a series of intrusions into various systems, including those of BellSouth and the Miami-Dade school system.[4] What brought him to the attention of federal authorities, however, was his intrusion into the computers of the Defense Threat Reduction Agency, a division of the United States Department of Defense, the primary function of which is to analyze potential threats to the United States of America, both at home and abroad. James later admitted to authorities that he had installed an unauthorized backdoor in a computer server in Dulles, Virginia, which he used to install a sniffer that allowed him to intercept over three thousand messages passing to and from DTRA employees, along with numerous usernames and passwords of other DTRA employees, including at least 10 on official military computers.[1] This intrusion, when detected, caused NASA to shut down its computers for three weeks that July, costing $41,000 to check and fix its systems.[5] It was later revealed that the precise software obtained was the International Space Station's source code controlling critical life-sustaining elements. According to NASA, "the software supported the International Space Station's physical environment, including control of the temperature and humidity within the living space."[6]
    An American cybervillain: Consider Jeanson James Ancheta. This 20-year-old Downey, California, resident worked in an Internet cafe and, according to an aunt, hoped to join the military reserves. Given his modest aspirations, Ancheta lived a rather luxurious lifestyle, often seen driving his 1993 BMW and spending upward of $600 a week on new clothes and car parts.
    Last week in a Los Angeles federal court, Ancheta pleaded guilty to four felony charges of violating United States Code Section 1030, Fraud and Related Activity in Connection with Computers, specifically subsections (a)(5)(A)(i), 1030 (a)(5)(B)(i), and 1030(b). According to the multiple-count indictment, Ancheta did what any wannabe botmaster would do: he authored a worm that allowed him to infect as many computers on the Internet as he could with off-the-shelf remote access Trojans (RATs). These include common home computers without firewall and antivirus protection. Ancheta's worm-compromised computers installed a custom version of rxbot, a commonly available Trojan horse, customized to listen to an IRC channel in Ancheta's control. Over time, he amassed about 40,000 worm-infected remote access computers (also known as bots). However, some of the bots included computers at the Defense Information Systems Agency (DISA) in Falls Church and at China Lake Naval Air Facility in California. The DISA offers network-based solutions for the President, the Vice President, and the Secretary of Defense.
    Apart from Mafiaboy, also Mitnick: he hacked multiple computer and phone networks over the years, prompting law enforcement to tell a judge he had the ability to "start a nuclear war by whistling into a pay phone." Mitnick has been arrested and incarcerated several times.
    And Mr Levin: from his laptop in his St. Petersburg, Russia, apartment in 1994, Vladimir Levin transferred $10.7 million from Citibank clients to his own bank accounts. Authorities eventually recovered all but $400,000 of the stolen money. When Citibank noticed the transfers, they contacted the authorities, who tracked Levin down and arrested him at a London airport in March, 1995. He fought extradition for 30 months, but lost, and was transferred to the US for trial. He was convicted and sentenced to three years in jail, and ordered to pay Citibank $240,015. Four members of Levin's group pleaded guilty to conspiracy to commit bank fraud, and served various sentences. In 2005 an alleged member of the former St. Petersburg hacker group, claiming to be one of the original Citibank penetrators, published under the name ArkanoiD a memorandum on the popular Provider.net.ru website dedicated to the telecom market.[1] According to him, Levin was not actually a scientist (mathematician, biologist or the like) but a kind of ordinary system administrator who managed to get his hands on the ready data about how to penetrate Citibank machines and then exploit them. In his plea agreement he admitted to only one count of conspiracy to defraud and to stealing US$3.7 million. In February 1998 he was convicted and sentenced to three years in jail, and ordered to make restitution of US$240,015. Citibank claimed that all but US$400,000 of the stolen US$10.7 million had been recovered. ArkanoiD emphasized all the communications were carried over the X.25 network and the Internet was not involved. ArkanoiD's group in 1994 found out Citibank systems were unprotected and it spent several weeks examining the structure of the bank's USA-based networks remotely. Members of the group played around with systems' tools (e.g. were installing and running games) and were unnoticed by the bank's staff. The penetrators did not plan to conduct a robbery, for their personal safety, and stopped their activities at some time. One of them later handed over the crucial access data to Levin (reportedly for the stated $100).
    An X.25 WAN consists of packet-switching exchange (PSE) nodes as the networking hardware, and leased lines, Plain old telephone service connections or ISDN connections as physical links. X.25 is a family of protocols that was popular during the 1980s with telecommunications companies and in financial transaction systems such as automated teller machines. X.25 was originally defined by the International Telegraph and Telephone Consultative Committee (CCITT, now ITU-T) in a series of drafts[1] and finalized in a publication known as The Orange Book in 1976.[2] While X.25 has been, to a large extent, replaced by less complex protocols, especially the Internet protocol (IP), the service is still used and available in niche and legacy applications.
    http://articles.businessinsider.com/2010-12-13/tech/29982955_1_real-hackers-computer-virus-adrian-lamo
    http://www.eweek.com/c/a/Security/The-Worlds-Top-10-Groundbreaking-Hackers-694168/
    In the 2000s we witness the shift from attacks motivated by "we will become famous" to "hack where the money is" attacks; the targets are therefore motivated by money more than by notoriety. Examples are the Code Red attack in 2001, the exploitation of a buffer overflow in IIS web server systems, long stream of: The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for such. [3] The impact is still one of notoriety, defacing the web site to load the page: The worm was named the .ida "Code Red" worm because Code Red Mountain Dew was what they were drinking at the time, and because of the phrase "Hacked by Chinese!" with which the worm defaced websites.[1] The most striking fact is that in 2002 Bill Gates gave rise to: January: Bill Gates decrees that Microsoft will secure its products and services, and kicks off a massive internal training and quality control campaign. 2005 September 13: Cameron Lacroix is sentenced to 11 months for gaining access to T-Mobile USA's network and exploiting Paris Hilton's Sidekick.[19]
  • In 2007 Albert Gonzalez steals around 130 million credit card accounts from the Hannaford and TJX Maxx stores and from the ATMs in Seven Eleven stores. He is an FBI informant for the takedown of Shadowcrew. He uses SQL Injection attacks to install malware sniffers to capture the data transmission between POS and credit card processors (e.g. Heartland Payment Systems). He resells the debit card numbers and PINs on the underground hacker market (Darknet) and makes profits from counterfeiting the cards via ATMs.
    About Gonzalez: Gonzalez faces a minimum of 15 years and a maximum of 25 years in prison. Gonzalez had been the key informant in the 2004 takedown of Shadowcrew, a cyber criminal network that specialised in identity theft and bank card cloning, which he had helped run, the FT said. He faces fines of US$250,000 in both cases, but the fines could be increased to twice his gains and twice the victims' losses in the Boston case. http://en.wikipedia.org/wiki/Albert_Gonzalez
    May 2008 in New York for the Dave & Busters case (trial scheduled September 2009); May 2008 in Massachusetts for the TJ Maxx case (trial scheduled early 2010); August 2009 in New Jersey in connection with the Heartland Payment case. The indictment in the NJ court includes Heartland, Hannaford, 7-11 and retailers A & B; the attacks occurred two years ago, starting October 2007 to January 2008, and include Gonzalez, hacker 1, hacker 2 and PT. In early November 2007, a related company of Hannaford was the victim of a SQL Injection Attack that resulted in the later placement of malware on Hannaford's network and the theft of approximately 4.2 million credit and debit card numbers and corresponding Card Data. Company A (major retailer) was the victim of a SQL Injection Attack that resulted in the placement of malware on its network. In or about January 2008, Company B was the victim of a SQL Injection Attack that resulted in the placement of malware on its network. In the courts of Boston and San Diego in August 2008, 11 were charged for breaches in TJ Maxx, DSW etc. The T.J. Maxx heist and similar data breaches at BJ's Wholesale Club and OfficeMax (NYSE:OMX) were listed in the 20 charges to which Gonzalez, who used the screen name "segvec" during his hacking exploits, pleaded guilty. Charged with stealing 130 million CC from Heartland Payment Systems, a New Jersey card payment processor; 7-Eleven, the Texas-based convenience store chain; and Hannaford Brothers, a Maine-based supermarket chain. In the Boston and New York cases, Gonzalez and his co-conspirators broke into retail credit card payment systems through a series of sophisticated techniques, including "wardriving" and installation of sniffer programs to capture credit and debit card numbers used at retail stores, according to the indictments. Engaged in ATM fraud by encoding the data on the magnetic stripes of blank cards and withdrawing tens of thousands of dollars at a time from ATMs, the DOJ said. Concealed and laundered their fraud proceeds by using anonymous Internet-based currencies both within the U.S. and abroad, and by channeling funds through bank accounts in Eastern Europe. http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf
    Albert Gonzalez:
  • 2010: Anonymous attacks Visa in retaliation for WikiLeaks. http://voices.washingtonpost.com/blog-post/2010/12/mastercardcom_hacked_by_wikile.html 2011/2012: Hamas attacks the Israel stock exchange and Israel responds.
  • Sony PlayStation Network, Sony Online Entertainment, Sony Pictures: theft of credit card data and passwords for 100,000 users. Epsilon, site with emails of AMEX, VISA, retailers, banks: 60 million emails compromised. RSA, servers of the token authentication system (SecurID token): millions of impacted customers had to replace their tokens. HBGary Federal, emails of CEOs, customer reports: revenge by the Anonymous group, data on a Russian server. Stratfor, strategic intelligence reporting for customers: 860K emails and 75K customer credit card numbers. http://flowingdata.com/2011/06/13/largest-data-breaches-of-all-time/ As I'm sure you know, Sony has been having all sorts of data breach problems lately — namely a million passwords from the Sony Pictures site, 77 million accounts from the PlayStation Network, and nearly 25 million user accounts from Online Entertainment. I was curious how these recent attacks compared to the largest known data loss incidents, so I headed over to DataLossDB. Sony now holds spots #4 and #10 for largest breaches of all time. That can't be good. Below: a timeline of all known Sony data breaches so far this year, the biggest on April 26 and the second biggest soon after on May 2. More to come?
  • 860,000 e-mail addresses and 75,000 unencrypted credit card numbers. Read more: http://news.cnet.com/8301-27080_3-57350361-245/hackers-release-credit-card-other-data-from-stratfor-breach/#ixzz1ouIhh3qR
  • Which are the main targets and the most sought-after sensitive data. Web applications represent the majority by % of compromised data, while by % of attack type they are in third place. The data types most at risk are credit card records, followed by authentication logins.
  • Interesting to see the impact as online fraud: usually one talks about account takeover and application counterfeiting, but online fraud includes a bit of everything.
  • Malware/hacking techniques for the theft of data and of online banking sessions (account takeover)
  • These MiTB examples also serve to characterize the type of malware and to determine an incident response action.
  • Account takeover: Account takeover happens when a criminal tries to take over another person's account, first by gathering information about the intended victim, and then contacting their card issuer while impersonating the genuine cardholder, and asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent. Some merchants added a new practice to protect their consumers and their own reputation, where they ask the buyer to send a photocopy of the physical card and statement to ensure the legitimate usage of a card.
    Zeus is a Trojan horse that steals banking information by Man-in-the-browser keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation,[1] it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.[2] The various Zeus botnets are estimated to include millions of compromised computers (around 3.6 million in the United States).[3] As of October 28, 2009 over 1.5 million phishing messages were sent on Facebook with the purpose of spreading the Zeus trojan. On November 3, 2009 a British couple was arrested for allegedly using Zeus to steal personal data.[4] From November 14–15, 2009 Zeus spread via e-mails purporting to be from Verizon Wireless. A total of nine million of these phishing e-mails were sent.[5] In 2010 there were reports[6][7] of various attacks, among which one, in July, disclosed by security firm Trusteer, indicating that the credit cards of more than 15 unnamed US banks were compromised.[8][9] On October 1, 2010, the FBI announced it had discovered a major international cyber crime network which had used Zeus to hack into US computers and steal around $70m. More than 90 suspected members of the ring were arrested in the US, and arrests were also made in the UK and Ukraine.[10] In May 2011, the then-current version of Zeus's source code was leaked [11][12] and in October the abuse.ch blog reported about a new custom build of the trojan that relies on more sophisticated peer-to-peer capabilities. [13]
  • https://zeustracker.abuse.ch/statistic.php
  • The reality is that there is a market for bank account and credit card information in the black economy
  • It depends on the type of attack and compromise.
  • CNP fraud keeps growing without limit. Stephen Wilson, Tue 27 Sep 2011. The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures, condenses them and plots the trend data. Here's the latest picture of card fraud in three major categories over the past five calendar years. http://lockstep.com.au/blog/2011/09/27/au-cnp-fraud-cy2010
  • Malicious Software/Hack compromises unknown number of credit cards at fifth largest credit card processor. Records: 130,000,000; Record Types: CCN; Breach Type: Hack; Data Family: Electronic; Source: Outside; Organization: Heartland Payment Systems; Other Affected/Involved Organizations: Tower Federal Credit Union, Beverly National Bank; Lawsuit? YES; Data Recovered? NO/UNKNOWN; Arrest? YES; Submitted By: michaelcordes
  • EMV pickpocket threat example
  • For the cases of complaints to the FBI in 2009, the majority, 17%, are FBI scams; 12% goods that do not arrive to the sender; 10% advanced fee fraud; 8% identity theft (which MFA must protect against); overpayment fraud 7%; spam 6%; credit card fraud 6%; and auction fraud 5.7%.
  • What has the evolution been?
  • Stage I - Define the objectives: Identify business objectives and ensure an appropriate level of security requirements to support the business goals for the application while meeting compliance with security standards. Identify preliminary security and compliance risks and their business impacts to the application.
    Stage II - Define the technical scope: Define the technical scope/boundaries of threat modeling as a dependency on the various technologies, software and hardware, components and services used by the application. Categorize any architectural and technology components whose function is to provide security controls (e.g. authentication, encryption) and security features (e.g. protection of CIA).
    Stage III - Decompose the application: Decompose the application into the essential elements of the application architecture (e.g. users, servers, data assets) that can be further analyzed for attack simulation and threat analysis from both the attacker and the defender perspective.
    Stage IV - Analyze the threats: Enumerate the possible threats targeting the application as an asset. Identify the most probable attack scenarios based upon threat agent models, security event monitoring and fraud mapping, and threat intelligence reports. The final goal is to analyze the threat and attack scenarios that are most probable and need to be prioritized later for attack simulation.
    Stage V - Vulnerabilities & Weaknesses Analysis: The main goal of this stage of the methodology is to map the vulnerabilities identified for the different assets, which include the application as well as the application infrastructure, to the threats and the attack scenarios identified in the previous threat analysis stage. Formal methods that map threats to several generic types of vulnerabilities, such as threat trees, will be used to identify which ones can be used for attacking the application assets. Once these vulnerabilities are identified, they will be enumerated and scored using standard vulnerability enumeration (CVE, CWE) and scoring methods (CVSS, CWSS).
    Stage VI - Analyze the Attacks: The goal of this stage is to analyze how the application and the application context, which includes the user agents, the application and the application environment, can be attacked by exploiting vulnerabilities and using different attack libraries and attack vectors. Formal methods for the attack analysis used at this stage include attack surface analysis, attack trees and attack libraries/patterns. The ultimate outcome of this stage is to map attacks to vulnerabilities and document how these vulnerabilities can be exploited by different attack vectors.
    Stage VII - Risk and Impact Analysis: The goal of this final stage is to derive risk and impact values for the application environments, determine the residual risks to the business after countermeasures are applied and existing compensating security controls/measures are considered, and provide risk mitigation strategies for informed risk management decisions.
  • The Threats (e.g. the causes): Fraudster targeting on-line banking application for data theft and to commit fraud (e.g. un-authorized money transfer to fraudulent accounts)
    The Vulnerabilities (e.g. the application weakness): Flaws in authentication and session management; Vulnerabilities in data confidentiality and integrity; Gaps in auditing and logging fraudsters' actions and security events
    The Technical impacts (e.g. breaking security controls): Bypassing authentication with Challenge/Questions, KBA, OTPs; Bypassing customer validations to authorize financial transactions; Tampering web forms for account takeover; Abusing the session by impersonating the authenticated user
    The Business Impact (e.g. financial loss, fraud, unlawful compliance etc): Financial loss due to fraud and un-authorized money transfer to money mules; Reputation loss due to disclosure of breaches of customer data, PII; Lawsuits from businesses victim of business account compromise, un-covered money losses; Unlawful non-compliance with regulations
  • According to the experts there is agreement on the fact that the majority of incidents are at the application level (70-75%) and on the correlation with vulnerabilities (70-90%); there is agreement on the reduction of costs by 75% if vulnerabilities are reduced by 50%, and by 83% (for all vulnerabilities) if software vulnerabilities are remediated during the coding phase.
  • MINIMUM CRITERIA: RISK MITIGATION and COMPLIANCE. Mitigation of new hacking and malware threats targeting web sites and, if already data breached, implementation of countermeasures to prevent other similar data breaches/incidents from occurring. Meeting of industry-specific compliance requirements for web applications (e.g. FFIEC, PCI-DSS). From the perspective of deciding "how much money to budget for application security" the following criteria can be used: estimate of the impact of the costs incurred in the event of a security incident; quantitative risk calculation of the annual cost for losses due to a security incident; optimization of the security costs in relation to the cost of incidents and the cost of security measures; the return of security investment.
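Stage VII (risk and impact analysis) and the budgeting criteria above, as an added example that is not the presentation's or OWASP's own code: a small Python model that turns each threat scenario from the threat/vulnerability/impact slide into an annualized loss expectancy, applies countermeasure effectiveness to obtain the residual risk, and computes the return on security investment. The scenario register and every figure in it are constructed placeholders, not numbers from the page.

```python
"""Stage VII risk and impact analysis as a small quantitative model.

Added example, not from the presentation or the OWASP project. Scenario
names follow the threat / vulnerability / business-impact slide; every
monetary value, frequency and countermeasure effectiveness below is a
constructed placeholder, not a figure from the page.
"""
from dataclasses import dataclass, field


@dataclass
class Countermeasure:
    name: str
    annual_cost: float      # yearly cost of the security measure
    risk_reduction: float   # fraction of the scenario's ARO it removes, 0..1


@dataclass
class Scenario:
    threat: str             # Stage IV: the threat / attack scenario
    vulnerability: str      # Stage V: the weakness it exploits
    business_impact: str    # Stage VII: how the loss materializes
    sle: float              # single loss expectancy: cost of one incident
    aro: float              # annualized rate of occurrence (incidents/year)
    countermeasures: list = field(default_factory=list)


def ale(s: Scenario) -> float:
    """Annualized loss expectancy = SLE x ARO: the annual cost of losses."""
    return s.sle * s.aro


def residual_ale(s: Scenario) -> float:
    """ALE left after countermeasures (Stage VII residual risk). Reductions
    compound multiplicatively: two 50% controls leave 25%, not 0%."""
    remaining = 1.0
    for cm in s.countermeasures:
        if not 0.0 <= cm.risk_reduction <= 1.0:
            raise ValueError(f"{cm.name}: risk_reduction must be in [0, 1]")
        remaining *= 1.0 - cm.risk_reduction
    return ale(s) * remaining


def control_cost(s: Scenario) -> float:
    """Total yearly cost of the countermeasures applied to a scenario."""
    return sum(cm.annual_cost for cm in s.countermeasures)


def rosi(s: Scenario) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    cost = control_cost(s)
    if cost == 0:
        raise ValueError("no countermeasures: ROSI is undefined")
    avoided = ale(s) - residual_ale(s)
    return (avoided - cost) / cost


# Constructed sample register mirroring the scenarios discussed on the slides.
REGISTER = [
    Scenario(
        threat="Fraudster: account takeover via man-in-the-browser malware",
        vulnerability="Flaws in authentication and session management",
        business_impact="Unauthorized transfers to money mules",
        sle=50_000.0, aro=12.0,
        countermeasures=[
            Countermeasure("Out-of-band transaction verification", 150_000.0, 0.70),
            Countermeasure("Fraud monitoring of session anomalies", 80_000.0, 0.40),
        ],
    ),
    Scenario(
        threat="SQL injection used to plant card-data sniffers",
        vulnerability="Vulnerabilities in data confidentiality and integrity",
        business_impact="Card-data breach, PCI-DSS non-compliance, lawsuits",
        sle=2_000_000.0, aro=0.2,
        countermeasures=[
            Countermeasure("Parameterized queries plus code review", 120_000.0, 0.80),
        ],
    ),
    Scenario(
        threat="Hacktivist denial of service against the public site",
        vulnerability="No upstream traffic filtering or spare capacity",
        business_impact="Reputation loss, lost online business",
        sle=100_000.0, aro=1.0,
        countermeasures=[],   # unmitigated: residual risk equals inherent risk
    ),
]


def report(scenarios=REGISTER):
    """Inherent vs residual ALE, control cost and ROSI per scenario, ordered
    by residual risk (highest first): the list of what to fund next."""
    rows = [{
        "threat": s.threat,
        "ale": ale(s),
        "residual_ale": residual_ale(s),
        "control_cost": control_cost(s),
        "rosi": rosi(s) if s.countermeasures else None,
    } for s in scenarios]
    return sorted(rows, key=lambda r: r["residual_ale"], reverse=True)
```

Calling report() returns the rows ordered by residual risk; with the constructed figures the unmitigated denial-of-service scenario ends up ranked above the SQL injection one once the latter's countermeasure is applied, which is the kind of re-prioritization Stage VII is meant to surface.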

Presentation Transcript

  • The evolution of hacking and malware threats and their impacts for the finance sector. Marco Morana, Global Industry Committee, OWASP Foundation. OWASP Security Summit, Milano, 21-22 March 2012. Copyright © 2011 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org
  • Do you know OWASP? OWASP 2
  • Agenda of the presentation
    PART I: The evolution of computer and internet hacking scenarios, attacks and threat agents
    PART II: Analysis of hacking and malware threats and of their impacts for the finance sector
    PART III: Evolution and effectiveness of countermeasures, and criteria for mitigating hacking-malware risks
  • PART I: The evolution of internet hacking scenarios, attacks and threat agents
  • Evolution of hacking-malware threats. The threat landscape has changed in the last 10 years:
    • Yesterday: isolated attacks by script kiddies (teenagers) whose goals were to spread viruses, cause denial of service and become famous
    • Today: attacks by gangs organized around the sale of cybercrime. The goals are above all profit: from identity data theft, from credit card theft for resale and counterfeiting, from online fraud, and denial of service against sites for political motives/hacktivism
    SOURCE: Cisco: Threat Control and Containment: New Strategies For A Changed Threat Landscape
  • Profiles of "threat agents" in the years 1990-2000
    - 1994: Vladimir Levin, aka ArkanoID, transfers 10 million $ from Citibank into his own bank account by hacking X.25 financial networks
    - 1999: Jonathan James, aka "c0mrade", installs a sniffer and intercepts US Dept of Defense passwords
    - 2000: Onel Deguzman, author of the ILOVEYOU virus, becomes famous by attacking about 10 million computers worldwide; estimated damage of 5.5 billion $ to disinfect the virus
    - 2000: Michael Calce, alias MAFIABOY, at the age of 15 takes the sites of yahoo, ebay, cnn and amazon offline; Etrade is disconnected for 90 minutes. He used file sharing software
  • Famous threat agents of the years 2001-2010
    - 2004: Sven Jaschan, author of the Sasser worm, with an estimated impact of 10 million infected hosts
    - 2006: Jeanson James Ancheta, the first author of a botnet rented out to spammers and hackers, infects and controls a total of 1/2 million computers, including those of the Defense Information Systems Agency (DISA)
    - 2007: Albert Gonzalez steals about 130 million credit card accounts from the Hannaford and TJX Maxx stores and from the ATMs in SevenEleven stores. He uses SQL Injection to install malware sniffers and capture data between POS terminals and credit card processors (e.g. Heartland Payment Systems). He resells the card numbers and PINs on the underground hacker market (Darknet) and makes profits from counterfeiting the cards via ATMs
    - 2010: the NY court of justice sentences 37 hackers found guilty of bank fraud on a global scale for 3 million $ using Zeus malware
  • Threat scenarios for financial sites: hacktivism
  • Main incidents by volume of data lost
  • The most recent data breach incidents (2011)
     Sony (PlayStation Network): theft of credit card data and passwords for 100,000 users
     Epsilon, a site holding the emails of AMEX, VISA, retailers and banks: 60 million emails compromised
     RSA, servers of the token-based authentication system (SecurID token): millions of impacted customers had to replace their tokens
     HBGary Federal, revenge of the Anonymous group: emails of client CEOs published on a server in Russia
     Stratfor, strategic intelligence reporting for clients: 860K emails and 75K client credit card numbers
  • Ok, let's take a step back..
  • PART II: Hacking attacks: analysis of threats and impacts
  • What are the causes and effects of incidents?
  • Main causes of incidents with data loss (Source: Verizon, 2011)
     The majority are caused by hacking and the spread of malware
    Source: Verizon Data Breach Investigation Report: http://www.verizonbusiness.com/Products/security/dbir/
  • Types of data compromised by malware-hacking attacks (Source: Verizon 2011)
     The data types most at risk are credit cards, followed by authentication data
    Source: Verizon Data Breach Investigation Report: http://www.verizonbusiness.com/Products/security/dbir/
  • Causes of personal data loss and type of attack (Source: DataLossDB). Cause No. 1 is hacking (32%), from outside (53%)
    Source: DataLossDb.org http://www.datalossdb.org
  • The effects of hacking and malware: types of online fraud
    Account takeover: online money transfers via ACH/wire
    Card-not-present fraud: online payments with stolen card data
    Counterfeiting of credit/debit cards and fraud via ATM/ABM and POS
    Capture of card data and sensitive data with Man In the Middle and Man in the Browser, and installation of data sniffers in POS channels
    Carding: validation of credit/debit card data using online forms
    Application fraud: using compromised data online to open a bank account or to apply for a credit card
    Cross-border attacks and scams
    Money laundering using money mules
    Phishing and vishing aimed at capturing card data (CVV, PINs, ACC)
  • Malware/hacking techniques for online banking fraud: account takeover
     Attacks directed at the client (browser, PC)
       Exploit vulnerabilities of the browser (iframes, Flash, plugins) and of the client PC (no AV/AS, administrator privileges)
       Social engineering and phishing through various channels (email, Facebook etc.)
     Attacks directed at the online banking site
       Exploitation of site vulnerabilities (e.g. weak login authentication, SQL injection, XSS, iframe injection, unvalidated redirection)
       Lack of server-side filtering/white-listing and event monitoring measures (e.g. no WAF, no SIEM, no blocking of malicious cookies/HTTP agents)
     Attacks directed at payment/wire transfer transactions
       Exploit the lack of verification of the transaction origin (e.g. call back, transaction verification over an independent channel)
       Exploit the lack of external authentication (e.g. OOBA, SMS/voice, maker/checker dual-person authorization)
  • Example of an attack on the user's browser: Man In The Browser
  • The cycle of online fraud using malware (source FBI)
    1. The malware coder writes the code to attack the bank (crimeware)
    2. The hacker buys the crimeware or rents it
    3. The online banking user's PC is infected with the banking malware
    4. The banking malware captures keyboard and online data
    5. The hacker connects to the server, accesses the victim's computer and logs in to the online account with the data held on the server
    6. The hacker makes a wire transfer to a third-party account (money mule)
    7. The transfer is moved to the hacker's account
    Source of the image: http://en.wikipedia.org/wiki/Zeus (Trojan_horse), The Zeus Fraud Scheme
  • Zeus banking malware: tracking of the sites controlled by fraudsters (real-time data from the abuse.ch site)
    Source: https://zeustracker.abuse.ch/statistic.php
  • The price list for card data and log-ins, hacking tools and cybercrime services (source PandaLabs 2011)
    Source PANDA labs: http://ww.pandasecurity.com
  • How much attention do we devote to the possibility of future incidents?
  • Monetization of the possible impact of a data loss from the exploitation of a SQL injection vulnerability
    1. Calculate the probability of the attack. Assume the following statistics:
    - 11% of data losses occur online (DataLossDB data)
    - 19% of attacks exploit SQL injection (WHID data)
    The probability of losing data online through a SQL injection attack is 2%
    2. Calculate the value of the asset (the data):
    - 400 Euro per record (500-2000 as range)
    - Site with 300,000 registered online users
    Asset value = 120 million euro
    Liability of a SQL injection attack = Probability X Asset value = 2.4 million euro, or 80 Euro/customer
  • Monetization of the possible impact of hacking-malware account takeover?
    1. Calculate the probability of the attack. Assume the following statistics:
    - in the UK about 100,000 PCs are infected with Zeus malware (Trusteer); out of 36 million PCs in the UK the probability is 0.2%
    The probability of online fraud due to a Zeus malware attack is 0.2%
    2. Calculate the value of the wire/ACH transaction:
    - maximum online ACH transfer value: 5,000 £
    - number of gold customers with average deposits (> 10,000 £): 50,000
    Transaction value (cumulative) = 250 million £
    Liability of online account takeover = Probability X Asset value = 500,000 £, or 10 £/customer
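The two monetization calculations above (SQL injection data loss and Zeus account takeover), as an added example that is not part of the original slides: liability = probability of the attack X asset value, with the per-customer figure computed as the total liability divided by the number of customers at risk. The inputs are the figures quoted on the slides; the 2% and 0.2% probabilities are the rounded values the slides use.

```python
"""Monetized risk for the two slide scenarios: liability = probability
of the attack x value of the asset at risk.  Added example; the inputs
are the figures quoted on the slides, not measured data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float   # probability of the attack succeeding (0..1)
    unit_value: float    # value exposed per record / per transaction
    units: int           # number of records / customers at risk

    def asset_value(self) -> float:
        """Total value of the asset exposed to the attack."""
        return self.unit_value * self.units

    def liability(self) -> float:
        """Monetized risk: probability x asset value."""
        return self.probability * self.asset_value()

    def liability_per_customer(self) -> float:
        """Total liability spread over the customers at risk."""
        return self.liability() / self.units


def combined_probability(*factors: float) -> float:
    """Chain conditional rates, e.g. share of losses that happen online
    x share of attacks that use SQL injection (assumed independent)."""
    p = 1.0
    for f in factors:
        p *= f
    return p


# Slide 24: 11% of losses online, 19% of attacks use SQLi -> 2.09%,
# rounded to 2% on the slide; 400 EUR/record; 300,000 registered users.
SQLI_BREACH = Scenario("SQL injection data loss",
                       probability=round(combined_probability(0.11, 0.19), 2),
                       unit_value=400.0, units=300_000)

# Slide 25: ~100,000 Zeus-infected PCs out of 36 million, 0.2% as rounded
# on the slide; 5,000 GBP max ACH transfer; 50,000 gold customers.
ZEUS_TAKEOVER = Scenario("Zeus account takeover", probability=0.002,
                         unit_value=5_000.0, units=50_000)

if __name__ == "__main__":
    for s in (SQLI_BREACH, ZEUS_TAKEOVER):
        print(f"{s.name}: asset {s.asset_value():,.0f}, liability "
              f"{s.liability():,.0f} ({s.liability_per_customer():.2f}/customer)")
```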
  • Monetization of the impacts of fraud using compromised or counterfeit card data
    Source: Australian Payments Clearing Association (APCA) referred in http://lockstep.com.au/blog/2011/09/27/au-cnp-fraud-cy2010
  • Tangible (monetary) and intangible (perception) impacts
    Source: DataLossDb.org http://www.datalossdb.org
  • PART III: Evolution of prevention and risk reduction measures, and investment criteria
  • New technologies offer new attack opportunities and new security challenges. Yesterday's technologies vs. today's technologies
  • New technologies, new risks and perceptions
    Source: http://www.newschannel5.com/story/15982718/high-tech-pickpockets-can-steal-credit-card-info
  • Evolution of security measures vs. evolution of threats: some examples
    Counterfeit card fraud decreased from 2004-2006 but has increased from 2006 onward (*)
    2006: FFIEC establishes that simple log-in is no longer sufficient for risky transactions (**)
    2011: FFIEC establishes new guidelines to mitigate the malware/account takeover risk
    (*) Source http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
    (**) Source FBI http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf
  • Evolution of security governance in the last 20 years. Build Security In Maturity Model http://bsimm.com/
  • Those who do not evolve adapt out of FEAR, UNCERTAINTY or DOUBT
    F:
     Fear of failing audit/non-compliance => additional fines, restrictions and controls (e.g. SEC, PCI etc.)
     Fear of bad reputation => public disclosure of data breaches of PII in most US states (SB1386)
     Fear of lawsuits => fraud losses from private businesses and customers
    U:
     Uncertainty on business impacts => Are we the target? How much money do we lose from fraud incidents?
    D:
     Doubts on risk mitigation measures => Not trusting our own security technology, people, processes
  • Those who evolve adopt application risk management (e.g. NIST, TM, FAST, OCTAVE, PASTA)
  • Application risk management approach applied to hacking-malware threats
     Assess the threats (the causes): a hacker targets the online banking application for its data and to conduct fraud (unauthorized money transfers)
     Identify the vulnerabilities (weaknesses of the application): errors in the design of authentication and session management; weaknesses in guaranteeing the confidentiality and integrity of data; lack of logs and traceability of events and of the hackers' actions on the systems
     Determine the technical impact (compromise of controls): bypass of multi-factor authentication (challenge questions, KBA, OTPs); bypass of the client identification logic before authorizing transactions; compromise of web forms in order to obtain data from the user; abuse of authenticated sessions
     Determine the business impact (loss of money): losses from fraud/money transfers to mules; loss of sensitive data; legal action to cover account damages; fines for non-compliance with security standards
  • What criteria for the decision to invest in application security?
    1) "75% of incidents target web applications"
    2) "More than 70% of vulnerabilities are at the application level, not the network level"
    3) "Reducing vulnerabilities in code/software by 50% leads to a 75% saving on the total cost of vulnerability remediation"
    1,2,3 Sources: Gartner
  • Economic advantages of security "built into" secure software development (SDLC). Remediating vulnerabilities in design and coding produces a saving of
  • Guiding criteria for investments in application security: the OWASP AppSec guide for CISOs
    Source: https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs
  • QUESTIONS & ANSWERS