BSI Lagebericht 2014

German BSI yearly report, strong emphasis on the failure of companies to fix basic security problems



  1. BSI Lagebericht 2014. Wolfgang Kandek, Qualys, Inc., 28 January 2015
  4. BSI Lagebericht 2014
     • Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security)
     • Bundesministerium des Inneren (Federal Ministry of the Interior), Minister de Maizière
     • Editions: 2014, 2013 (short), 2011, 2009, 2007; the next one is due early 2015
     • "Die Lage der IT-Sicherheit in Deutschland 2014" (The State of IT Security in Germany 2014)
     • Current threat situation: critical
     • Number of severe vulnerabilities too high
     • Attack tools are constantly being improved
     • Targets of attacks: industry, critical infrastructure, government agencies, research, but also private citizens
  5. Incidents 2014: federal administration statistics
     • 60,000 infected e-mails per month
     • 15-20 new malware samples per day that are unknown to AV
     • 1 intelligence-service attack per day
     • 3,500 accesses to malware servers per day
     • 1 DoS attack per month
     • 0 mobile attacks
  6. Incidents 2014: industry
     • Attack on a steel mill damages a blast furnace
     • Energy operator in Germany causes problems in Austria
     • Dragonfly group attacks several dozen industrial plants and exfiltrates data
     • Windigo campaign infects 30,000 Linux machines in Germany
     • Bankruptcy in the UK
     • High-frequency trading in the US
  14. Attack categories
     • Spam: under control
     • Malware: defensive tools of doubtful effectiveness
     • Drive-by and exploit kits: typically use known vulnerabilities and can be covered by patching
     • Botnets: over 1 million machines in Germany
     • Social engineering: user training helps
     • Identity management: username/password is problematic
     • DoS: not particularly widespread in Germany
     • APT: targeted at certain sectors (defence, high technology, automotive, shipbuilding, aerospace); no solution yet
  15. Highly relevant vulnerabilities. "Main problem: outdated patch levels of OS and applications"
     • Microsoft Internet Explorer, Office and Windows
     • Adobe Flash and Reader
     • Oracle Java
     • Mozilla Firefox and Thunderbird
     • Apple OS X, QuickTime and Safari
     • Google Chrome
     • Linux kernel
     • CERT-Bund Schwachstellenampel (vulnerability traffic light)
  19. Example: Angler exploit kit
     • Most recently used against the ISC (BIND9) website, 22 December
     • The ISC website runs on WordPress; a WP backdoor was installed
     • Attack vector unknown, probably via a WP plugin
     • Angler exploit kit installed
     • Adobe Flash: CVE-2014-8440/8439/0515/0497 + CVE-2013-2551
     • Internet Explorer: CVE-2014-1776/0322 + CVE-2013-2551
     • Silverlight: CVE-2013-3896/0074
     • Patch level that closes these holes
       • Adobe Flash: November 2014
       • Internet Explorer: MS14-021, 1 May 2014 (0-day)
       • Silverlight: MS13-087, October 2013
  28. Example: Angler exploit kit, update
     • January 2015: Angler carries exploits for 2 zero-days
     • 0-day: a known vulnerability for which no patch exists
     • Found by security researcher Kafeine (@kafeine)
     • CVE-2015-0310: APSB15-02, 22 January
     • CVE-2015-0311: APSB15-03, around 24 January
     • Flash under Google Chrome not attacked
     • EMET prevents the attack
     • Enhanced Mitigation Experience Toolkit: a straitjacket for Windows
     • Attack campaigns have already begun
  30. Conclusion
     • The threat level is high
     • Government
       • Is currently organising itself
       • International aspects make things harder
       • No active help is to be expected in the next 10 years
     • Companies must protect themselves
       • Follow BSI (and other) guidance
       • Learn from past attacks
         • JP Morgan: attackers used a username/password against a server
         • CHS: 'Heartbleed' vulnerability in the VPN server
         • Sony: a worm spread via SMB using known passwords
  35. Priorities
     1. Improve identity management
        • Deploy 2FA
     2. Improve patch status: Microsoft, Adobe, Oracle
        • Focus on vulnerabilities for which an exploit is available
     3. Configure robustly
        • Uninstall software wherever possible
        • Run the latest versions
        • Actively look for sandboxing: Google Chrome browser, Office 2013, Adobe Reader XI
        • EMET or similar
     4. Detect anomalies
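The Angler slides and priority 2 ("focus on exploit available") describe a triage rule without showing it applied. The following is an added example, not code from the deck or from Qualys: it takes the CVEs, patch levels and mitigations the deck names for Angler (the January 2015 Flash fixes are Adobe bulletins APSB15-02 and APSB15-03), runs a constructed host inventory against them, and ranks hosts by exposed zero-days and exposed kit exploits. Software that is not installed contributes no exposure, which is the deck's "uninstall where possible" point; EMET and Chrome's bundled Flash count as mitigations for the two 2015 zero-days, as the deck states. All host names and patch-level labels are hypothetical.

```python
"""Patch-exposure triage for the "focus on exploit available" rule.

Added example, not code from the deck or from Qualys. VULNS carries the CVEs
the deck attributes to Angler; HOSTS is a constructed inventory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    closed_at: str                 # patch level at which the hole is closed
    in_kit: bool                   # a working exploit ships in an exploit kit
    zero_day: bool = False         # exploited in the wild before a patch existed
    mitigated_by: frozenset = frozenset()   # host-side controls the deck says block it


# Patch levels per product, oldest first (labels are hypothetical). IE, Flash
# and Silverlight updates are cumulative: a host at one level has all earlier ones.
LEVEL_ORDER = {
    "flash": ["flash-2014-11", "APSB15-02", "APSB15-03"],
    "ie": ["MS14-021"],
    "silverlight": ["MS13-087"],
}

# Exploits carried by Angler according to the deck, with the closing patch level.
VULNS = [
    Vuln("CVE-2014-8440", "flash", "flash-2014-11", True),
    Vuln("CVE-2014-8439", "flash", "flash-2014-11", True),
    Vuln("CVE-2014-0515", "flash", "flash-2014-11", True),
    Vuln("CVE-2014-0497", "flash", "flash-2014-11", True),
    Vuln("CVE-2014-1776", "ie", "MS14-021", True, zero_day=True),
    Vuln("CVE-2014-0322", "ie", "MS14-021", True),
    Vuln("CVE-2013-2551", "ie", "MS14-021", True),
    Vuln("CVE-2013-3896", "silverlight", "MS13-087", True),
    Vuln("CVE-2013-0074", "silverlight", "MS13-087", True),
    # January 2015 zero-days: EMET and Chrome's bundled Flash blocked the attack.
    Vuln("CVE-2015-0310", "flash", "APSB15-02", True, zero_day=True,
         mitigated_by=frozenset({"emet", "chrome_flash"})),
    Vuln("CVE-2015-0311", "flash", "APSB15-03", True, zero_day=True,
         mitigated_by=frozenset({"emet", "chrome_flash"})),
]


@dataclass
class Host:
    name: str
    levels: dict                   # product -> installed level; None = older than any listed
    mitigations: frozenset = frozenset()


# Constructed inventory (hypothetical hosts, not from the deck).
HOSTS = [
    Host("ws-finance-01", {"flash": None, "ie": None, "silverlight": None}),
    Host("ws-dev-07", {"flash": "flash-2014-11", "ie": "MS14-021"}, frozenset({"emet"})),
    Host("ws-sales-12", {"flash": "APSB15-02", "ie": "MS14-021", "silverlight": "MS13-087"},
         frozenset({"chrome_flash"})),
    Host("ws-hr-03", {"flash": "APSB15-03", "ie": "MS14-021"}),
]


def level_covers(product, installed, required):
    """True if the installed patch level is at or past the one that closes the hole."""
    if installed is None:
        return False
    order = LEVEL_ORDER[product]
    if installed not in order:
        raise ValueError(f"unknown {product} level {installed!r}")
    return order.index(installed) >= order.index(required)


def triage(host, vulns=VULNS):
    """Split the vulnerability list for one host into (exposed, mitigated, patched).

    Products not installed on the host are skipped. 'mitigated' means unpatched
    but blocked by a host-side control (EMET, Chrome-bundled Flash)."""
    exposed, mitigated, patched = [], [], []
    for v in vulns:
        if v.product not in host.levels:
            continue
        if level_covers(v.product, host.levels[v.product], v.closed_at):
            patched.append(v.cve)
        elif v.mitigated_by & host.mitigations:
            mitigated.append(v.cve)
        else:
            exposed.append(v.cve)
    return exposed, mitigated, patched


def prioritise(hosts, vulns=VULNS):
    """Rank hosts for patching: exposed zero-days first, then exposed kit exploits.

    Returns (name, exposed_zero_days, exposed_kit_exploits, mitigated_count) rows."""
    by_cve = {v.cve: v for v in vulns}
    rows = []
    for h in hosts:
        exposed, mitigated, _ = triage(h, vulns)
        zero = sum(1 for c in exposed if by_cve[c].zero_day)
        kit = sum(1 for c in exposed if by_cve[c].in_kit)
        rows.append((h.name, zero, kit, len(mitigated)))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for name, zero, kit, mit in prioritise(HOSTS):
        print(f"{name:14s} zero-days exposed={zero} kit exploits exposed={kit} mitigated={mit}")
```

The unpatched host with all three products installed lands at the top with three exposed zero-days; the host that never installed Silverlight and runs EMET has nothing exposed, only two mitigated holes, which still need the Adobe patches but can wait behind the exposed machines.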
  36. Resources
     • BSI: https://www.bsi.bund.de/DE/Publikationen/Lageberichte/lageberichte_node.html
     • CERT-Bund: https://www.cert-bund.de/schwachstellenampel
     • Microsoft: https://technet.microsoft.com/library/security
     • Adobe: http://blogs.adobe.com/psirt
     • Apple: http://support.apple.com/en-us/HT1222
     • Oracle Java: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
     • Microsoft EMET: https://technet.microsoft.com/en-us/security/jj653751
  37. Thank you. Wolfgang Kandek, wkandek@qualys.com, @wkandek, http://laws.qualys.com
