What is a Hacker?
“Originally, a hacker was anybody who tinkered with any kind of system, mechanical or electrical, in order to better understand how it worked. Today hackers are persons who create or modify computer software, typically with the goal of using software in a manner not intended by the original computer programmer” – Wikipedia
“A person who enjoys exploring the details of programmable systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.” – Wikipedia
Hacker Ethics
The Hacker Manifesto
An essay written by ‘The Mentor’ (born Loyd Blankenship) after his arrest in Jan 1986. Considered a cornerstone of hacker culture by hackers across the globe. States:
- Hacking is an alternative way to learn
- Often out of frustration/boredom created by the limitations of current society
- Expresses the satori of a hacker realizing his potential
- Hacking supersedes the selfish desire to exploit or harm other people
- Technology should be used to expand our horizons and to keep the world free
Hacker ethics are concerned primarily with sharing, openness, collaboration, and engaging in the Hands-On Imperative
The Reality in 2012
Malicious activity is increasing in:
- Volume
- Sophistication (TTP)
- Intensity and focus (APT)
Source: Verizon 2012 Data Breach Investigations Report
[Chart: time from initial penetration to data compromise (days) versus time to discovery (weeks)]
91% of breaches led to data compromise within “days” or less
79% of breaches took “weeks” or more to discover
The Reality in 2012
Response after compromise creates an undesirable foot-race
- The damage has already been done
Accept that we will never keep 100% of the attackers out
- The ‘fortress mentality’ is becoming obsolete
Move backwards in the “Kill Chain” to move the defensive wall out
- Requires rapid analysis of huge, real-time data sets
Kill Chain: Recon → Weaponize → Deliver → Exploit → Install → C2 → Action
Detection / Response
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him. - Sun Tzu, The Art of War
Hacking Methodology
Phase 1 – Passive Reconnaissance
Phase 2 – Active Reconnaissance
Phase 3 – Vulnerability Research
Phase 4 – Penetration
Phase 5 – Going Deeper
Phase 6 – Covering Your Tracks
Phase 1 & 2 – Reconnaissance
Phase 1 – Passive Recon
- Locations
- Policies, processes/attitudes
- Press releases, public sentiment
- Technology preferences/standards
- Financial information
Phase 2 – Active Recon (Scanning)
- Social engineering
- Network perimeter scans
- Topology mapping
- DNS Zone transfers
- Fire-walking
- Port Scanning
- Dumpster Diving
Gather anything and everything about the target
Phase 3 – Vulnerability Research
Use Well Known Vulnerabilities
- Useful to an extent
- Typically already patched
Buy 0-days from white- or black-market sources
- Expensive
- No Guarantees
- Can backfire!
Roll your own 0-day
- Time consuming
- Requires Highly Skilled Resources
- Creates a Dilemma
Responsible Disclosure – aka ‘Now What?’
Discover a new Vulnerability
- Accidental discovery
- Directed Research
Develop an exploit
- Usually build a proof of concept to verify and classify the vulnerability
Now What?
1. Sell the exploit to the highest bidder
2. Use the exploit
3. Full Disclosure
4. Inform CERT/CC
5. Sell the exploit to a white market vendor
Disclosure Debate
- Security through Transparency – Full public disclosure enables informed choice and keeps vendors on their toes wrt admitting to flaws and patching them.
- Security through Obscurity – Full public disclosure does not give anyone time to react to a security flaw whose details are now available to even the least sophisticated of attackers.
Responsible Disclosure attempts to find a middle ground
Phase 4 & Phase 5 – Penetration
Phase 4 – Penetration
Initial targets are typically low value assets
- Web servers
- VPN end points
- DMZ Networks
Phase 5 – Going Deeper
Pivot and move up the food chain
- Start attacking peers and higher value internal targets
- Admin credentials
- Password hash cracking
- Network devices – routers/switches/APs
- Peripheral devices – Printers, etc.
Phase 6 – Covering Your Tracks
Entrench and consolidate position
- Hidden accounts
- Back doors
- Robust C2 side channels
- Root Kits
- Steganography
The ARP protocol
Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37.
When computers communicate across a network, the sender sends an ARP packet asking who has or knows a particular IP address. This request is broadcast to everyone on the LAN and assumes the only response will be coming from the true owner of the IP address. The protocol has no ability to validate the authenticity of the response. Additionally, there is nothing in the ARP protocol that says one has to wait for a request before sending a response!
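The two gaps just described, answers that are never authenticated and answers nobody asked for, are exactly what a passive ARP monitor can watch for. The following Python is an added example and not part of the original presentation; it parses the RFC 826 packet layout, and the MAC and 192.0.2.x addresses in the trace are constructed sample data.

```python
import struct
from ipaddress import IPv4Address
ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 layout: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2

def parse_arp(pkt):
    """Decode a raw ARP packet (the Ethernet payload) into its fields."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sha": sha.hex(":"), "spa": str(IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(IPv4Address(tpa))}

class ArpMonitor:
    """Passive ARP inspection: flags replies nobody asked for and IPs that change owner."""
    def __init__(self):
        self.pending = set()   # IPs with an outstanding request
        self.table = {}        # IP -> MAC that last claimed it

    def feed(self, pkt):
        p, alerts = parse_arp(pkt), []
        if p["op"] == REQUEST:
            self.pending.add(p["tpa"])
        elif p["op"] == REPLY:
            ip, mac = p["spa"], p["sha"]
            if ip not in self.pending:          # ARP itself accepts this silently
                alerts.append(f"unsolicited reply: {ip} is-at {mac}")
            self.pending.discard(ip)
            old = self.table.get(ip)
            if old is not None and old != mac:  # the IP just moved to another MAC
                alerts.append(f"binding change: {ip} moved {old} -> {mac}")
            self.table[ip] = mac
        return alerts

def arp(op, sha, spa, tha, tpa):
    """Build an ARP packet as in-memory test data (constructed sample, nothing is transmitted)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

# Constructed trace: a host asks for the gateway, the gateway answers, then a third
# machine answers the same question although nobody asked again.
GATEWAY, HOST, ROGUE = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:99"
SAMPLE_TRACE = [
    arp(REQUEST, HOST, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    arp(REPLY, GATEWAY, "192.0.2.1", HOST, "192.0.2.10"),
    arp(REPLY, ROGUE, "192.0.2.1", HOST, "192.0.2.10"),
]

def run(trace):
    mon = ArpMonitor()
    return [a for pkt in trace for a in mon.feed(pkt)]
```

On real traffic the same logic runs over the ARP payload of each captured Ethernet frame; a sudden binding change for the default gateway is the signal worth paging on.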
IPv6 Timeline:
1998 – IPv6 standard is published (RFC2460)
2008 – Study indicates IPv6 penetration < 1% of internet enabled hosts
2011 – The last top level (/8) block of IPv4 addresses is assigned in Feb
2011 – 8th June, World IPv6 Day. Over 1000 websites participated in a 24-hour ‘test-flight’
2012 – 6th June. 2nd event, 10x the participation
2013 – Total global traffic @ 1.35%
IPv4 = 2^32 ~4.2 billion (4,294,967,296)
IPv6 = 2^128 ~340 undecillion (3.4x10^38) or 340,282,366,920,938,463,463,374,607,431,768,211,456
- Subnets are /64 – 4,294,967,296 x the size of the internet – good luck scanning for hosts!
- No broadcasts.
- Multicasts, but they are local only.
IPv6 was designed using security models that are over 14 years old...
IPv6 Addresses
- Groups of 2 octets each
- Separated by colons
- Leading zeros omitted
- Longest chain of :0:0: replaced with ::
Example: 2a01:2b3:4:a::1
IPv6 Headers
IPv6 is much simpler than IPv4...
- No Header Length
- No Identification
- No Checksum
- No Fragmentation
- No Options
- Every option is an extension header
- Fragmentation, IPSEC, Src Routing, Dest Options.
... In theory
- What happens if I repeat a header extension?
- What happens if I define conflicting options?
Packets can include all, some, or none of the extension headers.
Known IPv6 Vulnerabilities
[Chart: IPv6 Vulnerabilities (CVE) per year, 2002–2011]
Same old problems, and some new ones...
ARP Spoofing => ND Spoofing
- Attacker claims to be every system on the LAN
DHCP => Auto configuration
- Attacker can set any IP as the default route, define new network prefixes, DNS servers, etc.
Duplicate address detection DOS
- Attacker answers every NS query
Kick the default router
- Attacker spoofs an RA from the default router with 0 lifetime & sends their own RA. All hosts now use the attacker's IP
Many 3rd party firewall solutions fail open (do not support IPv6)
Most new OSes have IPv6 enabled by default (Vista and above, Linux, OSX, etc)
- If both stacks are configured, most OSes will route traffic over IPv6 in preference to the IPv4 stack
- Configuring an IPv6 stack is as simple as sending out an RA multicast packet to the local LAN
RA Flooding – DOS attack
- Attacker floods the network with RA packets. Cisco ASA, Windows Vista/7/2008, Cisco IOS (recently fixed: CSCti24526, CSCti33534), Linux (pre 2.6.37) are vulnerable
Little to no IPv6 monitoring on LANs
- Detected 17 IPv6 devices at my local coffee shop, not bad given the company does not officially support IPv6!
- IPv6 is a side channel today
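A host-side check for the three RA abuses listed above (RAs from an unknown router, the zero-lifetime "kick the default router", and RA flooding), written as an added example that is not from the original presentation. It decodes the fixed part of the ICMPv6 Router Advertisement defined in RFC 4861; the router MAC addresses and the packet trace are constructed, and the checksum in the constructed packets is left at zero.

```python
import struct
from collections import deque
ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
RA_FIXED = "!BBHBBHII"   # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans

def parse_ra(icmp):
    """Decode the 16-byte fixed part of an ICMPv6 RA; None if the message is not an RA."""
    if len(icmp) < 16:
        return None
    typ, code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack(RA_FIXED, icmp[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        return None
    return {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            "lifetime": lifetime, "options": icmp[16:]}

class RaGuard:
    """Flags RAs from unknown routers, zero-lifetime withdrawals, and RA floods."""
    def __init__(self, router_macs, max_per_sec=5):
        self.routers, self.max_per_sec, self.recent = set(router_macs), max_per_sec, deque()

    def inspect(self, ts, src_mac, icmp):
        ra, alerts = parse_ra(icmp), []
        if ra is None:
            return alerts
        if src_mac not in self.routers:
            alerts.append(f"rogue RA from {src_mac} (lifetime {ra['lifetime']}s)")
        if ra["lifetime"] == 0:   # legitimate only when a router is really being decommissioned
            alerts.append(f"RA from {src_mac} withdraws default router (lifetime 0)")
        self.recent.append(ts)
        while self.recent and ts - self.recent[0] >= 1.0:   # one-second sliding window
            self.recent.popleft()
        if len(self.recent) > self.max_per_sec:
            alerts.append(f"RA flood: {len(self.recent)} RAs in the last second")
        return alerts

def ra_bytes(lifetime, hop_limit=64):
    """Constructed RA for test input only (checksum left zero; nothing is sent)."""
    return struct.pack(RA_FIXED, ND_ROUTER_ADVERT, 0, 0, hop_limit, 0, lifetime, 0, 0)

ROUTER, ROGUE = "00:11:22:33:44:55", "de:ad:be:ef:00:99"   # constructed MACs
SAMPLE_TRACE = [(0.0, ROUTER, ra_bytes(1800)),   # normal periodic RA
                (0.5, ROUTER, ra_bytes(0)),      # "the router" says it is gone
                (0.6, ROGUE, ra_bytes(1800))]    # a new default router appears
SAMPLE_TRACE += [(1.0 + i / 100, ROGUE, ra_bytes(1800)) for i in range(8)]   # burst

def run(trace, routers=(ROUTER,)):
    guard = RaGuard(routers)
    return [a for ts, mac, pkt in trace for a in guard.inspect(ts, mac, pkt)]
```

The zero-lifetime check fires even when the source MAC matches the real router, because that is precisely how the spoofed withdrawal looks on the wire; correlate it with the next RA from a different source before trusting either.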
IPv6 is still an immature technology!
Trends
Industry Trends
- Increasing rates of product & service delivery
- Increasing rate of new potential attack surfaces
- Diminishing product & service lifespan
- Lower tolerance for hardening (security testing & controls)
- Dissolving network boundaries
- Partners, cloud services, mobile devices, BYOD programs, etc.
- Signature based controls are rapidly becoming ineffective (IPS, AV, etc).
TELUS
- 7.5M Mobile & 1.4M HSIA Customers
- Poor endpoint security + High-speed networks + High end CPUs + Personal Data = High value Targets
- Super Data Centers
What’s Next?
Ultra high density, on demand compute fabric
- Cloud Computing
High-speed mobile devices
- LTE (4G) cellular network
- 326 Mb/s down, 85 Mb/s up
- Cloud based mobile thin clients
Advanced Persistent Threats
- High stealth, sophisticated attack vectors
- Nation-state, criminal organizations
- Low-speed, high stealth, steganographic data egress
Intelligent Threat Mitigation Platforms
- Big Data based threat detection and prevention
- Static code analysis & execution watchdogs
- Anomaly detection engines
- Behavioural Modelling
- Global Threat Intelligence Communities