Attacks released at the biggest hacker conference this year


Published on 2013-09-09

Published in: Education, Technology
  • Infection rates. 650k subscribers over 2 days; 1/1000 devices. 47% were running iOS, 29% iOS 6; the rest were Android. Infection rate is higher than market penetration. 49% infected with spy2mobile. Adversary motivation is high: access to all assets, sensors; visibility that the device is affected vs. on a computer. Longer infection.
  • Need verbal description of attack. It is the client telling the server that it can only accept 0 more bytes and you need to wait until I can receive more. So basically, “my buffer is full, hang on…” The server will wait, and wait for a really long time. RAM is consumed and not released. They claim you can kill a server permanently.
  • Note that the memory stays pegged even after the attack stops.
  • Prince, CloudFlare – the group that fought to stop the DDoS. “Evil-DoS-Attacks-and-Strong-Defenses”
  • You’d think four straight days of New York Times coverage would get people cleaning up this problem, but I’m happy to report…
  • The biggest and baddest routers Checkpoint and the other networking equipment companies sell only have 30 100-GB-a-second ports. Fact check. Make all the open resolvers attack each other: they created this self-destruct, 50 lines of C code which was released at Defcon.
  • You could take a person or group of people and track them throughout the city, lumping together groups of different devices that you learned over the course of your surveillance belong to one given person. In a worst-case scenario, as imagined by the creator, a miscreant could plug in one of the devices under any Starbucks near a capital building to pick up the scent of a state senator and wait for them to do something compromising. "You find somebody with power and exploit them," said O'Connor.
  • Image from Dr. Horrible's Sing-Along Blog, by Joss Whedon
  • {Stress this point} The real power of standards and certifications is that they allow us to communicate. They give us a common vocabulary and common understanding across a wide variety of areas, allowing the information security professional, IT professional, cloud provider and business to talk to each other and align on goals: to enable the business to get what it needs and agree on how to get there. When we can talk to one another and mean the same thing, we remove the storm of confusion, dis-information, doubt and, yes, fear. We can start with the premise that a solution is available and work together to find it. Notes: Photo Credit [Accessed: June 10, 2013] - URL
  • Three-level program which is based on ISO/IEC 27002. Developed in cooperation with international experts in their specific field.
  • Attacks released at the biggest hacker conference this year

    1. Interesting (at least to me) selections from BlackHat & Defcon 2013
    2. BU Information Security. Presenter: Quinn R. Shamblin, Executive Director & Information Security Officer, Boston University. CISM, CISSP, ITIL (previously PMP, GIAC Certified Forensic Analyst). 617-358-6310
    3. Agenda
       • The Washington view of cyber threats & the role of government in the incident response
       • MDM solutions under attack
       • Spy Phones
       • Sockstress DDoS
       • The SpamHaus DDoS was easy (one person)
       • Creepy DOL
    4. The Washington view of cyber threats & the role of government in the incident response
    5. What is the level of the cyber threat?
       • Ambassador Joseph DeTrani [8/2/2013 Defcon], President of the Intelligence and National Security Alliance (INSA). Prior: Senior Advisor to the Director of National Intelligence; Director of the National Counter Proliferation Center; National Intelligence Manager for Counter Proliferation; North Korea Mission Manager for the ODNI; CIA
       • The cyber threat is just as grave as other weapons of mass destruction, including…
    6. [image-only slide]
    7. Similar level, but different character
       • If you take out an entire sector, you could cripple an entire country
       • Unlike the nuclear threat, MAD is not a factor. With nuclear one would be “mad” to use a nuclear attack (Mutually Assured Destruction). This is not necessarily true with cyber because of the problem of attribution, which may make a cyber attack more attractive to an aggressor
       • Ambassador DeTrani urges we look at this just as we did nuclear, chemical and biological weapons after WWII. Treaties are needed
    8. MDM solutions under attack
    9. Mobile Device Management solutions
       • Talk: Practical attacks against mobile device management solutions [Brodie]
       • Features: set security policies on systems; create a “secure container” in which to run business applications: encrypt business data, encrypt communications, detect jailbreak/rooting of devices
    10. Mythbusting
       • A secure container is only as secure as the underlying OS, just as with regular computers
       • There’s a huge, highly incentivized community working every day to break into mobile phones
       • Jailbreak detection mechanisms are limited. There are no techniques to detect privilege escalation
       • “Current [secure container] solutions are useless"
    11. Active attack
       • The authors of this talk released concepts and proof of concept code to root and own phones with MDM secure containers. Both Android and iPhone
       • Their attack waits until the user reads the supposedly secured message. When it is decrypted into the UI so that the user can read it, their code just goes and picks it up…
       • This was tried using the five most popular sandbox technologies
    12. [image-only slide]
    13. What is MDM still good for?
       • Management
       • Compliance enforcement (preventing user actions)
       • DLP
       • Physical loss
       • Portal (VM, Citrix)
       • Not protecting your data from malware
    14. Spy Phones V 2.0
    15. Your phone, spying on you
       • All phone content may be exposed: location, audio, video, texts, email, phone conversation recordings, photos
       • Android attack, but could easily be ported
    16. Attack vector
       • Injection into popular apps; getting around the app stores
       • Pay attention: IM/text links, email links, rogue femtocells (MITM mobile phones; intercept anything sent over the network)
       • Mitigation: don’t jailbreak
    17. Sockstress DDoS: Killing boxes dead
    18. Attack: Sockstress
       • Establish a handshake
       • Set window size to 0
       • Send that back as your ACK
    19. Application
       • This is a layer 4 attack. It will work over the internet
       • From inside a network, can simulate a botnet worth of addresses with a single box: use an ARP poisoning script to tell anyone who asks that any IP address is me. Attacks then come from 126 IP addresses to a dozen or so ports (Slackware)
       • Almost everything with a TCP/IP stack is vulnerable to this at the moment
    20. Sockstress Impact [image-only slide]
    21. Mitigation
       • Now: set firewalls to block packets with small window sizes
       • Long term: vendors need to supply an OS patch to reclaim RAM
       • This attack was created five years ago but has not been used popularly since, because the person that created it died before he could spread the word…
       • With the power and effectiveness of the SpamHaus DDoS, it will be way more popular soon
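As an added illustration (not code from the talk or from this deck), the following Python sketches the detection side of the mitigation above: it scans TCP packet records for clients that complete the handshake and then keep every ACK at window 0 for a long time, and reports sources holding several such connections. The record layout, timings and addresses are constructed for the example.

```python
from collections import defaultdict

def connection_packets(packets):
    """Group (t, src, sport, dst, dport, flags, win) records by 4-tuple."""
    conns = defaultdict(list)
    for t, src, sport, dst, dport, flags, win in packets:
        conns[(src, sport, dst, dport)].append((t, flags, win))
    return conns

def zero_window_holders(packets, hold_secs=30.0, min_conns=3):
    """Return {src: held_connections} for sources that keep at least
    min_conns connections parked at window 0 for hold_secs or longer.
    A short zero-window stall that recovers (window grows again) is normal
    flow control and is not counted."""
    held = defaultdict(int)
    for (src, _sport, _dst, _dport), pkts in connection_packets(packets).items():
        acks = sorted((t, win) for t, flags, win in pkts if "A" in flags)
        zero = [t for t, win in acks if win == 0]
        if len(zero) >= 2 and acks[-1][1] == 0 and zero[-1] - zero[0] >= hold_secs:
            held[src] += 1
    return {src: n for src, n in held.items() if n >= min_conns}

def _conn(src, sport, t0, wins, dst="203.0.113.5", dport=80):
    """Constructed connection: SYN, then one ACK every 30 s advertising `wins`."""
    pkts = [(t0, src, sport, dst, dport, "S", 65535)]
    pkts += [(t0 + 0.1 + 30 * i, src, sport, dst, dport, "A", w) for i, w in enumerate(wins)]
    return pkts

# Constructed sample capture (documentation addresses): two normal clients, one of
# which briefly stalls and recovers, and one source holding three connections at window 0.
SAMPLE = (
    _conn("198.51.100.10", 40001, 0.0, [65535, 8192, 65535])
    + _conn("198.51.100.11", 40002, 1.0, [0, 8192])
    + _conn("192.0.2.7", 50001, 2.0, [0, 0, 0])
    + _conn("192.0.2.7", 50002, 2.5, [0, 0, 0])
    + _conn("192.0.2.7", 50003, 3.0, [0, 0, 0])
)

if __name__ == "__main__":
    print(zero_window_holders(SAMPLE))  # {'192.0.2.7': 3}
```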
    22. The SpamHaus DDoS was easy
    23. “Breaking the Internet”
       • Talk: Evil DOS Attacks and Strong Defenses [Scott Bowne and Matthew Prince]
       • The SpamHaus attack pushed 300 GB of sustained traffic a second
       • It did not actually “break the Internet”, but it did break DDoS records… and could easily have been much worse
       • It was executed by one person using one laptop and five servers, that’s it.
    24. Ingredients
       • You don’t need… a botnet; to coordinate large groups of anonymous people; a ton of technical skill
       • You need… a list of open DNS resolvers; a few servers on networks that allow for IP address spoofing (and you don’t need many…)
    25. Open DNS resolvers
       • Not “OpenDNS” the company
       • Misconfigured DNS resolvers: pretty much every Android phone with wifi share points turned on…; home wifi points with Bind misconfigured
       • DNS servers that respond to anyone and resolve anything that is sent to them
    26. One command
       • DNS query (nslookup)
       • -set all (query to return all the resources available)
       • -t ANY (any DNS record there)
       • -edns=0 (give me all of the contents: dnssec, etc…)
       • -notcp (send everything over UDP)
       • -buffer=4096 (the largest you can set for a UDP packet)
       • Amplification: 64 byte query, 3363 byte response, 50x amplification factor
    27. Amplifying the amplification
       • To attack others you need one more thing: a network that allows source IP address spoofing
       • Good routers drop packets “originating” from networks that are not their own [BCP38]. Such packets are damaged or spoofed.
       • UDP has no handshake; the source can be easily spoofed in the nslookup command
       • Like the old Smurf attack (ICMP)
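The resolver-side check for slides 25 to 27, as an added example that is not from the talk or this deck: given query-log lines in a BIND 9 style (the field layout is assumed and the lines are constructed), it reports which clients outside your own networks were granted recursion, which by itself means the resolver is open, and which of them repeat ANY queries, the trace a resolver keeps when it is answering large responses toward a spoofed address.

```python
import ipaddress
import re

# Constructed lines in a BIND 9 query-log style (assumed layout):
#   <date> <time> client <ip>#<port>: query: <name> IN <type> <flags> (<server ip>)
# "+" in flags means recursion desired, "E" means EDNS. The resolver is 10.0.0.53.
SAMPLE_LOG = """\
11-Aug-2013 12:00:01.001 client 10.1.2.3#53211: query: www.example.com IN A + (10.0.0.53)
11-Aug-2013 12:00:01.150 client 203.0.113.9#1337: query: example.com IN ANY +E (10.0.0.53)
11-Aug-2013 12:00:01.151 client 203.0.113.9#1337: query: example.com IN ANY +E (10.0.0.53)
11-Aug-2013 12:00:01.152 client 203.0.113.9#1337: query: example.com IN ANY +E (10.0.0.53)
11-Aug-2013 12:00:02.000 client 198.51.100.4#40000: query: example.net IN MX + (10.0.0.53)
11-Aug-2013 12:00:02.400 client 203.0.113.9#1337: query: example.com IN ANY +E (10.0.0.53)
""".splitlines()

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)
# Networks this resolver is supposed to serve (constructed).
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

def parse_query(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["recursion"] = q["flags"].startswith("+")
    return q

def _outside(q, trusted):
    """True when the client address is outside every trusted network."""
    return not any(ipaddress.ip_address(q["ip"]) in net for net in trusted)

def outside_clients_served(lines, trusted=TRUSTED):
    """Addresses outside `trusted` that asked for and got recursion: any hit
    means the resolver is open to the world."""
    return {q["ip"] for q in map(parse_query, lines)
            if q and q["recursion"] and _outside(q, trusted)}

def reflection_suspects(lines, trusted=TRUSTED, min_any=3):
    """Count recursive ANY queries from outside clients; a client that repeats
    them is most likely a spoofed victim address being reflected at. Returns {ip: n}."""
    counts = {}
    for q in map(parse_query, lines):
        if q and q["recursion"] and q["qtype"] == "ANY" and _outside(q, trusted):
            counts[q["ip"]] = counts.get(q["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_any}
```

A properly restricted resolver (recursion only for its own networks) leaves both sets empty, so the same script doubles as the “check yourself” audit from slide 32.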
    28. A normal DDoS attack [image-only slide]
    29. The SpamHaus DDoS attack [image-only slide]
    30. The SpamHaus attack: “The DDoS that almost broke the Internet”
       • 309 Gbps for 28 minutes
       • 30,956 open DNS resolvers
       • 3 networks that allowed spoofing
       • 5-7 compromised servers
       • Sent 9 Gbps of requests to 0.1% of the open resolvers = 300 Gbps attack
       • All done by 1 guy with 1 laptop
    31. This guy (Not really. This was a friend of his. The one that talked on the record to the NY Times…)
    32. Solving the problem
       • Can’t solve the problem from an open resolver standpoint: anyone can install Bind (likely misconfigured)
       • 2013-03-24: 22761875; 2013-08-11: 28348485
       • Check yourself @
       • Well, you can’t solve it legally…
    33. Imagine the possibilities
       • Sent 9 Gbps of requests to 0.1% of the open resolvers = 300 Gbps attack
       • 0.2%: 600 Gbps
       • 1%: 3 Tbps
       • 8%: 12 Tbps
       • The entire U.S. Internet backbone is 24 TB
       • The core choke point routers of the Internet are directly addressable
    34. Solution from the other direction: BCP38
       • “Best current practice” guidance released 13 years ago (2000) by the IETF (Internet Engineering Task Force)
       • Block spoofed queries: every router (the devices that connect the internet) understands which addresses should be coming from which direction. If a packet arrives from inside the network but the packet claims that it is coming from an IP address outside the network, that packet should be dropped.
       • Easy. And yet… almost 25% of networks are not set up according to BCP38
       • We need vendors to enforce BCP38 or at minimum make this the default and force people to turn it off if they really need to… (!?)
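The ingress rule in the BCP38 bullet, written out as an added example (not from the slides or the talk): an edge router knows which prefixes sit behind each customer-facing interface, forwards packets whose source belongs there, and drops the rest as spoofed or damaged. The interface table and the packet records are constructed from the documentation address ranges.

```python
import ipaddress

# Constructed edge-router table: the prefixes that legitimately sit behind each
# customer-facing interface. Interfaces not listed (e.g. upstream transit) are
# not ingress-filtered here, since BCP38 filtering belongs at the edge.
INTERFACES = {
    "cust0": ["192.0.2.0/24", "198.51.100.0/24"],
    "cust1": ["203.0.113.0/24"],
}

def compile_table(table):
    """Turn prefix strings into ip_network objects once, per interface."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}

def bcp38_verdict(iface, src, nets):
    """A packet entering on a customer interface must carry a source address
    from that interface's prefixes; anything else is dropped."""
    if iface not in nets:
        return "forward"
    ip = ipaddress.ip_address(src)
    return "forward" if any(ip in net for net in nets[iface]) else "drop"

def ingress_report(packets, table=INTERFACES):
    """Apply the check to (iface, src, dst) records and return
    (verdicts, drops_per_interface) so the spoofing edge can be identified."""
    nets = compile_table(table)
    verdicts, drops = [], {}
    for iface, src, dst in packets:
        v = bcp38_verdict(iface, src, nets)
        verdicts.append((iface, src, dst, v))
        if v == "drop":
            drops[iface] = drops.get(iface, 0) + 1
    return verdicts, drops

# Constructed traffic: normal customer packets plus packets whose source address
# was forged to someone else's, which is what ingress filtering is meant to catch.
SAMPLE = [
    ("cust0", "192.0.2.10", "198.51.100.200"),  # legitimate
    ("cust1", "203.0.113.77", "192.0.2.10"),     # legitimate
    ("cust0", "203.0.113.77", "192.0.2.53"),     # forged: cust1's address arriving on cust0
    ("cust0", "100.64.0.1", "192.0.2.53"),       # forged: not one of ours at all
    ("cust0", "100.64.0.1", "192.0.2.53"),
    ("upstream0", "100.64.0.1", "192.0.2.10"),   # transit side: not filtered here
]

if __name__ == "__main__":
    print(ingress_report(SAMPLE)[1])  # {'cust0': 3}
```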
    35. Creepy DOL
    36. [image-only slide]
    37. CreepyDOL: Cheap Distributed Stalking
       • Talk: Stalking a City for Fun and Frivolity [Brendan O'Connor –]
       • How much data can be extracted through passive monitoring of wireless signals
       • Legal (technically)
       • Large-scale sensor network without centralized communication
       • Cheap
    38. Cheap
       • For less than $60.00 you can build a sensor that can be used to track people’s movements throughout your city
       • Raspberry Pi, model A: $8.25
       • Case: $4.61
       • USB hub: $5.00 99 cents
       • Wifi: (2x) $6.52
       • SD card: $6.99
       • USB Power: $1.45
       • Total: $57.08 per node
    39. Open Source
       • Radical: leaderless command and control (“Contagion network”)
       • Tor + client side SSL + CouchDB + Nginx
       • Grenade-style encryption – pull pin
       • Visualization: Unity game engine. Runs on an iPad or Xbox360
    40. Results (I unfortunately have no real screenshots of his real product) [image-only slide]
    41. Other Cool Stuff
    42. Too many topics to go in to…
       • Pwning the Pwnplug
       • Hacking a Prius
       • Hacking driverless vehicles
       • A charger to hack your iPhone
       • TONS of talks on mobile phone hacking
       • Owning Networked Home Security Systems: unlocking your house; spying on you through your own cameras
       • SmartTV = SurveillanceTV
       • MITM IPv6
       • Hacking Implantable Medical Devices
       • A file designed to own forensic software
    43. The Status Is Not Quo
    44. So what do we do about all this?
       • Have staff dedicated to information security
       • Train them: technology, security and business needs
       • Give them the tools and opportunities to keep up to date
       • Listen to them
    45. The People Factor
       • The needs of the world are shifting
       • We must answer the demands of many areas
       • Certifications in all these areas are available from EXIN
    46. Security-focused training from EXIN
       • Certifications cover core competencies and intersections
       • Based on international standards
       • Developed by international experts
       • Demonstrate command of the base of knowledge, and practical skills and application
    47. Quinn Shamblin, Boston University, +1 617 358-6310. Milena Andrade, EXIN Brasil, +55 11 3032-4111