4 ivan buetler cyber_espionage

Ivan Bütler
Compass Security AG, Schweiz
Ivan.buetler@csnc.ch
CYBER
FACES Compass Security AG Tel.+41 55-214 41 60
Glärnischstrasse 7 Fax+41 55-214 41 61
Postfach 1628 team@csnc.ch
CH-8640 Rapperswil www.csnc.ch

Ethical Hacker / Penetration Tester

Gründer & CEO Compass Security AG
Lecturer @ University of Applied Science Rapperswil

Lecturer @ University of Applied Science Lucerne

Lecturer @ University of St.Gallen

Speaker @ BlackHat Las Vegas 2008
SmartCard (In) Security

Speaker @ IT Underground Warsaw 2009
Advanced Web Hacking

Speaker @ Swiss IT Leadership Forum Nice 2009
Cyber Underground

Founder of Swiss Cyber Storm Sec Conference

Board member of Information Security
Society Switzerland (ISSS)

Board member of Cyber Tycoons
Anti-Warfare Foundation

© Compass Security AG www.csnc.ch Slide 2

Agenda

Hacking 1x1

Hacking for Fun and Honor

Hacking for Profit

Hacking for Companies / Espionage

Hacking for States / Espionage

Hacking in a War

Conclusion


Hacking 1x1

Compass Security AG Tel.+41 55-214 41 60

Hacking 1x1

Attack Attack
Creation Exploitation

Hacker
Toolbox

Attack Attack
Improvement Maintenance


Hacking Targets


We are all „easy targets“

Source: Symantec Internet Security Threat Report, H1, 2005

Advisory is
published

Patch 54 days

Exploit 6 days

[3] ETHZ Stefan Frei 2009 (Dissertation): We found that exploit
availability consistently exceeds patch availability since 2000

Human Proxy – Illusion – Social Eng.


Direct Attack

Server Exploitation

BLOCKED

PASSED

BLOCKED


Indirect Attack (I)

Man in the Middle – Phishing


Indirect Attack (II)

Malware – Mobile Devices – W-LAN

PASSED


Drivers behind „Hacking“


Motivation for„Hacking“

Hacking for Fun Cyber Crime Cyber Espionage

Cyber Warfare


Hacking for Fun or Moral

Hacking not for commerce – but for fun or moral !


Joy Rider – Hacking for Honor


Moral Hacking


Hacking for Profit

Cyber Crime


Who is the Enemy?


Cyber Warfare


How to make Money?

Business Case of „Hackers“

Hacker-Tools Hacker-Services Trading
„Rent a BotNet“ Illegal Goods
„Spam the World“


Example: SQL Injection

Approach: Direct Attack
Impact: Credit Card Disclosure


SQL Introduction

Protocols

HTTPS
RMI

SQL


SQL Introduction

Protocols

HTTPS + SQL Hacker Code
RMI

SQL


Demo1: SQL Injection

Impact: Credit Card Disclosure


How to make Money? (1)

Market for anonymous trading is required !


Show: Video 1: Cyber Market


Trading of illegal goods

Dumps Stolen Credit Cards

Carders Provider of “Dumps”

Carding Using Dumps

WU Western Union

WMZ Web Money

WU Western Union

LR Liberty Reserve

CVVs Card Verification Value

Drops Remailing Location

Rippers CVV verification service


5000 Unexpired/Valid CC Dumps $2000
Money Rule: How to pay the illegal goods?

Payment with Liberty
Reserve


Liberty Reserve?

-> Internet Currency (anonymous)


Liberty Reserve as E-Currency

Both, seller and buyer need an LR account

The LR account is anonymous

Anonym Anonym


LR requires „Exchanger“

Real Money is exchanged into LR currency

Direct payment into LR account is not possible

More than 100 LR enabled banks (exchanger banks)

Trust



Money Mule and Money Laundry


Example PostFinance (Phishing)

Transaction with Money Mule


MELANI says ...

Response from Cyber Underground to MELANI request

Reference: Marc Henauer, Leiter Melani
ISSS St.Galler Tagung, 29. April 2010



Split Hacking from financial benefit


Splitting „Hacking“ and Financial Benefit

Financial
Hacking
Benefit


Example: XML Injection

Impact: Credential Disclosure


XML Einführung

Protokoll

HTTPS + XML
XML Query


XML Injection

Protokoll

HTTPS + XML Hacker Code
XML Parser
Attack


Demo2: XML Injection

Impact: Credential Disclosure


Cyber Espionage

They go after information ...


Who is the Enemy?


