HSB15 - Thijs Bosschert - Radically Open Security

Post on 24-Jan-2017

Transcript of HSB15 - Thijs Bosschert - Radically Open Security

Thijs Bosschert

27 October 2015, The Hague info@radicallyopensecurity.com thijs@radicallyopensecurity.com

What have we learned from the Hacking Team hack?

May 12, 2014

Radically Open Security

Non-Profit Computer Security Consultancy

We're an idealistic bunch of security researchers, networking/forensics geeks, and Capture The Flag winners that are passionate about making the world more secure. We believe in transparency and openness. And our goal is to secure the society that allows us to run a company in the first place.

https://radicallyopensecurity.com/

Thijs Bosschert

Freelance Security Professional

• Incident Response

• Forensics

• Penetration tester

• Security researcher

• Trainer

• CTF player (Eindbazen, Hack.ERS)

Worldwide IR

HackingTeam

Source: http://www.hackingteam.it/

HackingTeam

Remote Control System

Take control of your targets and monitor them regardless of encryption and mobility. It doesn't matter if you are after an Android phone or a Windows computer: you can monitor all the devices. Remote Control System is invisible to the user, evades antivirus and firewalls…

Source: http://www.hackingteam.it/images/stories/galileo.pdf

HackingTeam

Remote Control System

Hack into your targets with the most advanced infection vectors available. Enter his wireless network and tackle tactical operations with ad-hoc equipment designed to operate while on the move. Keep an eye on all your targets and manage them remotely, all from a single screen. Be alerted on incoming relevant data and have meaningful events automatically highlighted.

Source: http://www.hackingteam.it/images/stories/galileo.pdf

You will be hacked

Source: https://twitter.com/hackingteam/status/563356441885835264

Imagine this

Source: https://wikileaks.org/hackingteam/emails/

You have been hacked

Source: https://twitter.com/hackingteam/status/563356441885835264

How was it done?

Source: https://twitter.com/GammaGroupPR

How was it done?

Source: http://0x27.me/HackBack/0x00.txt

0x00.txt

● Mapping out the target

● Scanning & Exploiting

● Escalating

● Pivoting

● Have Fun

Source: http://0x27.me/HackBack/0x00.txt

Denial

Source: Twitter

Bad response

Source: Twitter

Bad press reactions

Source: http://www.hackingteam.it/index.php/about-us

~400 GB

WikiLeaks Email DB

Source: https://wikileaks.org/hackingteam/emails/

0-days & exploits

● CVE-2015-0349 - Adobe Flash Player

● CVE-2015-2425 - IE 11

● CVE-2015-2426 - OpenType Font Driver

● CVE-2015-5119 - Adobe Flash Player

● CVE-2015-5122 - Adobe Flash Player

● CVE-2015-5123 - Adobe Flash Player

Weak passwords

● P4ssword

● Passw0rd

● wolverine

● universo

● HTPassw0rd

● Passw0rd!81

+ Password reuse

Source: http://pastebin.com/bxYXHFMu
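An added defender-side check, not part of the talk, showing why the passwords on this slide are weak even though most of them satisfy a "length, mixed case, digit" policy, and how reuse of one password across accounts is spotted in an audit. The base-word list and the account names are constructed for the example.

```ruby
# Added example, not from the talk: audit the passwords listed on the slide.
# It undoes common leetspeak substitutions, looks for a dictionary base word,
# and flags passwords shared between accounts.

LEET = { '4' => 'a', '@' => 'a', '3' => 'e', '1' => 'i', '!' => 'i',
         '0' => 'o', '5' => 's', '$' => 's', '7' => 't' }.freeze

# Constructed, deliberately tiny wordlist; a real audit uses a full one.
BASE_WORDS = %w[password wolverine universo secret welcome].freeze

# The naive complexity rule that lets "Passw0rd" through.
def passes_complexity?(pw)
  pw.length >= 8 && pw.match?(/[a-z]/) && pw.match?(/[A-Z]/) && pw.match?(/\d/)
end

# Strip trailing digits/punctuation ("!81"), then map leet characters back,
# so "HTPassw0rd" and "Passw0rd!81" both contain "password".
def normalise(pw)
  pw.downcase.sub(/[^a-z]+\z/, '').each_char.map { |c| LEET.fetch(c, c) }.join
end

# Base word the password is built on, or nil if none in the list matches.
def dictionary_base(pw)
  n = normalise(pw)
  BASE_WORDS.find { |w| n.include?(w) }
end

# Passwords used by more than one account (the reuse the slide refers to).
def reused(accounts)
  accounts.group_by { |_, pw| pw }.select { |_, v| v.size > 1 }.keys
end

def audit(passwords)
  passwords.map do |pw|
    { password: pw, complexity_ok: passes_complexity?(pw), base_word: dictionary_base(pw) }
  end
end

# Passwords from the slide; the account names are constructed placeholders.
SLIDE_PASSWORDS = %w[P4ssword Passw0rd wolverine universo HTPassw0rd Passw0rd!81].freeze
SAMPLE_ACCOUNTS = [['user_a', 'Passw0rd'], ['user_b', 'wolverine'], ['user_c', 'Passw0rd']].freeze

if __FILE__ == $PROGRAM_NAME
  audit(SLIDE_PASSWORDS).each { |r| puts r.inspect }
  puts "reused: #{reused(SAMPLE_ACCOUNTS).inspect}"
end
```

Every slide password resolves to a dictionary base word, and four of the six still pass the complexity rule, which is why a wordlist-with-substitutions check belongs in any password audit.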

Code like everyone is watching

# String#to_utf16le_binary_null is defined elsewhere in rcs-common;
# assumed definition here so the snippet runs stand-alone:
class String
  def to_utf16le_binary_null
    (self + "\0").encode("UTF-16LE").force_encoding("BINARY")
  end
end

# Builds a sample "file" evidence record; note the hard-coded fixture data.
def content(*args)
  hash = [args].flatten.first || {}
  process = hash[:process] || ["Explorer.exe\0", "Firefox.exe\0", "Chrome.exe\0"].sample
  process.encode!("US-ASCII")
  path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg",
                         "C:\\Utenti\\pluto\\Documenti\\childporn.avi",
                         "C:\\secrets\\bomb_blueprints.pdf"].sample
  path = path.to_utf16le_binary_null
  # rest of the method is not shown on the slide
end

Source: https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence/file.rb

CIS Critical Security Controls

Source: SANS 20 Critical Controls Poster

CIS Critical Security Controls

Source: SANS 20 Critical Controls Poster

~400 GB

What went wrong?

● Weak password usage and reuse

● No network segmentation and protection

● No data encryption

● No secure email

● No data classification

● No monitoring

● Incorrect incident response procedures

● Usage of illegal software

Security level

Source: http://lockheedmartin.com

Protection level

Source: http://www.slideshare.net/jaredcarst/cyber-threats-cybersecurity-are-you-ready

What have we learned?

As a security company you are a coveted target for attackers, so you had better make sure that you are prepared for that.

Questions?

https://radicallyopensecurity.com/

http://www.thice.nl

thijs@radicallyopensecurity.com

@ThiceNL

http://nl.linkedin.com/in/bosschert

Thijs Bosschert