GORDON INSTITUTE OF BUSINESS SCIENCE, Security in e-Commerce, March 2001, © Luc de Graeve, www.sensepost.com

Security in e-commerce

Jan 14, 2015


SensePost

Presentation by Luc de Graeve at the Gordon Institute of Business Science in 2001.

This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.
Transcript
Page 1: Security in e-commerce

GORDON INSTITUTE OF BUSINESS SCIENCE

Security in e-Commerce

March 2001

© Luc de Graeve, www.sensepost.com

Page 2: Security in e-commerce

AGENDA

1. CASE STUDY

– Wake up call February 2000

2. THE BASICS

– Understanding the ‘Net

– Understanding DoS

3. THE NEW KID ON THE BLOCK - HELLO DDoS

– Introducing Co-ordinated Distributed Attacks

– Profile of a typical attack

– Common DDoS attack tools

4. DEFENDING YOURSELF & YOUR FRIENDS

– Strategies for availability

– Join the team - global defense efforts

– Getting greasy

5. RESPONDING TO DoS ATTACKS

– What to do when your number’s up

6. THE BOTTOM LINE

– Questions & Conclusions

Page 3: Security in e-commerce

Introduction

• About me

• SensePost

• Objective

• Approach

• References:

– http://www.sensepost.com

“discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention” - Charles Tomlinson, Rudimentary Treatise on the Construction of Locks, 1850


Page 21: Security in e-commerce

“Just in case you missed out on the whole ordeal last week, we were hacked 4 times by an elite group called r 139. So we thought we would help the hackers out by hacking our own page to save them some time...”


Page 23: Security in e-commerce

We’re trying to make banking…

Simpler. Better. Faster.

Page 24: Security in e-commerce

We’re trying to break banking…

Simpler. Better. Faster.

Page 25: Security in e-commerce

What Hackers do:

• Steal

– Information - to use and to sell

– Money from accounts

– Goods through e-buying

– Resources - time and equipment

• Talk, Boast

• Leave backdoors open

– Launch new attacks

Page 26: Security in e-commerce

How do they do it?

• Social engineering

• Networking

• Resources from the web...


Page 29: Security in e-commerce

How do they do it 2?

• Information gathering

• Footprinting

• ID servers/services by portscan

• ID OS, service types (MS, IIS)

• Check vulnerability databases

• Run vulnerability checker (whisker)

• Search for exploit tool / build exploit tool

• Use tool

• Gain control

• Deface, delete, cover tracks.

Page 30: Security in e-commerce

February Fun

• Major attack launched between February 7 and 14 2000

• Approximately 1,200 sites affected

• Including a number of high profile sites:

– CNN.com, Yahoo, eBay, Amazon, Dell, Buy.com

• Simple bandwidth usage

• Yahoo! attack lasted from about 10:30 a.m. till 1 p.m.

– requests totaled roughly 1 gigabit per second

• Canadian teen “Mafiaboy” arrested in April

– pleads guilty to 55 charges in Montreal, November 2000

– Faces 2 years & US$650

Page 31: Security in e-commerce

February Fun - the aftermath

• FBI estimates that DoS attacks during February 2000 cost $1.2 billion

• eBay‘s share price fell 25% the day after its website was taken down, costing them a total of US$1,2bn. They reportedly spent US$100 000 in securing their site against further attacks.

Page 32: Security in e-commerce

DoS using Amplifiers - SMURF

A smurf attack sends ICMP echo requests carrying the victim’s forged source address to a network’s broadcast address, so every host on that network answers the victim and the attacker’s traffic is multiplied many times over. The fix on the amplifying side is to disable directed broadcasts on border routers (see the Cisco reference on the last slide); www.netscan.org lets you check whether your own address space still answers such requests.

check: www.netscan.org

Page 33: Security in e-commerce

New Kid on the block - DDoS

Page 34: Security in e-commerce

Profile of a typical attack

• Initiate a scan phase in which a large number of hosts (100,000 or more) are probed for a known vulnerability.

• Compromise the vulnerable hosts to gain access.

• Rootkit

• Install the tool on each host.

• Use the compromised hosts for further scanning and compromises.

• Via automated processes a single host can be compromised in under 5 seconds
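The scan phase described above is the part of the profile a defender can see in their own firewall logs: one source touching many distinct hosts on the same port within seconds. The following is an added example, not code from the presentation; its log lines are constructed for illustration and use RFC 5737 documentation addresses, and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines (RFC 5737 documentation addresses, not real
# hosts): "<date> <time> <action> <src> <dst> <dport>".
SAMPLE_LOG = [
    # One client fetching pages from a single web server: normal traffic.
    "2000-02-07 10:30:00 ACCEPT 198.51.100.7 192.0.2.10 80",
    "2000-02-07 10:30:02 ACCEPT 198.51.100.7 192.0.2.10 80",
    "2000-02-07 10:30:04 ACCEPT 198.51.100.7 192.0.2.10 80",
] + [
    # One source touching eight different hosts on the same port in eight
    # seconds: the fan-out pattern of the scan phase.
    f"2000-02-07 10:30:{i:02d} DENY 203.0.113.5 192.0.2.{10 + i} 111"
    for i in range(8)
] + [
    # The same source much later: outside the window, so not part of a sweep.
    "2000-02-07 11:15:00 DENY 203.0.113.5 192.0.2.50 111",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>ACCEPT|DENY) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_sweeps(lines, window=timedelta(seconds=10), min_targets=5):
    """Map (src, dport) -> peak number of distinct destination hosts the
    source touched on that port within any `window`, for sources whose
    fan-out reached `min_targets`. One sliding window per (src, dport)."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (src, dport) -> deque of (ts, dst)
    alerts = {}
    for e in events:
        key = (e["src"], e["dport"])
        q = recent[key]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:  # drop events older than window
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct >= min_targets and distinct > alerts.get(key, 0):
            alerts[key] = distinct
    return alerts


if __name__ == "__main__":
    for (src, dport), n in find_sweeps(SAMPLE_LOG).items():
        print(f"possible host sweep: {src} -> {n} hosts on port {dport}")
```

Run against the sample, only the probing source is reported; the web client and the isolated later hit stay below the threshold.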

Page 35: Security in e-commerce

Building an attack network

• August 1999, a trinoo network of 2,200 systems used against the University of Minnesota and others

• Assuming 3 to 6 seconds for each host, with pre-selection of the target systems, gives 2 - 4 hours to set up

Page 36: Security in e-commerce

The challenge of DDoS

• You may be down

• Spoofed addresses

– Technically difficult to trace

• Diverse network ownership

– You don’t control the infrastructure

– Neither does your ISP

• Different Time Zones

– Hello, is that Singapore?

• Language

– Sprechen Sie Deutsch?

• National boundaries

• Differing legislation

• Protecting legitimate users

– You can’t block 196.4.160.0/16

Page 37: Security in e-commerce

Future Imperfect - predictions 2001

Marcus H. Sachs, US Department of Defense:

“2001 will also see continued development of distributed denial of service attack networks. These attack networks will no longer rely on manual establishment by the attacker, but will automatically establish themselves through the use of mobile code and html scripting.”

Page 38: Security in e-commerce

Future Imperfect - predictions 2001

Peter G. Neumann, SRI International:

“We are likely to see some organized, possibly collaborative, attacks that do some real damage, perhaps to our critical infrastructures, perhaps to our financial systems, perhaps to government systems, all of which have significant vulnerabilities.”

Page 39: Security in e-commerce

Future Imperfect - predictions 2001

Bruce Moulton, Fidelity Investments:

“Hacktivism and other cyber attacks emanating from countries with weak or non-existent legal sanctions and investigative capabilities will escalate. This is likely to be the root of at least one headline-grabbing cyber incident (much bigger than DDOS or LoveBug) that will send a loud wake-up call to the commercial sector.”

Page 40: Security in e-commerce

SECURITY STATISTICS

Commercial Crime

• Commercial crime up 3.5% from last year

– R 3.4 billion in the first half of '99 alone

• 84.3% of cases involved fraud

– 25,000 incidents

– R 2.9 billion

• Gauteng occupies first position with regard to Commercial Crime

• www.saps.org.za

Page 41: Security in e-commerce

SECURITY STATISTICS

Computer Crime

• 61% of the organizations surveyed have experienced losses due to unauthorized computer use.

• The average loss resulting from security breaches in all categories was approximately $1,000,000

FBI / CSI Survey, 1999

Page 42: Security in e-commerce

SECURITY STATISTICS

CyberCrime Costs Money

“Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day.”

Financial Mail - April 2000

Page 43: Security in e-commerce

SECURITY STATISTICS

Computers & Commercial Crime

KPMG:

‘63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as "Extremely High"’

Page 44: Security in e-commerce

SECURITY STATISTICS

Did they have it coming?

• Access control 93%

• Biometrics 9%

• Encrypted files 61%

• Anti-virus software 98%

• Reusable passwords 61%

• Firewalls 91%

• Encrypted log-in/sessions 46%

• Physical security 91%

• PCMCIA, smart cards, one-time tokens 39%

• Intrusion detection 42%

• Digital IDs, certificates 34%

FBI / CSI Survey, 1999

Page 45: Security in e-commerce

SECURITY STATISTICS

Threat Distribution - USA

• Theft of proprietary info 20%

• Sabotage of data or networks 15%

• Telecom eavesdropping 10%

• System penetration by outsider 24%

• Insider abuse of net access 76%

• Financial fraud 11%

• Denial of service 25%

• Virus contamination 70%

• Unauthorized access to info by insider 43%

• Telecom fraud 13%

• Active wiretapping 2%

• Laptop theft 54%

Page 46: Security in e-commerce

SECURITY STATISTICS

Threat Distribution - RSA

• Some form of breach 89%

• Virus incident 87%

• Theft of equipment 80%

• E-mail intrusion 27%

• Loss of company documents 12%

• Breach of confidentiality 8%

• External systems attack 8%

• Internal systems attack 6%

Page 47: Security in e-commerce

SECURITY STATISTICS

The value of statistics

• What we know:

– There is a threat to our Information Resources

– The threat has direct financial implications

– The threat is growing

– A large part of the threat is internal

– There are a number of distinguishable trends

• What we don’t know:

– How accurate are the statistics?

– Are international statistics relevant in SA?

– Are international solutions relevant in SA?

– What does this all mean to me?

You need to determine your own unique risk profile

Page 48: Security in e-commerce

What me worry?!

• Loss in productivity

• Human resources

– Internal & external

• Loss of reputation

• Lost confidence

– in your service & in e-business in general

• Lost transaction revenue

• Lost customer base

• Share price manipulation

– Share holders, staff, working capital

• Liability costs

Page 49: Security in e-commerce

Whoah Cowboy!

icsa.net, February 2000:

“The Internet has now taken a drastic "hit" to its reliability and integrity due to the recent DDoS attacks. It is only through the cooperation and unification of all Internet users that we will find the solution - and stop DDoS from taking the Internet out from under our commerce, education, communities, and individuals.”

But has it really been all that bad?

Page 50: Security in e-commerce

TRENDS & FUTURE THREATS

The New Wave is here

• We’re already seeing examples of the new generation of threats:

• DDoS

– Yahoo / Ebay

• Trojans & Worms

– Microsoft

• Semantic

– Emulex Corp.

– NIKE

– Air Traffic Control

• Corporate Backdoors

– Microsoft NSA backdoor?

– 3COM Switch undocumented access

Page 51: Security in e-commerce

DEFINING RISK

Determining your own risk

• What is Risk?

– Valuable resources + exploitable technology

• What is “Secure”?

– When the financial losses incurred are at an acceptable level

• Your “Risk-Profile”:

– The value of your Information

– The degree of technological vulnerability

– A level of loss that is acceptable to you

Unique to your organisation. Today.

Page 52: Security in e-commerce

ASSESSING YOUR RISK

Objectives of a Risk Assessment

• Understand your own unique risk-profile.

• Determine whether a given system:

– safeguards assets.

– maintains data integrity.

– allows the goals of an organisation to be achieved.

• Identify significant computer security threats

• Measure yourself against a defined standard

– Internal (policy)

– External (certification)

• Make informed decisions on how to spend

– Time

– Money

– People

Page 53: Security in e-commerce

ASSESSING YOUR RISK

An effective Assessment

• Independent and Objective

• Business aware but technology focused

• Prove its worth

• Concrete, practical recommendations

• Finite

• Honest

• Recursive...

Page 54: Security in e-commerce

ASSESSING YOUR RISK

Recursive Assessments

• Delta Testing

– Monitor the effect of changes

• New exploits and vulnerabilities

– Staying secure in a global battlefield

• Improved Methodologies

– Tools, techniques, philosophies etc.

• Innovation

– A chance to get to know you

• Extended Scope

– There’s never enough time

• Enhanced Scope

– Moving toward a zero-defect environment

Page 55: Security in e-commerce

INFORMATION SECURITY FUNDAMENTALS

Charl van der Walt

(Content removed)

Page 56: Security in e-commerce

Planning for disaster

• Be convinced that the Internet is not a friendly place

• Be prepared to detect failure (malicious or accidental)

• Mirror critical resources

– geographically remote from the original

• Create transparent alternative entry points

• Implement switching in the case of failure

– Must be considered during the design phase

• Analyse, plan, communicate, test

Page 57: Security in e-commerce

Things to consider

• The Internet is probably not your main income generator

• There’s more than one way to skin a cat

– Physical attacks on infrastructure

– Hardware theft

– DNS & other upstream services

– Viruses & other content-borne attacks

– Get "Slashdotted"

• Who’s responsible for your family jewels?

• It could get worse:

– Imagine an MS-based worm attack

– http://www.hackernews.com/bufferoverflow/99/nitmar/nitmar1.html

Page 58: Security in e-commerce

THE BOTTOM LINE

1. Take security seriously

2. Don’t panic!

3. Value your information

4. Evaluate your risk

5. Be requirement driven, not technology driven

Page 59: Security in e-commerce

questions?

Page 60: Security in e-commerce

Useful References

• Information Systems Audit & Control Association:

– http://www.isaca.org.za/

• Configuring Cisco routers:

– http://www.cisco.com/warp/public/707/newsflash.html

• Archive of DDoS attack tools:

– http://packetstorm.securify.com/distributed/

• CERT:

– http://www.cert.org

– http://www.cert.org/contact_cert/certmaillist.html

• Paul Ferguson's DDoS resource page:

– http://www.denialinfo.com/

• Test whether your network space can be used as an amplifier:

– http://www.netscan.org

• RFCs:

– http://www.ietf.org