Cyber Warfare


How to rule the World


Example: USB Trojan

Approach: Indirect Attack
Impact: Advanced Persistent Threat


Virus Construction Toolkit

Covert Channel
Delivery with USB-Stick/CD-ROM

Attacker controls the
computer of the victim

Start via
Auto-Start

Company Network Internet


Demo3: USB Trojaner

Approach: Indirect Attack
Impact: Remote Control of Victim (RAT)
Access to files

Covert Channels I - Direkt

Simple Inside-Out Attack

Corporate LAN Internet

Direct Channels
ACK tunnel
TCP tunnel (pop, telnet, ssh)
UDP tunnel (syslog, snmp)
ICMP tunnel
IPSEC, PPTP


Covert Channels II - Proxified

Advanced Inside-Out Attack

LAN Proxy

Corporate LAN Internet

DMZ Proxy
Proxified Channels
Socks SSL tunnel
HTTP/S tunnel (payload of http = tunnel)
HTTP/S proxy CONNECT method tunnel
DNS tunnel
FTP tunnel
Mail tunnel


Advanced Persistent Threat



Agent
Zombie Host
Zombie Host
Agent
C&C Server

Agent

Zombie Host Zombie Host



Command & Control Communication

Client DNS Server
POLL

POLL

POLL

Command File

Commands

Commands Execute commands

1. POLL
2. GET FILE TO CLIENT
3. PUT FILE TO SERVER
4. EXECUTE @ CLIENT
5. EXIT CLIENT


APT Design Pattern

First Infection
Installation of a user-land virus or Trojan horse
The virus does not require local admin privileges
The virus talks back to the command & control server (C&C)
Get latest updates from C&C – very important!
If C&C is unreachable – self-destroy routine

Privilege Elevation
Elevate privileges with 0-day exploit
Keyboard Sniffer
Create encrypted storage
Evidence protection
Get latest updates
Send collected information - important
If C&C is unreachable – sleep for 90 days


What to do if we find out we are
compromized?

How to handle long-term attacks



Incident Handling – C&C Traffic Redirection
Agent
Zombie Host
Zombie Host
Agent
Redirect C&C Server
Update Service

Agent

Zombie Host Zombie Host

Problems!!! Updates are Anti-APT
Encrypted / Signed Zombie
Reverse Engineering required or C&C Host


US Report
Nov. 2008

China has an active cyber espionage program. Since China’s current
cyber operations capability is so advanced, it can engage in forms
of cyber warfare so sophisticated that the United States may be
unable to counteract or even detect the efforts. By some
estimates, there are 250 hacker groups in China that are
tolerated and may even be encouraged by the government to
enter and disrupt computer networks


Cyber War

Cyber is a new military domain of operations


USA: Cyber Command

On June 23, 2009, the Secretary of Defense directed the
Commander of U.S. Strategic Command to establish
USCYBERCOM.

Director of
NSA and
Commander
of Cybercom
http://www.defense.gov/cyber


USA: New Domain of Operations - Cyber

Land

Sea

Air

Space

Cyber

C⁴ISR (command and control, communications, computers,
intelligence, surveillance, and reconnaissance)


War Assets
Critical
Infrastructures


Schweiz
http://www.bevoelkerungsschutz.admin.ch/internet/bs/de/home/themen/ski/kritische_infrastrukturen.html


1) Cyber Attack: Government


2) Cyber Attack: Power and Energy


3) Cyber Attack: Trash Recycling


4) Cyber Attack: Finance


5) Cyber Attack: Health


7) Cyber Attack: IT & Telekommunikation


8) Cyber Attack: Nahrung


9) Cyber Attack: Public Security


10) Cyber Attack: Traffic & Transport


Cyber Defense in Switzerland?


Divisionär Kurt Nydegger

Er hat den Auftrag, eine
Auslegeordnung zu machen und
dem Bundesrat eine
Verteidigungsstrategie
vorzulegen. Die Aufgabe ist
komplex, denn das
Bedrohungsbild ist diffus.


Conclusion & Recommendations


Recommendations

Setup Basic Security (against Script Kiddies)

Identify critical assets which are essential for your business and
secure them very strict, even make them secure against internal
users (their computers could be compromized)

Test your security – Penetration Tests

Monitor your infrastructure day and night

Prepare yourself for an APT incident case. Think about how you
would monitor your perimeter network traffic, how to reverse-
engineer encrypted C&C traffic. How to communicate with your
employers, media, stakeholders, shareholders, management.


Discussion/Questions

Questions?!


Thank You – Ivan Bütler

Compass Security AG
Werkstrasse 20
P.O. Box 2037
CH - 8645 Jona SG
Switzerland

Tel. +41 55 214 41 60
Fax +41 55 214 41 61
team@csnc.ch
www.csnc.ch
ivan.buetler@csnc.ch


4 ivan buetler cyber_espionage

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Digicomp Academy AG

Mais de Digicomp Academy AG (20)

Último

Último (20)

4 ivan buetler cyber_espionage