
Anatomy of Ownage: The painful lessons learned by others

Presentation Transcript


  1. Anatomy of Ownage: The painful lessons learned by others
     Matt Linton, IT Security Specialist, NASA Ames Research Center

  2. Overview
     - Schadenfreude
     - Optimism Bias
     - HBGary vs Anonymous
     - Sony, Inc. vs The Internet
     - ??????? vs RSA Security
     - ??????? vs Iran Nuclear Enrichment Program
     Anatomy of Ownage—2—

  3. Schadenfreude
     Schadenfreude is “pleasure derived from the misfortunes of others”, i.e. “Wow, I'm glad I'm not those guys right now.”

  4. Schadenfreude
     Just to be clear: we're not happy they got hacked. We are happy we're not them. But ditch your optimism bias for a moment, because it can happen to us too.

  5. OPTIMISM BIAS
     “The demonstrated, systematic tendency for people to be overly optimistic about the outcome of planned actions.”
     Symptoms include:
     - Over-estimating the likelihood of positive events
     - Under-estimating the likelihood of negative events
     - Illusion of control
     - Illusion of superiority

  6. OPTIMISM BIAS

  7. Ding, ding! Round 1.....

  8. HBGary vs Anonymous

  9. HBGary vs Anonymous
     SETTING THE STAGE: HBGary Federal needs positive press to grow and decides to capitalize on the controversy surrounding Anonymous's defense of Wikileaks. CEO Aaron Barr issues press releases taunting Anonymous, claiming to have identified its members and threatening to expose them to law enforcement. Internally, his staff warns him that this is a bad idea and that his data is wrong, but he persists.

  10. HBGary vs Anonymous
     The Damage:

  11. HBGary vs Anonymous
     The Damage:
     - Company servers penetrated
     - Internal company emails (incl. potential evidence of criminal activity by the company) leaked to the public
     - All of Barr's emails leaked to the public
     - Barr's iPad remotely wiped
     - Company data erased
     - Company backups erased too
     - General humiliation of the company

  12. HBGary vs Anonymous
     The vector:
     - Attackers compromised the company's public-facing CMS with SQL injection (SQL injection)
     - Attackers used rainbow tables to reverse the unsalted MD5 password hashes from the CMS (bad password storage)
     - Attackers used those passwords to log into the company's bastion hosts (single-factor auth)
     - Attackers used an unpatched local exploit to escalate privileges to root (unpatched system) (see next slide)

  13. HBGary vs Anonymous
     - Attackers used the CEO's and COO's passwords to gain entry to their Google Mail (SaaS) accounts (password re-use, simple passwords)
     - Attackers reset the Gmail password of Greg Hoglund, CEO of the parent company and owner of rootkit.com
     - Using Hoglund's email, attackers socially engineered a support tech into disclosing the root password on rootkit.com (poor general practice)

  14. HBGary vs Anonymous
     HOW NOT TO GET OWNED LIKE THIS:
     - Follow OWASP guidance to check for and prevent SQL injection
     - Salt your hashes! Hash without salt is just potatoes.
     - Perform social engineering / phishing awareness training
     - Hold leadership to the same best-practice standards as everyone else
     - Do NOT re-use passwords in multiple locations

  15. Ding, ding! Round 2.....

  16. Sony, Inc. VS The Internet

  17. Sony, Inc. VS The Internet
     SETTING THE STAGE: Sony locks Linux hackers out of the PS3 via a firmware update, angering geeks who bought a PS3 to install Linux. George Hotz (GeoHot) finds a way to work around the firmware update and informs the community. Sony sues GeoHot. PS3 hackers and Anonymous issue a call to action in defense of GeoHot.

  18. Sony, Inc. VS The Internet
     The Damage:
     - 20 hacks in 5 weeks, by 5+ different groups, in 4+ countries
     - PS3 Network (now required to play any games) shut down for weeks, angering all legitimate customers
     - > $300 million in losses to Sony for the PS3N outage + incident response costs

  19. Sony, Inc. VS The Internet
     The Damage:
     - 70 million customer credit cards lost
     - 24 million customers' personal information lost
     - 11 thousand customers' bank information lost
     - Millions of customers' email addresses + passwords lost
     - And the stock price for the company?

  20. Sony, Inc. VS The Internet

  21. Sony, Inc VS The Internet
     Common vectors and mistakes (see: http://attrition.org/security/rants/sony_aka_sownage.html):
     - SQL injection, leading to compromise of....
     - Passwords stored in plaintext
     - User information stored unencrypted in accessible databases
     - Sony ignored reports of vulnerabilities on several disclosure lists
     - Reportedly no firewalls, and old Apache versions, on several of their developer networks
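The two mistakes shared by the HBGary and Sony cases (slides 12, 14 and 21), string-built SQL and unsalted or plaintext password storage, side by side with their fixes. This is an added example written for this transcript, not code from the talk or from either company; the in-memory user table and the sample password are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample store: two accounts sharing the password "password1",
# stored the HBGary way (unsalted MD5) so the weakness can be shown.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, md5 TEXT)")
    for name in ("ceo", "coo"):
        db.execute("INSERT INTO users VALUES (?, ?)",
                   (name, hashlib.md5(b"password1").hexdigest()))
    return db

def find_user_vulnerable(db, name):
    # String-built SQL, as in the compromised CMS: the caller's input is
    # spliced into the statement and parsed as SQL.
    row = db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchone()
    return row[0] if row else None

def find_user_safe(db, name):
    # Parameterised query: the input is bound as data, never as SQL.
    row = db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def unsalted_hashes_collide(db):
    # Unsalted MD5: identical passwords give identical hashes, so one
    # precomputed (rainbow) table cracks every matching account at once.
    hashes = {h for (h,) in db.execute("SELECT md5 FROM users")}
    return len(hashes) == 1

def hash_password(password, salt=None, iterations=200_000):
    # Per-user random salt defeats shared lookup tables; the iteration
    # count of PBKDF2-HMAC-SHA256 makes each offline guess expensive.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```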

  22. Ding, ding! Round 3.....

  23. RSA Security vs ??????

  24. RSA Security vs ??????
     SETTING THE STAGE: RSA Security owns the “SecurID” product, a two-factor token that is very popular with governments and the defense industry for protecting critical data and systems. Somewhere deep within RSA is a set of secret seed numbers which, if known, defeat all the security afforded by the SecurID token. Guess what happens next?

  25. RSA Security vs ??????

  26. RSA Security vs ??????
     The Damage:
     - RSA's secret seed database is compromised
     - Lockheed-Martin and others have been compromised as well, directly related to their RSA keys
     - Unknown damage yet to be discovered

  27. RSA Security vs ??????
     The vector:
     - Attackers sent a crafted Excel spreadsheet titled “2011 recruitment plan” to select company insiders (phishing)
     - Attackers embedded a zero-day Adobe Flash exploit in the Excel spreadsheet (Adobe Flash)
     - Using the administrative privileges gained through the zero-day, attackers installed the “Poison Ivy RAT” tool to access systems remotely
     - From those systems they sniffed and explored the internal network (local network trust issues)
     - Once they escalated to the keystore, they stole the keys

  28. RSA Security vs ??????
     HOW NOT TO GET OWNED LIKE THIS:
     - Train users about phishing, AND test them
     - Reconsider whether your users really NEED things like Flash, PDFs with active code embedded, etc., and disable them if you can
     - Reconsider whether end users really NEED administrative-level access to their operating systems
     - Employ multiple trust zones within your networks, and SECTION OFF critical areas of the company from administrative networks
     - Discourage, prevent & prohibit password re-use among said zones

  29. RSA Security vs ??????
     PART TWO... Shortly thereafter, US defense contractor Lockheed-Martin was broken into. Compromised RSA SecurID token values comprised part of the attack!
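Why a stolen seed database (slides 24, 26 and 29) defeats the token: the server and the token hold nothing but a shared seed, so anyone holding a copy computes the same one-time codes, and only reissuing seeds closes the hole. This is an added illustration, not RSA's code; SecurID's own algorithm is proprietary and time-based, so the RFC 4226 HOTP counter-based scheme stands in for it here, and the serial number and seeds are constructed.

```python
import hashlib
import hmac
import os
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    # dynamic truncation to a `digits`-digit decimal code.
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TokenServer:
    # Authentication server side: holds each token's seed (the "seed
    # database" of the talk) and a small look-ahead window so a token
    # pressed a few times without logging in still synchronises.
    def __init__(self, seeds, window=5):
        self.seeds = dict(seeds)            # token serial -> seed bytes
        self.counters = {s: 0 for s in seeds}
        self.window = window

    def verify(self, serial, code):
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        start = self.counters[serial]
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(seed, c), code):
                self.counters[serial] = c + 1   # consumed: a replay is rejected
                return True
        return False

    def reissue(self, serial, seed=None):
        # Remediation after a seed-database breach: a fresh seed makes every
        # code derived from the stolen copy worthless. `seed` is a test hook.
        self.seeds[serial] = seed or os.urandom(20)
        self.counters[serial] = 0
        return self.seeds[serial]
```

The point of the demo is the symmetry: the token proves nothing except possession of the seed, so whoever holds the seed database holds every token.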

  30. Ding, ding! Round 4.....

  31. Iran vs ?????

  32. Iran vs ?????
     SETTING THE STAGE: Iran grows dangerously close to bringing online the country's first nuclear fuel enrichment center. Many countries suspect it is not for peaceful use. In March of 2010, power plant operators and industrial centers began reporting a strange computer worm that had penetrated their SCADA control systems.

  33. Iran vs ?????
     SETTING THE STAGE: Unlike most computer worms, this one didn't seem to DO anything, just hang around. Deeper research into the worm revealed that it was very advanced and appeared to attack only SCADA systems with very specific characteristics. Then, without explanation, Iran's nuclear enrichment activity ground to a halt.

  34. Iran vs ?????
     The Damage:
     - Computers in a dozen countries were infected but remained operational
     - 60% of the computers worldwide infected with Stuxnet were in Iran
     - The Bushehr and Natanz enrichment facilities in Iran were knocked offline and valuable equipment destroyed

  35. Iran vs ?????
     The Vector:
     - Stuxnet first infected Iranian SCADA systems via a USB stick carried into the plant by a Russian contractor
     - Utilizing an exploit 'warhead' of four embedded Windows zero-days, Stuxnet spread among the SCADA systems
     - Targeting only systems which matched the vendor, manufacturer and configuration characteristics of nuclear fuel centrifuges (the 357 and 415 payloads)
     - Stuxnet would lie in wait until the optimal time to disrupt enrichment activity & destroy industrial equipment

  36. Iran vs ?????
     HOW TO KEEP FROM GETTING OWNED LIKE THIS:
     - SCADA systems are built with incredibly weak host-level controls. This is their nature.
     - Strictly separate SCADA networks from the world and do not provide an internet route
     - Strictly control the interfaces on which SCADA network configuration and operation are performed
     - Carefully audit any incoming media
     - Watch your optimism bias!!

  37. RSA Security vs ??????
     Q&A, Criticism, Flames, & Heckling
     matt@nasa.gov
     mattatnasa

  38. RSA Security vs ??????
     OK, so I blew through the slides and still need something to talk about. How about a little Jerry Springer?

  39. LIGATT vs LIGATT?

  40. LIGATT vs LIGATT?
     SETTING THE STAGE: Gregory D. Evans founds LIGATT Security and begins referring to himself as the “World's #1 hacker”. Evans was previously convicted of fraud and served 2 years in prison. Despite this and a lack of credentials, he begins media tours. His charisma earns him a welcome spot in the news media, which he relishes.

  41. LIGATT vs LIGATT?
     LIGATT's first product is a re-skinned and re-branded copy of Nmap; his latest book is reportedly 99% plagiarized. Critics on Twitter begin pointing this out, and discussion ensues among the authors of the (allegedly) plagiarized content. A website, ligattleaks, is formed to chronicle the mis-statements. Gradually a picture is painted of a media-savvy but technically incompetent man. So, this happens:

  42. LIGATT vs LIGATT?

  43. LIGATT vs LIGATT?
     THEN THIS HAPPENS:

  44. LIGATT vs LIGATT?

  45. LIGATT vs LIGATT?
     SO WHAT HAPPENED?

  46. LIGATT vs LIGATT?
     - A LIGATT insider became a public whistleblower, exposing all of the company's internal email (as well as Evans') to the Full-Disclosure mailing list
     - Details of internal company politics, harassment, and (alleged) investigations into employees' personal lives by private detectives were among the leaked documents

  47. LIGATT vs LIGATT?
     Evans, who until then had been a constant presence on news media programs, began to be the subject instead of the expert commentator. Feb. 2011: CBS News runs a series, “Hacker or Hoax”, laying out the internet's charges against Evans.

  48. LIGATT vs LIGATT?
     Signs you may be headed down his path:
     - You start referring to yourself as “World's #1” at something, without a gold medal to back it up.
     - Your first instinct when facing criticism is to call your lawyer
     - The hackers that people make fun of are making fun of you.
     - Your own employees are considering whistleblowing about you. On Twitter.
     I'm sure you can figure out how to avoid the above......

  49. LIGATT vs LIGATT?
     Sources:
     - http://www.youtube.com/watch?v=O3Ms8UZnOoA
     - http://en.wikipedia.org/wiki/Stuxnet
     - http://www.youtube.com/watch?v=scNkLWV7jSw
     - http://attrition.org/errata/charlatan/gregory_evans/
     - http://attrition.org/security/rants/sony_aka_sownage.html
     - http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/
