Security Update Vincent BRILLAULT HEPiX Spring 2014, Annecy


Page 1: Security Update Vincent BRILLAULT HEPiX Spring 2014, Annecy

Security Update

Vincent BRILLAULT

HEPiX Spring 2014, Annecy

Page 2: Crypto-Currencies

Page 3: Crypto-Currencies

• Uncontrolled currencies

• Create an account == Generate new address

• Wallet: list of addresses & private keys

• Exchanges with real currencies

Page 4: Transactions everywhere (chains)

[Diagram: a chain of transactions between addresses A_1, B_1, C_1, D_1 and A_2. B_1 spends outputs of 4, 2 and 5 BTC to pay 11 BTC to A_1; C_1 spends outputs of 2.3 and 0.2 BTC to pay 2.5 BTC to A_1; A_1 then spends the 11 BTC and 2.5 BTC outputs it received, paying 12 BTC to D_1 and 1.5 BTC to A_2.]

Page 5: Block Chain & Miners

• Block:
  – Contains aggregated valid transactions
  – Proof of work: hard computational problem

• BTC: hash(block) < target

• Miners:
  – Hash blocks until someone finds a good one
  – Paid:
    • Per solved block
    • Per transaction (if it included a mining fee)
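The two mechanisms on pages 4 and 5 as one runnable toy model, added here as an illustration (not code from the talk): transactions spend earlier outputs and the surplus is the miner's fee, and a block is solved when hash(block) < target. Amounts, addresses, the "g:N" starting outputs and the easy target are all constructed.

```python
import hashlib
import json

BTC = 100_000_000  # satoshis per BTC; integer amounts avoid float rounding

def txid(tx):
    """Transaction id: hash of the canonical serialisation (as in Bitcoin)."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

def apply_transactions(txs, utxo):
    """Apply txs in order against the unspent-output set utxo ("txid:index" ->
    (address, amount)). Each input must reference an unspent output and outputs
    may not exceed inputs; the difference is the fee (page 5). Returns total fees."""
    fees = 0
    for tx in txs:
        total_in = 0
        for ref in tx["inputs"]:
            if ref not in utxo:
                raise ValueError(f"input {ref} unknown or already spent")
            total_in += utxo.pop(ref)[1]          # spend it: no double spend
        total_out = sum(amt for _, amt in tx["outputs"])
        if total_out > total_in:
            raise ValueError("outputs exceed inputs")
        fees += total_in - total_out
        tid = txid(tx)
        for i, (addr, amt) in enumerate(tx["outputs"]):
            utxo[f"{tid}:{i}"] = (addr, amt)      # new spendable outputs
    return fees

def mine(header, target, max_nonce=1_000_000):
    """Proof of work (page 5): try nonces until hash(block) < target."""
    for nonce in range(max_nonce):
        h = hashlib.sha256(f"{header}|{nonce}".encode()).digest()
        if int.from_bytes(h, "big") < target:
            return nonce, h.hex()
    return None

def demo():
    # Constructed starting outputs held by B_1 and C_1, as in the page-4 diagram.
    utxo = {"g:0": ("B_1", 4 * BTC), "g:1": ("B_1", 2 * BTC), "g:2": ("B_1", 5 * BTC),
            "g:3": ("C_1", 23 * BTC // 10), "g:4": ("C_1", 2 * BTC // 10)}
    tx1 = {"inputs": ["g:0", "g:1", "g:2"], "outputs": [("A_1", 11 * BTC)]}
    tx2 = {"inputs": ["g:3", "g:4"], "outputs": [("A_1", 25 * BTC // 10)]}
    # A_1 spends both outputs it received: 12 BTC to D_1, 1.5 BTC to A_2.
    tx3 = {"inputs": [f"{txid(tx1)}:0", f"{txid(tx2)}:0"],
           "outputs": [("D_1", 12 * BTC), ("A_2", 15 * BTC // 10)]}
    fees = apply_transactions([tx1, tx2, tx3], utxo)
    nonce, digest = mine("prev_block_hash|tx_root", target=2 ** (256 - 12))
    return {"fees": fees, "utxo": utxo, "nonce": nonce, "digest": digest}
```

With the target set to 2**244 a solution takes a few thousand hashes; Bitcoin's real target makes the same loop take the whole network minutes.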

Page 6: Exchange rates: BTC <-> USD

© Blockchain.org

Page 7: Mining malware

© Kaspersky

Page 8: Interesting transactions

Page 9: Interesting transactions

Page 10: Why?

• Make money out of botnets ([CG]PU -> $$)

• Very low traceability:
  – No link address <-> user (except exchanges)
  – Laundering: create new addresses and move coins

Page 11: EGI / WLCG: mining jobs

• Forbidden by VO AUPs

• Increasing number of incidents:
  – Tests
  – Benchmarks
  – Malicious jobs

• Cost:
  – CPU time
  – Forensics, investigations …

Page 12: What can we do for the grid?

• VOs:
  – Remind users of the AUPs
  – Make examples (temporarily ban users)?

• Sites:
  – Look for standard mining software
  – Monitor network (connections to known pools)

• Virtualization: detection by sites harder
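The two site-side checks from page 12, written out as an added example (not from the talk) over constructed data: one function looks at a process command line for standard miner binaries or a stratum pool URL, the other at an outbound connection and the first bytes it sent. The miner name list, the pool host and the sample lines are assumptions.

```python
import json
import re

# Assumed watchlists, not from the slides: names of common 2014-era CPU/GPU
# miners, a constructed pool hostname, and the stratum URL scheme miners use.
MINER_BINARIES = {"minerd", "cpuminer", "cgminer", "bfgminer", "cudaminer"}
POOL_HOSTS = {"pool.example.net"}
STRATUM_URL = re.compile(r"stratum\+tcp://([\w.-]+):(\d+)")

def check_process(cmdline):
    """Page 12, 'look for standard mining software': findings for one command line."""
    findings = []
    argv = cmdline.split()
    if argv and argv[0].rsplit("/", 1)[-1] in MINER_BINARIES:
        findings.append(f"known miner binary {argv[0]}")
    m = STRATUM_URL.search(cmdline)
    if m:
        findings.append(f"stratum pool URL {m.group(1)}:{m.group(2)}")
    return findings

def check_connection(dst_host, dst_port, first_bytes=b""):
    """Page 12, 'monitor network': findings for one outbound connection,
    given the destination and the first bytes the client sent."""
    findings = []
    if dst_host in POOL_HOSTS:
        findings.append(f"connection to known pool {dst_host}:{dst_port}")
    # Stratum is line-delimited JSON-RPC; a miner opens with mining.subscribe,
    # so the handshake is visible even when the pool host is not on the list.
    try:
        msg = json.loads(first_bytes.decode().splitlines()[0])
    except (UnicodeDecodeError, ValueError, IndexError):
        msg = {}
    if isinstance(msg, dict) and str(msg.get("method", "")).startswith("mining."):
        findings.append(f"stratum handshake {msg['method']} to {dst_host}:{dst_port}")
    return findings

# Constructed samples: one legitimate analysis job and one miner on a worker node.
SAMPLE_PROCESSES = [
    "/usr/bin/python analysis.py --input run42.root",
    "./minerd -a scrypt -o stratum+tcp://pool.example.net:3333 -u wallet.worker1",
]
SAMPLE_CONNECTIONS = [
    ("storage.example.org", 443, b"\x16\x03\x01"),          # TLS client hello
    ("198.51.100.7", 3333, b'{"id": 1, "method": "mining.subscribe", "params": []}\n'),
]
```

Renamed binaries defeat the first check and TLS-wrapped pools defeat the payload check, which is why the slide pairs process and network monitoring.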

Page 13: SSL/TLS & x509

Page 14: Broken SSL libraries

• Apple SSL: Wrong certificate validation

• GNUTLS: Wrong certificate validation

Page 15: HeartBleed: What?

© XKCD

Page 16: HeartBleed

• Reason:
  – No input sanitization!
  – OpenSSL maintained by 6 people (1 paid)

• Costs:
  – All passwords changed
  – Certificates revoked & rekeyed
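What "no input sanitization" meant in this case, as an added example (not the talk's or OpenSSL's code): a heartbeat record carries a 16-bit payload length, the buggy handler trusted it and echoed that many bytes from wherever the record sat in memory, and the fix checks the claimed length against the real record length. Process memory is a constructed bytearray and the secret is a made-up string.

```python
import struct

HEARTBEAT_REQUEST = 1
PADDING = 16  # minimum padding a heartbeat record must carry

def parse_heartbeat(record):
    """Split a heartbeat record into (type, claimed payload length, rest)."""
    hb_type, claimed = struct.unpack("!BH", record[:3])
    return hb_type, claimed, record[3:]

def respond_vulnerable(memory, offset, record_len):
    """Unsanitised behaviour: trust the 16-bit length in the request and
    echo that many bytes starting right after the 3-byte header, even
    though the record itself is only record_len bytes long."""
    _, claimed, _ = parse_heartbeat(memory[offset:offset + record_len])
    start = offset + 3
    return bytes(memory[start:start + claimed])   # runs past the record

def respond_fixed(memory, offset, record_len):
    """Sanitised behaviour: the claimed payload plus header and padding
    must fit inside the record, otherwise the request is dropped."""
    hb_type, claimed, rest = parse_heartbeat(memory[offset:offset + record_len])
    if hb_type != HEARTBEAT_REQUEST or 3 + claimed + PADDING > record_len:
        return None
    return bytes(rest[:claimed])

def build_memory(claimed_len, payload=b"hello", secret=b"session-key=S3CRET;"):
    """Constructed stand-in for process memory: a heartbeat record whose
    header claims claimed_len payload bytes, followed by unrelated data.
    Returns (memory, record offset, true record length)."""
    record = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING
    memory = bytearray(b"\x00" * 8) + record + secret + bytearray(64)
    return memory, 8, len(record)
```

In Python the slice simply stops at the end of the bytearray; in C the same read continued into whatever the heap held next, which is why page 16 lists password and certificate rotation among the costs.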

Page 17: HeartBleed: “fixed”

Page 18: HeartBleed: Lesson Learned

Page 19: Grid impact

• Lots of services protected by old versions

• Most vulnerable (web)sites fixed promptly
  – Thanks!

• Client certificates can’t be leaked on servers

• Still pending: client vulnerability:
  – Hard to detect
  – Hard to abuse (requires MITM)

Page 20: X509 Validation

Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations, Chad Brubaker and Suman Jana

Page 21: Windigo

Page 22: Windigo

• Large-scale malicious operation
  – Targeting mainly servers
  – Without using 0-days or vulnerabilities (mostly)

• Two parts:
  – Botnet building
  – Botnet exploitation (making money)

Page 23: Botnet building: Ebury

• Ebury already presented at previous HEPiX meetings

• Two versions:
  – Malicious sshd binary (old version)
  – Malicious libkeyutils library (loaded by sshd)

• Malicious activity:
  – Backdoor based on magic SSH version string
  – Credential exfiltration

Page 24: Ebury Exfiltration

• Credentials exfiltrated:
  – Passwords from compromised servers
  – Passwords to compromised servers
  – Private SSH keys from compromised servers

• Exfiltration:
  – Encoded DNS query: passwords & usernames
  – Shared memory: private keys & passwords

Page 25: Ebury Exfiltration

• DNS queries:
  – Domain Generation Algorithm: identifies the server
  – Protections:
    • Redundancy (old): compare 2 requests
    • Signature (new): sign exfiltration IP with private key

• Shared memory:
  – Every credential is stored in memory
  – Backdoor (‘cat’) used to fetch them
  – Easily identifiable (0666 & big): recently fixed
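The "easily identifiable (0666 & big)" hint from page 25 turned into a check over `ipcs -m` output, added here as an example (not from the talk or ESET's tooling). The sample listing is constructed and the size threshold is an assumption.

```python
import re

# One data line of `ipcs -m` (Linux): key shmid owner perms bytes nattch [status]
IPCS_LINE = re.compile(
    r"^0x(?P<key>[0-9a-f]+)\s+(?P<shmid>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<perms>\d{3,4})\s+(?P<bytes>\d+)\s+(?P<nattch>\d+)")

def parse_ipcs(text):
    """Parse `ipcs -m` output into one dict per segment; the banner and
    column-header lines do not match the pattern and are skipped."""
    segments = []
    for line in text.splitlines():
        m = IPCS_LINE.match(line.strip())
        if m:
            seg = m.groupdict()
            for k in ("shmid", "bytes", "nattch"):
                seg[k] = int(seg[k])
            segments.append(seg)
    return segments

def suspicious_segments(segments, min_bytes=1_000_000):
    """Page 25: the exfiltration segment was world-writable (0666) and big.
    The size threshold is an assumption; tune it for the host."""
    return [s for s in segments
            if s["perms"][-3:] == "666" and s["bytes"] >= min_bytes]

# Constructed sample: two ordinary segments and one matching the description.
SAMPLE_IPCS = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      root       600        4194304    2          dest
0x0052e2c1 98304      postgres   600        27336704   4
0x6c6c6536 131072     root       666        3283128    1
"""
```

The slide notes this tell was "recently fixed", so treat a hit as a reason to run the page-30 checks (rpm -Va on keyutils-libs and openssh-server, the ESET IoCs), not as the only detection.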

Page 26: Botnet exploitation

• Send spam from the backdoor

• Perl/Calfbot: send spam from servers

• Linux/Cdorked:
  – Redirects users to malicious websites
  – Infects clients & sends spam

• Activity concealment (proxy)

Page 27: Botnet exploitation

© ESET

Page 28: Botnet propagation

© ESET

Page 29: Grid?

• No infection so far in EGI!

• Stay careful: could easily propagate

Page 30: Protection/Detection

• Protection:
  – Kerberos authentication not targeted
  – 2-factor authentication

• Detection:
  – rpm -Va (at least keyutils-libs & openssh-server)
  – https://github.com/eset/malware-ioc

Page 31: New threat

Page 32: Surveillance

• Theoretical physics is not protected: international center in Italy targeted!

© usnewsghost.wordpress.com

Page 33: Hardware interception

Page 34: Man In The Middle

Page 35: Questions?