Posted 26-Dec-2015

Anatomy of Ownage: The painful lessons learned by others

Matt Linton

IT Security Specialist

NASA Ames Research Center

Anatomy of Ownage—2—

Overview

- Schadenfreude
- Optimism Bias
- HBGary vs Anonymous
- Sony, Inc. vs The Internet
- ??????? vs RSA Security
- ??????? vs Iran Nuclear Enrichment Program


Schadenfreude

Schadenfreude is

“Pleasure derived from the misfortunes of others”

i.e.

“Wow, I'm glad I'm not those guys right now.”


Schadenfreude

Just to be clear,

We're not happy they got hacked.

We are happy we're not them.

But ditch your optimism bias for a moment, because

It can happen to us too.


OPTIMISM BIAS

“The demonstrated, systematic tendency for people to be overly optimistic about the outcome of planned actions.”

Symptoms include:

- Over-estimating the likelihood of positive events
- Under-estimating the likelihood of negative events
- Illusion of control
- Illusion of superiority

OPTIMISM BIAS

(image slide)

Ding, ding! Round 1.....

HBGary vs Anonymous


HBGary vs Anonymous

SETTING THE STAGE:

HBGary Federal needs positive press to grow, and decides to capitalize on the controversy surrounding Anonymous's defense of WikiLeaks.

CEO Aaron Barr goes to the press taunting Anonymous, claiming to have identified its members and threatening to expose them to law enforcement.

Internally, his staff warn him that this is a bad idea and that his data is wrong, but he persists.


HBGary vs Anonymous

The Damage:

- Company servers penetrated

- Internal company emails (including potential evidence of criminal activity by the company) leaked to the public

- All of Barr's emails leaked to the public

- Barr's iPad remotely wiped

- Company data erased

- Company backups erased too

- General humiliation of the company


HBGary vs Anonymous

The vector:

- Attackers compromise the company's public-facing CMS via SQL injection (injectable web application)

- Attackers use rainbow tables to crack the unsalted MD5 password hashes pulled from the CMS database (bad password storage)

- Attackers use those passwords to SSH into a company bastion host (single-factor auth, password re-use)

- Attackers use an unpatched local privilege-escalation exploit to become root (unpatched system)

(see next slide)


HBGary vs Anonymous

- Attackers use the CEO's and COO's passwords to gain entry to their Google Apps mail (SaaS) accounts (password re-use, simple passwords)

- Using Barr's Google Apps administrator rights, attackers reset the Gmail password of Greg Hoglund, CEO of parent company HBGary and owner of rootkit.com

- Using Hoglund's email account, attackers socially engineer a support tech into resetting and disclosing the root password on rootkit.com (poor general practice)


HBGary vs Anonymous

HOW NOT TO GET OWNED LIKE THIS:

- Follow OWASP guidance to check for and prevent SQL injection (parameterized queries, never string concatenation)

- Salt your hashes! Hash without salt is just potatoes. (And use a slow, purpose-built password hash, not bare MD5.)

- Run social engineering / phishing awareness training

- Hold leadership to the same best-practice standards as everyone else

- Do NOT re-use passwords across systems, and put more than a single password in front of anything internet-facing


Ding, ding! Round 2.....

Sony, Inc. VS The Internet


Sony, Inc. VS The Internet

SETTING THE STAGE:

Sony locks Linux hackers out of the PS3 via a firmware update, angering the geeks who bought a PS3 to install Linux.

George Hotz (geohot) finds a way around the firmware update and publishes it to the community.

Sony sues Hotz.

PS3 hackers and Anonymous issue a call to action in defense of Hotz.


Sony, Inc. VS The Internet

The Damage:

- 20 hacks in 5 weeks, by 5+ different groups, in 4+ countries

- PlayStation Network (now required for online play) shut down for weeks, angering all legitimate customers

- Estimated losses of more than $300 million to Sony for the PSN outage plus incident response costs


Sony, Inc. VS The Internet

The Damage:

- 77 million PlayStation Network customer accounts compromised, including whatever credit card data was on file

- 24 million Sony Online Entertainment customers' personal information lost

- 11 thousand customers' bank account (direct debit) records lost

- millions of customers' email addresses and passwords lost

- And the stock price for the company?

(image slide: stock price chart)

Sony, Inc. VS The Internet

Common vectors and mistakes:

(see: http://attrition.org/security/rants/sony_aka_sownage.html)

- SQL injection, leading to compromise of....

- Passwords stored in plaintext

- User information stored in accessible databases, unencrypted

- Sony ignored reports of vulnerabilities posted on several disclosure lists

- Reportedly no firewalls, and outdated Apache versions, on several of their developer networks
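Both the HBGary and Sony chains above start with the same two web-application mistakes: a query built from untrusted input (SQL injection) and password storage that a precomputed table can reverse (unsalted MD5 at HBGary, plaintext at Sony). The following Python is an added example for this page, not code from the talk or from either company; the CMS table, accounts, passwords and wordlist in it are constructed for the demo. It runs the classic tautology payload against an injectable lookup and a parameterized one, cracks the dumped unsalted hashes with a precomputed table (the idea a rainbow table optimizes), and then shows that per-user salted PBKDF2 hashes cannot be looked up that way.

```python
"""Added example: SQL injection vs. parameterized query, and unsalted MD5 vs.
salted PBKDF2.  Every account, password and wordlist entry is constructed."""
import hashlib
import hmac
import os
import sqlite3

WORDLIST = ["summer08", "password1", "letmein", "qwerty", "hbgary1"]  # constructed


def make_cms_db():
    """In-memory stand-in for a CMS user table that stores unsalted MD5 hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_md5 TEXT, is_admin INTEGER)")
    rows = [  # constructed accounts and passwords
        ("ceo", hashlib.md5(b"summer08").hexdigest(), 1),
        ("coo", hashlib.md5(b"password1").hexdigest(), 1),
        ("editor", hashlib.md5(b"c0rrect-h0rse-b4ttery").hexdigest(), 0),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


def find_user_vulnerable(conn, username):
    """The injectable pattern: user input pasted straight into the SQL text."""
    sql = f"SELECT username, pw_md5 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the driver binds the value, so it is data, never SQL."""
    sql = "SELECT username, pw_md5 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def build_lookup_table(wordlist):
    """md5(word) -> word for every candidate.  A rainbow table is a space-optimized
    form of this; with no salt, one table cracks every site using the algorithm."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(hashes, table):
    """Recover every dumped hash that appears in the precomputed table."""
    return {h: table[h] for h in hashes if h in table}


def hash_password(password, salt=None, iterations=600_000):
    """Per-user random salt plus a slow KDF: same password, different salt,
    different hash, so a precomputed table is useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    conn = make_cms_db()
    payload = "' OR '1'='1"                       # tautology: WHERE ... = '' OR '1'='1'
    dumped = find_user_vulnerable(conn, payload)  # every row comes back
    blocked = find_user_safe(conn, payload)       # no such username: nothing
    cracked = crack_unsalted([h for _, h in dumped], build_lookup_table(WORDLIST))
    stored_a = hash_password("password1")
    stored_b = hash_password("password1")
    return {
        "rows_dumped": len(dumped),
        "rows_with_parameters": len(blocked),
        "cracked": sorted(cracked.values()),          # editor's passphrase survives
        "salted_hashes_differ": stored_a != stored_b,
        "salted_verifies": verify_password("password1", stored_a)
                           and verify_password("password1", stored_b),
        "wrong_password_rejected": not verify_password("password2", stored_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the second half is not that MD5 is "broken" in the collision sense; it is that an unsalted fast hash lets the attacker do the work once, offline, for every site at the same time. A per-user salt forces one table per user, and the iteration count makes each table expensive to build.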


Ding, ding! Round 3.....

RSA Security vs ??????


RSA Security vs ??????

SETTING THE STAGE:

RSA Security owns the "SecurID" product, a two-factor authentication token that is very popular with governments and the defense industry for protecting critical data and systems.

Somewhere deep within RSA is a database of secret token seeds which, if known to an attacker, defeats all the security the SecurID token is supposed to add: whoever holds a token's seed can compute its one-time codes without the token.

Guess what happens next?

(image slide)

RSA Security vs ??????

The Damage:

- RSA's secret seed database is compromised

- Lockheed Martin and others have been compromised as well, in attacks directly related to their RSA tokens

- Unknown damage yet to be discovered

Anatomy of Ownage—27—

RSA Security vs ??????

The vector:

- Attackers send a crafted Excel spreadsheet titled "2011 Recruitment Plan" to a small group of company employees (phishing)

- The spreadsheet carries a zero-day Adobe Flash exploit embedded in it (Flash inside Office documents)

- Using the foothold gained through the zero-day, attackers install the "Poison Ivy" RAT to remotely control the compromised systems

- From those systems they harvest credentials and move laterally through the internal network (local network trust issues)

- Once they reach the systems holding the SecurID seed data, they exfiltrate it

Anatomy of Ownage—28—

RSA Security vs ??????

HOW NOT TO GET OWNED LIKE THIS:

- Train users about phishing, AND test them

- Reconsider whether your users really NEED things like Flash, PDFs with active content embedded, etc., and disable them if you can

- Reconsider whether end users really NEED administrative-level access to their operating systems

- Employ multiple trust zones within your networks, and SECTION OFF critical areas of the company from the general administrative networks

- Discourage, prevent and prohibit password re-use across those zones

Anatomy of Ownage—29—

RSA Security vs ??????

PART TWO...

Shortly thereafter, US defense contractor Lockheed Martin was broken into.

Compromised RSA SecurID token data formed part of the attack!
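To see why a seed database is worth an intruder's effort, and why Lockheed Martin's tokens had to be treated as compromised, here is an added example (not from the talk, and not RSA's algorithm, which is proprietary) using the open HOTP/TOTP construction from RFC 4226 and RFC 6238. The serial number, seeds and clock values are constructed. The one-time code is a pure function of the seed and the current time step, so anyone who copies the server's seed table can mint valid codes without ever touching a token; the only real remediation is to reissue tokens with fresh seeds.

```python
"""Added example: a seed-based OTP token, its authentication server, and what a
copy of the seed database buys an attacker.  HOTP/TOTP per RFC 4226/6238, not
SecurID's algorithm.  Serial numbers, seeds and times are constructed."""
import hashlib
import hmac
import os
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter), dynamic truncation, decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


class Token:
    """The thing in the user's pocket: a copy of the seed and a clock."""
    def __init__(self, serial, seed):
        self.serial, self.seed = serial, seed

    def display(self, now):
        return totp(self.seed, now)


class AuthServer:
    """The back end.  Its seed table is the equivalent of what RSA was holding."""
    def __init__(self):
        self.seeds = {}

    def provision(self, serial, seed=None):
        """Generate (or accept) a seed, record it, and hand back the matching token."""
        seed = os.urandom(20) if seed is None else seed
        self.seeds[serial] = seed
        return Token(serial, seed)

    def verify(self, serial, code, now, window=1):
        """Accept the code for the current step or +/- `window` steps of drift."""
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        return any(hmac.compare_digest(totp(seed, now + d * 30), code)
                   for d in range(-window, window + 1))


def demo():
    server = AuthServer()
    serial = "000123456789"                          # constructed
    token = server.provision(serial, seed=b"\x11" * 20)  # fixed seed for a repeatable demo
    now = 1_300_000_000                              # fixed clock

    # 1. Normal use: the code shown on the token is accepted.
    legit_ok = server.verify(serial, token.display(now), now)

    # 2. Seed table stolen.  The attacker has no token, only the copied seeds,
    #    and can compute a valid code for any serial at any future time.
    stolen = dict(server.seeds)
    later = now + 86_400
    attacker_ok = server.verify(serial, totp(stolen[serial], later), later)

    # 3. Remediation: reissue the token with a fresh seed.  The stolen seed
    #    now produces codes that fail; the user's new token works.
    new_token = server.provision(serial, seed=b"\x22" * 20)
    much_later = now + 2 * 86_400
    attacker_after = server.verify(serial, totp(stolen[serial], much_later), much_later)
    user_after = server.verify(serial, new_token.display(much_later), much_later)

    return {"legit_ok": legit_ok, "attacker_ok": attacker_ok,
            "attacker_after_reseed": attacker_after, "user_after_reseed": user_after}


if __name__ == "__main__":
    print(demo())
```

Note what the server cannot do: it has no way to tell a code computed from a stolen seed apart from one read off the real token, because the two are byte-for-byte identical. That is why the second factor only adds security while the seed store is secret, and why the seed store deserves tighter segmentation than anything else on the network.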


Ding, ding! Round 4.....

Iran vs ?????


Iran vs ?????

SETTING THE STAGE:

Iran grows dangerously close to bringing online its first nuclear fuel enrichment center.

Many countries suspect it is not for peaceful use.

In mid-2010, power plant operators and industrial sites began reporting a strange computer worm that had penetrated their SCADA control systems.


Iran vs ?????

SETTING THE STAGE:

Unlike most computer worms, this one didn't seem to DO anything on most hosts; it just hung around.

Deeper research into the worm revealed that it was very advanced, and that it only attacked SCADA systems with very specific characteristics.

Then, without explanation, Iran's nuclear enrichment activity ground to a halt.


Iran vs ?????

The Damage:

- Computers in a dozen countries were infected but left operational: the payload only fired on its intended targets

- About 60% of the computers worldwide infected with Stuxnet were in Iran

- The Natanz enrichment facility was knocked offline and centrifuges destroyed; infections were also reported at the Bushehr nuclear power plant


Iran vs ?????

The Vector:

- Stuxnet reportedly first reached the Iranian SCADA systems via a USB stick carried into the plant by a contractor

- Using an exploit 'warhead' of four Windows zero-days (alongside older, already-patched bugs and drivers signed with stolen code-signing certificates), Stuxnet spread among the Windows hosts on the SCADA networks

- It targeted only systems whose Siemens PLC configuration matched the vendor, model and layout characteristics of the enrichment centrifuge cascades (the S7-315 and S7-417 attack sequences)

- Stuxnet would lie in wait until the optimal time to disrupt enrichment activity and destroy industrial equipment


Iran vs ?????

HOW TO KEEP FROM GETTING OWNED LIKE THIS:

- SCADA systems are built with incredibly weak host-level controls. This is their nature, so the protection has to come from around them.

- Strictly separate SCADA networks from the rest of the world and do not provide a route to the internet

- Strictly control the interfaces on which SCADA network configuration and operation are performed (engineering workstations included)

- Carefully audit any incoming media before it touches the control network

- Watch your optimism bias!!
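The "audit any incoming media" item is the one a practitioner can actually script. The following Python is an added example for this page, not a tool from the talk: it walks a mounted removable volume and flags the auto-launch mechanisms Stuxnet-era USB worms relied on (autorun.inf and Windows shortcut files) plus anything executable, identifying executables by the MZ header rather than trusting the extension, and hashes every file so it can be checked against an allow-list of approved vendor files. The sample stick contents, file names and allow-list are constructed for the demo and contain no real malware.

```python
"""Added example: first-pass audit of removable media bound for a control network.
Sample files, names and the allow-list are constructed; nothing here is malware."""
import hashlib
import pathlib
import tempfile

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".bat",
                       ".cmd", ".ps1", ".vbs", ".js", ".msi"}
SHORTCUT_SUFFIXES = {".lnk", ".pif"}


def sha256_file(path):
    """Stream the file so large vendor images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, head):
    """Classify by name, extension and magic bytes.  The extension alone is not
    trusted: a PE file renamed to .tmp still runs when something loads it."""
    name = path.name.lower()
    suffix = path.suffix.lower()
    if name == "autorun.inf":
        return "autorun"
    if suffix in SHORTCUT_SUFFIXES:
        return "shortcut"
    if head.startswith(b"MZ") or suffix in EXECUTABLE_SUFFIXES:
        return "executable"
    return "data"


def audit_media(root, allowlist):
    """Return (relative path, kind, verdict, sha256) for every file under root.

    allowlist: set of SHA-256 hex digests of approved files (vendor patches,
    project files).  Anything executable or auto-launching that is not on the
    list is 'block'; plain data files are 'review' (open them on an isolated
    host, never on the HMI or engineering workstation).
    """
    root = pathlib.Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        with open(p, "rb") as f:
            head = f.read(4)
        digest = sha256_file(p)
        kind = classify(p, head)
        if digest in allowlist:
            verdict = "allowed"
        elif kind == "data":
            verdict = "review"
        else:
            verdict = "block"
        findings.append((p.relative_to(root).as_posix(), kind, verdict, digest))
    return findings


def build_sample_media():
    """Constructed USB-stick contents for the demo."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="usb_audit_"))
    (root / "autorun.inf").write_bytes(b"[autorun]\r\nopen=setup.exe\r\n")
    (root / "Shortcut to project.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 60)
    (root / "~tmp").mkdir()
    # PE header behind a harmless-looking extension: caught by the magic bytes.
    (root / "~tmp" / "loader.tmp").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "vendor_patch.exe").write_bytes(b"MZ" + b"vendor-approved-build")
    (root / "cascade_notes.txt").write_bytes(b"operator notes, plain text\n")
    allowlist = {sha256_file(root / "vendor_patch.exe")}   # approved in advance
    return root, allowlist


def run_demo():
    """Audit the constructed stick and return {path: (kind, verdict)}."""
    root, allowlist = build_sample_media()
    return {path: (kind, verdict) for path, kind, verdict, _ in audit_media(root, allowlist)}


if __name__ == "__main__":
    for path, (kind, verdict) in run_demo().items():
        print(f"{verdict:8} {kind:11} {path}")
```

Run it against the mount point of the stick from a hardened, non-Windows scanning host before the media goes anywhere near the plant. The allow-list is the useful part: a vendor patch that really is expected shows up as "allowed" because its hash was recorded when it was approved, while the same file with one byte changed drops back to "block".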


Q&A, Criticism, Flames, & Heckling

matt@nasa.gov

mattatnasa


OK, so I blew through the slides and need something to talk about still.

How about a little Jerry Springer?

LIGATT vs LIGATT?


LIGATT vs LIGATT?

SETTING THE STAGE:

Gregory D. Evans founds LIGATT Security and begins referring to himself as the "World's #1 hacker". Evans was previously convicted of fraud and served 2 years in prison.

Despite this and a lack of credentials, he begins media tours. His charisma earns him a welcome spot in the news media, which he relishes.


LIGATT vs LIGATT?

LIGATT's first product is a re-skinned and re-branded copy of Nmap; his latest book is reportedly 99% plagiarized.

Critics on Twitter begin pointing this out, and discussion ensues among the authors of the (allegedly) plagiarized content. A website, ligattleaks, is formed to chronicle the misstatements.

Gradually a picture is painted of a media-savvy but technically incompetent man.

So, this happens:

LIGATT vs LIGATT?

(image slide)

THEN THIS HAPPENS:

(image slide)

SO WHAT HAPPENED?


LIGATT vs LIGATT?

A LIGATT insider became a public whistleblower, exposing all of the company's internal email (as well as Evans') to the Full-Disclosure mailing list.

Details of internal company politics, harassment, and (alleged) investigations into employees' personal lives by private detectives were among the leaked documents.


LIGATT vs LIGATT?

Evans, who until then had been a constant presence on news media programs, became the subject instead of the expert commentator.

Feb. 2011: CBS News runs a series, "Hacker or Hoax", laying out the internet's charges against Evans.


LIGATT vs LIGATT?

Signs you may be headed down his path:

- You start referring to yourself as "World's #1" at something without a gold medal to back it up.

- Your first instinct when facing criticism is to call your lawyer.

- The hackers that people make fun of are making fun of you.

- Your own employees are considering whistleblowing about you. On Twitter.

I'm sure you can figure out how to avoid the above......

Sources:

- http://www.youtube.com/watch?v=O3Ms8UZnOoA

- http://en.wikipedia.org/wiki/Stuxnet

- http://www.youtube.com/watch?v=scNkLWV7jSw

- http://attrition.org/errata/charlatan/gregory_evans/

- http://attrition.org/security/rants/sony_aka_sownage.html

- http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/
