CarolinaCon 2012 notesdump - badgerblog
May 13th, 2012
02:48 pm

CarolinaCon 2012 notesdump
Slightly redacted notes from Friday and Saturday's CarolinaCon 8 / 2012. Short version: Well worth it.


----
sql injection and buffer overflow cocktails at the bar

CarolinaCon 8 notes
----
Identifying Cyberwarriors: Predicting Civilian Participation in On-Line Conflict

asymmetric warfare, civilian participation realistic & cost-effective

tech in pol. conflict
near-real-time comms
low cost
anonymity
can spin the msg the way you want

can manage significant damage against infra

Dorothy Denning recent civilian cyberwarrior
simply engaging in an attack because they have a POV they want to express, might not be associated with official nation of residence

who's going to be a CC? what drives? how to prepare for?

4 factors
willingness to commit physical attacks against own country
willingness to commit cyber attacks against own country
willingness to commit physical attacks against other country
willingness to commit cyber attacks against other country


pos.relationship
cyberattack is a predictor of physical attack against crit.infra

----
Android hacking

----
Bluetooth hacking

----
special surprise guest and presentation

-----------------------
Saturday

----
DevHack: Pre-Product Exploitation

why attack poor developers?
valuable resources
credentials/access
sensitive data
password lists
potential users
tools set up from the start
tight deadlines/pressure
easily fooled, just want things to work

finding devs
targeted/specific attacks
linkedin
job descriptions
interview for a job
resumes
email sigs

Maltego
Scrape LinkedIn, Google+, OSINT, resumes
usernames on common sites: source forge, github, stack overflow

tech:
look for open ports
web, DB, admin, protocols, dev tools, debug tools, debug ports
user agents
look for log files
sniff network traffic to/from servers

how to attack?
same as regular
their machine
apps
social eng
the tools they use
SQL inject
parameter & regex abuse

servers
IDEs
phpMyAdmin
phpPGAdmin
Redmine
Trac
version control:

from a dev perspective, think how things can go wrong, turn it around and do it

sql inject,
use build tools/dependency mgmt
Ant/Ivy, Maven, Gradle (Groovy)


attacking Java
lots of open source used
Apache Commons
Spring, Hibernate, Struts, Jetty, Tomcat
Maven

http://maven.apache.org

MITM attacks: proxy mods, ARP poisoning, DNS spoofing

Goal: build software to intercept and distribute bad dependencies
manually compile, distribute on request



Repo managers
manage artifacts
Apache Archiva
MITM to proxy dependency requests

other build tools use Maven repos
Gradle, IVY, buildr

Continuous integration
if you infect a CI build place with a bad library

CI/build managers

how to fix?
Maven3 uses https
SSL
digitally sign jars
verify checksums
host internal repo
utilize java security manager
AUDIT
code review
NO BINARY IN VCS
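
Added example, not from the talk or from Maven itself: a Python sketch of two items from the fix list above, "Maven3 uses https" and "verify checksums". It flags plaintext repository URLs in a pom.xml and shows why a `.sha1` sidecar fetched from the same repository does not help against MITM, while a hash pinned out of band does. The hostnames, artifact name and jar bytes are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment: one plaintext repository, one TLS repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.test/maven2</url></repository>
    <repository><id>internal</id><url>https://nexus.example.test/releases</url></repository>
  </repositories>
</project>"""

GOOD_JAR = b"constructed bytes standing in for the reviewed jar"
BAD_JAR = b"constructed bytes standing in for a swapped jar"
# Pin list kept in version control, built from a reviewed copy (hypothetical artifact name).
PINNED = {"commons-demo-1.0.jar": hashlib.sha256(GOOD_JAR).hexdigest()}

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def plaintext_repos(pom_xml):
    """Return ids of (plugin) repositories that are fetched over plain HTTP."""
    found = []
    for el in ET.fromstring(pom_xml).iter():
        if local(el.tag) in ("repository", "pluginRepository"):
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            if fields.get("url", "").lower().startswith("http://"):
                found.append(fields.get("id", "?"))
    return found

def sidecar_ok(data, sidecar_text):
    """Check against a .sha1 sidecar downloaded from the same repository."""
    return hashlib.sha1(data).hexdigest() == sidecar_text.split()[0].lower()

def pinned_status(name, data, pinned):
    """Check against a SHA-256 pinned out of band: ok, mismatch or unpinned."""
    expected = pinned.get(name)
    if expected is None:
        return "unpinned"
    return "ok" if hashlib.sha256(data).hexdigest() == expected else "mismatch"

if __name__ == "__main__":
    forged_sidecar = hashlib.sha1(BAD_JAR).hexdigest()  # same channel as the jar
    print(plaintext_repos(SAMPLE_POM))
    print(sidecar_ok(BAD_JAR, forged_sidecar))
    print(pinned_status("commons-demo-1.0.jar", BAD_JAR, PINNED))
```

The sidecar check passes for the swapped jar because the sidecar travels over the same channel; only the pinned hash catches it.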

----
Malware Retooled
moving away from purpose-built platforms (Zeus, SpyEye, TDL3) to general tools (Sunspot) to target specific industries

old malware Zeus etc.
new Sunspot, NetHell, Limbo

malware analysis - what malware looks like

clustering & visualization

Zeus & SpyEye
banking trojans,
infection point web browser or social eng
very modular, work w/any browser hack
Crime Packs (CrimeWare)
DLL hooking/injection
dynamic process (random filenames)

SpyEye kills Zeus & AV
Zeus supports Vista/7, Firefox recent

TDL3 Sold
Malware Operating System (MaOS)
framework
uninstalled by ZeroAccess (ZA took basics of TDL3 for ZA)

Sunspot (Limbo, ambler)
HTML injection
Win 7 aware
dynamic process

Crime Packs are more affordable, price dropping, lowers entry

Google / Facebook Ad Rev

Malware Trends

recent: VXHeaven //vx.netlux.org/index.html
shut down by Ukrainian
FB page "Saving Private Herm1t"

Offensive Computing Danny_Quist@chamewco (?)
@forensication @kdpryor @patories
@coryaltheide
took down his site

OpenRE

Malware Domain List .com


------------------
Inside Jobs: Stealing Sensitive Data and Intellectual Property

old style
hardcopies sneakernet
mainframes, dumb terminals
floppy
Intellectual Property IP
Personally Identifiable Information PII

1994, Internet took off
consumers, modems, services
Remote file transfer
removable media storage capacity grew
today: high bandwidth, countless protocols, thumb drives

Information

financial company - dev copies code for future reference
DLP (Data Loss Prevention) in warn mode, NOT block mode, sent alert to IT

US manufacturer - employee copying design docs to sell to competitor
no DLP, but other users noticed network slowdown from big files xfer

financial - overseas contract worker emailed entire HR table to a personal email account
DLP in warn mode,
company had to warn every employee

Wikileaks

Corporate Trends (example snapshot)
most incidents over the network


what can DLP tell Compliance & InfoSec Teams about User Activity?

DLP
content monitoring
encrypted data
end-user policy compliance

psych of a trusted data thief
who steals data?
machiavellian leader - greed
disgruntled & entitled thief

portrait of an insider data thief
current employee, male, 37, technical, changes in behavior, had professional setbacks, suspect behavior patterns

pre-employment risk indicators
social skills/personality issues - don't get along
social/professional network association risk, govt. has overseas friends
history of mental health issues
previous law violations
previous company policy violations
history of substance abuse

personal data theft triggers
financial
legal probs
sig. medical probs
family prob.
bad performance reviews, demotion, passed over
disagree over corp. IP rights
coworker conflict

FBI Profile of Espionage Suspects - similar kind of list

How to Steal Data
hardcopy
removable media
transfer outbound - scp, whatever
email out
portable devices

how thieves caught?
other employees notice
careless thieves make mistakes
tech controls
SIM/SIEM
HIDS
NIDS
IPS
DLP tech (network, endpoint)
anomaly detection

how thieves get away w/it?
encryption
file
network
org lacks monitoring processes
network controls weak
if data flows out like a sieve, can be bad
DLP, HIDS, etc. bought but not implemented

if worried about data theft, can't lock down BYOD bring your own device, so don't recommend it

Infosec team: need to customize DLP to avoid false negs, false positives, tailor to your needs

how thieves getting past endpoint DLP?
disable - stop service
rename the .exe so the exe can't be found
block console via personal firewall
block console access with fake DNS
personal BIND server
edit host file
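
Added example, not from the talk: a detection-side check for the hosts-file variant of the console-blocking bypass listed above. It parses hosts-file text and reports any entry that points the DLP console name somewhere other than its real address. The console hostname, IP addresses and file content are constructed; the personal-BIND variant would need a separate check of the resolver configuration.

```python
import ipaddress

# Constructed hosts file; "dlp-console.corp.example" is a hypothetical console name.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# 10.20.0.15 dlp-console.corp.example   (commented out, ignored)
127.0.0.1   DLP-Console.corp.example dlp-console   # added by user
10.20.0.15  fileserver.corp.example
"""

def hosts_overrides(hosts_text, console_names, allowed_ips=()):
    """Return (line_no, ip, name, reason) for entries that redirect the DLP console."""
    names = {n.lower().rstrip(".") for n in console_names}
    allowed = {ipaddress.ip_address(a) for a in allowed_ips}
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        for host in fields[1:]:
            name = host.lower().rstrip(".")
            if name in names and ip not in allowed:
                sink = ip.is_loopback or ip.is_unspecified
                findings.append((line_no, str(ip), name,
                                 "sinkholed" if sink else "redirected"))
    return findings

if __name__ == "__main__":
    for finding in hosts_overrides(
            SAMPLE_HOSTS,
            ["dlp-console.corp.example", "dlp-console"],
            allowed_ips=["10.20.0.15"]):
        print(finding)
```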

Kill Targets
know your DLP

the never-ending arms race
attack emp walks out hardcopy
counter - monitor print, need to know access control, data labeling, coworker awareness
anti-countermeasure disable print monitoring, etc., hide hardcopy
anti-countermeasure attack countermeasure - video monitoring at desks, print rooms, etc.

scenario 2
uploading large data files out,

CM - terminate & re-encrypt, monitor for PCI, HIPAA, PII, limit access to services


scenario 3
use sync tools (Dropbox) to move offsite

CM don't let install on corporate machines, company-installed firewalls block those services

scenario 4
email sensitive data
CM DLP monitor SMTP
antiCM encrypt data
limit outbound email domains

scenario #5
upload data to internet storage
CM network DLP monitoring HTTP
antiCM encrypt data

#6
copy sensitive data to corporate laptop, take home, remove drive & copy
CM whole disk encryption
antiCM

#7
employee copies sensitive data to portable drive

#8

#9
at-home worker
better trust them


employers: many attackers are unaware of many CMs
attackers:

what can employers do?



-------------
Project Byzantium: Improvisable Ad-Hoc Wireless Mesh Networking for Disaster Zones

http://wiki.hacdc.org/index.php/Byzantium_Live_Distro

http://en.wikipedia.org/wiki/WokFi

--------
Hacking as an Act of War
China

RSA breach
Operation Night Dragon
Nitro - 48 chem & defense companies targeted
Operation Shady RAT - spearphishing


Sidewinder - early NSA reactive firewall, [Gibson's black ice]
defeated by attackers masquerading as someone else, attacks went elsewhere


expect more coupling of cyberwarfare with "kinetic actions"


--------------------
Big Bang Theory: The Evolution of Pentesting High Security Environments

pen testing now
1 scoping call
2 run vuln scanner
3 run exploit framework
4 copy paste info from previous customer
5 give custom recs knowing they'll be ignored

all this stuff doesn't stop APT (Advanced Persistent Threat)
welcome to APT: everyone's owned

why APT? if easier to steal than R&D or reverse engineer it, they will steal

"goal oriented pentesting"
Domain Admin is a stupid goal
stealing what makes a company $ is a better goal
can you detect that theft in real time or within X hours?

business impact


phase 1 targeting - test social media of targets
phase 2 initial entry
client-side exploit <1yr old
<90 days old
phishing for credentials

SLIDES ON SLIDESHARE

phase 3 post-exploitation


phase 5 data exfiltration


threat modeling
attacker-centric
asset-centric
software-centric

note: attacker-centric (sounds like persona modeling)

anecdote: "borrowed" dad's car, always caught - rolled back odometer, parked in exact location
how'd dad catch him every time? he put toothpicks on top of the tires. Roll the car, toothpicks fell off.



--------------

Biometric traits
systems
sensors & image acquisition techniques
dataveillance
privacy concerns
solutions?

physiological - fingerprints, hand, iris, face, DNA
current tech can do iris 1-3 meters away
behavioral - keystroke, signature, voice, gait

cognitive biometric recognition
id of friends/colleagues
cognitive enrollment process
meet, get to know
cognitive trait matching
face, voice, gait, behavior

types of enrollment
voluntary
pseudo-voluntary (submit pic for driver license)
non-cooperative (surveillance)

biometric performance: ROC curve (false versus true positives)
receiver operating characteristic

pitfalls of unimodal biometrics
poor capture quality
accessibility limitations
unsuitable situational trai

multimodal biometrics
greater accessibility
decrease in error rates
improved image capture


soft biometrics
descriptive characteristics - hair/eye color, clothing, age
solely non-distinctive
lack permanence
whole>sum of parts

soft facial biometrics
gender/ethnicity - chin, lips, eyebrows, nose
accurate for mid-age range

sensors & tech
Hitachi Surveillance Camera System
36million faces/second
30degree range
facial images w/low resolution

NEC super-resolution cameras
learning-based Super Resolution
dictionary of stored images
initial regions compared to stored patches
final image generated from high-res patches

SentryScope
continuous recording 10,240x2,408
100x digital zoom
90 deg. field of view

automatic license-plate recognition

dataveillance

where data meets behavior: the rise of the statistician, the fall of conventional wisdom


biometric privacy issues
intended use
data retention
context leakage
information asymmetry
impersonation

personal data protection
confidential data
goes through some anonymization process

anonymization metrics
disclosure risk
information loss (reduction in use)
goal: minimize DR & IL

Privacy Enhancing Technology
more of a process or method
minimize exposure
strong access controls
centralized storage/processing
privacy policy linking
federated identity - secure lateral sharing

functional segregation
1 party has template database
1 party accepts/provides sample

provide opt-out choice
partial de-identification

user actions
facial camo (make-up)
posting decoy (incorrect) images

chemotherapy and fingerprints
capecitabine
hand-foot syndrome
palmar erythrodysesthesia
desquamation
epidermal growth inhibition
epidermal growth factor inhibitors

privacy vs. accessibility
analogous to usability vs. security


solutions?
PET/work in progress
awareness

------
Switzerland

----
hacker trivia

----
parties
