HSB15 - Thijs Bosschert - Radically Open Security
Transcript of HSB15 - Thijs Bosschert - Radically Open Security
Thijs Bosschert
27 October 2015, Den Haag [email protected] [email protected]
What have we learned from the Hacking Team hack?
May 12, 2014
Radically Open Security
Non-Profit Computer Security Consultancy
We're an idealistic bunch of security researchers,
networking/forensics geeks, and Capture The
Flag winners that are passionate about making
the world more secure. We believe in
transparency and openness. And our goal is to
secure the society that allows us to run a
company in the first place.
https://radicallyopensecurity.com/
Thijs Bosschert
Freelance Security Professional
• Incident Response
• Forensics
• Penetration tester
• Security researcher
• Trainer
• CTF player (Eindbazen, Hack.ERS)
Worldwide IR
HackingTeam
Source: http://www.hackingteam.it/
HackingTeam
Remote Control System
Take control of your targets and monitor them
regardless of encryption and mobility. It doesn’t
matter if you are after an Android phone or a
Windows computer: you can monitor all the
devices. Remote Control System is invisible to
the user, evades antivirus and firewalls…
Source: http://www.hackingteam.it/images/stories/galileo.pdf
HackingTeam
Remote Control System
Hack into your targets with the most advanced
infection vectors available. Enter his wireless
network and tackle tactical operations with ad-hoc
equipment designed to operate while on the
move. Keep an eye on all your targets and
manage them remotely, all from a single screen.
Be alerted on incoming relevant data and have
meaningful events automatically highlighted.
Source: http://www.hackingteam.it/images/stories/galileo.pdf
You will be hacked
Source: https://twitter.com/hackingteam/status/563356441885835264
Imagine this
Source: https://wikileaks.org/hackingteam/emails/
You have been hacked
Source: https://twitter.com/hackingteam/status/563356441885835264
How was it done?
Source: https://twitter.com/GammaGroupPR
How was it done?
Source: http://0x27.me/HackBack/0x00.txt
0x00.txt
● Mapping out the target
● Scanning & Exploiting
● Escalating
● Pivoting
● Have Fun
Source: http://0x27.me/HackBack/0x00.txt
Denial
Source: Twitter
Bad response
Source: Twitter
Bad press reactions
Source: http://www.hackingteam.it/index.php/about-us
~400 GB
WikiLeaks Email DB
Source: https://wikileaks.org/hackingteam/emails/
0-days & exploits
● CVE-2015-0349 - Adobe Flash Player
● CVE-2015-2425 - IE 11
● CVE-2015-2426 - OpenType Font Driver
● CVE-2015-5119 - Adobe Flash Player
● CVE-2015-5122 - Adobe Flash Player
● CVE-2015-5123 - Adobe Flash Player
Weak passwords
● P4ssword
● Passw0rd
● wolverine
● universo
● HTPassw0rd
● Passw0rd!81
+ Password reuse
Source: http://pastebin.com/bxYXHFMu
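Both problems on this slide, dictionary words dressed up with leetspeak and the same password on several accounts, are easy to catch in an internal credential audit. The following is an added example, not part of the talk, that normalizes leet substitutions and reports reuse across accounts; the base-word list, the minimum length and the account names are constructed, and the passwords are the ones listed above.

```python
import re

# Leetspeak substitutions that make a dictionary word look "hardened".
LEET = str.maketrans({"4": "a", "@": "a", "0": "o", "3": "e",
                      "1": "i", "!": "i", "$": "s", "5": "s"})
# Constructed base-word list; a real audit would load a full wordlist.
BASE_WORDS = ("password", "wolverine", "universo", "secret", "admin")
MIN_LEN = 12  # assumed policy minimum

def normalize(pw):
    """Lowercase, undo leet substitutions, drop non-letter padding at both ends."""
    core = pw.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)

def weakness(pw):
    """Reasons a single password is weak; empty list if none found."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("short")
    core = normalize(pw)
    for word in BASE_WORDS:
        if word in core:
            reasons.append(f"based on '{word}'")
            break
    return reasons

def audit(creds):
    """creds: list of (account, password). Returns {account: [findings]}."""
    findings = {account: weakness(pw) for account, pw in creds}
    accounts_by_pw = {}
    for account, pw in creds:
        accounts_by_pw.setdefault(pw, []).append(account)
    # Exact reuse: the same password string on more than one account.
    for pw, accounts in accounts_by_pw.items():
        if len(accounts) > 1:
            for account in accounts:
                others = ", ".join(a for a in accounts if a != account)
                findings[account].append(f"reused on {others}")
    return findings

# Constructed sample: the passwords from the slide paired with made-up accounts.
SAMPLE = [
    ("mail", "P4ssword"), ("vpn", "Passw0rd"), ("backup", "wolverine"),
    ("wiki", "universo"), ("git", "HTPassw0rd"), ("portal", "Passw0rd!81"),
    ("nas", "Passw0rd"),                       # same password as vpn
    ("ok", "Quartz-Ferry-Tripod-Lantern"),     # long, no dictionary core
]

if __name__ == "__main__":
    for account, reasons in audit(SAMPLE).items():
        print(f"{account:7} {', '.join(reasons) or 'ok'}")
```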
Code like everyone is watching
def content(*args)
  hash = [args].flatten.first || {}
  # Fake "parent process" of the planted evidence, picked at random.
  process = hash[:process] || ["Explorer.exe\0",
                               "Firefox.exe\0", "Chrome.exe\0"].sample
  process.encode!("US-ASCII")
  # Fake file path planted as evidence; note the default names.
  path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg",
                         "C:\\Utenti\\pluto\\Documenti\\childporn.avi",
                         "C:\\secrets\\bomb_blueprints.pdf"].sample
  # String helper defined elsewhere in rcs-common (UTF-16LE, NUL-terminated).
  path = path.to_utf16le_binary_null
  # (method continues in the original source)
end
Source: https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence/file.rb
CIS Critical Security Controls
Source: SANS 20 Critical Controls Poster
CIS Critical Security Controls
Source: SANS 20 Critical Controls Poster
~400 GB
What went wrong?
● Weak password usage and reuse
● No network segmentation and protection
● No data encryption
● No secure email
● No data classification
● No monitoring
● Incorrect incident response procedures
● Use of illegal software
Security level
Source: http://lockheedmartin.com
Protection level
Source: http://www.slideshare.net/jaredcarst/cyber-threats-cybersecurity-are-you-ready
What have we learned?
As a security company you are a
prime target for attackers, so you
had better make sure that you are
prepared for that.
Questions?
https://radicallyopensecurity.com/
http://www.thice.nl
@ThiceNL
http://nl.linkedin.com/in/bosschert
Thijs Bosschert