White hat Cases of the year 2015 TOP-10 Maxim Avdyunin

Examples of Advanced Monitoring's work in 2015


Page 1: Examples of Advanced Monitoring's work in 2015

White hat

Cases of the year 2015: TOP-10

Maxim Avdyunin

Page 2

LLC Advanced Monitoring

Corporate Group

Page 3

Advanced Monitoring

Criminal Code of Russia. Article 272. Illegal Accessing of Computer Information.

Criminal Code of Russia. Article 273. Creation, Use, and Dissemination of Harmful Computer Viruses

Criminal Code of Russia. Article 274. Violation of Rules for the Operation of Computers, Computer Systems, or Their Networks

vs

We are the white hat hackers!

Page 4

Ministry of Information Development and Communications of the Perm Territory

The Federal Service for State Registration, Cadastre and Cartography (Rosreestr)

Khabarovsk Territory government

JSC Russian Railways

PJSC «Uralkali»

etc.

Customer List

Page 5

Information Security Audit

Software Security Audit

Penetration Testing

Software Development

IS Incident Monitoring

Digital Forensics

Competitive Intelligence

Page 6

Our arsenal

Network Scanners

IP-Tools

nmap

Vulnerability Scanners

MaxPatrol

Nessus

Traffic Analyzers

Wireshark

Intercepter-ng

Ettercap-ng

GigaStor

Tcpdump

Web Vulnerability Scanner

Acunetix

Burp Suite

Nikto

arachni

sqlmap

Exploit frameworks

Metasploit

Online databases: 0day.today, rapid7.com, exploit-db.com

Static Analyzers

PVS-Studio

Cppcheck

Clang

SonarQube

Disassemblers / Debuggers

IDA

OllyDbg

WinDbg

Immunity Debugger

GDB

Brute force software

hydra

John the Ripper

hashcat

Developer tools

Visual Studio

Eclipse

IDLE

Page 7

Cases of the year: Top 10

Page 8

Case 1/10 «Bad news»

Client

Government contractor

Task and setting

Perform a black box penetration testing

Work done

A spear-phishing attack on the client's personnel was performed using two “news” e-mails, about parking fees and pensions, each containing a web link to a script that captured user authentication information

Page 9

Case 1/10 «Bad news»

Results

More than half of the staff followed at least one of the links

Nobody reported the suspicious e-mails to the client's Information Security Department

The client's IT infrastructure was fully compromised during the testing

The Information Security Department's activity was logged, and the log was included in the final report

Page 10

Case 2/10 «Leaky front-end»

Client

Large governmental organization

Task and setting

Perform an information security audit of a client-server sales system

Work done

The client terminal was reverse engineered, its web interface was examined with tooling, and penetration testing and fuzzing of its server components were performed

Page 11

Case 2/10 «Leaky front-end»

Results

A fuzzing procedure that reliably caused server malfunction was developed

A variety of vulnerabilities were found in the client software. Those vulnerabilities could allow an attacker to:

o Tamper with the information on the client
o Send modified data to the server
o Clone client terminals

Page 12

Case 3/10 «Shakespearean tragedy»

Client

A theater

Setting

A leak of confidential financial information about the director's salary

Its publication on the Internet

Backlash from Client’s personnel

Task

Find the source of the leak and people responsible

Page 13

Case 3/10 «Shakespearean tragedy»

Work done

The leaked materials were analyzed and a list of potential culprits was created

Data from their computers was copied and examined

The source data was searched for in the file archives and potential leakage paths were determined

Results

The leakage sources were identified and recommendations for closing them were made

Client was given a list of suspects

Page 14

Case 4/10 «Blowing the lid off»

Client

Shipment tracking information provider

Task and setting

Some websites were offering for sale information distributed by our client, without any legal right to do so. The task was to find out how they obtained the information and, if possible, to deanonymize them

Work done

To complete the task, open source intelligence research was performed and the sites of interest were analyzed with tooling

Page 15

Case 4/10 «Blowing the lid off»

Results

The following information has been acquired:

The list of people affiliated with the web resources in question

Their personal and contact information, social relations, etc.

Confidential information, legal documents in particular

Page 16

Case 5/10 «Watchmen»

Client

Large IT-Company

Task and setting

The client asked Advanced Monitoring to develop an information security incident monitoring system for its network and protocols for on-the-spot incident response, and to create corresponding rules for the corporate intrusion detection system.

Work done

Advanced Monitoring has established an Information Security Operation Center (AM ISOC)

Page 17

Case 5/10 «Watchmen»

AM ISOC was integrated with the client's network infrastructure and AM's tool base (network scanners, traffic analyzers, etc.)

Detection and response protocols were established and tested in a “combat environment”

Results

During a five-month period:

29 information security incidents were detected and handled

34 signatures for the client's IDS were developed

Page 18

Case 6/10 «The Star-Spangled Scare»

Client

Large IT-company

Task and setting

Investigate an incident that took place in the client's network

Work done

Monitoring of the client's network showed an attempted ShellShock attack.

The client's resources were not vulnerable to the attack and no harm was done.

Attack analysis showed that the intruder had been sending requests in search of vulnerable resources from San Antonio, US.

Page 19

Case 6/10 «The Star-Spangled Scare»

Connecting to the Command & Control server for observation purposes showed that about 300 victims had been successfully attacked and “zombified”.

One of the infected IP addresses turned out to belong to a Russian hosting provider, «Radiosvyaz».

Among the services hosted on that IP, an e-mail server operating the mail domain of a large regional generation company was found. As it turned out, it had been hacked by our intruder.

Results

The owners of the server were informed of the compromise of their web resource and its use as part of a botnet.
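The monitoring side of this case, as an added example that is not part of the original deck or of Advanced Monitoring's tooling: a small scanner that runs over web-server access logs in the common "combined" format and flags requests whose attacker-controlled header fields carry the bash function-definition prefix `() {`, the marker every ShellShock probe has to send. The log lines, addresses and probe strings below are constructed for the example; the field names and the regular expressions are my own choices.

```python
import re
from collections import Counter

# Constructed sample lines in the "combined" web-server log format. Addresses,
# timestamps, paths and user agents are invented for this example; the only
# real detection key is the bash function-definition prefix "() {" placed in
# an HTTP header, which is how a ShellShock probe reaches a CGI handler.
SAMPLE_LOG = r'''
192.0.2.10 - - [10/Oct/2015:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-probe"
198.51.100.7 - - [10/Oct/2015:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [10/Oct/2015:13:55:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 200 "() { :;}; /bin/true" "curl/7.35.0"
203.0.113.5 - - [10/Oct/2015:13:56:02 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0 (Windows NT 6.1)"
'''

# One "combined" log line: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bash function-definition prefix "() {" with arbitrary whitespace between the tokens.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def shellshock_fields(entry):
    """Names of the attacker-controlled fields that carry the ShellShock marker."""
    return [f for f in ("request", "referer", "ua") if SHELLSHOCK_RE.search(entry[f])]


def scan_log(text):
    """Return one finding per log line whose headers carry the ShellShock marker."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:          # blank or unparseable line: skip, do not crash
            continue
        hits = shellshock_fields(entry)
        if hits:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "request": entry["request"], "fields": hits})
    return findings


def attempts_per_source(findings):
    """Count probing attempts per source address, for blocking or reporting."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['request']!r} marker in {', '.join(f['fields'])}")
    print("attempts per source:", dict(attempts_per_source(found)))
```

A patched server returns nothing useful to such a probe, which is exactly the situation in the case above, but the attempt itself is still worth logging: the source address and the request rate are what let you tell a single scanner sweep from a campaign, and the same marker is what an IDS signature for the client's sensors would match on.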

Page 20

Case 7/10 «Booky buccaneers»

Client

Electronic publisher

Task and setting

Perform a security audit of the client application of an e-book distribution platform. Check the possibility of book theft.

Work done

Within the framework of the project, the Android, iOS and Windows 8.1 versions of a client application for e-book download and reading were reverse engineered. The research also included checking for traffic interception possibilities, for the risk of unauthorized access to copyrighted material.

Page 21

Case 7/10 «Booky buccaneers»

Results

Three client application vulnerabilities were found and exploited

Unauthorized access to distributed content and account data was gained

One server application vulnerability was found

A set of remedial measures for the vulnerabilities found, and suggestions for increasing the platform's overall security, were proposed

Page 22

Case 8/10 «USB maneuvers»

Client

A large industrial company

Task and setting

An industrial facility dealing with national security information turned to Advanced Monitoring to plan and organize information security maneuvers: “infected” USB drives were scattered on the client's premises, and information about their usage was collected after they were connected to a computer.

Page 23

Case 8/10 «USB maneuvers»

Work done and results

AM developed USB flash drive firmware suitable for a BadUSB attack, which enabled emulation of two different devices once the specially flashed drive was connected to a computer. In the course of the attack, the device emulating a keyboard sent a sequence of keystrokes that ran a script (undetectable by antivirus software) on the victim's machine.

In this case the potentially malicious script only sent information about the flash drive's usage to a LAN server.

Page 24

Case 9/10 «Wireless mayhem»

Client

Large IT-company

Task and setting

Check Client’s office space in order to detect unauthorized Wi-Fi hotspots.

Page 25

Case 9/10 «Wireless mayhem»

Work done

A methodology using a laptop, a Wi-Fi antenna and special software was created.

Using this methodology, the client's office space was systematically examined.

A Wi-Fi signal map was built and all sources of the signal were found.

Results

The client's office space of 30 rooms on two floors of the building was checked for hotspots. 10 legal and 25 illegal hotspots were found.
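The classification step of such a survey, as an added example that is not part of the original deck or of Advanced Monitoring's methodology: observations taken room by room (room, BSSID, SSID, signal strength) are grouped per access point, each AP is placed in the room where it was heard strongest, and it is then checked against an inventory of sanctioned BSSIDs. An unsanctioned AP that broadcasts one of the organisation's own SSIDs is singled out separately, since it is the case that matters most for credential capture. The survey rows, the allowlist and the SSID names are constructed for the example; the verdict labels and function names are my own.

```python
from collections import defaultdict

# Constructed survey observations: (room, BSSID, SSID, RSSI in dBm), as a
# laptop with an external antenna would record them while walking the floor.
# All values are invented for this example.
SURVEY = [
    ("201", "00:11:22:33:44:01", "CorpNet", -45),
    ("202", "00:11:22:33:44:01", "CorpNet", -60),
    ("201", "00:11:22:33:44:02", "CorpNet", -70),
    ("203", "00:11:22:33:44:02", "CorpNet", -40),
    ("105", "AA:BB:CC:DD:EE:01", "AndroidAP", -35),
    ("106", "AA:BB:CC:DD:EE:01", "AndroidAP", -65),
    ("107", "aa-bb-cc-dd-ee-02", "CorpNet", -50),
    ("108", "AA:BB:CC:DD:EE:03", "TP-LINK_1234", -55),
]

# Hypothetical inventory of sanctioned access points (by BSSID) and the SSIDs
# the organisation itself broadcasts.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORPORATE_SSIDS = {"CorpNet"}


def normalize_bssid(bssid):
    """Canonical form so 'aa-bb-cc-...' and 'AA:BB:CC:...' compare equal."""
    hexdigits = bssid.replace("-", "").replace(":", "").replace(".", "").upper()
    if len(hexdigits) != 12:
        raise ValueError(f"malformed BSSID: {bssid!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def aggregate(survey):
    """Group observations per BSSID and remember the room where it was strongest."""
    aps = {}
    for room, bssid, ssid, rssi in survey:
        key = normalize_bssid(bssid)
        ap = aps.setdefault(key, {"ssids": set(), "rooms": set(),
                                   "best_room": None, "best_rssi": -1000})
        ap["ssids"].add(ssid)
        ap["rooms"].add(room)
        if rssi > ap["best_rssi"]:          # higher dBm = stronger = closer
            ap["best_rssi"], ap["best_room"] = rssi, room
    return aps


def classify(aps, authorized, corporate_ssids):
    """Label each AP 'authorized', 'rogue', or 'evil-twin' (rogue AP using a corporate SSID)."""
    authorized = {normalize_bssid(b) for b in authorized}
    verdicts = {}
    for bssid, ap in aps.items():
        if bssid in authorized:
            verdicts[bssid] = "authorized"
        elif ap["ssids"] & corporate_ssids:
            verdicts[bssid] = "evil-twin"
        else:
            verdicts[bssid] = "rogue"
    return verdicts


def survey_report(survey, authorized, corporate_ssids):
    """Counts per verdict plus a per-AP listing, with unsanctioned APs listed first."""
    aps = aggregate(survey)
    verdicts = classify(aps, authorized, corporate_ssids)
    counts = defaultdict(int)
    for v in verdicts.values():
        counts[v] += 1
    rows = sorted(
        ({"bssid": b, "verdict": verdicts[b], "ssids": sorted(ap["ssids"]),
          "best_room": ap["best_room"], "best_rssi": ap["best_rssi"]}
         for b, ap in aps.items()),
        key=lambda r: (r["verdict"] == "authorized", r["bssid"]),
    )
    return {"counts": dict(counts), "aps": rows}


if __name__ == "__main__":
    report = survey_report(SURVEY, AUTHORIZED_BSSIDS, CORPORATE_SSIDS)
    print("counts:", report["counts"])
    for r in report["aps"]:
        print(f"{r['verdict']:10} {r['bssid']} {','.join(r['ssids']):14} "
              f"strongest in room {r['best_room']} ({r['best_rssi']} dBm)")
```

Keying on BSSID rather than SSID is deliberate: anyone can name a hotspot after the corporate network, so the inventory has to hold the hardware addresses of the sanctioned APs, and the "strongest room" column is what turns a list of addresses into something a facilities team can walk to.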

Page 26

Case 10/10 «AM — the Privacy Protector»

Client

Large IT-company

Task and setting

Check whether Windows 10 really spies on users

Make a list of recommendations to disable such functionality

Page 27

Case 10/10 «AM — the Privacy Protector»

Work done and results

The available recommendations were collected, checked (with Wireshark) and improved.

A specialized tool for selective implementation of those recommendations was developed.

Results

An installation image with all recommendations applied was made and given to the Client

The software developed was published openly: http://amonitoring.ru/cc/program/am-privacy-protector-w10/

Our experience and all the recommendations were also published: www.anti-malware.ru/analytics/Threats_Analysis/Windows_10_Threshold_2