(ISC)² CyberSecureGov 2015 - The Next APT: Advanced, Persistent Tracking

Post on 15-Aug-2015


#Cybersecuregov

From Zero to 60: Advancing the Cybersecurity Workforce

The Next APT: Advanced, Persistent Tracking

Jarad Kopf and G. S. McNamara


Introduction

» Persistent tracking mechanisms are very prevalent and growing

» Tech conglomerates such as Google have flirted with this type of new technology

» No longer limited to cookies, these tracking mechanisms come in many forms


Why should you care?

» Privacy concerns

» These technologies are extremely accurate

» Perhaps violating your organization’s policy


Evercookies

» Goal: Identify unique client even after standard cookies have been removed

» Storage mechanisms include: Flash Cookies, Silverlight Isolated storage, HTTP ETags*, many more


Evercookie FAQs

» Do evercookies work cross-browser?

» Does the browser or server have to install anything?


Evercookie Repopulation

Image: https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf


ETag Overview

» One storage mechanism of Evercookies

» ETag (Entity Tag) is part of the HTTP protocol
  • Provides for web cache validation

» Can be used as opaque identifier assigned by a web server to a specific version of a resource found at a URL
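One way a defender could spot the ETag-as-identifier behaviour described above in proxy logs, as an added example that is not from the original slides. The record layout, hostnames, digests and the min_clients threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy-log records (not real traffic): one per HTTP response seen
# by a TLS-inspecting proxy. Fields: client, url, body digest, ETag header.
SAMPLE_LOG = [
    ("10.0.0.11", "https://cdn.example/logo.png", "9f2c", '"v42"'),
    ("10.0.0.12", "https://cdn.example/logo.png", "9f2c", '"v42"'),
    ("10.0.0.13", "https://cdn.example/logo.png", "9f2c", '"v42"'),
    ("10.0.0.11", "https://trk.example/pixel.gif", "77ab", '"a81f03"'),
    ("10.0.0.12", "https://trk.example/pixel.gif", "77ab", '"c5529e"'),
    ("10.0.0.13", "https://trk.example/pixel.gif", "77ab", '"0be7d4"'),
    ("10.0.0.11", "https://trk.example/pixel.gif", "77ab", '"a81f03"'),
    # Legitimate change: new body, new ETag, shared by every client.
    ("10.0.0.11", "https://news.example/app.js", "d001", 'W/"r1"'),
    ("10.0.0.12", "https://news.example/app.js", "d002", 'W/"r2"'),
    ("10.0.0.13", "https://news.example/app.js", "d002", 'W/"r2"'),
]

def normalize_etag(value):
    """Strip the weak-validator prefix and quotes so W/"x" and "x" compare equal."""
    value = value.strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip('"')

def find_per_client_etags(records, min_clients=3):
    """Return URLs whose identical body is served with a different ETag per client."""
    # (url, body digest) -> etag -> set of clients that received it
    seen = defaultdict(lambda: defaultdict(set))
    for client, url, digest, etag in records:
        seen[(url, digest)][normalize_etag(etag)].add(client)
    findings = {}
    for (url, digest), by_etag in seen.items():
        clients = set().union(*by_etag.values())
        if len(clients) < min_clients:
            continue  # too few observers to judge
        # An ETag names a version of the resource, so one body should map to one
        # tag. Flag when every tag is exclusive to a single client.
        one_to_one = all(len(c) == 1 for c in by_etag.values())
        if one_to_one and len(by_etag) == len(clients):
            findings[url] = {tag: next(iter(c)) for tag, c in by_etag.items()}
    return findings

if __name__ == "__main__":
    for url, mapping in find_per_client_etags(SAMPLE_LOG).items():
        print(url, mapping)
```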


HSTS Overview

» HSTS: web security policy mechanism to protect HTTPS websites from downgrade attacks

» Allows web servers to declare that web browsers should only interact using secure connections

» Your browser can remember this: the policy is set when the server sends back an HTTP response header field named Strict-Transport-Security


Fingerprinting (Type 1 of 2): Device


Fingerprinting (Type 2 of 2): Canvas


Let’s tell a story…

(If I were evil)


A world full of corporate assets


We might even allow BYOD


We’ve hardened our network


And we trust our ISP


But what about the phones?


The carrier wouldn’t meddle with our data

“Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine”

http://www.wired.com/2014/10/verizons-perma-cookie/


The data gathered would never then be sold

“Relevant Mobile Advertising Program”

http://www.verizonwireless.com/support/relevant-mobile-ad/


Selling location data is inconceivable

“Carriers Sell Users’ Tracking Data in $5.5 Billion Market”

http://www.bloomberg.com/news/articles/2013-06-06/carriers-sell-users-tracking-data-in-5-5-billion-market


Location lacks impact

“ISIS Fighter Accidentally Geotagged Tweets And Revealed His Not-So Secret Location”

http://www.mtv.com/news/2038989/isis-twitter-geotagging-fail/


If only used for ads, is this OK?


Ads are safe

“Malware in ads turn computers into zombies”

http://www.usatoday.com/story/tech/2015/01/20/malvertising/21889547/


Well, if you stick to legitimate sites

“Malvertising hits The New York Times”

http://www.dailyfinance.com/2009/09/14/malvertising-hits-the-new-york-times/


This ‘malvertising’ economy won’t catch on

“Malvertising Abuses Real-Time Bidding on Ad Networks”

https://threatpost.com/ad-networks-ripe-for-abuse-via-malvertising/111840


It’s probably just run by kids

“APTs Target Victims with Precision, Ephemeral Malvertising”

https://threatpost.com/apts-target-victims-with-precision-ephemeral-malvertising/108906


Besides, cyber-physical isn’t real

“'Operation DeathClick' targets defense contractors”

http://archive.federaltimes.com/article/20141017/IT/310170016/-Operation-DeathClick-targets-defense-contractors


Malware doesn’t even work on phones

“Ads 'biggest mobile malware risk'”

http://www.bbc.com/news/technology-26447423


It only works on “real” computers

“Now e-cigarettes can give you malware”

http://www.theguardian.com/technology/2014/nov/21/e-cigarettes-malware-computers


The future isn’t mobility anyway

“BYOD: Many Call It Bring Your Own Malware (BYOM)”

http://blogs.cisco.com/security/byod-many-call-it-bring-your-own-malware-byom


And the small details don’t matter

“Two US power plants infected with malware spread via USB drive”

http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/


Next-Gen Tracking is a blind spot.


This was just one idea


Policy Scandals


EU Cookie Law

» Went into effect May 2012

» EU requires prior informed consent for storage of or access to information stored on a user’s machine
  • Many exemptions

» Tools like Google Analytics fall under jurisdiction


So what now?

» Talk to legal about policy updates

» Talk to IT about control


“The greatest victory is that which requires no battle.”
― Sun Tzu, The Art of War

Jarad Kopf, M.S., CISSP
Jarad.Kopf@gmail.com

G. S. McNamara, M.S.
Main@GSMcNamara.com
