The Six Most Dangerous New Attack Techniques And What s Coming Next? Ed Skoudis CounterHackChallenge

Transcription

1 The Six Most Dangerous New Attack Techniques And What s Coming Next? MODERATOR: Alan Paller SANS Institute PANELISTS: Ed Skoudis CounterHackChallenge Johannes Ullrich SANS Internet Storm Center Session ID: EXP-108 Session Classification: Advanced Agenda Ed Skoudis top attacks and defenses Johannes Ullrich s top attacks and defenses What s coming next? Your questions and predictions 2 1

2 Ed Skoudis Author of Malware: Fighting Malicious Code Top Emerging Threats - Skoudis Command and control channels evolve: DNS! SSL gets slapped again and hard Mobile malware as network infection vector 4 2

3 Evolving Command and Control Channels Attackers have used numerous command and control channels for their installed backdoors Listening ports and some ICMP Outbound connections for reverse connection on arbitrary TCP port, IRC, IRC on unusual ports, HTTP, HTTPS, Twitter, YouTube comments, etc. Evil Bad Guy Internet Firewall Allows outbound traffic Internal Network Compromised Internal Host Malware Each of those mechanism required the victim machine to have direct connectivity back to attacker 5 DNS Command and Control Channel With DNS as a command and control channel, now the victim machine doesn t need outbound connectivity at all Evil Bad Guy as long as it can resolve names through a name server with recursive look-ups on the Internet, it can reach the attacker: CNAME, TXT, SOA, etc. Internet External DNS External DNS Firewall blocks direct outbound Internal DNS Internal Network Attackers have recently used this technique in cases involving the theft of millions of accounts Malware For an example implementation, check out Ron Bowes dnscat at Compromised Internal Host 6 3

4 DNS Command and Control Defenses Look for unusual DNS queries and responses Beware of performance impact of logging all queries on DNS server Instead, consider a sniffing solution sampling periodically Look for unusually long requests and/or responses with nonsensical names Look for a barrage of DNS traffic to parts of the world where you don t do business Look for repeated DNS traffic every few seconds or minutes 7 SSL Gets Slapped Again and Hard An attacker has numerous options available to prevent that SSL warning message shown in browsers for illegit certs: Compromise a CA or RA and issue certs Diginotar CA compromised in 2011 resulted in dozens of bogus certs Comodo affiliate RA compromised in 2011 resulted in 9 bogus certs Trick a CA or RA into giving legit certificates to attacker Verisign tricked in 2002 into granting code-signing certs to people posing as Microsoft (code-signing, not SSL) Other examples happen periodically Build a bogus cert that has an MD5 hash collision with a trusted cert Hash collision bogus cert generated as proof of concept by A. Sotirov, et al in 2009 Find a flaw in SSL or TLS Marsh Ray discovered such a problem in 2009 In 2011, Thai Duong and Juliano Rizzo discovered an issue in TLS 1.0 and earlier, exploited with their Browser Exploit Against SSL/TLS (BEAST), using JavaScript in a browser to send encrypted messages with chosen plaintext Find a flaw in the way browsers validate certificates many examples 8 4

5 More SSL Slapping Are those too hard? There are other, far easier options for an attacker to avoid browser SSL warning messages: Just buy a legit certificate from a low-cost CA and use an organization name that the user might trust Trick the user into accepting cert through social engineering , pop-ups, or other means Sit in the middle, and tell the browser to use HTTP, not HTTPS Rewrite links Moxie Marlinspike s sslstrip tool does this Attack sites that use SSL only for authentication, with cleartext HTTP for the post-authenticated session The firesheep tool does this Compromise the browser and import an attacker s cert as trusted Increasing avenue used by malware in 2011 and SSL Defenses Upgrade to latest version of TLS on all servers Pare down trusted certificate authorities in browsers Keep browsers up to date Harden browsing machines Keep an eye out for tools that monitor installed CA certificates to look for changes Educate users (ugh!) 10 5

6 Mobile Malware as Network Infection Vector Mobile malware is starting to come into its own Android market and various app stores hosting malware Sometimes it s a maliciously refurbished app stolen from elsewhere Apple s App Store hosting apps with hidden functionality Tethering buried in a flashlight app Current concern: Harvesting sensitive information in mobile device Coming soon: Using the infected mobile device as a means to pivot to an internal network Act as connection from 3G/4G to enterprise wireless LAN Or, malware on mobile device makes a backdoor Evil Bad Guy connection through enterprise wireless LAN back to attacker, who can then attack enterprise network Compromised Mobile Device Internet Firewall Allows outbound traffic Internal Network ATTACK!! 11 Defending Mobile Devices Develop a sound enterprise policy Fantastic checklist released this month by Lee Neely available at Establish a process for evaluating and approving specific applications for use on mobile environment Analyze behavior of app in sandbox/emulator, device file system, and especially on network Build a secure wireless infrastructure for mobile device access in the enterprise Segment from your normal internal network 12 6

7 Johannes Ullrich Director of the Internet Storm Center 13 Hacktivism is back Hacktivism used to be big until about 5 years ago Lost importance, but never went away. Overtaken by financial motivation and state sponsored attacks Now back in a big way with anonymous, lulzsec, antisec + others Much more visible then other attacks. Not trying to hide Focus on simple exploit and leveraging basic mistakes 14 7

8 Example Exploit Step 1: Scan web sites using automated tools like Havij, sqlmap, Google Step 2: find and exploit a SQL Injection vulnerability Step 3: download database Step 4: Find passwords, maybe break hashes Step 5: check for re-used passwords in systems Step 6: publish s / embarrass target Graphic: itsecteam.com 15 How to defend against it? Focus on the basics Don t get distracted by flashy crazy new flashing attacks Operationalize security Inventory control (know what you have, eliminate what you don t need) Authentication (do passwords provide sufficient security? Software security (various injection issues) Continuous monitoring 16 8

9 Home Automation Security Lot of attention focused on professional control systems At the same time, home automation is exploding Nothing in the home that can t be controlled Often now integrated with alarm systems and locks Based on a mix of various technologies (Zigbee, web services, mobile applications, wifi, x10, insteon ) Technologies focus on cost, not security 17 Example: WiFi Thermostat WiFi Risks: EncrypWon / DoS Cloud Risks: AuthenWcaWon Privacy Mobile Risks: AuthenWcaWon Privacy Device Loss 18 9

10 Example: Zigbee ( ) Wardriving hzp://travisgoodspeed.blogspot.com Zigbee wardriving Is about to become More mainstream 19 Zigbee Application in Home Automation Now used in home security and automawon Smart Home systems (Comcast, ADT ) 20 10

11 Cloud Security More data being entrusted to cloud environments shared tenant systems are hard to isolate from each other Cloud being used to storage and processing First public cloud vulnerabilities start to surface Dropbox authentication bypass Amazon XML signature vulnerability 21 Flashback: IPv6 We start seeing IPv6 exploits, intentional or not Spam via IPv6 Web Application Attacks DoS attacks Unintentional deplyment remains to be a big issue Some progress on defenses, but not enough awareness of problem 22 11

12 Flashback 2011: Cognitive Threats Remain to be one of the top infection vectors Not a day without new social networking ruse to get users infected More awareness from operators of social networks Some improvements in user awareness 23 What s Coming Next and Q&A 24 12