TRANSCRIPT
Security Update
Vincent BRILLAULT
HEPiX Spring 2014, Annecy

Crypto-Currencies

• Uncontrolled currencies
• Create an account == Generate new address
• Wallet: list of addresses & private keys
• Exchanges with real currencies

Transactions everywhere (chains)

[Diagram: a chain of transactions between addresses A_1, B_1, C_1, D_1 and A_2. Three outputs of B_1 (4, 2 and 5 BTC) are spent in one transaction paying 11 BTC to A_1; two outputs of C_1 (2.3 and 0.2 BTC) pay 2.5 BTC to A_1; A_1 then spends its 11 BTC and 2.5 BTC outputs in one transaction paying 12 BTC to D_1 and 1.5 BTC to A_2.]

Block Chain & Miners

• Block:
  – Contains aggregated valid transactions
  – Proof of work: a hard computational problem
• BTC: hash(block) < target
• Miners:
  – Hash blocks until someone finds a good one
  – Paid:
    • Per solved block
    • Per transaction (if it included a mining fee)
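
A toy proof of work for the "hash(block) < target" rule, added here as an illustration; it is not code from the slides or from Bitcoin. It assumes a simplified 68-byte header (previous hash, Merkle root, 32-bit nonce) and a target expressed as a number of leading zero bits, rather than Bitcoin's real header layout and difficulty encoding.

```python
import hashlib
import struct

# Toy proof of work: vary the nonce until SHA-256d(header), read as a
# 256-bit integer, falls below the target. Constructed example: the header
# layout and difficulty encoding are simplified, not Bitcoin's real ones.

def sha256d(data: bytes) -> bytes:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def target_from_bits(leading_zero_bits: int) -> int:
    """Target = largest value whose top `leading_zero_bits` bits are all zero.
    Every extra required zero bit doubles the expected number of hashes."""
    return 1 << (256 - leading_zero_bits)

def block_hash(prev_hash: bytes, merkle_root: bytes, nonce: int) -> int:
    """Hash of the simplified header: prev_hash | merkle_root | nonce (little-endian)."""
    header = prev_hash + merkle_root + struct.pack("<I", nonce)
    return int.from_bytes(sha256d(header), "big")

def mine(prev_hash: bytes, merkle_root: bytes, target: int, max_nonce: int = 1 << 32):
    """Miner's side: brute-force search; returns the first nonce that works, or None."""
    for nonce in range(max_nonce):
        if block_hash(prev_hash, merkle_root, nonce) < target:
            return nonce
    return None

def verify(prev_hash: bytes, merkle_root: bytes, nonce: int, target: int) -> bool:
    """Everyone else's side: a single hash is enough to check the miner's work."""
    return block_hash(prev_hash, merkle_root, nonce) < target

if __name__ == "__main__":
    prev = sha256d(b"constructed previous block")   # stand-in for a real block hash
    root = sha256d(b"constructed merkle root")      # stand-in for a real Merkle root
    tgt = target_from_bits(16)                      # ~65k hashes expected
    nonce = mine(prev, root, tgt)
    print(nonce, hex(block_hash(prev, root, nonce)))
```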

Exchange rates: BTC <-> USD

[Chart, © Blockchain.org]

Mining malware

[Figure, © Kaspersky]

Interesting transactions

[Two slides with no extracted text]

Why?

• Make money out of botnets ([CG]PU -> $$)
• Very low traceability:
  – No link address <-> user (except at exchanges)
  – Laundering: create new addresses and move coins

EGI / WLCG: mining jobs

• Forbidden by VO AUPs
• Increasing number of incidents:
  – Tests
  – Benchmarks
  – Malicious jobs
• Cost:
  – CPU time
  – Forensics, investigations …

What can we do for the grid?

• VOs:
  – Remind users of the AUPs
  – Make examples (temporarily ban users)?
• Sites:
  – Look for standard mining software
  – Monitor the network (connections to known pools)
• Virtualization: detection by sites is harder
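
One way a site could implement the "connections to known pools" check, added here as an example (not a tool from the slides or from EGI/WLCG). It runs over a constructed sample of per-job outbound connection records; the pool domain list and the stratum ports are placeholders that a site would replace with its own indicators.

```python
import re
from collections import defaultdict

# Constructed sample of outbound connections from worker nodes, one per line:
# "<timestamp> <job-id> <worker-node> -> <destination>:<port> <protocol>"
SAMPLE_CONNECTIONS = """\
2014-05-19T10:01:02 job-1184 wn-042 -> se.example.org:2811 tcp
2014-05-19T10:01:07 job-1190 wn-017 -> pool.example-mining.test:3333 tcp
2014-05-19T10:01:09 job-1190 wn-017 -> stratum.example-mining.test:3333 tcp
2014-05-19T10:02:41 job-1203 wn-101 -> cvmfs.example.org:80 tcp
2014-05-19T10:03:15 job-1190 wn-017 -> pool.example-mining.test:3333 tcp
2014-05-19T10:04:00 job-1211 wn-055 -> 198.51.100.7:4444 tcp
"""

# Placeholder indicators: a site would load its own pool domain list here.
KNOWN_POOL_DOMAINS = {"example-mining.test"}
# Assumption: ports conventionally used by stratum pool servers; tune locally.
STRATUM_PORTS = {3333, 4444}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<job>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>\w+)$"
)

def parse_connection(line):
    """Dict for one record (port as int), or None for lines that do not match."""
    m = LINE_RE.match(line)
    return dict(m.groupdict(), port=int(m["port"])) if m else None

def matches_pool_domain(host, pool_domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in pool_domains)

def find_mining_suspects(log_text, pool_domains=KNOWN_POOL_DOMAINS, ports=STRATUM_PORTS):
    """Group flagged connections by job, so the site can report the job, not just the node."""
    suspects = defaultdict(lambda: {"nodes": set(), "reasons": set(), "connections": 0})
    for line in log_text.splitlines():
        rec = parse_connection(line)
        if rec is None:
            continue
        reasons = set()
        if matches_pool_domain(rec["dst"], pool_domains):
            reasons.add("known-pool-domain")
        if rec["port"] in ports:
            reasons.add("stratum-port")
        if reasons:
            hit = suspects[rec["job"]]
            hit["nodes"].add(rec["src"])
            hit["reasons"] |= reasons
            hit["connections"] += 1
    return dict(suspects)
```

A port-only hit (job-1211 in the sample) is weaker evidence than a domain match and is worth confirming against the job's process list before acting on it.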

SSL/TLS & X.509

Broken SSL libraries

• Apple SSL: wrong certificate validation
• GnuTLS: wrong certificate validation

HeartBleed: What?

[Comic, © XKCD]

HeartBleed

• Reason:
  – No input sanitization!
  – OpenSSL maintained by 6 people (1 paid)
• Costs:
  – All passwords changed
  – Certificates revoked & rekeyed
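
The missing input check, modelled in Python as an added example (not OpenSSL's code): the heartbeat record's own length field is trusted in the unchecked version and bounded by the received record length in the checked one. Process memory is modelled as a single bytes object in which a constructed "secret" sits directly after the record.

```python
import struct

# Model of the TLS heartbeat request as OpenSSL parsed it:
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes)
# The receiver echoes payload_length bytes of payload back. Process memory is
# modelled as one bytes object: the record, followed by unrelated data (a
# constructed "secret" standing in for whatever else lived in the heap).

HEARTBEAT_REQUEST = 1
PADDING = 16

def build_heartbeat(claimed_length: int, payload: bytes) -> bytes:
    """Build a heartbeat record; claimed_length may disagree with len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING

def heartbeat_response_unchecked(memory: bytes, record_length: int) -> bytes:
    """Pre-fix logic: trusts the peer's payload_length and never looks at record_length."""
    _hb_type, payload_length = struct.unpack("!BH", memory[:3])
    return memory[3:3 + payload_length]  # copies past the record when the peer lied

def heartbeat_response_checked(memory: bytes, record_length: int) -> bytes:
    """Post-fix logic: the claimed payload must fit inside the record actually received."""
    if record_length < 1 + 2 + PADDING:
        raise ValueError("heartbeat record too short")
    _hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_length + PADDING > record_length:
        raise ValueError("payload_length exceeds record: discard silently")
    return memory[3:3 + payload_length]

def demo():
    """A lying record (claims 40 bytes, carries 4) against both versions."""
    record = build_heartbeat(claimed_length=40, payload=b"ping")
    memory = record + b"SESSIONKEY-0123456789abcdef-EXAMPLE"  # constructed adjacent data
    leaked = heartbeat_response_unchecked(memory, len(record))
    try:
        heartbeat_response_checked(memory, len(record))
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected
```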

HeartBleed: "fixed"

[No text on slide]

HeartBleed: Lesson Learned

[No text on slide]

Grid impact

• Lots of services protected by old versions
• Most vulnerable (web)sites fixed promptly
  – Thanks!
• Client certificates can't be leaked by servers
• Still pending: client vulnerability:
  – Hard to detect
  – Hard to abuse (requires MITM)

X.509 Validation

"Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations", Chad Brubaker and Suman Jana

Windigo

• Large-scale malicious operation
  – Targeting mainly servers
  – Without using 0-days or vulnerabilities (mostly)
• Two parts:
  – Botnet building
  – Botnet exploitation (making money)

Botnet building: Ebury

• Ebury already presented at previous HEPiX meetings
• Two versions:
  – Malicious sshd binary (old version)
  – Malicious libkeyutils library (loaded by sshd)
• Malicious activity:
  – Backdoor based on a magic SSH version string
  – Credential exfiltration

Ebury Exfiltration

• Credentials exfiltrated:
  – Passwords from compromised servers
  – Passwords to compromised servers
  – Private SSH keys from compromised servers
• Exfiltration:
  – Encoded DNS query: passwords & usernames
  – Shared memory: private keys & passwords

Ebury Exfiltration (cont.)

• DNS queries:
  – Domain Generation Algorithm: identifies the server
  – Protections:
    • Redundancy (old): compare 2 requests
    • Signature (new): sign the exfiltration IP with a private key
• Shared memory:
  – Every credential is stored in memory
  – Backdoor ('cat') used to fetch them
  – Easily identifiable (0666 & big): recently fixed

Botnet exploitation

• Send spam from the backdoor
• Perl/Calfbot: send spam from servers
• Linux/Cdorked:
  – Redirects users to malicious websites
  – Infects clients & sends spam
• Activity concealment (proxy)

Botnet exploitation

[Figure, © ESET]

Botnet propagation

[Figure, © ESET]

Grid?

• No infection so far in EGI!
• Stay careful: could easily propagate

Protection/Detection

• Protection:
  – Kerberos authentication not targeted
  – 2-factor authentication
• Detection:
  – rpm -Va (at least keyutils-libs & openssh-server)
  – https://github.com/eset/malware-ioc
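
The two host-side checks from this slide and the previous one (the large world-writable shared memory segment, and modified files in keyutils-libs / openssh-server via rpm -Va), written as an added example that is not part of the slides or of ESET's IoC repository. Both sample outputs are constructed; the file paths and segment sizes in them are illustrative, not real Ebury indicators.

```python
import re

# Constructed sample of `ipcs -m` output: the segment Ebury used to stage
# credentials was world-writable (0666) and large, per the slides.
SAMPLE_IPCS = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      postgres   600        4194304    2
0x0052e2c1 65537      root       666        3283968    0
0x00000000 98306      apache     600        65536      3
"""

# Constructed sample of `rpm -Va` output for the packages Ebury replaces:
# 9-char attribute string, optional file-type flag (c = config file), path.
SAMPLE_RPM_VA = """\
S.5....T.    /usr/lib64/libkeyutils.so.1.3
.......T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd
missing     /usr/share/doc/openssh-server/README
"""

IPCS_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_ipcs(text):
    """One dict per segment line of `ipcs -m` output; header lines are skipped."""
    segs = []
    for line in text.splitlines():
        m = IPCS_RE.match(line)
        if m:
            key, shmid, owner, perms, nbytes, nattch = m.groups()
            segs.append({"key": key, "shmid": int(shmid), "owner": owner,
                         "perms": perms, "bytes": int(nbytes), "nattch": int(nattch)})
    return segs

def suspicious_shm(segs, min_bytes=1 << 20):
    """Slide heuristic: world-writable (mode 0666) and at least min_bytes."""
    return [s for s in segs if int(s["perms"], 8) & 0o002 and s["bytes"] >= min_bytes]

def modified_binaries(rpm_va_text):
    """Paths whose digest changed ('5' in the third column) and are not config files."""
    hits = []
    for line in rpm_va_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "missing":
            continue
        attrs, path = parts[0], parts[-1]
        is_config = len(parts) == 3 and parts[1] == "c"
        if len(attrs) >= 3 and attrs[2] == "5" and not is_config:
            hits.append(path)
    return hits
```

A modified digest on sshd or libkeyutils is a strong signal but rpm -Va only helps if the attacker did not also rewrite the RPM database, so the ESET IoCs remain the authoritative check.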

New threat

Surveillance

• Theoretical physics is not protected: international center in Italy targeted!

[Figure, © usnewsghost.wordpress.com]

Hardware interception

[No text on slide]

Man In The Middle

[No text on slide]

Questions?