RSA vs Hacker

Alessio L.R. [email protected], twitter: mayhemspp

Facebook: alessio.pennasilico

Milano, 11 Settembre 2012

RSA Security vs Ethical Hacker

Gli hacker sono ovunque intorno a noi, ma le persone non lo sanno.

Ancora.

Alessio L.R. Pennasilico [email protected]

Alessio L.R. Pennasilico

Members of: Associazione Informatici Professionisti, CLUSIT, OPSI/AIP

Associazione Italiana Professionisti Sicurezza Informatica

Italian Linux Society, Sikurezza.org, Hacker’s Profiling Project

Spippolatori.org, IISFA, Metro Olografix, CrISTAL

2

!

Security Evangelist @

mailto:[email protected]


http://www.alba.st/

http://www.alba.st/


Disclaimer #1

Sono personalmente responsabile

di tutto quel che dirò,

che rappresenta la mia opinione

e la mia soltanto

3




Disclaimer #2

Don’t try this at home!

L’uso di alcune delle tecniche descritte su sistemi altrui

comporta l’arresto...

4




Jargon file

hacker: n.

1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. RFC1392, the Internet Users' Glossary, usefully amplifies this as: A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.

5




Il vero lockpicker

Costruisce

Impara

Capisce

6




Pallottole...

7




Credenziali

8




Identity theft

Solo un furto di denaro?

9




Uno scherzo?

Danni economici

Danni di immagine

Ripercussioni sul credito

Difficile da dimostrare

Strascichi lunghissimi

10




FB from hackers perspective

“The social reconnaissance enabled us to identify 1402 employees 906 of which used facebook.”

[…]

“We also populated the profile with information about our experiences at work by using

combined stories that we collected from real employee facebook profiles.”

http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html

11







“Upon completion we joined our customer's facebook group. Joining wasn't an issue and our

request was approved in a matter of hours. Within twenty minutes of being accepted as

group members, legitimate customer employees began requesting our friendship. […] Our friends

list grew very quickly and included managers, executives, secretaries, interns, and even

contractors.”

12





“We used those credentials to access the web-vpn which in turn gave us access to the network. As it turns out those credentials also allowed us

to access the majority of systems on the network including the Active Directory server, the

mainframe, pump control systems, the checkpoint firewall console, etc.”

13



Ale

ssio

L.R

. Pen

nasi

lico

WarDriving


Device

15




Antenne

16




Mezzi alternativi

17




Molto alternativi...

18




Strumenti autocostruiti

19




Personalizzazioni

20




La carriola

Prima Edizione

CAT Orvieto 2009

21




Kismet

Is an 802.11 layer2

wireless network detector,

sniffer, and intrusion detection system.

22




Kismet

23




Kismac

24




NetStumbler

25




MiniStumbler

26




Coordinate GPS

27




Aircrack

Is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data

packets have been captured.

28




Craccare le chiavi

29




Dove si usa il WiFi?

30




Incidenti

Vitek Boden, in 2000, was arrested, convicted and jailed because he released millions of liters of untreated sewage using his wireless laptop. It happened in Maroochy Shire, Queensland, may be as a revenge against his last former employer.

http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/

31




Non usare il WiFi?

La tecnologia WiFi permette di essere sicura

E’ necessaria una corretta analisi iniziale

E’ necessaria una corretta implementazione

Un errore può avere conseguenze eccessivamente gravose...

32



Ale

ssio

L.R

. Pen

nasi

lico

0day


0day

Vulnerabilità non ancora pubbliche

Exploit disponibili

Vendor/User ignari del pericolo

34




0day

Vulnerabilità pubbliche

Exploit disponibili

Patch non disponibili

35




Il problema tempo

36

Window of Exposure

Vulnerability

Exploit

Patch

Applied Patch

Critical Zone




WoE

La window of exposure si riduce

Il time2market degli exploit diminuisce

Il numero di host compromessi aumenta

37




In the wild

Esiste un complesso sottobosco con un attivissimo mercato nero di exploit scambiati tra

amici / cr3w

38




0day

Oggi hanno sempre più valore:

vengono acquistati dai vendor

vengono acquistati dai security vendor

39




0day 2012

Le applicazioni sono più mature

Le competenze sono aumentate

L’organizzazione è migliorata

40




0day

“a remote ssh root shell, nowadays,

is a dead dream”

anonymous researcher, 2007

41




Vendor

Incoscienti o troppo “famosi”?

42




Quanti attacchi con 0day?

43




Flash

44




USB Case

Un’azienda commissiona un PenTest.

Gli attaccanti spargono chiavette contenenti malware scritto appositamente nei dintorni

dell’azienda.

