SEAN HANNA
GRC & CYBER WARFARE CONSULTANT
CISM, CISA, LPT, ECSA, CEH, CHFI, CISSP, GSEC, GCIA, GCIH, PRINCE2, CCNA, MCT, MCSE+Security
EC-Council Instructor of the Year 2007, 2008, 2010 & 2011
EC-Council Circle of Excellence Member 2012
Director at Nemstar - Offering Cyber Security Consultancy & Training services in Ireland, the UK and throughout EMEA
The Server Side Tradition
• Historically, valuable data resided on the server
• Hackers targeted server side systems and data
– Domain Controllers
– Web Servers
– SQL Servers
– Data Centres
• They still do!
Show Me The Money!
• With server systems progressively better
protected
• And more and more data stored on the client
• Increasingly the client is the new target
• But could there be other factors at play?
Client Side Hacking
• Laptops
• Mobile devices
• Wireless connections
• Online banking
• The social media community
• The App phenomenon
• User centric data and systems
The Goal
• The goal is money
– Directly
– As part of a bigger plan
• But could there be other reasons?
What Is A Hack?
• Let's spend a few minutes looking at the
architecture of a hack:
– Vulnerabilities
– Exploits
– Payloads
– Frameworks
Weapons R&D
• Finding the next Vulnerability is highly technical
• Greatest challenge for coders
• Years of experience required
• Reverse Engineering
• Zero Day Attacks
For Example…
• MS08-067: Vulnerability in Server service
could allow remote code execution
• A remote code buffer overflow occurs when
data written to a buffer, because of insufficient
bounds checking, overwrites memory adjacent to
the allocated buffer; when the attacker controls
that data it may allow remote code to be run
The Exploits
• Buffer Overflows
• SQL Injection
• XSS
• Unicode Injection
• Trojans
• Viruses
• Social Engineering
“Delivery Method”
MS08-067 Exploit
• Exploits a parsing flaw in the path
canonicalization code of NetAPI32.dll
• Capable of bypassing NX
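As an added illustration of the bug class on the last two slides (insufficient bounds checking in path canonicalisation), here is a constructed toy canonicaliser in C. It is example code written for this page, not the NetAPI32.dll code and not the MS08-067 exploit. `canon_vulnerable` pops a `..` component by stepping its write index back to the previous backslash with no lower bound, and appends components with no check against the buffer length, so a path beginning `\..` writes before the buffer and a long path writes past its end, corrupting the adjacent memory; `canon_safe` is the same algorithm with the two missing checks. The function names, the backslash-separated path format and the sample paths are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Constructed toy path canonicaliser (added example, not NetAPI32.dll).
 * Input is a backslash-separated path starting with '\', e.g. "\a\b\..\c".
 * Output drops "." components and pops ".." components, giving "\a\c".
 */

/* Append '\' followed by comp[0..len) at out[w]; caller guarantees space. */
static size_t append_component(char *out, size_t w, const char *comp, size_t len)
{
    out[w++] = '\\';
    memcpy(out + w, comp, len);
    return w + len;
}

/* Split the next component off *p: returns its length, sets *comp to its
 * start and advances *p past it and the separator that follows it. */
static size_t next_component(const char **p, const char **comp)
{
    const char *end = strchr(*p, '\\');
    size_t len = end ? (size_t)(end - *p) : strlen(*p);
    *comp = *p;
    *p = end ? end + 1 : *p + len;
    return len;
}

/* VULNERABLE: insufficient bounds checking in both directions.
 *  - on "..", the write index walks back to the previous '\' with no lower
 *    bound, so "\..\x" underflows w and reads and writes before out[0];
 *  - components are appended without consulting outlen, so a long path
 *    writes past out[outlen - 1].
 * Either way, memory adjacent to the buffer is corrupted. Kept only to show
 * the bug; call it with trusted input only. */
int canon_vulnerable(const char *in, char *out, size_t outlen)
{
    (void)outlen;                               /* ignored: that is the bug */
    if (*in != '\\') return -1;
    const char *p = in + 1, *comp;
    size_t w = 0;
    while (*p) {
        size_t len = next_component(&p, &comp);
        if (len == 2 && comp[0] == '.' && comp[1] == '.') {
            do { w--; } while (out[w] != '\\');       /* no check that w > 0 */
        } else if (len > 0 && !(len == 1 && comp[0] == '.')) {
            w = append_component(out, w, comp, len);  /* no outlen check */
        }
    }
    if (w == 0) out[w++] = '\\';
    out[w] = '\0';
    return 0;
}

/* HARDENED: the same algorithm with the two missing checks.
 * Returns 0 on success, -1 if the path is malformed or climbs above the
 * root, -2 if the output buffer cannot hold the result plus its NUL. */
int canon_safe(const char *in, char *out, size_t outlen)
{
    if (*in != '\\' || outlen < 2) return -1;
    const char *p = in + 1, *comp;
    size_t w = 0;
    while (*p) {
        size_t len = next_component(&p, &comp);
        if (len == 2 && comp[0] == '.' && comp[1] == '.') {
            if (w == 0) return -1;                    /* ".." above the root */
            do { w--; } while (out[w] != '\\');       /* stops at out[0] == '\' */
        } else if (len > 0 && !(len == 1 && comp[0] == '.')) {
            if (w + 1 + len >= outlen) return -2;     /* room for '\' + comp + NUL */
            w = append_component(out, w, comp, len);
        }
    }
    if (w == 0) out[w++] = '\\';                      /* outlen >= 2 guarantees room */
    out[w] = '\0';
    return 0;
}

int main(void)
{
    char buf[32];
    /* constructed sample paths */
    canon_vulnerable("\\Windows\\System32\\..\\Temp\\x.txt", buf, sizeof buf);
    printf("vulnerable, benign input: %s\n", buf);
    printf("safe, \"\\..\\..\\x\": rc=%d (rejected)\n",
           canon_safe("\\..\\..\\x", buf, sizeof buf));
    return 0;
}
```

The two functions differ only in the `w == 0` test before popping and the `outlen` test before appending; that is the whole of the "insufficient bounds checking" the slide describes. Feeding `canon_vulnerable` a path that starts with `\..` is left to the reader's debugger, since it corrupts whatever sits below the buffer.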
The Payloads
• Shells
• Reverse Shells
• HTTP
• Reverse HTTP
• VNC
• Password Collector
• Visa Collector
• Bombs
“Dangerous Weapon”
For Example…
• A botnet is a collection of compromised
computers, each of which is known as a 'bot',
connected to the Internet.
• Shark
– Botnet Payload
– Botnet C&C Server
Every attack requires coding
• Assembly Language
• C or C++
• Perl
• Ruby
• Visual Basic
• Java
• .NET Framework
• So it's NOT easy!
The Frameworks
• There are various frameworks
– Underground
– Commercial
• These are the engines of hacking
For Example…
• Metasploit is a well-known framework, a tool
for developing and executing exploit code
against a remote target machine
• Integrates with many other tools
– SET (the Social-Engineer Toolkit), which uses Metasploit payloads
Random Demos?
• Were these just 3 random demos, or was
there something more behind them?
• Each of the demos targeted a client system
• This is only the start of our story…
The Arms Race
• The term arms race in its original usage describes a competition between two or more parties for military supremacy. Each party competes to produce larger numbers of weapons, greater armies, or superior military technology in a technological escalation
• Source: Wikipedia
The Ingredients Of An Arms Race
• A new technology that might have a use as a
weapon
• Existing research in non-weapon areas
• An accidental or deliberate demonstration of
its potential
• One government to use it against another
• Big business to see the chance of massive
profits
The Dawn of a New Era
• We have just entered the dawn of a new era
• Cyber Warfare is not the stuff of science
fiction
• Militaries around the world deploy Cyber
Warfare Weaponry on an hourly basis
• The technology is in use in live operational
theatres around the world
China military unit
'behind prolific hacking'
• BBC News @ 10:00 this Tuesday
• A secretive branch of China's military is
probably one of the world's "most prolific
cyber espionage groups”
2nd Bureau of the
People’s Liberation Army
• General Staff Department, 3rd Department
• Unit 61398
• AKA APT1
APT1
• Systematically stole hundreds of terabytes of data
• Hit at least 141 organizations
• Has demonstrated its capability and intent
• Steals intellectual property:
– technology blueprints
– proprietary manufacturing processes
– Test results
– business plans
– pricing documents
– partnership agreements
– victim organizations’ leadership data
© Sean Hanna Nemstar Ltd 2013
APT1 Targets
• APT1 doesn’t just target
government agencies
• They target commercial
interests
• Their goal is giving
China an economic
advantage
This Time It's Different
• The human race has always been careful to
control the availability of weapons
• This time we can’t
Cyber Weaponry
• When a soldier leaves the army
– You can take his gun off him
• When a sailor leaves the navy
– You can take his ship off him
• When a pilot leaves the air force
– You can take his plane off him
RISK
• Your job is managing Information RISK
• The risk profile is constantly changing
• New threats are constantly emerging
• Everything is in a state of constant flux
Journey
• Let me take you on a journey through hacking
• From the start, through the years, to today
• Then on towards the future
• Let me share why things are about to change
• FOREVER.
Evolution
• Hacking is continuing to evolve
• If we understand how it has evolved...
• We might see how it will evolve in the future
Hobbyist Hackers
• C0mrade
– hacked into NASA
– downloaded the source code of the
International Space Station
– $1.7 million
• Kevin Mitnick
– most wanted computer criminal in U.S.
history
– said to have breached the national defence system (a claim he always disputed)
Security Research Companies
• HP Fortify
– largest commercial research organization in the
world
– Identified over 430 vulnerability categories across
18 programming languages
– Discovered two entirely new categories of
vulnerabilities (JavaScript Hijacking and Cross-
Build Injection)
Criminal Gangs
• 431 million adults worldwide were victims of
cyber crime last year (Norton Cyber Crime
Report 2011)
• $388 billion is lost globally each year to cyber
crime (Norton Cyber Crime Report 2011)
Criminal Gangs
• Russian cybercriminals (Mafia Today)
– raked in over $4 billion in 2011
– consolidated their efforts; organized crime groups
are clamoring for a piece of the action
– most lucrative form of Russian cybercrime last
year was online fraud
– “The cybercrime market originating from Russia
costs the global economy billions of dollars every
year,” Ilya Sachkov, Group-IB’s CEO
Criminal Gangs
• Cyber crime costs the UK economy £27bn a
year, the government has said.
• £21bn of costs to businesses
• £2.2bn to government
• £3.1bn to citizens
• Security minister Baroness Neville-Jones said
the government was determined to work with
industry to tackle cyber crime.
Criminal Gangs
• Took the process to a third stage
• Invested money to make money
• Professional career hackers
• Large budgets
• Large multi-skilled teams
• Results in the production of commercial quality hacks:
– Crimeware is born
Crimeware
• Crimeware is a class of malware designed
specifically to automate cybercrime
• The term was coined by Peter Cassidy,
Secretary General of the Anti-Phishing
Working Group
• Crimeware is said to have started around 2003
• Crimeware has made rapid advancements in
the last 9 years
Crimeware Part 1
• Advancement 1:
– Form-grabbing (spyware)
• Advancement 2:
– Anti-detection (stealth)
• Advancement 3:
– Web-injects (man-in-the-browser)
• Advancement 4:
– Expanded Target Support
Crimeware Part 2
• Advancement 5:
– Source Code Availability/Release
• Advancement 6:
– Mobile Device Support (man-in-the-mobile)
• Advancement 7:
– Anti-removal (persistence)
• Advancement 8:
– Commercialisation (market)
Cyber Warfare
• “actions by a nation-state to penetrate
another nation's computers or networks for
the purposes of causing damage or
disruption”
• “the fifth domain of warfare”
• “as critical to military operations as land, sea,
air, and space”
Cyber Warfare - History
• March 1999: Hackers in Serbia attack NATO systems in retaliation for NATO’s military intervention
in Kosovo.
• May 1999: NATO accidentally bombs the Chinese embassy in Belgrade, spawning a wave of
cyberattacks from China against U.S. government Web sites.
• 2003: Hackers begin a series of assaults on U.S. government computer systems that lasts for
years. The government code names the attacks Titan Rain and eventually traces them to China.
• April-May 2007: Hackers believed to be linked to the Russian government bring down the Web
sites of Estonia’s parliament, banks, ministries, newspapers and broadcasters.
• June-July 2008: Hundreds of government and corporate Web sites in Lithuania are hacked, and
some are covered in digital Soviet-era graffiti, implicating Russian nationalist hackers.
• August 2008: Cyber attackers hijack government and commercial Web sites in Georgia during a
military conflict with Russia.
• January 2009: Attacks shut down at least two of Kyrgyzstan’s four Internet service providers
during political squabbling among Russia, the ruling Kyrgyzstan party and an opposition party.
• April 2009: An attack on neighboring Kazakhstan shuts down a popular news Web site.
US First Cyber Warfare General
• The US military appointed its first senior general to direct cyber warfare – despite fears that the move marks another stage in the militarisation of cyberspace.
• The creation of Cyber Command is in response to increasing anxiety over the vulnerability of the US's military and other networks to a cyber attack
• The US air force disclosed that some 30,000 of its troops had been re-assigned from technical support "to the frontlines of cyber warfare".
• May 2010 – The Guardian Newspaper UK
Cyber Warfare
• A cyber attack by one state on another could
be considered an "act of war", according to a
former top national security adviser (BBC News)
• William Hague: UK is under cyber-attack (BBC
News)
White House warns of Cyber Warfare
boomerangs
• Unlike a bullet or missile fired at an enemy, a
Cyber Weapon that spreads across the
Internet may circle back accidentally to infect
computers it was never supposed to target.
• The Homeland Security Department issued a
warning about the new virus, known as "Flame"
• Source - The White House
Germany prepares special unit to
tackle cyber attack
• BERLIN: Germany has prepared a special cyber
warfare unit of its military to conduct
offensive operations against computer
hackers, who attack key installations or
engage in espionage activities, defence
ministry has said.
• Source – Economic Times
The Government Wants You
• Agencies need to hack clients
• Al Qaeda operatives for example
• Millions have been spent in developing the
next generation of client side hacking tools
Client Side Hacking
• The target is you
• Your data
• Your devices
• This is the biggest area for research and development
• What they have one year…
• The hacker has the next!
Sean Hanna
• GRC & Cyber Warfare Consultant
• Security Consultancy & Training
• Delivering World Class Training in Belfast
– 18th March - Forensics
– 25th March – Ethical Hacking