emerging threats and attack surfaces
DESCRIPTION
Peter Wood and his team conduct ethical hacking engagements for multi-national organisations in varied business sectors. Peter will address the top three emerging threats, how they affect the attack surface of a typical business and how they can be exploited.
TRANSCRIPT
Hackers and Threats Summit
Emerging Threats and Attack Surfaces
Peter Wood, Chief Executive Officer
First•Base Technologies LLP
An Ethical Hacker’s View
Slide 2 © First Base Technologies 2012
Who is Peter Wood?
Worked in computers & electronics since 1969
Founded First Base in 1989 (one of the first ethical hacking firms)
CEO, First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’
Member of ISACA Security Advisory Group
Vice Chair of BCS Information Risk Management and Audit Group
UK Chair, Corporate Executive Programme
FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa
Slide 3
Agenda
Top issues for this year:
•BYOD
•Public WiFi (and home working)
•Password quality
•… I had more but not enough time!
Beware: this presentation offers no easy solutions!
Slide 4
Bring Your Own …
Slide 5
Activity monitoring and data retrieval
Mobile data that attackers can monitor and intercept:
• Messaging (SMS and email)
• Audio (calls and open microphone recording)
• Video (still and full-motion)
• Location
• Contact list
• Call history
• Browsing history
• Input
• Data files
Source: Jason Steer, Veracode
Slide 6
Unauthorised network connectivity (exfiltration or command & control)
• Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker
• Communication channels for exfiltration and command and control:
- Email
- SMS
- HTTP GET/POST
- TCP socket
- UDP socket
- DNS exfiltration
- Bluetooth
- BlackBerry Messenger
- Endless list…
Source: Jason Steer, Veracode
Slide 7
UI impersonation
• Similar to phishing attacks that impersonate the website of the victim’s bank or online service
• Web view applications on the mobile device can proxy to legitimate website
• Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application
• Victim is asked to authenticate and ends up sending their credentials to an attacker
Proxy/MITM: 09Droid banking apps (fake banking apps for Android)
Source: Jason Steer, Veracode
Slide 8
Sensitive data leakage
Source: Jason Steer, Veracode
Slide 9
Unsafe sensitive data storage
• Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card numbers, or online service passwords
• Sensitive data should always be stored encrypted so that attackers cannot simply retrieve this data off of the file system
- Citibank: insecure storage of sensitive data
- Wells Fargo Mobile app 1.1 for Android
Source: Jason Steer, Veracode
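The storage problem above is easy to confirm on a device image: pull the app's data files and scan them for values that should never be on disk in the clear. The script below is an added example, not from the presentation or from Veracode; the sample file content, key names and the 4111… test card number are constructed for it, and the Luhn check is used only to separate real card-number candidates from other digit runs such as order references.

```python
import re

# Added example (not from the presentation): a check an auditor can run over
# files pulled from a device to spot sensitive values stored in the clear.
# The file content below is constructed; the card number is the well-known
# 4111... test number, not a real account.
SAMPLE_APP_FILE = """\
user=jsmith
pin=1234
card=4111 1111 1111 1111
order_ref=1234567890123456
token=b7f1c2e9
"""

# Keys whose values should never be written unencrypted (constructed list)
SENSITIVE_KEYS = {"pin", "password", "passwd", "cvv", "card", "secret"}

# 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text: str) -> list:
    """Return card-number-like digit runs that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_plaintext_keys(text: str) -> list:
    """Return sensitive key=value entries whose value is stored as-is."""
    found = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in SENSITIVE_KEYS and value.strip():
            found.append(key.strip())
    return found


if __name__ == "__main__":
    print("card numbers in clear:", find_plaintext_pans(SAMPLE_APP_FILE))
    print("sensitive keys in clear:", find_plaintext_keys(SAMPLE_APP_FILE))
```

Run it against a directory of recovered preference files, SQLite dumps or logs; a single hit is enough evidence that the app is writing data that should have been encrypted (or never stored).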
Slide 10
Unsafe sensitive data transmission
• Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi
• If the app implements SSL it could still fall victim to a downgrade attack if it allows degrading HTTPS to HTTP
• SSL could also be compromised if the app does not fail on invalid certificates, enabling a man-in-the-middle attack
Source: Jason Steer, Veracode
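The two transmission failures on this slide (a client that does not fail on an invalid certificate, and a client that follows a redirect from HTTPS down to HTTP) are both decisions made in client code. The example below is added here and is not from the presentation or from Veracode; it shows, with Python's standard `ssl` module, what a fail-closed TLS context looks like beside the anti-pattern, and a redirect check that refuses the downgrade. The URLs are constructed placeholders.

```python
import ssl
from urllib.parse import urljoin, urlsplit

# Added example (not from the presentation): the transport checks the slide
# describes, as a client would implement them with the standard library.
# URLs below are constructed placeholders.


def strict_tls_context() -> ssl.SSLContext:
    """Fail closed: require a chain that validates against the system CA
    store and a certificate whose name matches the host."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_tls_context() -> ssl.SSLContext:
    """The anti-pattern from the slide: any certificate is accepted, so an
    interposed proxy presenting its own certificate goes unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_fails_on_bad_cert(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if the context rejects an invalid certificate."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def redirect_allowed(current_url: str, location: str) -> bool:
    """Refuse an HTTPS -> HTTP downgrade when following a redirect.
    A relative Location keeps the current scheme and is allowed."""
    if urlsplit(current_url).scheme != "https":
        return False                              # never start from plain HTTP
    return urlsplit(location).scheme in ("", "https")


def follow_chain(start_url: str, locations: list) -> str:
    """Walk a list of Location headers (constructed, not fetched) and stop at
    the first downgrade. Returns the last URL that was safe to request."""
    url = start_url
    for location in locations:
        if not redirect_allowed(url, location):
            break
        url = urljoin(url, location)
    return url


if __name__ == "__main__":
    print("strict context safe:", context_fails_on_bad_cert(strict_tls_context()))
    print("lax context safe:", context_fails_on_bad_cert(lax_tls_context()))
    print(follow_chain("https://bank.example/login",
                       ["/account", "http://bank.example/home"]))
```

The same two properties are what to look for when reviewing a mobile app's networking layer: a verify mode that is anything but "required", or a redirect handler that accepts any scheme, is the defect the slide describes.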
Slide 11
Drive-by vulnerabilities
Slide 12
BYOD Issues
• Activity monitoring and data retrieval
• Unauthorised network connectivity
• UI impersonation
• Sensitive data leakage
• Unsafe sensitive data storage
• Unsafe sensitive data transmission
• Drive-by vulnerabilities
Slide 13
Public & Home WiFi
Slide 14
Infosecurity Europe 2012 Experiment
• Open WiFi on a laptop on our stand
• Network name: ‘Infosec free wifi’
• Fake AP using airbase-ng on BackTrack
• In one day we collected 86 unique devices
Slide 15
Home & Public WiFi
• No encryption (or just WEP)
• Plain text traffic (email, unencrypted sites)
• SSL VPNs
• False sense of security
Slide 16
Eavesdropping
Packet sniffing unprotected WiFi can reveal:
• logons and passwords for unencrypted sites
• all plain-text traffic (e-mails, web browsing, file transfers)
Slide 17
Firesheep capturing
Slide 18
Firesheep: game over
Slide 19
Open WiFi Issues
• Open and WEP-encrypted WiFi networks are visible to anyone
• Plain-text data on an insecure wireless network can be intercepted and read by anyone
• SSL and TLS may be no protection at all
• Password re-use is a major vulnerability (e.g. HB Gary)
• Home networks are usually insecure and hence vulnerable to targeted attacks
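Firesheep (slides 17 and 18) works because a site that logs the user in over HTTPS then sends the session cookie in the clear on every plain HTTP request, where anyone on the open WiFi can read it. From the server side, the controls are the Secure flag on the cookie and HSTS, and both can be checked from the response headers. The script below is an added example, not from the presentation; the HTTP response it parses is constructed for the example.

```python
# Added example (not from the presentation): audit of the response headers
# that decide whether a session survives an open-WiFi eavesdropper.
# The response text is constructed for the example.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: remember=xyz; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: tracker=1; Path=/
"""


def parse_headers(raw: str) -> list:
    """Split a raw response into (name, value) pairs, names lower-cased."""
    lines = raw.strip().splitlines()[1:]          # drop the status line
    pairs = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookies(raw: str) -> dict:
    """Map each cookie name to the list of missing protective attributes."""
    findings = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")      # browser will send it over plain HTTP
        if "httponly" not in attrs:
            missing.append("HttpOnly")    # readable by script injected into the page
        findings[cookie_name] = missing
    return findings


def has_hsts(raw: str) -> bool:
    """True if the server tells browsers to use HTTPS only for this host."""
    return any(n == "strict-transport-security" for n, _ in parse_headers(raw))


def exposed_on_open_wifi(raw: str) -> list:
    """Cookies a packet sniffer could capture: those without the Secure flag.
    HSTS reduces the window (the browser stops making HTTP requests after the
    first HTTPS visit) but does not replace the flag."""
    return [c for c, missing in audit_cookies(raw).items() if "Secure" in missing]


if __name__ == "__main__":
    print("cookie findings:", audit_cookies(SAMPLE_RESPONSE))
    print("HSTS present:", has_hsts(SAMPLE_RESPONSE))
    print("capturable over open WiFi:", exposed_on_open_wifi(SAMPLE_RESPONSE))
```

For an internal site, run this over the login response: a session cookie listed by `exposed_on_open_wifi` is exactly the kind of token a Firesheep-style tool picks up from a coffee-shop network.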
Slide 20
Password Quality
Slide 21
Password ‘Quality’
• “I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, “We’ve been following the same patterns since the 1990s.”
• Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace.
• The list was briefly posted on the Web, and hackers and security researchers downloaded it.
Slide 22
List Windows privileged accounts and look for service accounts
Slide 23
Case study: Administrator passwords
Global organisation:
• 67 Administrator accounts
• 43 simple passwords (64%)
• 15 were “password” (22%)
• Some examples we found:
admin5, crystal, finance, friday, macadmin, monkey, orange, password, password1, prague, pudding, rocky4, security, security1, sparkle, webadmin, yellow
Slide 24
Case study password crack
• 26,310 passwords from a Windows domain
• 11,279 (42.9%) cracked in 2½ minutes
• It’s not a challenge!
Slide 25
Typical passwords
Account name         Password
administrator        null, password, administrator
arcserve             arcserve, backup
test                 test, testing, password
backup               backup
tivoli               tivoli
backupexec           backup
smsservice           smsservice
any username         password, monday, football
any service account  same as account name
Slide 26
If we can boot from CD or USB …
Slide 27
Boot Ophcrack Live
Slide 28
We have some passwords!
Slide 29
… or just read the disk
Slide 30
Copy hashes to USB key
Slide 31
… a few minutes later
Slide 32
Change the Administrator Password
Slide 33
Password Issues
• Passwords based on dictionary words and names
• Service accounts with simple/stupid passwords
• Other easy-to-guess passwords
• Little or no use of passphrases
• Password policies not tailored to specific environments (e.g. Windows LM hash problem)
• Old-fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)
• Just general ignorance and apathy?
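The case studies on slides 23 to 25 come down to a handful of patterns: passwords equal to the account name, dictionary words with or without a trailing digit, and passwords short enough to leave an LM hash behind. Once an audit has recovered an account list, those patterns can be counted mechanically and reported the way the slides do. The script below is an added example, not from the presentation; the account/password pairs are constructed for it and the word list is seeded from the slides' own examples.

```python
import re

# Added example (not from the presentation): audit of recovered
# account/password pairs for the patterns the case studies found.
# Accounts and passwords below are constructed for the example.
SAMPLE_ACCOUNTS = {
    "administrator": "password",
    "arcserve": "arcserve",
    "backupexec": "backup",
    "smsservice": "smsservice",
    "jsmith": "football",
    "tivoli": "Tivoli2012",
    "svc_sql": "correct horse battery staple",
    "psmith": "Xq7!vB2#mL9p",
}

# Seeded from the slides' examples; a real audit would use a full wordlist
COMMON_WORDS = {
    "password", "monday", "football", "backup", "monkey", "orange", "security",
    "friday", "crystal", "pudding", "sparkle", "yellow", "admin", "test", "testing",
}


def weaknesses(account: str, password: str) -> list:
    """Return the weakness labels that apply to one account/password pair."""
    issues = []
    pw = password.lower()
    base = re.sub(r"\d+$", "", pw)               # 'password1' -> 'password'
    if base == account.lower():
        issues.append("same as account name")
    elif base in COMMON_WORDS:
        issues.append("dictionary word")
    if len(password) <= 14:
        # A password of 14 characters or fewer also gets an LM hash unless LM
        # storage has been disabled on the domain; LM splits it into two
        # 7-character halves, each cracked independently.
        issues.append("LM hash eligible")
    if len(password) < 16 and " " not in password:
        issues.append("no passphrase (under 16 chars)")
    return issues


def is_simple(issues: list) -> bool:
    """'Simple' in the sense of the case study: guessable without cracking."""
    return "same as account name" in issues or "dictionary word" in issues


def audit(accounts: dict) -> dict:
    """Summarise an account list the way the case study reports it."""
    results = {acc: weaknesses(acc, pw) for acc, pw in accounts.items()}
    simple = sum(1 for iss in results.values() if is_simple(iss))
    return {
        "accounts": len(accounts),
        "simple": simple,
        "simple_pct": round(100 * simple / len(accounts), 1),
        "lm_eligible": sum(1 for iss in results.values() if "LM hash eligible" in iss),
        "details": results,
    }


if __name__ == "__main__":
    summary = audit(SAMPLE_ACCOUNTS)
    print(f"{summary['simple']} of {summary['accounts']} simple ({summary['simple_pct']}%)")
    for acc, iss in summary["details"].items():
        print(f"  {acc:15} {', '.join(iss) or 'ok'}")
```

The LM check is the one most often missed in policy reviews: a 14-character complex password still satisfies most policies, yet the same policy allowing LM storage leaves two 7-character halves on the domain controller. Requiring 15 or more characters, or disabling LM hash storage, closes that gap regardless of the rest of the policy.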
Slide 34
Do you know how vulnerable you are?
Peter Wood, Chief Executive Officer
First•Base Technologies LLP
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Blog: fpws.blogspot.com
Twitter: peterwoodx
Need more information?