Anatomy of Ownage: The painful lessons learned by others Matt Linton IT Security Specialist NASA Ames Research Center


Anatomy of Ownage:The painful lessons learned by others

Matt Linton

IT Security Specialist

NASA Ames Research Center

Anatomy of Ownage—2—

Overview

- Schadenfreude

- Optimism Bias

- HBGary vs Anonymous

- Sony, Inc. vs The Internet

- ??????? vs RSA Security

- ??????? vs Iran Nuclear Enrichment Program

Anatomy of Ownage—3—

Schadenfreude

Schadenfreude is

“Pleasure derived from the misfortunes of others”

i.e.

“Wow, I'm glad I'm not those guys right now.”

Anatomy of Ownage—4—

Schadenfreude

Just to be clear,

We're not happy they got hacked.

We are happy we're not them.

But ditch your optimism bias for a moment, because

It can happen to us too.

Anatomy of Ownage—5—

OPTIMISM BIAS

“The demonstrated, systematic tendency for people to be overly optimistic about the outcome of planned actions.”

Symptoms include:

- Over-estimating the likelihood of positive events

- Under-estimating the likelihood of negative events

- Illusion of control

- Illusion of superiority

Anatomy of Ownage—6—

OPTIMISM BIAS

Anatomy of Ownage—7—

Ding, ding! Round 1.....

Anatomy of Ownage—8—

HBGary vs Anonymous

VS

Anatomy of Ownage—9—

HBGary vs Anonymous

SETTING THE STAGE:

HBGary Federal needs positive press to grow, decides to capitalize on the controversy surrounding Anonymous's defense of Wikileaks.

CEO Aaron Barr issues press releases taunting Anonymous, claiming to have identified them and threatening to expose them to law enforcement.

Internally, his staff warns him that this is a bad idea and his data is wrong but he persists.

Anatomy of Ownage—10—

HBGary vs Anonymous

The Damage:

Anatomy of Ownage—11—

HBGary vs Anonymous

The Damage:

- Company servers penetrated

- Internal company emails (incl. potential evidence of criminal activity by the company) leaked to public

- All of Barr's emails leaked to public

- Barr's iPad remotely wiped

- Company data erased

- Company backups erased too

- General humiliation of the company

Anatomy of Ownage—12—

HBGary vs Anonymous

The vector:

- Attackers compromise the company's public-facing CMS via SQL injection (SQL injection)

- Attackers use rainbow tables to crack the unsalted MD5 password hashes dumped from the CMS (bad password storage)

- Attackers use those passwords to log into company bastion hosts (single-factor auth)

- Attackers use an unpatched local exploit to escalate privileges to root (unpatched system)

(see next slide)

Anatomy of Ownage—13—

HBGary vs Anonymous

- Attackers use the CEO's and COO's passwords to gain entry to their Google Mail (SaaS) accounts (password re-use, simple passwords)

- Attackers reset the Gmail password of Greg Hoglund, CEO of the parent company and owner of rootkit.com

- Using Hoglund's email, attackers socially engineer a support tech into disclosing the root password for rootkit.com (poor general practice)

Anatomy of Ownage—14—

HBGary vs Anonymous

HOW NOT TO GET OWNED LIKE THIS:

- Follow OWASP guidance (parameterized queries, input validation) to check for and prevent SQL injection

- Salt your hashes! Hash without salt is just potatoes. (And use a slow, iterated password hash rather than bare MD5.)

- Perform social engineering / phishing awareness training

- Hold leadership to the same best-practice standards as everyone else

- Do NOT re-use passwords in multiple locations

Anatomy of Ownage—15—

Ding, ding! Round 2.....

Anatomy of Ownage—16—

Sony, Inc. VS The Internet

VS

Anatomy of Ownage—17—

Sony, Inc. VS The Internet

SETTING THE STAGE:

Sony locks Linux hackers out of PS3 via firmware update, angering geeks who bought PS3 to install Linux

George Hotz (GeoHotz) finds a way to work around firmware update, informs community.

Sony sues GeoHotz.

PS3 hackers and Anonymous issue call to action in defense of GeoHotz.

Anatomy of Ownage—18—

Sony, Inc. VS The Internet

The Damage:

- 20 hacks in 5 weeks, by 5+ different groups, in 4+ countries

- PlayStation Network (PSN, required for online play) shut down for weeks, angering all legitimate customers

- More than $300 million in losses to Sony for the PSN outage plus incident response costs

Anatomy of Ownage—19—

Sony, Inc. VS The Internet

The Damage:

- 77 million PlayStation Network / Qriocity accounts compromised, with stored credit card data exposed for a subset

- 24 million customers' personal information lost

- 11 thousand customers' bank information lost

- millions of customers' email address + passwords lost

- And the stock price for the company?

Anatomy of Ownage—20—

Sony, Inc. VS The Internet

Anatomy of Ownage—21—

Sony, Inc VS The Internet

Common vectors and mistakes:

(see: http://attrition.org/security/rants/sony_aka_sownage.html)

- SQL Injection, leading to compromise of....

- Passwords stored in plaintext,

- User information stored in accessible databases unencrypted

- Sony ignored reports of vulnerabilities on several disclosure lists

- Reportedly no firewalls, and outdated Apache versions on several of their developer networks
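The two mistakes shared by the HBGary chain (SQL injection into the CMS, then cracking unsalted MD5 hashes with a precomputed table) and the Sony list above (injection, plaintext passwords), shown side by side with the fix. This is an added example, not code from the slides or from either company; it uses only the Python standard library (sqlite3, hashlib). The sample accounts, the attacker wordlist and the pbkdf2_salted / verify_pbkdf2 helpers are this example's own constructions, as is the 100,000-iteration count.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not data from any real breach.
SAMPLE_USERS = [("aaron", "Password1"), ("ted", "hunter2"), ("greg", "letmein")]

# Constructed attacker wordlist. A rainbow table is this idea precomputed at scale:
# hash every candidate once, then crack every unsalted hash you ever see by lookup.
WORDLIST = ["123456", "Password1", "hunter2", "qwerty"]


def md5_unsalted(password: str) -> str:
    """What the CMS did: bare MD5, so the same password hashes identically everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt=None, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow, iterated hash, stored as one self-describing string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored: str, password: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_db(hasher) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hasher(p)) for u, p in SAMPLE_USERS])
    return conn


def lookup_vulnerable(conn, username: str):
    # The CMS mistake: user input is pasted into the SQL text, so it can rewrite the query.
    sql = f"SELECT username, pwhash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    # Parameterised query: the driver binds the value as data; it is never parsed as SQL.
    return conn.execute("SELECT username, pwhash FROM users WHERE username = ?",
                        (username,)).fetchall()


def crack_with_table(hashes, wordlist) -> dict:
    """One precomputed table cracks every unsalted hash it covers with a single lookup each."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def demo() -> dict:
    payload = "' OR '1'='1"          # classic tautology: WHERE username = '' OR '1'='1'
    weak = build_db(md5_unsalted)
    strong = build_db(pbkdf2_salted)

    dumped = lookup_vulnerable(weak, payload)     # the whole table comes back
    blocked = lookup_safe(weak, payload)          # nobody is literally named "' OR '1'='1"
    cracked = crack_with_table([h for _, h in dumped], WORDLIST)

    # Same injection against salted, iterated hashes: the table matches nothing, and each
    # hash would have to be attacked individually at 100,000 PBKDF2 rounds per guess.
    dumped_salted = lookup_vulnerable(strong, payload)
    cracked_salted = crack_with_table([h for _, h in dumped_salted], WORDLIST)

    return {
        "rows_injected": len(dumped),
        "rows_safe": len(blocked),
        "cracked": cracked,
        "cracked_salted": cracked_salted,
        "salted_verify_ok": verify_pbkdf2(pbkdf2_salted("hunter2"), "hunter2"),
        "salted_unique": pbkdf2_salted("hunter2") != pbkdf2_salted("hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injection still dumps the salted table; what changes is that the dump is worth far less, because two users with the same password get different hashes and every guess costs a full PBKDF2 run. Fixing the query (lookup_safe) and fixing the storage are independent controls, and the slides' point is that both were missing.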

Anatomy of Ownage—22—

Ding, ding! Round 3.....

Anatomy of Ownage—23—

RSA Security vs ??????

VS

Anatomy of Ownage—24—

RSA Security vs ??????

SETTING THE STAGE:

RSA Security owns the “SecurID” product, a two-factor token that is very popular with governments and the defense industry for protecting critical data and systems.

Somewhere deep within RSA is a set of secret seed numbers which, if known, defeats all the security afforded by the SecurID token.

Guess what happens next?

Anatomy of Ownage—25—

RSA Security vs ??????

Anatomy of Ownage—26—

RSA Security vs ??????

The Damage:

- RSA's secret seed database is compromised

- Lockheed Martin and others were subsequently compromised in attacks directly tied to their RSA token seeds

- Unknown damage yet to be discovered

Anatomy of Ownage—27—

RSA Security vs ??????

The vector:

- Attackers send a crafted Excel spreadsheet titled “2011 recruitment plan” to select company insiders (phishing)

- Attackers embed a zero-day Adobe Flash exploit in the spreadsheet (Flash)

- Using the privileges gained through the zero-day, attackers install the “Poison Ivy” RAT for remote access to the systems

- From those systems they sniff credentials and map the internal network (local network trust issues)

- Once they escalate to the seed store, they steal the seeds

Anatomy of Ownage—28—

RSA Security vs ??????

HOW NOT TO GET OWNED LIKE THIS:

- Train users about phishing, AND test them

- Reconsider whether your users really NEED things like Flash, PDFs with active code embedded, etc – and disable them if you can

- Reconsider whether end users really NEED administrative level access to their operating systems

- Employ multiple trust zones within your networks, and SECTION OFF critical areas of the company from administrative networks

- Discourage, prevent & prohibit password re-use among said zones

Anatomy of Ownage—29—

RSA Security vs ??????

PART TWO...

Shortly thereafter, US defense contractor Lockheed Martin was broken into.

Compromised RSA SecurID token seeds comprised part of the attack!

Anatomy of Ownage—30—

Ding, ding! Round 4.....

Anatomy of Ownage—31—

Iran vs ?????

VS

Anatomy of Ownage—32—

Iran vs ?????

SETTING THE STAGE:

Iran grows dangerously close to bringing online the country's first nuclear fuel enrichment center.

Many countries suspect it is not for peaceful use.

In March of 2010, power plant operators and industrial centers began reporting a strange computer worm that had penetrated their SCADA control systems.

Anatomy of Ownage—33—

Iran vs ?????

SETTING THE STAGE:

Unlike most computer worms, this one didn't seem to DO anything – just hang around.

Deeper research into the worm revealed that it was very advanced, and appeared to only attack SCADA systems with very specific characteristics.

Then, without explanation, Iran's nuclear enrichment activity ground to a halt.

Anatomy of Ownage—34—

Iran vs ?????

The Damage:

Computers in a dozen countries were infected but operational

60% of the computers worldwide infected with Stuxnet were in Iran

The Natanz enrichment facility and the Bushehr plant in Iran were knocked offline and valuable equipment destroyed

Anatomy of Ownage—35—

Iran vs ?????

The Vector:

- Stuxnet first infected Iranian SCADA systems via a USB stick carried into the plant by a Russian contractor

- Using an exploit 'warhead' of four Windows zero-days, Stuxnet spread among the SCADA systems

- It targeted only systems matching the vendor, manufacturer and configuration characteristics of uranium enrichment centrifuge controllers (the 315 and 417 payloads)

- Stuxnet would lie in wait until the optimal time to disrupt enrichment activity & destroy industrial equipment

Anatomy of Ownage—36—

Iran vs ?????

HOW TO KEEP FROM GETTING OWNED LIKE THIS:

- SCADA systems are built with incredibly weak host level controls. This is their nature.

- Strictly separate SCADA networks from the world and do not provide an internet route

- Strictly control the interfaces on which SCADA network configuration and operation are performed

- Carefully audit any incoming media

- Watch your optimism bias!!
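What "carefully audit any incoming media" can look like in practice, as an added example that is not from the slides and not from any plant's tooling. It implements a fail-closed check for a USB stick before it is allowed into the control network: every file is hashed and compared against a manifest of approved content, and file types that have no business on such media are rejected regardless of hash. Stuxnet's USB propagation relied on crafted Windows shortcut (.lnk) files, a detail not on the slides, which is why .lnk is in the blocked set. The blocked-extension policy, the manifest idea and the sample stick contents (built in a temp directory) are all this example's own constructions.

```python
import hashlib
import os
import tempfile

# Assumed site policy for this example: file types that never belong on media entering the
# control network. Shortcuts and autorun files are how USB-borne code gets executed.
BLOCKED_EXTENSIONS = {".lnk", ".inf", ".exe", ".dll", ".scr", ".vbs", ".bat", ".cmd"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_media(mount_point: str, approved_hashes: set) -> list:
    """Walk the mounted media and classify every file as (status, relative path, sha256)."""
    findings = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mount_point).replace(os.sep, "/")
            digest = sha256_file(path)
            ext = os.path.splitext(name)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                status = "BLOCKED_TYPE"   # never allowed, whatever its hash
            elif digest in approved_hashes:
                status = "OK"             # matches the manifest signed off for this transfer
            else:
                status = "UNAPPROVED"     # content nobody vouched for
            findings.append((status, rel, digest))
    return sorted(findings)


def verdict(findings: list) -> str:
    """Fail closed: one blocked or unapproved file rejects the whole stick."""
    return "ACCEPT" if all(s == "OK" for s, _, _ in findings) else "REJECT"


def make_sample_media() -> tuple:
    """Constructed sample stick for the demo (not from any real incident): one approved
    project export, one file nobody approved, and a Windows shortcut in a subfolder."""
    mount = tempfile.mkdtemp(prefix="usb_")
    project = b"PLC project export, approved under change ticket\n"
    os.makedirs(os.path.join(mount, "old"))
    with open(os.path.join(mount, "line3_plc.s7p"), "wb") as f:
        f.write(project)
    with open(os.path.join(mount, "readme.txt"), "wb") as f:
        f.write(b"just some notes\n")
    with open(os.path.join(mount, "old", "Copy of Shortcut.lnk"), "wb") as f:
        f.write(b"L\x00\x00\x00")      # shortcut header bytes only; no payload of any kind
    manifest = {hashlib.sha256(project).hexdigest()}   # what the change ticket listed
    return mount, manifest


def demo() -> tuple:
    mount, manifest = make_sample_media()
    findings = audit_media(mount, manifest)
    return verdict(findings), findings


if __name__ == "__main__":
    result, rows = demo()
    for row in rows:
        print(*row)
    print(result)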

Anatomy of Ownage—37—

Q&A, Criticism, Flames, & Heckling

[email protected]

mattatnasa

Anatomy of Ownage—38—

OK, so I blew through the slides and need something to talk about still.

How about a little Jerry Springer?

Anatomy of Ownage—39—

LIGATT vs LIGATT?

VS

Anatomy of Ownage—40—

LIGATT vs LIGATT?

SETTING THE STAGE:

Gregory D. Evans founds LIGATT Security and begins referring to himself as the “World's #1 hacker”. Evans was previously convicted of fraud and served 2 years in prison.

Despite this and a lack of credentials, he begins media tours. His charisma earns him a welcome spot in the news media, which he relishes.

Anatomy of Ownage—41—

LIGATT vs LIGATT?

LIGATT's first product is a re-skinned and re-branded copy of Nmap; his latest book is reportedly 99% plagiarized.

Critics on Twitter begin pointing this out, and discussion ensues among the authors of the (allegedly) plagiarized content. A website, ligattleaks, is formed to chronicle the misstatements.

Gradually a picture is painted of a media-savvy but technically incompetent man.

So, this happens:

Anatomy of Ownage—42—

LIGATT vs LIGATT?

Anatomy of Ownage—43—

LIGATT vs LIGATT?

THEN THIS HAPPENS:

Anatomy of Ownage—44—

LIGATT vs LIGATT?

Anatomy of Ownage—45—

LIGATT vs LIGATT?

SO WHAT HAPPENED?

Anatomy of Ownage—46—

LIGATT vs LIGATT?

A LIGATT insider became a public whistleblower, exposing all of the company's internal email (as well as Evans') on the Full-Disclosure mailing list

Details of internal company politics, harassment and (alleged) investigations into employees' personal lives by private detectives were among the leaked documents

Anatomy of Ownage—47—

LIGATT vs LIGATT?

Evans, who until then had been a constant presence on news media programs, began to be the subject instead of the expert commentator.

Feb. 2011 – CBS News runs a series, “Hacker or Hoax”, laying out the internet's charges against Evans.

Anatomy of Ownage—48—

LIGATT vs LIGATT?

Signs you may be headed down his path:

- You start referring to yourself as “World's #1” at something, without a gold medal to back it up.

- Your first instinct at facing criticism is to call your lawyer

- The hackers that people make fun of, are making fun of you.

- Your own employees are considering whistleblowing about you. On twitter.

I'm sure you can figure out how to avoid the above......

Anatomy of Ownage—49—

Sources:

- http://www.youtube.com/watch?v=O3Ms8UZnOoA

- http://en.wikipedia.org/wiki/Stuxnet

- http://www.youtube.com/watch?v=scNkLWV7jSw

- http://attrition.org/errata/charlatan/gregory_evans/

- http://attrition.org/security/rants/sony_aka_sownage.html

- http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/