Putting the tea back into cyber terrorism
Presentation by Charl van der Walt, Roelof Temmingh and Haroon Meer at BlackHat USA 2003.

This presentation is about targeted, effective, automated attacks that could be used in countrywide cyberterrorism. A worm that targets internal networks is discussed as an example of such an attack.

Published in: Technology
  1. Cyber terrorism/warfare
     A packet can’t fly a plane…
     Typical types of attack:
     – Denial of service
     – Breaching the perimeter
     Problems with these attacks:
     – Does not hurt enough
     – Not effective
  2. What we really need is…
     Attacks that are:
     – Targeted / closely focused (T)
     – Closely coordinated
     – Wide enough to cripple a country
     – Very effective (E)
     – Too fast for human intervention, i.e. automated (A)
  3. Part I: A very nasty worm…
     Internal networks are weak; perimeters are strong.
     Internal network:
     – Machines are never patched
     – Installed with unpatched software
     – New machines are added
     – Not segmented on the network layer
     A multi-exploit worm’s paradise.
  4. Part I: A very nasty worm…
     Let’s see:
     1. Microsoft IIS Unicode / 2x decode
     2. Microsoft IIS MSADC
     3. Microsoft IIS .printer extensions
     4. Microsoft IIS WebDAV
     5. Microsoft SQL with blank SA configured
     6. Blank local administrator passwords on Microsoft Windows hosts
     7. …slammer…
     8. Apache Chunked Encoding
     9. OpenSSL < 0.9.6
  5. Part I: A very nasty worm…
     Finding more food. Targeting on an internal network and on the Internet is very different.
     1. Find your current network/mask
     2. SNMP queries all around
     3. Traceroute to Internet
     4. Pingsweep one class C higher and lower
     5. …brute force…
  6. Part I: A very nasty worm…
     Denial of service on internal networks is fun:
     – Wire speed flooding
     – ICMP redirection
     – MAC/ARP table trickery
     – DHCP lease exhaustion
     – Hijacking of TCP connections
     Since we are here…:
     – DOC/XLS/ZIP/MDB file corruption
     – BIOS flashing
     – Pop-up messages
     – Disable all routers you can find – island-ification
  7. (Diagram: worm module overview. Modules shown: IP/MASK, TRACEROUTE, LOCAL EXE INFECTION, SNMP, BRUTE FORCE, FLOODS, TESTER, BIOS FLASH, ETC, POP-UPS, MAC/ARP POISON, COPY, REMOTE EXEC, DHCP EXHAUST, MESSAGE PROTOCOL.)
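The discovery steps on slide 5 (SNMP queries all around, pingsweep of the class C above and below the current one) leave a distinctive trace in internal flow records. The detector below is an added example, not code from the talk or its authors: it runs over constructed flow records (source, destination, protocol, destination port) and flags a host that pings most of an adjacent /24 or sprays SNMP queries across the local network, while leaving a management station that polls a couple of devices alone. Thresholds and the 10.1.x.x addressing are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not from the slides): (src, dst, proto, dport).
# 10.1.5.20 behaves like the worm: pings the /24 above and below its own
# network and queries udp/161 on its neighbours. 10.1.5.7 is a normal NMS.
FLOWS = (
    [("10.1.5.20", f"10.1.4.{i}", "icmp", 0) for i in range(1, 41)]
    + [("10.1.5.20", f"10.1.6.{i}", "icmp", 0) for i in range(1, 41)]
    + [("10.1.5.20", f"10.1.5.{i}", "udp", 161) for i in range(1, 31)]
    + [("10.1.5.7", "10.1.5.1", "udp", 161), ("10.1.5.7", "10.1.5.2", "udp", 161)]
)

PING_THRESHOLD = 32   # distinct hosts pinged inside one /24 (assumed)
SNMP_THRESHOLD = 16   # distinct hosts queried on udp/161 (assumed)


def sweep_report(flows, local_net="10.1.5.0/24"):
    """Return {src: [finding, ...]} for sources that pingsweep a /24 or
    spray SNMP queries; sources with no findings are absent."""
    local = ip_network(local_net)
    base = int(local.network_address)
    # the /24 directly above and below the local one ("one class C higher and lower")
    neighbours = {str(ip_network(f"{ip_address(base + d)}/24")) for d in (-256, 256)}

    ping_targets = defaultdict(lambda: defaultdict(set))  # src -> /24 -> dsts
    snmp_targets = defaultdict(set)                       # src -> dsts
    for src, dst, proto, dport in flows:
        net = str(ip_network(f"{dst}/24", strict=False))
        if proto == "icmp":
            ping_targets[src][net].add(dst)
        elif proto == "udp" and dport == 161:
            snmp_targets[src].add(dst)

    findings = defaultdict(list)
    for src, nets in ping_targets.items():
        for net, dsts in nets.items():
            if len(dsts) >= PING_THRESHOLD:
                kind = "adjacent /24" if net in neighbours else "/24"
                findings[src].append(f"pingsweep of {kind} {net}: {len(dsts)} hosts")
    for src, dsts in snmp_targets.items():
        if len(dsts) >= SNMP_THRESHOLD:
            findings[src].append(f"SNMP sweep: {len(dsts)} hosts queried on udp/161")
    return dict(findings)


if __name__ == "__main__":
    for src, items in sweep_report(FLOWS).items():
        print(src, *items, sep="\n  ")
```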
  8. Part II: Delivery
     Who needs 0day silent delivery when you can mail an EXE to someone:
     • Using the correct language
     • From marketing@companyXX.com
     • Subject: “New screensaver for companyXX – click here”
     • With HTTPS link to intranet.companyXX.com…and then some funny characters…☺
     • SSL neatly bypasses all content-level filters (even PowerPoint thinks it’s valid)
  9. Part II: Delivery
     Some stats:
     – Target group: IT security team – bank
     – 13 people in group
     – 8 downloaded the EXE
     – 5 executed it
     One guy executed it 3 times…
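The delivery recipe on slide 8 (a sender in the company’s own domain, an HTTPS link that appears to point at intranet.companyXX.com followed by “funny characters”, and a screensaver executable at the end of it) can be checked at the mail gateway before anyone clicks. The triage function below is an added example, not code from the talk; it assumes the “funny characters” are URL-authority tricks such as a decoy hostname in the userinfo part or percent-encoded characters before the real host, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed samples (not from the slides): (From address, link text in the mail).
SAMPLES = [
    ("marketing@companyXX.com", "https://intranet.companyXX.com/news/q3.html"),
    ("marketing@companyXX.com", "https://intranet.companyXX.com@203.0.113.9/screensaver.exe"),
    ("marketing@companyXX.com", "https://intranet.companyXX.com/fun/screensaver.scr"),
    ("marketing@companyXX.com", "https://intranet.companyxx.com%2F@198.51.100.7/x.exe"),
]

EXECUTABLE = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)
ENCODED = re.compile(r"%[0-9a-f]{2}", re.I)


def link_findings(sender, url):
    """Return the reasons a link in a mail from `sender` deserves a second look
    (empty list means the link is consistent with the claimed sender)."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname ignores any userinfo
    # "https://intranet.companyXX.com@203.0.113.9/..." : the visible name is
    # userinfo, the browser connects to what follows the '@'.
    if "@" in parts.netloc:
        findings.append(f"userinfo in URL, real host is {host}")
    if not (host == sender_domain or host.endswith("." + sender_domain)):
        findings.append(f"link host {host} is not under sender domain {sender_domain}")
    if ENCODED.search(parts.netloc) or any(ord(c) < 32 for c in url):
        findings.append("encoded or control characters in the authority part")
    if EXECUTABLE.search(parts.path):
        findings.append(f"link points at executable {parts.path.rsplit('/', 1)[-1]}")
    return findings


def triage(samples):
    """Map each sample link to its findings."""
    return {url: link_findings(sender, url) for sender, url in samples}


if __name__ == "__main__":
    for url, items in triage(SAMPLES).items():
        print(url, *(items or ["ok"]), sep="\n  ")
```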
  10. Part III: Targeted delivery
      How do you find someone on the Internet?
      • Google is your friend
      • +@companyXX.com -www.companyXX.com
      • Scrape it (TOC of Google)
      • Example…Hurriyet Newspaper in Turkey
        # perl emails.pl hurriyet.com.tr
        Received 83 Hits: [bavci@hurriyet.com.tr] [tturenc@hurriyet.com.tr] [ecolasan@hurriyet.com.tr] [yatakan@hurriyet.com.tr] [dhizlan@hurriyet.com.tr] [fsever@hurriyet.com.tr] [rcaglayangil@hurriyet.com.tr] </snip>
  11. Part III: Footprinting a country
      We can extract email addresses from companies – we need to find companies for each country in the following sectors:
      – Telecommunication
      – Energy providers (hydro, nuclear, fossil fuel, oil etc.)
      – Government departments / Military
      – Media providers
      – Financial services
      – Prominent businesses
      – Emergency services
      – Transport
  12. Part III: Footprinting a country
      Private sector/Public sector
      Private:
      • Problems with online directories (e.g. Google/DMOZ)
      • Solution is specialized directories
      • Some online (http://www.world-newspapers.com/), some better to extract (pros/cons)
      • Challenge – mapping company name to domain name
      • Method – page 9 of paper.
  13. Part III: Footprinting a country
      Private sector/Public sector
      Public – government and military
      Concept of sub TLD – e.g. gov.za
      Not the same for every country – e.g. France (gouv.fr)
      Interested in sub domains – maps to departments
      • We have a Google scraper
      • We scrape gov.za (for example)
      • Look at all the subdomains
      • These become targets
      Many military domains are contained in the gov sub TLD.
      Recursive scraping…finding *all* the sub domains
  14. Part IV: Putting it all together
      Years in the industry taught us well – you need a GUI…!
  15. We love Turkey
      Conclusion
      Focused cyber attacks are possible
      This method would most likely have negative impact
      How does it compare to real life attacks?
      Is this YABMT? (yet another bigger mouse trap)
      What are the chances of this happening?
      Should we worry?