I dati degli impiegati iniziano subito ad arrivare.

45



Ale

ssio

L.R

. Pen

nasi

lico

Dai servizi alle applicazioni


XSS

Affligge siti web con scarso controllo di variabili derivate da input dell'utente. Permette di inserire codice a livello browser al fine di modificare il codice sorgente della pagina web visitata. In questo modo un cracker può tentare di recuperare dati sensibili quali cookies.

47




SQL Injection

Sfrutta la non normalizzazione dell’input

a‘ OR ‘1’=’1

48




Minacce?

49




SQLninja

Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile

environment. It should be used by penetration testers to help and automate the process of

taking over a DB Server when a SQL Injection vulnerability has been discovered.

50




0day

Esistono ancora, sono una minaccia

Sfruttano utenti, non servizi

51




Users’ 0day

Sfruttano falle di browser, client di posta, visualizzatori di documenti per infettare grandi

quantità di macchine

52




Botnet

Lo scopo è creare un network

che si auto-espande

che esegue gli ordini del commander

53




PDF

54




Bakeca.it DDoS

http://www.slideshare.net/mayhemspp/bakeca-ddos-hope

55






Infezioni...

Rispetto al passato,

come sono cambiati i device di accesso?

56




iPhone Worm: Rickrolls

Jailbreak di iPhone:

qualcuno cambia

la password di root?

(Novembre 2009)

57




Mobile Malware

Che telefono avevate nel 2011?

58



Ale

ssio

L.R

. Pen

nasi

lico

Altre tecnologie…...altri rischi...


Virtualizzazione

CVE-2007-4496 (September 2008)

Unspecified vulnerability in [some version of VMware] allows authenticated users with administrative privileges on a guest operating system to corrupt memory and possibly execute arbitrary code on the host operating system via unspecified vectors.

60




Drive-By Pharming

First, the attacker creates a web page containing a simple piece of malicious JavaScript code. When the page is viewed, the code makes a login attempt into the user's home broadband router, and then attempts to change its DNS server settings to point to an attacker-controlled DNS server.

61




SPIT

Spam over Internet Telephony

62




Vishing

VoIP Phishing

63




The Pena Case

“Edwin Andreas Pena, a 23 year old Miami resident, was arrested by the Federal government: he was involved in a scheme to sell discounted Internet phone service by breaking into other Internet phone providers and routing connections through their networks.”

The New York Times, June 7th 2006

64




Robert Moore

“I'd say 85% of them were misconfigured routers. They had the default passwords on them: you would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them”.

65

"It's so easy a caveman can do it!"




HashCAT

66




Hydra

mayhem@coniglio:~$ hydra -‐L uid.txt -‐P pwd.txt / 127.0.0.1 ftp -‐f

Hydra v4.1 (c) 2004 by van Hauser / THCuse allowed only for legal purposes.Hydra (http://www.thc.org) starting at 2004-‐06-‐26 13:21:37

[DATA] 16 tasks, 1 servers, 132 login tries (l:12/p:11), ~8 tries per task[DATA] attacking service ftp on port 21

[21][ftp] host: 127.0.0.1 login: luser password: pippo

[STATUS] attack finished for 127.0.0.1 (valid pair found)Hydra (http://www.thc.org) finished at 2004-‐06-‐26 13:21:44

67



http://www.thc.org

http://www.thc.org

http://www.thc.org

http://www.thc.org


QoS Theft

Furto del Quality of Service

Maggior priorità al traffico di applicazioni non autorizzate

68




VoipHopper

"VoIP Hopper is the answer to all VoIP solution providers who make people believe that VLANS

is all you need to secure VoIP"

Sachin Joglekar, Sipera VIPER Lab

69



Ale

ssio

L.R

. Pen

nasi

lico

Altri strumenti...


Metasploit

71




Backtrack

72



Ale

ssio

L.R

. Pen

nasi

lico

Conclusioni


ConclusioniIl mercato evolve

Le tecnologie evolvono

Le minacce evolvono

La sicurezza deve evolvere

74



Alessio L.R. [email protected], twitter: mayhemspp

Facebook: alessio.pennasilico

Milano, 11 Settembre 2012

RSA Security vs Ethical Hacker

T h e s e s l i d e s a r e written by Alessio L.R. P e n n a s i l i c o a k a mayhem. They are subjected to Creative Commons Attribution-S h a r e A l i k e - 2 . 5 version; you can copy, modify, or sell them. “P lease” c i te your source and use the same licence :)

Grazie per l’attenzione!

Domande?

RSA vs Hacker

Technology

Transcript of RSA vs Hacker