Cloud Ninja - Catch Me If You Can!

Starting with just a browser, imagine you’ve signed into a control panel to manage your 100,000 node botnet, where you monitor the rate of DDoS attacks being launched from your automated rental service. Then you set up a few more phishing sites that include payloads from the latest Chinese exploit packs. You then review the latest social security numbers, credit card numbers, and personal information extracted from yesterday’s network and application compromises. Your distributed search quickly aggregates all the latest valuable data and validates it before automatically posting it for resale. Now, what if I told you that was all done from a browser while utilizing machines provided by freely available cloud services? What happens when computer criminals start using friendly cloud services such as Dropbox, Google Apps, Heroku, Amazon EC2, and Yahoo Pipes for malicious activities? In this presentation we explore how to (ab)use the free public cloud for the business of computer crime. Oh! Also we violate the hell out of some terms of service. We built a framework to make the above scenarios a reality. What will organizations do when the origin of an attack is a popular site that can’t be blocked because it has legitimate business purposes? How will the FBI successfully prosecute when the perpetrator doesn’t have any evidence of illegal activity in their possession? How will SaaS and cloud providers thwart these activities to maintain a safe reputation? We explore answers to these questions and more.

    Cloud Ninja - Catch Me If You Can!: Presentation Transcript

    • Slide 1: CLOUD NINJA: Catch Me If You Can! Hacker Halted 2013, Atlanta, 9/21/13
    • Slide 2: Building a Botnet with Free Cloud-based Services …and Violating Terms of Service
    • Slide 3: Agenda: What are these guys talking about? Main Topics:
      - AUTOMATION: Automatically controlling resources from freely available service providers
      - STEALTH: Avoiding detection and bypassing security controls
      - PROTECTION: Anti-automation techniques and security controls cloud providers can use to defend services
    • Section: Automation: Scripting the Cloud
    • Slide 5: Cloud PaaS: Platform as a Service. Reference: http://goo.gl/AZ4nYp
    • Slide 6: Cloud Providers (In)Security: Usability vs Security. Automating Registration: hurdles
      - Email address confirmation
      - CAPTCHA
      - Phone/SMS
      - Credit Card
    • Slide 7: Anti-Automation. Chart: Fraudulent Account Registration, More Anti-Automation vs Email Confirmation Only (66% / 33%); legend: EMAIL, CAPTCHA, CREDIT CARD, PHONE
    • Slide 8: Cloud Providers (In)Security: Usability vs Security. Anti-Automation Techniques:
      - Email address confirmation
      - CAPTCHA
      - Phone/SMS
      - Credit Card
    • Slide 9: WHAT DID WE STEAL?
    • Slide 10: WHO DID WE STEAL IT FROM?
    • Slide 11: Registration: Free Signups. What do we need?
      - Unlimited email addresses: free SMTP processing
      - Email verification: confirmation tokens
      - Application activation: add SSH keys, deploy code
    • Slide 12: Plethora of Email Addresses: SMTP Services. Unlimited domains: freedns.afraid.org; prevent detection; thousands of unique email domains
    • Slide 13: Free DNS Subdomains: unlimited email addresses
    • Slide 14: Email Confirmation Token Processing: SMTP Services. Automated email processing: extract important information from incoming emails; grep for confirmation token links and request them
    • Slide 15: Per Site Processing Logic: SMTP Services. Account registration: automatic request sent to account activation links. Unique workflows: a framework for generic tasks; ability to perform actions on edge cases
    • Slide 16: Unlimited Storage Space: Refer Fake Friends
    • Section: Stealth: Like a Ninja
    • Slide 18: Anonymity and Privacy: TOR + VPN. TOR provides anonymity: connect to TOR first (https://github.com/stef/torpy). VPN provides privacy: then connect to a VPN; set up your own VPN on a VPS (http://torguard.net/)
    • Slide 19: Randomness: Avoiding Pattern Recognition. Random Identities: be generic, be realistic, be human
    • Slide 20: Randomness: Random Names
    • Slide 21: Realistic Randomness: Real Email Addresses. Unlimited usernames: prevent pattern recognition; pull from real world examples
    • Slide 22: CAPTCHA: Bypassing Bot Detection. What do we need?
      - Optical Character Recognition: OCR in Python using the Tesseract engine from Google (https://code.google.com/p/pytesser/)
      - Mechanical Turk: HITs, Human Intelligence Tasks (http://aws.amazon.com/mturk/)
      - Phishing: coerce targets into submitting CAPTCHAs from other sites by promising porn (http://blog.shubh.am/catpchajacking-a-new-approach-on-bypassing-the-captcha/)
    • Slide 23: Phone/SMS: Bypassing Phone Verification. What do we need?
      - Voice Over IP: use VOIP services such as Google Voice, PhoneBurner, and Hushed
      - Burner Phones: buy cheap pre-paid phones with Visa gift cards
    • Slide 24: Credit Cards: Bypassing Credit Card Verification. What do we need?
      - Pre-paid Visa Cards: valid credit card numbers; not charged for free services
      - Test Credit Card Numbers: 411111111111 (four followed by 15 ones)
    • Section: Funtivities: Botnets Are Fun!
    • Slide 26: Botnet Activities: Now we have a botnet! Fun! What can we do?
      - Distributed Network Scanning
      - Distributed Password Cracking
      - DDoS
      - Click-fraud
      - Bitcoin/Litecoin Mining
      - Data Storage
    • Slide 27: Command & Control: Botnet C2. What are we using?
      - Fabric: a Python library and command-line tool for streamlining the use of SSH for application deployment or systems administration tasks
      - fab check_hosts -P -z 20 (http://[REDACTED])
      - fab run_command (http://[REDACTED])
    • Slide 28: Litecoin Mining: All your processors are belong to us. Make money, money: deploying miners (http://[REDACTED]); one command for $$$
    • Slides 29 and 30: Litecoin Mining: All your processors are belong to us (title only; no further text in the transcript)
    • Demonstration: Deploying Miners
    • Demonstration: Distributed Denial of Service (DDoS)
    • Slide 33: Disaster Recovery Plan: Armadillo Up ™. Automatic Backups: propagate to other similar services (e.g. MongoLab, MongoHQ); infrastructure across multiple SaaS
    • Section: Protection: Bot Busters
    • Slides 35 and 36: Adaptation: Cloud Provider Registration (title only; no further text in the transcript)
    • Slide 37: THE INTERNET IS DANGEROUS
    • Slide 38: TIME TO CUT THROUGH THE BULLSHIT
    • Slide 39: Protection: At Abuse vs At Registration. What should we do?
      - Analyzing properties of Sybil accounts
      - Analyzing the arrival rate and distribution of accounts
      - Flag accounts registered with emails from newly registered domain names
      - Email verification
      - CAPTCHAs
      - IP Blacklisting
      - Phone/SMS verification
      - Automatic pattern recognition
      Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
    • Slide 40: Protection: At Abuse vs At Registration. Advanced techniques:
      - Signup flow events: detect common activities after signup
      - User-agent: a registration bot may generate a different user-agent for each signup or use uncommon user-agents
      - Form submission timing: a bot that doesn't mimic human behavior by performing certain actions too quickly can be detected
      Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
    • THANK YOU: CONTACT@BISHOPFOX.COM
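As a provider-side illustration of the two Protection slides above (an added example, not code from the Bishop Fox deck): a small scorer that checks each registration event against the "at registration" indicators those slides list (newly registered email domain, arrival rate per source, uncommon or rotating user-agents, too-fast form submission, scripted post-signup activity). The `Signup` fields, thresholds, the domain-age table and the sample records are constructed assumptions.

```python
# Added example (not the talk's code): scores registration events against the "at registration"
# indicators on slides 39-40. Field names, thresholds and the domain-age table are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DOMAIN_AGE_DAYS = {"gmail.com": 6000, "example-corp.com": 1500, "fresh-sub.example.net": 2}  # stand-in for WHOIS age
NEW_DOMAIN_DAYS, MIN_FORM_SECONDS = 30, 3.0           # slide 39 domain age / slide 40 timing thresholds (assumed)
BURST_WINDOW, BURST_COUNT = timedelta(minutes=10), 5  # slide 39 arrival-rate threshold per source IP (assumed)

@dataclass
class Signup:
    email: str
    ip: str
    user_agent: str
    form_rendered: datetime   # when the registration form was served
    form_submitted: datetime  # when it was posted back
    post_signup_events: list = field(default_factory=list)  # first actions after signup, e.g. ["add_ssh_key", "deploy"]

def score_signup(s: Signup, all_signups: list) -> list:
    """Return the indicators one signup triggers; an empty list means nothing looked automated."""
    reasons = []
    domain = s.email.rsplit("@", 1)[-1].lower()
    if DOMAIN_AGE_DAYS.get(domain, 0) < NEW_DOMAIN_DAYS:  # slide 39: email from a newly registered domain
        reasons.append("new_email_domain")
    if (s.form_submitted - s.form_rendered).total_seconds() < MIN_FORM_SECONDS:  # slide 40: form submitted too fast
        reasons.append("form_too_fast")
    if not s.user_agent.startswith("Mozilla/5.0"):  # slide 40: uncommon user-agent (crude browser allowlist)
        reasons.append("uncommon_user_agent")
    same_ip = [o for o in all_signups if o.ip == s.ip]
    if len({o.user_agent for o in same_ip}) > 1:  # slide 40: one source presenting a different UA per signup
        reasons.append("rotating_user_agent")
    if sum(abs(o.form_submitted - s.form_submitted) <= BURST_WINDOW for o in same_ip) >= BURST_COUNT:
        reasons.append("registration_burst")  # slide 39: arrival rate and distribution of accounts
    if s.post_signup_events[:2] == ["add_ssh_key", "deploy"]:  # slide 40: scripted activation right after signup
        reasons.append("scripted_activation")
    return reasons

T0 = datetime(2013, 9, 21, 10, 0, 0)
SAMPLE_SIGNUPS = [  # constructed data: one human registration, then five scripted ones from a single IP
    Signup("alice@example-corp.com", "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0",
           T0, T0 + timedelta(seconds=42), ["verify_email", "browse_docs"]),
] + [
    Signup(f"u{i}@fresh-sub.example.net", "203.0.113.9", f"python-requests/2.{i}",
           T0 + timedelta(minutes=i), T0 + timedelta(minutes=i, seconds=1), ["add_ssh_key", "deploy"])
    for i in range(5)
]

def triage(signups=SAMPLE_SIGNUPS) -> dict:
    """Map each email to its indicators; two or more is a sensible trigger for a challenge or manual review."""
    return {s.email: score_signup(s, signups) for s in signups}
```

Scoring this way keeps the cheap controls (email verification, CAPTCHA) for everyone and reserves the expensive ones (phone/SMS, manual review) for registrations that trip several indicators at once.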