Page 1

The Anatomy and Security of an Anonymous Operation
July 2012
Terry Ray – VP WW Security Engineering

Page 2

What is Anonymous?

Perception

“[Anonymous is] the first Internet-based superconsciousness.” —Chris Landers, Baltimore City Paper, April 2, 2008

Hacktivists fighting for moral causes.

The 99%.

Reality

“Anonymous is an umbrella for anyone to hack anything for any reason.” —New York Times, 27 Feb 2012

Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement and Vladimir Putin.

Anyone can be a target.

Page 3

The Plot

The attack took place in 2011 over a 25-day period.

Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.

10-15 skilled hackers; several hundred to thousands of supporters.

Page 4

How They Attack: The Anonymous Attack Anatomy

Page 5

Anonymous Attack on Customer Site: Web Application Protection Use Case

[Diagram: three-phase attack timeline]
Phase I: scanners such as Nikto
Phase II: Havij SQL injection tool
Phase III: LOIC application
Attack types labelled in the diagram: Technical Attack (two phases) and Business Logic Attack (one phase)
SecureSphere stopped all phases of the attack

Page 6

On the Offense

• Skilled hackers—This group, around 10 to 15 individuals per campaign, has genuine hacking experience and is quite savvy. Broad use of anonymizing services (aProxy & TOR).

• Nontechnical—This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.

Page 7

On the Defense

The deployment line was: network firewall, IDS, WAF, web servers, network anti-DoS and anti-virus.

Imperva WAF
+ SecureSphere WAF version 8.5, inline, high availability
+ ThreatRadar reputation (IP Reputation)
+ SSL wasn’t used; the whole website was in HTTP

Page 8

1. Recruiting and Communications

Page 9

Step 1A: An “Inspirational” Video

Page 10

Step 1B: Social Media Helps Recruit

Page 11

Setting Up An Early Warning System

Page 12

Example

Page 13

2. Recon and Application Attack

“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.” —Sun Tzu

Page 14

Step 1A: Finding Vulnerabilities

Tool #1: Vulnerability Scanners
Purpose: Rapidly find application vulnerabilities.
Cost: $0-$1000 per license.
The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)

Page 15

Hacking Tools

Tool #2: Havij
Purpose:
+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications.
Developed in Iran.

Page 16

Vulnerabilities of Interest

[Chart: number of alerts (#alerts, 0 to 4000) by date, Day 19 to Day 23, for Directory Traversal (DT), SQL injection (SQLi), DDoS recon and XSS]
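As an added illustration (not code from the talk or from Imperva), the Python below classifies constructed web-server log lines into the alert categories charted above (SQLi, DT, XSS, plus scanner user agents such as Nikto and Havij), counts them per day, and computes the share of attack alerts whose source is on a constructed anonymous-proxy list, the kind of check behind the IP-reputation figure cited later in the deck. The log format, the signatures and the IP list are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (not from the talk): source IP, day, request, user agent.
SAMPLE_LOG = """\
203.0.113.7 day19 "GET /index.php?id=1 HTTP/1.1" "Mozilla/5.0"
198.51.100.4 day19 "GET /index.php?id=1'%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" "Havij"
198.51.100.4 day19 "GET /cgi-bin/test.cgi HTTP/1.1" "Mozilla/5.00 (Nikto/2.1.5)"
198.51.100.9 day20 "GET /download?file=../../../../etc/passwd HTTP/1.1" "Mozilla/5.0"
203.0.113.7 day20 "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" "Mozilla/5.0"
198.51.100.4 day21 "GET /index.php?id=1%20OR%201=1 HTTP/1.1" "Havij"
"""
# Constructed reputation list standing in for an anonymous-proxy/TOR feed such as ThreatRadar.
ANONYMIZER_IPS = {"198.51.100.4", "198.51.100.9"}

LINE_RE = re.compile(r'^(\S+) (\S+) "(?:GET|POST) (\S+) [^"]*" "([^"]*)"$')
SIGNATURES = {  # checked against the URL-decoded request path
    "SQLi": re.compile(r"(?i)union\s+select|\bor\s+1=1|'\s*--|'\s*or\s"),
    "DT": re.compile(r"\.\./"),
    "XSS": re.compile(r"(?i)<script|javascript:|onerror\s*="),
}
SCANNER_UA = re.compile(r"(?i)nikto|havij|acunetix")

def classify(line):
    """Return (source_ip, day, category) for one line; category is None for clean traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, day, path, ua = m.groups()
    decoded = unquote(path)  # payloads arrive URL-encoded; match after decoding
    for name, rx in SIGNATURES.items():
        if rx.search(decoded):
            return ip, day, name
    return ip, day, "Scanner" if SCANNER_UA.search(ua) else None

def alert_counts(log):
    """Alerts per (day, category): the data behind a chart like the one above."""
    counts = Counter()
    for hit in map(classify, log.splitlines()):
        if hit and hit[2]:
            counts[(hit[1], hit[2])] += 1
    return counts

def anonymizer_share(log):
    """Fraction of attack alerts whose source IP is on the reputation list."""
    attacks = [h for h in map(classify, log.splitlines()) if h and h[2]]
    flagged = sum(1 for ip, _, _ in attacks if ip in ANONYMIZER_IPS)
    return flagged / len(attacks) if attacks else 0.0
```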

Page 17

Comparing to Lulzsec Activity

• Lulzsec was/is a team of hackers focused on breaking applications and databases.

• ‘New’ Lulzsec taking credit for recent attacks. Militarysingles.com.

• Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign.

• Lulzsec used: SQL Injection, Cross-site Scripting and Remote File Inclusion (RFI/LFI).

[Screenshot: RFI example against index.php]

Page 18

Lulzsec Activity Samples

1 infected server ≈ the power of 3000 bot-infected PCs
8000 infected servers ≈ the power of 24 million bot-infected PCs

Page 19

Automation is Prevailing

In one hacker forum, it was boasted that one hacker had found 5012 websites vulnerable to SQLi through automation tools.

Note:

• Due to automation, hackers can be effective in small groups – e.g. Lulzsec.

• Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites.

Page 20

US is the ‘visible’ source of most attacks

[Pie chart: visible source of attack traffic by country]
United States: 61.3%
Other: 19.2%
China: 9.4%
Sweden: 4.4%
France: 2.1%
Undefined: 2.1%
United Kingdom: 1.1%
Netherlands: share not legible

During the Anonymous attack, 74% of the technical attack traffic originated from anonymizing services and was detected by IP reputation.

Page 21

Mitigation: AppSec 101

Code Fixing

Dork Yourself

Blacklist + IP Rep

WAF

WAF + VA

Stop Automated Attacks

Page 22

3. Application DDoS

Page 23

LOIC Facts

Low Orbit Ion Cannon (LOIC)
Purpose:
+ DDoS
+ Mobile and Javascript variations

Other variations – HOIC, GOIC, RefRef

LOIC downloads
+ 2011: 381,976
+ 2012 (through May 10): 374,340
+ By June 2012, 2012’s downloads were already ~98% of 2011’s!

Page 24

Anonymous and LOIC in Action

[Chart: transactions per second (0 to 700,000) by date, Day 19 to Day 28, comparing Average Site Traffic with LOIC in Action]
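As an added example (not from the talk or from Imperva), the Python below builds a constructed stream of request events, derives the average site traffic in transactions per second, and flags the seconds and the sources where the rate exceeds a multiple of that baseline, the kind of spike the chart above shows while LOIC is in action. The event format, the thresholds and the block rule are assumptions.

```python
from collections import Counter, defaultdict

# Constructed (second, source_ip, path) events, not data from the talk:
# 100 seconds of light, varied traffic followed by a 10-second flood on one URL.
def build_sample():
    events = []
    for t in range(100):  # baseline: 3 requests per second from rotating clients
        for i in range(3):
            events.append((t, f"203.0.113.{(t + i) % 20}", f"/page{i}"))
    for t in range(100, 110):  # flood: 3 sources, 200 requests per second each
        for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
            events.extend((t, ip, "/") for _ in range(200))
    return events

def baseline_tps(events, until):
    """Average transactions per second over the seconds before `until` (the 'Average Site Traffic' line)."""
    return sum(1 for t, _, _ in events if t < until) / until

def detect_flood(events, baseline, factor=10, min_per_source=50):
    """Map each second whose total rate exceeds factor x baseline to the sources driving it."""
    per_sec = defaultdict(Counter)
    for t, ip, _ in events:
        per_sec[t][ip] += 1
    alerts = {}
    for t, by_ip in sorted(per_sec.items()):
        if sum(by_ip.values()) > factor * baseline:
            alerts[t] = sorted(ip for ip, n in by_ip.items() if n >= min_per_source)
    return alerts

def sources_to_block(alerts, min_seconds=3):
    """Sources flagged in at least `min_seconds` distinct seconds: candidates for a temporary block."""
    seen = Counter(ip for ips in alerts.values() for ip in ips)
    return {ip for ip, n in seen.items() if n >= min_seconds}

if __name__ == "__main__":
    ev = build_sample()
    base = baseline_tps(ev, 100)
    flood = detect_flood(ev, base)
    print(f"baseline {base:.1f} tps; flood seconds {sorted(flood)}; block {sources_to_block(flood)}")
```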

Page 25

Application DDoS

The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit. —The Hacker News, July 30, 2011

Page 26

But That Much Sophistication Isn’t Always Required

Page 27

But That Much Sophistication Isn’t Always Required

Meet your target URL

Page 28

4. Non-Mitigations

Page 29

I have IPS and NGFW, am I safe?

IPS and NGFWs do not prevent web application attacks.

+ Don’t confuse “application aware marketing” with Web Application Security.

WAFs at a minimum must include the following to protect web applications:

• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation

Page 30

I have IPS and NGFW, am I safe?

IPS and NGFWs do not prevent web application attacks.

+ Don’t confuse “application aware marketing” with Web Application Security.

However, IPS and NGFWs at best only partially support the items marked in red on the slide:

• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation

Page 31

Recent attacker targets…

Church of Scientology, Muslim Brotherhood, Zappos.com, MilitarySingles.com, Amazon, Austria Federal Chancellor, HBGary Federal, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Bay Area Rapid Transit, PayPal, Mastercard, Visa

Yahoo Voice, LinkedIn, Last.fm, Formspring, eHarmony, US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Egyptian Government, Itau, Banco de Brazil, US Senate, Caixa

How many of these organizations have AV, IPS and Next Generation Firewalls?

Why are the attacks successful when these technologies claim to prevent them?

Page 32

5. Demo